LogRhythm API certificate error when trying to download WSS logs via SyncAPI

Article ID: 229490

Products

Web Security Service - WSS

Issue/Introduction

The SOC reported that the LogRhythm SIEM is not able to pull logs from WSS.

LogRhythm support found that the connections to portal.threatpulse.net:443 are failing with the error "Unable to communicate securely with peer: requested domain name does not match the server's certificate".

According to the "Download Audit Logs with REST API" documentation, the REST API URL references https://portal.threatpulse.net/api/rest

Manually browsing to that URL as shown below returns the same error and a certificate with only one SAN which indeed doesn't match: "DNS Name=*.threatpulse.com".

$ curl "https://portal.threatpulse.com/reportpod/logs/sync?startDate=0&endDate=0&token=none" -H "X-APIUsername:1234fa8d-0b91-4c0b-b9ea-8d1e6xxxxxx" -H "X-APIPassword:1234ea043-1234-457c-871c-yyyyyyb8bc8" -o WSS_log.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8319k    0 8319k    0     0   540k      0 --:--:--  0:00:14 --:--:--  785k
 
$ curl "https://portal.threatpulse.net/reportpod/logs/sync?startDate=0&endDate=0&token=none" -H "X-APIUsername:1234fa8d-0b91-4c0b-b9ea-8d1exxxxxxx" -H "X-APIPassword:1234ea043-1234-457c-871c-yyyyyyb8bc8" -o WSS_log.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL: no alternative certificate subject name matches target host name 'portal.threatpulse.net'
More details here: https://curl.se/docs/sslcerts.html

 

Environment

LogRhythm SIEM solution

WSS SyncAPI endpoints

Cause

The SIEM client is referencing the wrong domain.

The documentation has been updated to reference the portal.threatpulse.com domain, and not the portal.threatpulse.net domain.

 

Resolution

Make sure that the SIEM (LogRhythm here) points to the portal.threatpulse.com domain.
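
To confirm which hostname a certificate covers before repointing the SIEM, the name check that curl and LogRhythm perform can be reproduced against the SAN list. The following is an added example, not part of the original article or of any vendor tooling; the function names are hypothetical, and the SAN list is the single entry the article reports.

```python
import socket
import ssl


def fetch_dns_sans(host, port=443, timeout=10):
    """Return the DNS SANs a server presents. The chain is still validated;
    only the name check is turned off so a mismatching cert can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def san_matches(hostname, pattern):
    """RFC 6125-style match: a wildcard is honoured only as the whole
    left-most label and covers exactly one label."""
    host = hostname.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return "*" not in pattern and host == pat


def check_endpoint(hostname, sans):
    """Return the SAN entries covering hostname; an empty list is the
    name mismatch that curl reports as error 60."""
    return [s for s in sans if san_matches(hostname, s)]


# Constructed from the article: the only SAN reported on the certificate.
SANS_FROM_ARTICLE = ["*.threatpulse.com"]

if __name__ == "__main__":
    for name in ("portal.threatpulse.com", "portal.threatpulse.net"):
        hits = check_endpoint(name, SANS_FROM_ARTICLE)
        print(f"{name}: {'match ' + hits[0] if hits else 'NO MATCH'}")
```

On a host with network access, `fetch_dns_sans()` can supply the live SAN list in place of the constructed one.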