401 unathorized using API Keys with Siem or the Mgmt API
search cancel

401 unathorized using API Keys with Siem or the Mgmt API

book

Article ID: 231085

calendar_today

Updated On:

Products

CASB Security Advanced CASB Audit CASB Security Premium

Issue/Introduction

In Postman - If you select Authorization type  "API Keys" and enter valid CloudSOC API Key & Key Secret Value you get the error "1. Authorization Required"

(See bottom of the screenshot below)

Valid CloudSOC API Endpoints, Query Options, and Sample Results:

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/symantec-cloudsoc/cloud/api-home.html

 

Environment

US Prod

Cause

 

 

Resolution

In Postman Under "Authorization Tab" - Select "Basic Auth" & enter the "Key ID" for Username & "Key Secret" for Password from CloudSOC:

image.png

CloudSOC API keys can be created/downloaded by SysAdmin or authorized Admin from "CloudSOC/Settings/API Keys."

In Postman, you must also add these two keys under the "Headers" Tab:

   Key                                                       Value

Content-Type                                    application/JSON

X-Elastica-Dbname-Resolved                 True

 

Using "Basic Authentication" with API Key / API Secret and Headers configuration, as shown above, enables CloudSOC queries to function correctly in Postman

(Example below)

https://api-vip.elastica.net/examplecom/audit/v2/data/?resource=service&earliest_date=1638349200&latest_date=1640077200&resolution=31556926

 

Postman is just one example of a utility that a client could use to run CloudSOC Management API queries.

The customer could use similar queries in other utilities such as Linux cURL, Powershell, JSON, Splunk, QRADAR, etc.

Broadcom CloudSOC Support and Engineering do NOT support any of these utilities but rather ensure that the API End Points and API keys in CloudSOC are functioning. correctly

 

 

 

Additional Information

CloudSOC API Management Tech Doc:

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/symantec-cloudsoc/cloud/api-home/supported-authentication-methods.html

CloudSOC API supports Basic Access Authentication. Use the Key ID and Key Secret as your user name and password. The API keys are allocated on a per-user basis and inherit the permissions granted to that user.

 

Note:

The API Logins are subject to the IP address login restrictions defined in the "IP Address Profile" section [Cloudsoc Portal > Settings > IP Addresses].

If the IP Address profile is configured, then the API calls will be allowed from the defined IP addresses/ranges only. All the other IP addresses will fail to authenticate. The error message reads "Authorization Required," and the HTTP response code is (401)

If the IP Address profile is NOT configured, then this restriction does not apply, and the login is allowed from any source IP Address.

*** The user and key must be Active.  Disabling or deleting the user will invalidate the key.  A new key will would need to be generated.