The SIEM API client downloads WSS HTTP logs via the SyncAPI endpoint.
WSS logs were downloaded and ingested into the SIEM correctly until October 28 2022, after which no new logs are visible.
Downloading the same logs using curl works fine.
The SIEM logs show TLS handshake errors, as shown below:
SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
TLS 1.1 support has been removed from the Portal, impacting all requests into Portal and not just the WSS administration tool.
The SIEM client was set to use TLS 1.1, which failed.
Make sure that your SIEM client uses TLS 1.2 or greater for all requests into the SyncAPI endpoint.
Curl worked because it defaults to TLS 1.3 in this setup. Curl parameters exist to force a TLS 1.1 session, which reproduces the issue:
$ curl "https://portal.threatpulse.com/reportpod/logs/sync?startDate=0&endDate=0&token=none" -H "X-APIUsername:xxxxxxx" -H "X-APIPassword:yyyyy" -o /dev/null --tlsv1.1 --tls-max 1.1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
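For the resolution above, one way a script-based SIEM collector can pin its TLS floor to 1.2 and record the version actually negotiated. This is an added example, not code from the vendor or from any SIEM product. The host, path and header names come from the curl command above; the environment variable names WSS_API_USER and WSS_API_PASS and the output filename are assumptions.

```python
import http.client
import os
import shutil
import ssl

# Host, path and header names are taken from the curl command in the article.
HOST = "portal.threatpulse.com"
PATH = "/reportpod/logs/sync?startDate=0&endDate=0&token=none"


def build_tls_context() -> ssl.SSLContext:
    """Client context with certificate checks on and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()            # verifies cert and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # never offer TLS 1.0/1.1
    return ctx


def build_headers(username: str, password: str) -> dict:
    return {"X-APIUsername": username, "X-APIPassword": password}


def explain_tls_error(exc: ssl.SSLError) -> str:
    """Map the alert seen in the SIEM logs to a hint an operator can act on."""
    text = str(exc).lower()
    if "handshake failure" in text or "protocol version" in text:
        return "server rejected the handshake; check the client's TLS version range"
    return "TLS error: " + str(exc)


def download_logs(dest: str) -> str:
    """Download the sync archive to dest and return the negotiated TLS version."""
    conn = http.client.HTTPSConnection(HOST, context=build_tls_context(), timeout=60)
    try:
        conn.connect()
        negotiated = conn.sock.version()          # e.g. "TLSv1.3"
        # Credentials come from the environment (variable names are assumptions).
        conn.request("GET", PATH, headers=build_headers(
            os.environ["WSS_API_USER"], os.environ["WSS_API_PASS"]))
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"SyncAPI returned HTTP {resp.status}")
        with open(dest, "wb") as out:
            shutil.copyfileobj(resp, out)
        return negotiated
    except ssl.SSLError as exc:
        raise RuntimeError(explain_tls_error(exc)) from exc
    finally:
        conn.close()


if __name__ == "__main__":
    print("negotiated:", download_logs("wss_sync_download.bin"))  # constructed filename
```

Logging the negotiated version on every run gives the SIEM team a record to alert on if the collector ever falls back to an older protocol after a library or configuration change.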