IBM QRadar

  • 1.  Need Support with Workflow - Universal API call

    Posted Wed April 23, 2025 09:13 AM

    Hello and greetings to the community.

    One of our customers has a Symantec Cloud Solution called "Symantec ICDM". In order to set this solution to send its logs to QRadar, the customer made the appropriate settings on its cloud management console, and we then made the corresponding log source in QRadar, using a Universal REST API call. In order to make this function, we set a workflow code and the corresponding workflow parameters (somewhat similar to setting parameters for an Office 365 log source) inside the Symantec ICDM log source in QRadar.

    The problem is that this attempt only worked for a short while. When testing the log source, it showed the error "User is not authorized for the operation". In addition, we recently got a new client token and produced a new "curl response" for the workflow parameters, so all this stuff is renewed. We then contacted IBM (official) technical support, and an IBM engineer found that there must be a problem with the workflow code.

    I also tried to disable the existing log source and make a new one with the same parameters, workflow, etc., but nothing worked.

    Can anyone here help me with this? Can I post the workflow and its parameters here so that someone can help me find the problems and fix them?

    Thank you in advance for the support.



    ------------------------------
    Dimitrios Koutoufaris
    ------------------------------


  • 2.  RE: Need Support with Workflow - Universal API call

    Posted 8 days ago

    I may be misinterpreting what you're saying, but it sounds to me like you are generating a temporary auth token outside of the workflow, then defining that in your workflow parameters. Those temporary tokens typically only last a few minutes to an hour.

    Instead, you should put permanent secrets (e.g. client ID and secret) in the workflow parameters, then generate the temporary token for each workflow run. If you're already doing this, you may want to check whether the application has automatic expiration of the "permanent" API credentials.



    ------------------------------
    Olivia Mativi
    ------------------------------
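The pattern described in the reply above, as an added example of a Universal Cloud REST API workflow and not a workflow from the original thread, from IBM, or from Symantec: only the long-lived client ID and secret are workflow parameters, and the workflow exchanges them for a short-lived bearer token at the start of every run. The token and event endpoint URLs, the client-credentials form body, and the `/body/events` path are placeholders assumed for illustration; the real ICDM endpoints and response layout must come from the vendor documentation.

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<Workflow name="ClientCredentialsExample" version="1.0"
          xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">

    <!-- Only permanent secrets live here; the short-lived token is never a parameter. -->
    <Parameters>
        <Parameter name="token_url"     label="Token endpoint URL (placeholder)"  required="true" />
        <Parameter name="events_url"    label="Events endpoint URL (placeholder)" required="true" />
        <Parameter name="client_id"     label="Client ID"                         required="true" />
        <Parameter name="client_secret" label="Client Secret"                     required="true" secret="true" />
    </Parameters>

    <Actions>
        <!-- Step 1: exchange the permanent credentials for a fresh token on every run. -->
        <CallEndpoint url="${/token_url}" method="POST" savePath="/get_token">
            <RequestHeader name="Content-Type" value="application/x-www-form-urlencoded" />
            <UrlEncodedFormRequestBody>
                <Parameter name="grant_type"    value="client_credentials" />
                <Parameter name="client_id"     value="${/client_id}" />
                <Parameter name="client_secret" value="${/client_secret}" />
            </UrlEncodedFormRequestBody>
        </CallEndpoint>

        <!-- A 401/403 at this step points at the permanent credentials themselves
             (revoked, expired or lacking the API role), not at a stale token. -->
        <If condition="/get_token/status_code != 200">
            <Abort reason="Token request failed with HTTP ${/get_token/status_code}: ${/get_token/body}" />
        </If>
        <Set path="/access_token" value="${/get_token/body/access_token}" />

        <!-- Step 2: call the data endpoint with the token obtained in this run. -->
        <CallEndpoint url="${/events_url}" method="GET" savePath="/get_events">
            <BearerAuthentication token="${/access_token}" />
        </CallEndpoint>

        <!-- A failure here with a token that was just issued means the token is valid
             but the identity behind it is not authorized for this operation. -->
        <If condition="/get_events/status_code != 200">
            <Abort reason="Event request failed with HTTP ${/get_events/status_code}: ${/get_events/body}" />
        </If>

        <!-- Step 3: forward the events to QRadar (assumed response path /body/events). -->
        <PostEvents path="/get_events/body/events" source="${/events_url}" />
    </Actions>
</Workflow>
```

Because each `Abort` reason records which of the two calls failed, the log source test tells you whether to renew the client credentials or to fix the permissions granted to them, instead of only showing "User is not authorized for the operation".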