Hello and greetings to the community.
One of our customers has a Symantec Cloud Solution called "Symantec ICDM". In order to set this solution to send its logs to QRadar, the customer made the appropriate settings on its cloud managing console, and we then made the corresponding log source in QRadar, using a Universal REST API call. In order to make this function, we set a workflow code and the corresponding workflow parameters (somewhat similar to setting parameters for an Office365 log source) inside the Symantec ICDM log source in QRadar.
The problem is that this attempt only worked for a short while. When testing the log source, it showed an error "User is not authorized for the operation". In addition, we recently got a new client token, and produced a new "curl response" for the workflow parameters, so all this stuff is renewed. We then contacted IBM (official) technical support, and an IBM engineer found that there must be a problem with the workflow code.
I also tried to disable the existing log source and make a new one with the same parameters, workflow, etc., but nothing worked.
Can anyone here help me with this? Can I post here the workflow and its parameters in order to help me find the problems and fix them?
Thank you in advance for the support.
------------------------------
Dimitrios Koutoufaris
------------------------------