requesting endpoints - suddenly forbidden - key not working anymore for getting endpoints

Hello Sophos Central API Support,

We have been using the Sophos API for some months now and we never had problems receiving a token, tenants and endpoint data, always using one key.

We have asked Sophos Support about this problem, but the answer did not help us further and we should now ask this in the Sophos Central API forum.

Now this month, September 2021, we have started to collect the September data, and nothing in our software has been changed.

But now we get the error ‘Forbidden’ when trying to get the endpoints of a tenant.

Current temporary solution: We created a new key (with the same rights) and used it in our software and it works again, but we have a lot of configurations with the old key, which has stopped working, and perhaps we can fix this so we do not have to reconfigure, which will be a lot of work to do.

There are 2 suggestions from Sophos Support for what we can do to find out the reason for the problem:

  1. Verify with Postman: We tried to verify the error with Postman and got the same error.
  2. We should use Logz.io to analyse the traffic. We created a trial account which we should use to analyse the traffic details.
    We are not able to find the option to “request the full query”. We never used this tool before, so we need detailed instructions on how to use it to get the desired information.

 

Our Question: Why did the old account stop working, while the new account, with the same rights, is working?

Kind regards

Ralph Felger

  • Hi there,

    Allow us to have a quick check on this and get back to you.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
    Connect, Engage, Earn Rewards - Join the Sophos Community
  • Hi, 

    Can you share the error returned in the response? Also collect logs using Logz.io based on the correlation ID in the response.
    Please also validate the details below.

    The API credential still exists
    - It has proper roles assigned

    The API credential is applicable to their tenant
    - Oftentimes this will arise if they create the API credential at the tenant level and try to use it for another tenant
    - Validate the API credential is a PDB level credential

    The tenant in question is managed
    - This will return a 403 if the tenant in question being queried is not a managed tenant.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
    Connect, Engage, Earn Rewards - Join the Sophos Community
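The scope checks from the reply above, run over API responses instead of by hand. This is an added example, not part of the original thread and not Sophos code: it assumes the caller has already fetched the Sophos Central whoami response (its `idType` field) and the credential's tenant listing, it treats "managed" as "appears in that listing", and every ID in the sample data is a constructed placeholder. The error fields are the ones in the 403 body posted in this thread.

```python
# Added example: triage for a 403 "forbidden" on a Sophos Central endpoint query.
# All IDs below are constructed placeholders, not values from the thread.

PARTNER_TYPES = {"partner", "organization"}  # multi-tenant credential levels


def triage_forbidden(whoami, managed_tenants, tenant_id, error_body):
    """Return findings for the scope checks plus the IDs support asks for."""
    findings = []
    id_type = whoami.get("idType")

    if id_type == "tenant":
        # A tenant-level credential is only valid for the tenant it was created in.
        if whoami.get("id") != tenant_id:
            findings.append("credential is tenant-level and belongs to another tenant")
    elif id_type in PARTNER_TYPES:
        # Assumption: "managed" means the tenant appears in this credential's listing.
        if tenant_id not in {t["id"] for t in managed_tenants}:
            findings.append("tenant is not in this credential's managed-tenant listing")
    else:
        findings.append(f"unexpected credential type: {id_type!r}")

    if not findings:
        # Credential existence and role assignment are not visible in these responses.
        findings.append("scope checks pass: confirm the credential still exists "
                        "and review its role in Sophos Central")

    # Collect the identifiers support needs to locate the request in their logs.
    refs = {k: error_body.get(k) for k in ("correlationId", "requestId", "createdAt")}
    return {"findings": findings, "support_refs": refs}


# Constructed sample data (shapes only; values are placeholders).
SAMPLE_ERROR = {
    "error": "forbidden",
    "correlationId": "00000000-0000-0000-0000-00000000c0de",
    "requestId": "00000000-0000-0000-0000-0000000000f1",
    "createdAt": "2021-01-01T00:00:00.000Z",
    "message": "Forbidden",
}
PARTNER = {"id": "aaaaaaaa-0000-0000-0000-000000000001", "idType": "partner"}
TENANT_CRED = {"id": "bbbbbbbb-0000-0000-0000-000000000002", "idType": "tenant"}
TENANTS = [{"id": "bbbbbbbb-0000-0000-0000-000000000002", "name": "Tenant A"}]
OTHER_TENANT = "cccccccc-0000-0000-0000-000000000003"

if __name__ == "__main__":
    for cred, target in ((PARTNER, TENANTS[0]["id"]), (PARTNER, OTHER_TENANT),
                         (TENANT_CRED, OTHER_TENANT)):
        print(triage_forbidden(cred, TENANTS, target, SAMPLE_ERROR))
```

When both scope checks pass, as they do for the credential described in this thread, the remaining causes are on the Sophos Central side (credential state and role), and the collected `support_refs` are what support needs to trace the request.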
  • Hi,

    Thanks for your answer.

    We get the following error if we attempt to get the endpoint data:

    {
      "error": "forbidden",
      "correlationId": "65273394-a935-4aa3-bcbd-baa060cd0b58",
      "requestId": "62daf4e5-289b-4008-b5af-819c5f64baa5",
      "createdAt": "2021-09-27T10:11:42.224Z",
      "message": "Forbidden"
    }

    - The API Key credential is a PDB level credential

    - It is not a tenant-level credential

    - The API credential still exists and has the role “Service Principal Super Admin” assigned

    - The tenant from which we want to get the endpoints is a managed tenant

    Logz.io: We never used Logz.io before, so we need detailed instructions on how to use it to get the desired information.

    Kind regards

    Ralph Felger

  • Hi Ralph,

    Thank you for sharing the details. For Logz.io, I'll drop you a DM for instructions on how we can collect logs to further investigate the issue.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
    Connect, Engage, Earn Rewards - Join the Sophos Community
  • Hi GlennSen,

    Now we have activated Remote Assistance.

    Our unique Sophos ID: c2707604-0741-142a-88fc-d72de9b5b2f0

    Please tell me when we can start a new test run with our software to detect the problem with the key.

    Kind Regards

    Ralph Felger

  • Hi Ralph, 

    We tried fetching the logs through the details you've shared with us but we aren’t able to fetch any information.
    "correlationId": "65273394-a935-4aa3-bcbd-baa060cd0b58",
    "requestId": "62daf4e5-289b-4008-b5af-819c5f64baa5",
    Is your key associated with an email ID? If so, can you DM us the details so we can try fetching using the email ID?

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
    Connect, Engage, Earn Rewards - Join the Sophos Community
  • Hi GlennSen,

    Our software runs on demand; I will have to start it manually, and I asked in the reply before:

    Please tell me when we can start a new test run with our software to detect the problem with the key.

    We have not started our test run because I have got no reply to this question.

    Can I start a test run anytime with our software to detect the problem with the key?

    I will now start a test run with the problem key.

    Here are the results of trying to get the endpoints for the tenants:

    {
      "error": "forbidden",
      "correlationId": "c2de9c9b-1a1a-409f-8c9e-71c4d19bec84",
      "requestId": "9a0e7afb-30a6-4685-b4bf-7b73d93837d8",
      "createdAt": "2021-10-08T06:06:45.437Z",
      "message": "Forbidden"
    }

    {
      "error": "forbidden",
      "correlationId": "cfbb6196-d892-4c15-8dc7-dd619a14bd02",
      "requestId": "d6b02775-fa8c-43a9-b046-78175e18ffac",
      "createdAt": "2021-10-08T06:07:58.485Z",
      "message": "Forbidden"
    }

    Kind Regards

    Ralph Felger

  • Hi GlennSen,

    Since we haven't heard from each other for some time:

    Have you been able to verify our test run with the given key? Should we start a new test run with our software? Or can we support you in other ways in solving the problem?

    Kind Regards

    Ralph Felger