Resolving API Token Authentication Error for LogRhythm SIEM Integration with Trend Vision One

Symptoms

  • API token generated from Trend Vision One console is rejected during LogRhythm integration setup.
  • Authentication errors such as "401 Unauthorized" appear when testing or using the token.
  • LogRhythm logs show failed API authentication or token validation errors.

Root Cause

This issue commonly occurs due to one or more of the following:

  • Incorrect or incomplete API token copied from Trend Vision One.
  • Using the wrong regional API endpoint URL.
  • Expired or insufficiently permissioned API token.
  • Network connectivity or SSL/TLS issues between LogRhythm and Trend Vision One API.

Resolution

Follow these steps to resolve the API token authentication error:

1. Verify API Token Generation in Trend Vision One

  1. Log in to the Trend Vision One console.
  2. Navigate to Workflow and Automation → Third-Party Integration → LogRhythm SIEM.
  3. Click Generate to create a new API token.
  4. Immediately copy the entire token exactly as displayed. The token should be a long JWT string containing dots (.) and typically over 500 characters.
  5. Confirm the token's expiration time and permissions.

For detailed steps, refer to the LogRhythm SIEM integration documentation.
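
The following local pre-check for a pasted token is an added example, not part of the original article or of Trend Micro's or LogRhythm's tooling. It flags stray whitespace, a missing segment, and a past expiry; it does not verify the signature, it assumes the token carries the standard JWT `exp` claim, and `check_token` and `make_sample_token` are hypothetical names.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_token(raw, now=None):
    """Return a list of problems with a pasted token; an empty list means none found."""
    now = time.time() if now is None else now
    problems = []
    token = raw.strip()
    if token != raw:
        problems.append("leading/trailing whitespace or newline")
    if any(c.isspace() for c in token):
        return problems + ["whitespace inside token (line-wrapped paste?)"]
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return problems + ["expected 3 non-empty segments, got %d" % len(parts)]
    try:
        payload = json.loads(_b64url_decode(parts[1]))
        json.loads(_b64url_decode(parts[0]))
        _b64url_decode(parts[2])
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return problems + ["segment does not decode (truncated or altered)"]
    # Assumption: expiry is carried in the standard "exp" claim (seconds since epoch).
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)):
        problems.append("no numeric exp claim; confirm expiry in the console")
    elif exp <= now:
        problems.append("token expired (exp=%d)" % exp)
    return problems


def make_sample_token(payload):
    """Build a CONSTRUCTED token with a dummy signature, for demonstration only."""
    def enc(obj):
        data = obj if isinstance(obj, bytes) else json.dumps(obj).encode()
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(payload), enc(b"constructed-signature")])


if __name__ == "__main__":
    sample = make_sample_token({"exp": 2000000000})  # constructed sample, not a real token
    print(check_token(sample, now=1700000000))
    print(check_token(sample + "\n", now=1700000000))
    print(check_token(sample[:60], now=1700000000))
```

The check runs entirely offline, so the token never leaves the machine it was pasted on.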

2. Confirm Correct Regional API Endpoint URL

  1. In the same Trend Vision One integration page, locate the API endpoint URL.
  2. Ensure the URL matches your deployment region. Common formats include:
    • US: https://api.xdr.trendmicro.com
    • EU: https://api.eu.xdr.trendmicro.com
    • JP: https://api.jp.xdr.trendmicro.com
  3. Copy this endpoint URL exactly to avoid typos.

3. Test API Token Manually

Use a tool like Postman or curl to verify the token works before configuring LogRhythm:

curl -X GET \
  "https://api.[your-region].xdr.trendmicro.com/v3.0/workbench/alerts" \
  -H "Authorization: Bearer [YOUR_API_TOKEN]" \
  -H "Content-Type: application/json"

  • A successful response returns HTTP 200 with alert data.
  • HTTP 401 indicates an invalid or expired token.
  • HTTP 403 suggests insufficient permissions.
  • HTTP 404 indicates the wrong endpoint URL.

4. Verify API Token Permissions

  1. In the Trend Vision One console, go to Administration → API Keys.
  2. Locate the API key used for LogRhythm integration.
  3. Confirm it has the following minimum permissions:
    • Workbench: View, filter, search
    • Response Management: View, create, edit
    • Search: View, filter, search
    • Threat Intelligence: View, filter, search
    • Reports: View, configure, download
  4. If permissions are insufficient, update the role, save changes, and generate a new token.

5. Configure LogRhythm Integration Correctly

  1. Open the LogRhythm console and navigate to Deployment Manager → Tools → Administration → SmartResponse Plugin Manager.
  2. Verify the Trend Vision One plugin is installed and active.
  3. Access the plugin configuration:
    • Set Base URL to the exact regional API endpoint URL copied from Trend Vision One.
    • Paste the full API token without truncation or extra spaces.
    • Set API version to v3.0.
    • Configure timeout (e.g., 30000 ms) and retry count (e.g., 3).
  4. Save the configuration.

6. Test Connection from LogRhythm

  1. Use the Test Connection button in the plugin configuration.
  2. If the test fails, review the exact error message.
  3. Check LogRhythm logs (typically under C:\Program Files\LogRhythm\LogRhythm System Monitor\logs\) for API or SmartResponse errors.

7. Verify Network Connectivity and SSL/TLS

  1. From the LogRhythm server, verify DNS resolution and connectivity:

    nslookup api.[your-region].xdr.trendmicro.com
    telnet api.[your-region].xdr.trendmicro.com 443
    curl -I https://api.[your-region].xdr.trendmicro.com

  2. Ensure the firewall allows outbound HTTPS (port 443) to the Trend Vision One API endpoint.
  3. Confirm SSL/TLS certificates are trusted:

    openssl s_client -connect api.[your-region].xdr.trendmicro.com:443

  4. If SSL inspection or a proxy is used, configure LogRhythm accordingly.

For more information, see the SSL implementation and credential provisioning documentation.

8. Final Validation

  1. Create a test alert in Trend Vision One.
  2. Confirm LogRhythm pulls the alert successfully.
  3. Monitor for any authentication errors or integration failures.

If issues persist, contact Trend Micro Technical Support with detailed logs and configuration screenshots for further assistance.