FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduce alert fatigue, context switching, and the mean time to respond to incidents.
Article Id 300777
Description This article describes how to fix the 401 HMAC authentication error when using the Splunk Add-on to create records in FortiSOAR.
Scope FortiSOAR.

When attempting to create an alert in FortiSOAR using the Splunk Add-On, it consistently shows a 401 HMAC Authentication Error even after regenerating a new Public/Private Key Pair.


Many times, the time between FortiSOAR and Splunk does not remain constant, which could be due to an NTP sync issue


Error Logs: 


xxxx-xx-xx 07:18:14,374 INFO pid=258830 tid=MainThread | timestamp:xxxx-xx-xx 03:18:13
2023-12-15 07:18:14,508 INFO pid=258830 tid=MainThread | End post url
2023-12-15 07:18:14,508 INFO pid=258830 tid=MainThread | Start check request
2023-12-15 07:18:14,508 ERROR pid=258830 tid=MainThread | Status Code: 401
2023-12-15 07:18:14,509 ERROR pid=258830 tid=MainThread | Returned Data: {"message":"An authentication exception occurred."}


Verify the Date and time on both environments (Splunk and FortiSOAR) and match the time manually or sync them with the NTP server.



timedatactl set-ntp true