FortiSOAR Knowledge Base
jankit6
Staff
Article Id 300777
Description: This article describes how to fix the 401 HMAC authentication error when using the Splunk Add-on to create records in FortiSOAR.
Scope: FortiSOAR.
Solution

When attempting to create an alert in FortiSOAR using the Splunk Add-on, the request consistently fails with a 401 HMAC authentication error, even after regenerating the public/private key pair.

Often the clocks on FortiSOAR and Splunk do not stay in sync, which could be due to an NTP sync issue.

Error logs:

xxxx-xx-xx 07:18:14,374 INFO pid=258830 tid=MainThread file=connection.py:__get_headers:135 | timestamp:xxxx-xx-xx 03:18:13
2023-12-15 07:18:14,508 INFO pid=258830 tid=MainThread file=connection.py:postUrl:174 | End post url
2023-12-15 07:18:14,508 INFO pid=258830 tid=MainThread file=connection.py:_checkRequest:159 | Start check request
2023-12-15 07:18:14,508 ERROR pid=258830 tid=MainThread file=connection.py:_checkRequest:163 | Status Code: 401
2023-12-15 07:18:14,509 ERROR pid=258830 tid=MainThread file=connection.py:_checkRequest:164 | Returned Data: {"message":"An authentication exception occurred."}

 

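Verify the date and time on both environments (Splunk and FortiSOAR), then either match the time manually or sync both with the NTP server.

# Show the current time, time zone and NTP synchronization status
timedatectl

# Enable NTP time synchronization
timedatectl set-ntp true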
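
To confirm the mismatch before and after the fix, the clock of one host can be compared with the other's over HTTPS. The script below is an added example, not part of the original article or Fortinet's code: run from the Splunk host, it reads the HTTP Date header returned by the FortiSOAR server and reports the difference from the local clock. FSR_URL, MAX_SKEW and the 60-second default are assumptions made for this example; the article does not state the tolerance FortiSOAR applies.

```shell
#!/usr/bin/env bash
# Added example (not Fortinet's code): estimate clock skew between this host
# (e.g. the Splunk server) and a remote HTTPS server (e.g. FortiSOAR) from the
# HTTP Date response header. Requires GNU date and curl.

# skew_seconds "<Date header value>" <local_epoch>
# Prints local_epoch minus the server's epoch (positive: local clock is ahead).
skew_seconds() {
    local server_epoch
    server_epoch=$(date -u -d "$1" +%s) || return 2
    echo $(( $2 - server_epoch ))
}

# within_tolerance <skew> <max_abs_seconds>: succeeds when |skew| <= max.
within_tolerance() {
    local s=$1
    if [ "$s" -lt 0 ]; then s=$(( -s )); fi
    [ "$s" -le "$2" ]
}

# fetch_date_header <url>: prints the Date header of the server's response.
fetch_date_header() {
    curl -s --max-time 10 -o /dev/null -D - "$1" | tr -d '\r' |
        awk 'tolower($1) == "date:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# FSR_URL and MAX_SKEW are hypothetical variables for this example. The page
# does not state FortiSOAR's allowed window, so 60 seconds is an assumption.
if [ -n "${FSR_URL:-}" ]; then
    hdr=$(fetch_date_header "$FSR_URL")
    [ -n "$hdr" ] || { echo "no Date header from $FSR_URL" >&2; exit 2; }
    skew=$(skew_seconds "$hdr" "$(date -u +%s)") || exit 2
    echo "local minus server clock: ${skew}s (Date header has 1 s resolution)"
    if within_tolerance "$skew" "${MAX_SKEW:-60}"; then
        echo "OK: clocks agree within ${MAX_SKEW:-60}s"
    else
        echo "SKEW: fix time sync (timedatectl set-ntp true) on the drifting host"
        exit 1
    fi
fi
```

Because both values are compared as UTC epoch seconds, a difference in configured time zones between the two hosts does not show up as skew; only a real clock offset does.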
