Splunk app user is not authenticated or receives error codes 401 or 403
Article ID: 291982
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Logs show “Received error code 403”, “User is not authenticated”, or “Check your API credentials”
Environment
- Carbon Black Cloud: All supported versions
- VMware App for Splunk: All supported versions
- Splunk: 8.x
Cause
The user’s API token did not have the correct permissions or the Org Key was configured incorrectly
Resolution
Create an API token with the correct permissions
Additional Information
- For more information see the documentation and our Youtube video
- Making sure the API key is applied consistently on the App and restarting the Splunk services may be helpful
Feedback
Yes
No
Powered by
