https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Security-Content-How-to-implement-create-macros/m-p/651271#M11628 <P>Hello, Just checking through if the issue was resolved or you have any further questions?</P> Thu, 20 Jul 2023 11:13:19 GMT meetmshah 2023-07-20T11:13:19Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Security-Content-How-to-implement-create-macros/m-p/649032#M11579 <P>Hi All..&nbsp;</P> <P>As you may be aware of Splunk's Security Content.. for example, for linux user creation&nbsp;<A href="https://research.splunk.com/endpoint/51fbcaf2-6259-11ec-b0f3-acde48001122/" target="_blank" rel="noopener">https://research.splunk.com/endpoint/51fbcaf2-6259-11ec-b0f3-acde48001122/</A><BR />on this, there are 2 macros they use.. one macro is:</P> <P><A href="https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml" target="_blank" rel="noopener">https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml</A></P> <P>actually how to implement/create this macro please.&nbsp;</P> <P>&nbsp;</P> Fri, 07 Jul 2023 16:33:37 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Security-Content-How-to-implement-create-macros/m-p/649032#M11579 inventsekar 2023-07-07T16:33:37Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Security-Content-How-to-implement-create-macros/m-p/649034#M11581 <P>But what's the problem? You implement this macro as if you did with any other macro.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Definesearchmacros" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Definesearchmacros</A></P> Mon, 03 Jul 2023 18:19:05 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Security-Content-How-to-implement-create-macros/m-p/649034#M11581 PickleRick 2023-07-03T18:19:05Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Security-Content-How-to-implement-create-macros/m-p/649198#M11593 <P>More often than not, you will have macro already available from the app (ESCU/SSE/ES), all you need to do is update the parameters from Settings -&gt; Advance Search -&gt; Search macros -&gt; Select Macro and update the same.</P><P>&nbsp;</P><P>Please note that in the cases like whitelisting indexes for CIM or other such applications, there would be configuration page where it will ask you for the list of indexes and it will automatically update the Macro.</P><P>&nbsp;</P><P>If this answer have helped you, feel free to accept the same <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 04 Jul 2023 17:48:30 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Security-Content-How-to-implement-create-macros/m-p/649198#M11593 meetmshah 2023-07-04T17:48:30Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Security-Content-How-to-implement-create-macros/m-p/651271#M11628 <P>Hello, Just checking through if the issue was resolved or you have any further questions?</P> Thu, 20 Jul 2023 11:13:19 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Security-Content-How-to-implement-create-macros/m-p/651271#M11628 meetmshah 2023-07-20T11:13:19Z