Many rules in Splunk Security Content Repo (ESCU) use this macro "read_ssa_enriched_events", but no macro with this name has been developed in ESCU app or Splunk Security Essentials. So many rules are not ready to deploy on Splunk Environment.
I leave here an example of rule using this macro: https://github.com/splunk/security_content/blob/develop/detections/endpoint/ssa___applying_stolen_cr...
Someone helps?