
"Windows Event Code Security Analysis" does not work

hamanako
Explorer

Hi, my name is hamanako.

I would like to use "Windows Event Code Security Analysis", but when I select the "Lookup OverView" or "Table Analysis" menu, I get the following error.

Please let me know how to solve this problem.

Error message:
  The app you requested is not available on "splunk_wineventcode_secanalysis".
  The app you requested is not available on this system. Check the spelling of the app, or choose another from the following list:

Environment:
  OS:  Windows 2012
  Splunk Enterprise 8.1.2 (Free)

  Windows Event Code Security Analysis Version 1.3
    file name: splunk_wineventcode_secanalysis
https://github.com/stressboi/splunk_wineventcode_secanalysis


mamesuke
Explorer

Please change the link to the following.

https://<hostname>/en-US/app/splunk_wineventcode_secanalysis/lookup_overview?

↓

https://<hostname>/en-US/app/splunk_wineventcode_secanalysis-master/lookup_overview?

hamanako
Explorer

>> mamesuke 

Thank you very much for your answer.
I was able to show the "Lookup Overview" by adding "-master" to the link.

How can I get the "Lookup Overview" to appear when I click the "Lookup Overview" menu from the "Windows Event Code Security Analysis" screen?


mamesuke
Explorer

Please remove the app and install it again.

If you download it from GitHub, it will be named "splunk_wineventcode_secanalysis-master.zip".

But when you add it to your Splunk apps, rename the zip file as follows:

splunk_wineventcode_secanalysis-master.zip

↓   remove "-master"

splunk_wineventcode_secanalysis.zip


hamanako
Explorer

>> mamesuke

I followed the instructions you provided, but to no avail.

 1) Remove the current app
       /opt/splunk/bin/splunk remove app splunk_wineventcode_secanalysis-master
 2) Download the new splunk_wineventcode_secanalysis-master.zip from GitHub
 3) Rename the file to "splunk_wineventcode_secanalysis.zip"
 4) Import splunk_wineventcode_secanalysis.zip from "install app from file".

On GitHub, there is the following description:

 "REQUIRES COMMON INFORMATION MODEL 4.14+ with properly populated signature_id field!"

I haven't done anything about the "properly populated signature_id field!" because I don't know how to do that. Is this relevant here?

Environment:
# /opt/splunk/bin/splunk display app
  Splunk_SA_CIM CONFIGURED ENABLED INVISIBLE
  Splunk_TA_windows UNCONFIGURED ENABLED INVISIBLE
  splunk_wineventcode_secanalysis-master UNCONFIGURED ENABLED VISIBLE


mamesuke
Explorer

I didn't explain it well enough.

1) Remove the current app
      /opt/splunk/bin/splunk remove app splunk_wineventcode_secanalysis-master

2) Download a new splunk_wineventcode_secanalysis-master.zip from GitHub.

3) Extract the file and rename the folder inside it:
      splunk_wineventcode_secanalysis-master/splunk_wineventcode_secanalysis-master/appserver(bin,default...)
      ↓
      splunk_wineventcode_secanalysis-master/splunk_wineventcode_secanalysis/appserver(bin,default...)

4) Compress the folder:
      splunk_wineventcode_secanalysis/appserver(bin,default...) → splunk_wineventcode_secanalysis.zip

5) Import splunk_wineventcode_secanalysis.zip from "install app from file".

Your environment is fine.

I hope your problem is solved soon.
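The steps above work because Splunk installs an app under whatever top-level folder the archive contains, so it is the folder inside the GitHub zip, not the zip's file name, that has to match the app id used by the app's own navigation links and URLs (the thread shows the same thing: renaming only the zip file did not help, renaming the folder inside it did). The following Python script is an added example, not code from the thread or from the splunk_wineventcode_secanalysis project; it automates steps 3 and 4 by reading the GitHub download, checking that the archive has exactly one root folder and no absolute or ".." paths, and writing a new zip with that root renamed. The app id, the sample file layout and the file contents are constructed assumptions for the demo; the remove and "install app from file" steps are still done in Splunk as in the answer.

```python
"""Repackage a GitHub "Download ZIP" archive so that Splunk installs the app
under its real directory name.

Added example, not code from the thread or from the
splunk_wineventcode_secanalysis project. Assumption: Splunk names the
installed app after the single top-level folder inside the archive, which is
what the thread shows (renaming the zip file alone did not help; renaming
the folder inside it did).
"""
import os
import tempfile
import zipfile

# App id assumed from the thread: the folder name Splunk's URLs and nav expect.
APP_ID = "splunk_wineventcode_secanalysis"


def top_level_dir(zip_path):
    """Return the archive's single root folder.

    Raises ValueError when there is not exactly one root, or when an entry
    carries an absolute path or a '..' component; such an archive should
    never be unpacked into $SPLUNK_HOME/etc/apps.
    """
    roots = set()
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            if name.startswith("/") or ".." in name.split("/"):
                raise ValueError("unsafe path in archive: %s" % name)
            roots.add(name.split("/", 1)[0])
    if len(roots) != 1:
        raise ValueError("expected one root folder, found %s" % sorted(roots))
    return roots.pop()


def repackage(src_zip, dst_zip, app_id=APP_ID):
    """Write dst_zip with every entry of src_zip moved from <old root>/ to <app_id>/.

    Returns the root folder name that was replaced.
    """
    old_root = top_level_dir(src_zip)
    with zipfile.ZipFile(src_zip) as src, \
         zipfile.ZipFile(dst_zip, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            # Every entry starts with old_root; keep the rest of the path verbatim.
            new_name = app_id + info.filename[len(old_root):]
            dst.writestr(new_name, src.read(info))
    return old_root


def make_github_style_zip(path):
    """Constructed sample: the layout a GitHub 'Download ZIP' of the repo has.

    The file contents are placeholders, not the project's real files.
    """
    root = APP_ID + "-master/"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(root, "")
        zf.writestr(root + "default/app.conf", "[ui]\nis_visible = 1\n")
        zf.writestr(root + "default/data/ui/nav/default.xml", "<nav/>\n")
        zf.writestr(root + "appserver/static/placeholder.txt", "")
    return path


def demo():
    """Build the sample download, repackage it, and report the result."""
    workdir = tempfile.mkdtemp()
    src = make_github_style_zip(os.path.join(workdir, APP_ID + "-master.zip"))
    dst = os.path.join(workdir, APP_ID + ".zip")
    old_root = repackage(src, dst)
    with zipfile.ZipFile(dst) as zf:
        names = sorted(zf.namelist())
    return old_root, top_level_dir(dst), names


def rejects_traversal():
    """True if an archive with a '..' entry is refused (constructed sample)."""
    path = os.path.join(tempfile.mkdtemp(), "bad.zip")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(APP_ID + "-master/default/app.conf", "")
        zf.writestr(APP_ID + "-master/../outside.conf", "")
    try:
        top_level_dir(path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    old, new, names = demo()
    print("root folder %s -> %s" % (old, new))
    for n in names:
        print("  " + n)
```

Run it against the real download by calling repackage("splunk_wineventcode_secanalysis-master.zip", "splunk_wineventcode_secanalysis.zip") and then use the produced zip in "install app from file". The root-folder check is also a quick way to confirm why an installed app shows up as "...-master" in the output of splunk display app: the name Splunk shows is the archive's root folder, exactly as in hamanako's listing above.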

hamanako
Explorer

>> mamesuke

Special Thanks!

By following the instructions you provided, the app worked as expected.
I was finally able to solve the problem.

I apologize for the late reply.
Thank you very much for your detailed explanation.
