Splunk Enterprise Security

Error in 'apply' command: Failed to load model "smb_pdfmodel": Model does not exist.

BenzSann
Splunk Employee

I tried to enable some use cases from Splunk ESCU, then copied the SPL command and ran a search to test. It seems that some use cases show an error due to MLTK.

Any idea how to solve this? I use Splunk Core 8.0.4 with ES 6.2.0.


Pcktech
Explorer

Not sure if you still have this question, but I had the same one and don't like unanswered forum questions (you never know who is in need of an answer)...

Go to Search, Reports, & Alerts and find "ESCU - Baseline of SMB Traffic - MLTK" (thanks to https://docs.splunksecurityessentials.com/content-detail/smb_traffic_spike_-_mltk/ for the thread to pull). Enable this saved search and schedule it hourly (or change its time window from -70/-10min to whatever you like).

If you run it manually, be aware that it will save smb_pdfmodel under your user context. So, if you want to test the Correlation Rule before the next scheduled run time: run the saved search "ESCU - Baseline of SMB Traffic - MLTK", then go to Lookups > Lookup Tables. Look for "smb_pdfmodel" under all Apps and Owners. Click Change Permissions and set it to Global with the desired permissions (e.g. everyone read). This should move smb_pdfmodel to the DA-ESS-ContentUpdate app context.

Now the Correlation Rule "SMB Traffic Spike - MLTK" will run successfully.

FYI: You can also find the file at /opt/splunk/etc/apps/DA-ESS-ContentUpdate/lookups/__mlspl_smb_pdfmodel.mlmodel
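The answer above boils down to a scoping problem: a manually run baseline search writes the model into the running user's private context, so the correlation rule (which runs in the DA-ESS-ContentUpdate app context) cannot see it. The following shell function is an added example, not code from the thread or from Splunk, that checks on disk where a given MLTK model file currently lives so you can tell the two cases apart before re-running the rule. It uses the app-level path quoted in the answer (`etc/apps/<app>/lookups/__mlspl_<model>.mlmodel`) and assumes Splunk's standard layout for user-private knowledge objects (`etc/users/<user>/<app>/lookups/`).

```shell
#!/bin/sh
# Report where an MLTK model file lives under a Splunk install.
#
#   find_mlmodel SPLUNK_HOME MODEL_NAME
#
# Prints one line per copy found:
#   app:<app>          model is in an app context (visible to correlation rules)
#   user:<user>/<app>  model is user-private (a manual run saved it there)
# Prints "missing" if no copy exists at all.
# Returns 0 only when an app-scoped copy exists, i.e. when the rule should work.
find_mlmodel() {
    home="$1"
    model="$2"
    file="__mlspl_${model}.mlmodel"   # MLTK's on-disk model filename pattern (from the thread)
    found_app=""
    found_any=""

    # App-scoped copies: what a scheduled saved search writes (e.g. DA-ESS-ContentUpdate).
    for p in "$home"/etc/apps/*/lookups/"$file"; do
        [ -f "$p" ] || continue
        app=$(basename "$(dirname "$(dirname "$p")")")
        echo "app:$app"
        found_app=1
        found_any=1
    done

    # User-private copies: what a manual run saves under the running user's context.
    # Path layout etc/users/<user>/<app>/lookups is assumed (Splunk's usual layout).
    for p in "$home"/etc/users/*/*/lookups/"$file"; do
        [ -f "$p" ] || continue
        appdir=$(dirname "$(dirname "$p")")
        user=$(basename "$(dirname "$appdir")")
        echo "user:$user/$(basename "$appdir")"
        found_any=1
    done

    [ -n "$found_any" ] || echo "missing"
    [ -n "$found_app" ]
}

# Stand-alone use on a real install: export SPLUNK_HOME (default /opt/splunk) and run the file.
if [ -n "${SPLUNK_HOME:-}" ] && [ -d "$SPLUNK_HOME" ]; then
    find_mlmodel "$SPLUNK_HOME" smb_pdfmodel || true
fi
```

If the function prints only a `user:` line, the model exists but is private to whoever ran the baseline search; that is exactly the "Model does not exist" symptom, and the fix is the permission change described above (or simply waiting for the scheduled run). An `app:DA-ESS-ContentUpdate` line means the model is already in the context the correlation rule searches.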
