Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Security Essentials - macro 'summariesonly_config' cannot be found

corti77
Communicator
‎08-30-2024 03:40 AM

Hi,

I am testing the Security Essentials App 3.8.0 in Splunk 9.0.8, and I found the same issue while trying to activate the following contents:

  • Unknown Process Using The Kerberos Protocol
  • Windows Steal or Forge Kerberos Tickets Klist
  • ServicePrincipalNames Discovery with SetSPN
  • Rubeus Command Line Parameters
  • Mimikatz PassTheTicket CommandLine Parameters

In all cases above, I get two errors:

  •  "Must have data in data model Endpoint.Processes" is in red even though I have installed several Add-ons suggested as compatible such as
    • Splunk Add-on for Microsoft Windows 8.9.0
    • Palo Alto Networks Add-on for Splunk 8.1.1
  • Error in 'SearchParser': The search specifies a macro 'summariesonly_config' that cannot be found. 
    I searched that missing macro and indeed it does not exist. Should I create it manually? With which value?

Do you have any idea how to fix those two errors?

Many thanks

Labels (2)
Preview file
102 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-30-2024 07:40 AM

Installing add-ons is not enough to populate a datamodel.  You must have indexed data that matches what the datamodel looks for and is tagged appropriately.

None of the listed SE content uses a macro called `summariesonly_config`.  Creating one is likely to be the easiest way around this error.  I would set the definition to 'summariesonly=true'.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

corti77
Communicator
‎09-02-2024 02:34 AM

Hi @richgalloway ,

you were right.

The datamodel "Endpoint" was not properly configured, whitelisted indexers were empty.

I added the index wineventlog but it still appears in red. But whenever I click on the "open search" link next to the red icon, that query does get data.
any idea of what might be happening here?

Also, I created the macro "summaryonly_config" as you suggested but new errors appeared related to the other two missing macros "oldsummaries_config" and "fillnull_config".

I also created these macros with a true value in both cases. that seems to solve the issue with the search, no more errors are shown.

thanks

 

Preview file
129 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-02-2024 08:17 AM

Is the Endpoint DM accelerated?  If not, then setting indexes won't accomplish anything.  Also, the data in the wineventlog index must be CIM-compliant.  See the CIM Manual for the field names expected by the DM.  Use field aliases and EVALs in props.conf to create the fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

corti77
Communicator
‎09-02-2024 08:58 AM

hi again @richgalloway ,

the model is accelerated and contains data. 

corti77_0-1725292600523.png

and I use the latest version of the Microsoft add-on 8.9.0 which is CIM compliant.

corti77_1-1725292656162.png

any other idea?

many thanks

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...