Splunk Enterprise Security

Splunk Security Essentials - macro 'summariesonly_config' cannot be found

corti77
Communicator

Hi,

I am testing the Security Essentials App 3.8.0 in Splunk 9.0.8, and I found the same issue while trying to activate the following contents:

  • Unknown Process Using The Kerberos Protocol
  • Windows Steal or Forge Kerberos Tickets Klist
  • ServicePrincipalNames Discovery with SetSPN
  • Rubeus Command Line Parameters
  • Mimikatz PassTheTicket CommandLine Parameters

In all cases above, I get two errors:

  • "Must have data in data model Endpoint.Processes" is in red even though I have installed several Add-ons suggested as compatible such as
    • Splunk Add-on for Microsoft Windows 8.9.0
    • Palo Alto Networks Add-on for Splunk 8.1.1
  • Error in 'SearchParser': The search specifies a macro 'summariesonly_config' that cannot be found.
    I searched that missing macro and indeed it does not exist. Should I create it manually? With which value?

Do you have any idea how to fix those two errors?

Many thanks

0 Karma

richgalloway
SplunkTrust

Installing add-ons is not enough to populate a datamodel.  You must have indexed data that matches what the datamodel looks for and is tagged appropriately.

None of the listed SE content uses a macro called `summariesonly_config`.  Creating one is likely to be the easiest way around this error.  I would set the definition to 'summariesonly=true'.

---
If this reply helps you, Karma would be appreciated.
0 Karma

corti77
Communicator

Hi @richgalloway ,

You were right.

The datamodel "Endpoint" was not properly configured, whitelisted indexers were empty.

I added the index wineventlog but it still appears in red. But whenever I click on the "open search" link next to the red icon, that query does get data.
Any idea of what might be happening here?

Also, I created the macro "summaryonly_config" as you suggested but new errors appeared related to the other two missing macros "oldsummaries_config" and "fillnull_config".

I also created these macros with a true value in both cases. That seems to solve the issue with the search, no more errors are shown.

thanks


0 Karma
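The three macros named in this thread (summariesonly_config, oldsummaries_config, fillnull_config) wrap tstats options, so they can be defined in a macros.conf like the one below. This is an added example, not code from either poster; the definition values are assumptions to adjust to your deployment, while the argument names (summariesonly, allow_old_summaries, fillnull_value) are standard tstats options.

```ini
# macros.conf, e.g. in $SPLUNK_HOME/etc/apps/<your_app>/local/  (added example)
# Definition values below are assumptions; choose what fits your data.

# summariesonly=true reads only the accelerated summary of the data model.
# If the summary has not been built yet, such a search returns no events
# even when a non-summary search over the same data model finds data,
# which is one way a "must have data" check can stay red.
# Use false while validating acceleration, true once summaries are populated.
[summariesonly_config]
definition = summariesonly=false

# Let tstats use summaries built before the data model was last modified,
# instead of discarding them until re-acceleration completes.
[oldsummaries_config]
definition = allow_old_summaries=true

# Fill fields missing from the summary so later where/eval clauses behave.
[fillnull_config]
definition = fillnull_value=null

# Check that the accelerated summary really holds data (run in Search):
#   | tstats summariesonly=true  count from datamodel=Endpoint.Processes
#   | tstats summariesonly=false count from datamodel=Endpoint.Processes
# If only the second returns a count, the acceleration summary is empty.
```

Restart or debug/refresh Splunk after adding the file so the macros are picked up, and confirm they resolve with a search that references them before re-running the content check.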

richgalloway
SplunkTrust

Is the Endpoint DM accelerated?  If not, then setting indexes won't accomplish anything.  Also, the data in the wineventlog index must be CIM-compliant.  See the CIM Manual for the field names expected by the DM.  Use field aliases and EVALs in props.conf to create the fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma

corti77
Communicator

Hi again @richgalloway ,

The model is accelerated and contains data.

[screenshot: corti77_0-1725292600523.png]

And I use the latest version of the Microsoft add-on 8.9.0 which is CIM compliant.

[screenshot: corti77_1-1725292656162.png]

Any other idea?

Many thanks


0 Karma