Splunk Enterprise Security

Splunk Security Essentials - macro 'summariesonly_config' cannot be found

corti77
Contributor

Hi,

I am testing the Security Essentials App 3.8.0 in Splunk 9.0.8, and I found the same issue while trying to activate the following contents:

  • Unknown Process Using The Kerberos Protocol
  • Windows Steal or Forge Kerberos Tickets Klist
  • ServicePrincipalNames Discovery with SetSPN
  • Rubeus Command Line Parameters
  • Mimikatz PassTheTicket CommandLine Parameters

In all cases above, I get two errors:

  • "Must have data in data model Endpoint.Processes" is in red even though I have installed several Add-ons suggested as compatible such as
    • Splunk Add-on for Microsoft Windows 8.9.0
    • Palo Alto Networks Add-on for Splunk 8.1.1
  • Error in 'SearchParser': The search specifies a macro 'summariesonly_config' that cannot be found.
    I searched that missing macro and indeed it does not exist. Should I create it manually? With which value?

Do you have any idea how to fix those two errors?

Many thanks


richgalloway
SplunkTrust

Installing add-ons is not enough to populate a datamodel.  You must have indexed data that matches what the datamodel looks for and is tagged appropriately.

None of the listed SE content uses a macro called `summariesonly_config`.  Creating one is likely to be the easiest way around this error.  I would set the definition to 'summariesonly=true'.

---
If this reply helps you, Karma would be appreciated.

corti77
Contributor

Hi @richgalloway ,

You were right.

The datamodel "Endpoint" was not properly configured, whitelisted indexers were empty.

I added the index wineventlog but it still appears in red. But whenever I click on the "open search" link next to the red icon, that query does get data.
Any idea of what might be happening here?

Also, I created the macro "summariesonly_config" as you suggested, but new errors appeared related to two other missing macros, "oldsummaries_config" and "fillnull_config".

I also created these macros with a true value in both cases. That seems to solve the issue with the search; no more errors are shown.

thanks


richgalloway
SplunkTrust

Is the Endpoint DM accelerated?  If not, then setting indexes won't accomplish anything.  Also, the data in the wineventlog index must be CIM-compliant.  See the CIM Manual for the field names expected by the DM.  Use field aliases and EVALs in props.conf to create the fields.

---
If this reply helps you, Karma would be appreciated.
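As an added example (not from this thread or from Splunk Security Essentials itself), here is what a local macros.conf defining the three macros named above could look like, assuming each macro simply expands to the matching tstats argument (summariesonly, allow_old_summaries, fillnull_value); the app path and the definitions are assumptions, and the tstats search in the comment is a way to check whether the accelerated Endpoint.Processes summary actually holds events, since a search with summariesonly=true returns nothing from an empty summary even when the raw events exist.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf
# Definitions are assumptions matching the tstats argument each macro name suggests.

[summariesonly_config]
# Only read from the accelerated summary; fast, but empty until acceleration has built.
definition = summariesonly=true
iseval = 0

[oldsummaries_config]
# Accept summaries built under an older data model definition instead of discarding them.
definition = allow_old_summaries=true
iseval = 0

[fillnull_config]
# Replace missing split-by field values with the literal string "null".
definition = fillnull_value=null
iseval = 0

# Check that the accelerated summary is populated (run in Search; constructed check, not SSE content):
#   | tstats `summariesonly_config` `oldsummaries_config` `fillnull_config` count
#       from datamodel=Endpoint.Processes by Processes.dest
# Zero rows here, while the same search with summariesonly=false returns rows,
# means the events are CIM-mapped but the acceleration summary has not been built yet.
```

After saving the file, reload the macro definitions (for example through the Settings > Advanced search > Search macros page or a debug refresh) before re-running the SSE content checks.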

corti77
Contributor

Hi again @richgalloway ,

The model is accelerated and contains data.

And I use the latest version of the Microsoft add-on 8.9.0, which is CIM compliant.

Any other idea?

Many thanks
