Splunk Enterprise Security

Splunk Security Essentials - macro 'summariesonly_config' cannot be found

corti77
Contributor

Hi,

I am testing the Security Essentials App 3.8.0 in Splunk 9.0.8, and I ran into the same issue while trying to activate the following content:

  • Unknown Process Using The Kerberos Protocol
  • Windows Steal or Forge Kerberos Tickets Klist
  • ServicePrincipalNames Discovery with SetSPN
  • Rubeus Command Line Parameters
  • Mimikatz PassTheTicket CommandLine Parameters

In all cases above, I get two errors:

  • "Must have data in data model Endpoint.Processes" is in red, even though I have installed several add-ons suggested as compatible, such as:
    • Splunk Add-on for Microsoft Windows 8.9.0
    • Palo Alto Networks Add-on for Splunk 8.1.1
  • Error in 'SearchParser': The search specifies a macro 'summariesonly_config' that cannot be found.
    I searched for that missing macro and indeed it does not exist. Should I create it manually? With which value?

Do you have any idea how to fix those two errors?

Many thanks


richgalloway
SplunkTrust

Installing add-ons is not enough to populate a datamodel.  You must have indexed data that matches what the datamodel looks for and is tagged appropriately.

None of the listed SE content uses a macro called `summariesonly_config`.  Creating one is likely to be the easiest way around this error.  I would set the definition to 'summariesonly=true'.

---
If this reply helps you, Karma would be appreciated.

corti77
Contributor

Hi @richgalloway ,

You were right.

The data model "Endpoint" was not properly configured: the list of whitelisted indexes was empty.

I added the index wineventlog, but it still appears in red. However, whenever I click on the "open search" link next to the red icon, that query does get data.
Any idea what might be happening here?

Also, I created the macro "summariesonly_config" as you suggested, but new errors appeared related to two other missing macros, "oldsummaries_config" and "fillnull_config".

I also created these macros with a true value in both cases. That seems to solve the issue with the search; no more errors are shown.

Thanks

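The three macros discussed above can be created in one macros.conf file instead of through the UI. The following is an added example, not content from the original thread and not the macro definitions shipped by the Splunk Security Essentials app; the app directory, and the values chosen for `oldsummaries_config` and `fillnull_config`, are assumptions based on the macro names and on where such macros are normally expanded in a `tstats` search. Check the failing search to confirm where each macro is expanded before using these values.

```ini
# Added example, not from the original thread or from the Splunk Security Essentials app.
# Suggested location (assumption): $SPLUNK_HOME/etc/apps/Splunk_Security_Essentials/local/macros.conf
# or a custom app whose macros are exported to all apps.
#
# A macro is substituted verbatim into the search string, so each definition must be
# valid SPL at the exact position where the macro is expanded.

[summariesonly_config]
# Expected (assumption) inside `| tstats <here> count from datamodel=Endpoint.Processes ...`.
# summariesonly=true reads only the accelerated summary: fast, but it returns nothing
# for data that is not covered by the acceleration window.
definition = summariesonly=true
iseval = 0

[oldsummaries_config]
# Same position as above (assumption). allow_old_summaries=true lets tstats use
# summaries built against an earlier version of the data model instead of discarding them.
definition = allow_old_summaries=true
iseval = 0

[fillnull_config]
# Assumed to be expanded as `| fillnull <here>`: gives empty fields a placeholder value
# so that `by` clauses, lookups and stats do not silently drop rows.
definition = value="unknown"
iseval = 0
```

After restarting or reloading the app, confirm the macros are visible from the app the searches run in with `| rest /servicesNS/-/-/admin/macros | search title=summariesonly_config OR title=oldsummaries_config OR title=fillnull_config | table eai:acl.app eai:acl.sharing title definition`. If a macro shows up only with app-level sharing, set `export = system` for it in the app's metadata/local.meta so that searches in other apps can expand it.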

richgalloway
SplunkTrust

Is the Endpoint DM accelerated?  If not, then setting indexes won't accomplish anything.  Also, the data in the wineventlog index must be CIM-compliant.  See the CIM Manual for the field names expected by the DM.  Use field aliases and EVALs in props.conf to create the fields.

---
If this reply helps you, Karma would be appreciated.
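The reply above names the two things that actually feed the red/green check: the data model must be accelerated, and the events must carry the CIM field names and tags the Endpoint.Processes dataset looks for. The following is an added illustration of that mechanism, not content from the thread and not the configuration shipped by the Splunk Add-on for Microsoft Windows (which already does this for Windows event logs). The sourcetype `acme:edr:process` and its raw field names (`image`, `cmdline`, `pid`, `ppid`, `parent_image`, `host_name`, `username`) are hypothetical.

```ini
# Added example, not from the thread and not the Splunk Add-on for Windows.
# Maps a hypothetical vendor sourcetype onto CIM Endpoint.Processes fields and tags it
# so that the Endpoint data model picks the events up.

# ---- props.conf ---------------------------------------------------------------
[acme:edr:process]
# Exact renames: <raw field> AS <CIM field>
FIELDALIAS-cim_process_id        = pid AS process_id
FIELDALIAS-cim_parent_process_id = ppid AS parent_process_id
FIELDALIAS-cim_dest              = host_name AS dest
FIELDALIAS-cim_user              = username AS user
FIELDALIAS-cim_process_path      = image AS process_path
FIELDALIAS-cim_parent_process_path = parent_image AS parent_process_path
FIELDALIAS-cim_process           = cmdline AS process
# Derived values: CIM process_name is the file name only, not the full path.
# Four backslashes in the conf file become two in the SPL string and one literal
# backslash in the regex, so the class matches either "\" or "/" separators.
EVAL-process_name        = replace(image, "^.*[\\\\/]", "")
EVAL-parent_process_name = replace(parent_image, "^.*[\\\\/]", "")
# Endpoint.Processes expects an action; assume every record is an allowed process start.
EVAL-action = "allowed"

# ---- eventtypes.conf ----------------------------------------------------------
[acme_edr_process]
search = sourcetype="acme:edr:process"

# ---- tags.conf ----------------------------------------------------------------
# The Endpoint.Processes dataset constraint is `tag=process tag=report`; without both
# tags the events never enter the data model, however well the fields are named.
[eventtype=acme_edr_process]
process = enabled
report  = enabled

# ---- datamodels.conf (Splunk_SA_CIM/local) ------------------------------------
# summariesonly=true searches read only the accelerated summary, so acceleration must
# be on and its window must cover the time range the content checks.
[Endpoint]
acceleration = 1
acceleration.earliest_time = -7d
```

Two searches separate the failure modes: `| datamodel Endpoint Processes search | head 5` shows whether events match the dataset constraint at all (field mapping and tags), while `| tstats summariesonly=true count from datamodel=Endpoint.Processes by index sourcetype` shows whether the accelerated summary contains them. If the first returns rows and the second returns nothing, the problem is acceleration (not enabled, still building, or the index was added after the summary was built), not CIM compliance.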

corti77
Contributor

Hi again @richgalloway ,

The model is accelerated and contains data.

[screenshot: Endpoint data model acceleration status]

I also use the latest version of the Microsoft add-on, 8.9.0, which is CIM compliant.

[screenshot: installed add-on version]

Any other ideas?

Many thanks
