Splunk Enterprise Security

Splunk Security Essentials - macro 'summariesonly_config' cannot be found

corti77
Contributor

Hi,

I am testing the Security Essentials App 3.8.0 in Splunk 9.0.8, and I found the same issue while trying to activate the following contents:

  • Unknown Process Using The Kerberos Protocol
  • Windows Steal or Forge Kerberos Tickets Klist
  • ServicePrincipalNames Discovery with SetSPN
  • Rubeus Command Line Parameters
  • Mimikatz PassTheTicket CommandLine Parameters

In all cases above, I get two errors:

  • "Must have data in data model Endpoint.Processes" is in red even though I have installed several Add-ons suggested as compatible such as
    • Splunk Add-on for Microsoft Windows 8.9.0
    • Palo Alto Networks Add-on for Splunk 8.1.1
  • Error in 'SearchParser': The search specifies a macro 'summariesonly_config' that cannot be found.
    I searched that missing macro and indeed it does not exist. Should I create it manually? With which value?

Do you have any idea how to fix those two errors?

Many thanks

0 Karma

richgalloway
SplunkTrust

Installing add-ons is not enough to populate a datamodel.  You must have indexed data that matches what the datamodel looks for and is tagged appropriately.

None of the listed SE content uses a macro called `summariesonly_config`.  Creating one is likely to be the easiest way around this error.  I would set the definition to 'summariesonly=true'.

---
If this reply helps you, Karma would be appreciated.
0 Karma

corti77
Contributor

Hi @richgalloway ,

You were right.

The datamodel "Endpoint" was not properly configured, whitelisted indexers were empty.

I added the index wineventlog but it still appears in red. But whenever I click on the "open search" link next to the red icon, that query does get data.
Any idea of what might be happening here?

Also, I created the macro "summariesonly_config" as you suggested, but new errors appeared related to the other two missing macros "oldsummaries_config" and "fillnull_config".

I also created these macros with a true value in both cases. That seems to solve the issue with the search; no more errors are shown.

Thanks


0 Karma
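For anyone hitting the same three "macro cannot be found" errors, here is an added example (not from this thread and not what Splunk Security Essentials 3.8.0 ships) of a macros.conf that defines them. The tstats argument each macro expands to is my assumption, chosen from the tstats options the names suggest; the app path and sharing settings are assumptions as well.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf on the
# search head, with the app shared globally (export = system in its metadata)
# so the macros resolve when Splunk Security Essentials runs the content.

# Read only from the accelerated summary. If the Endpoint data model is not
# accelerated, summariesonly=true returns nothing; use false to fall back to
# a raw-event search while acceleration is being fixed.
[summariesonly_config]
definition = summariesonly=true

# Keep using summaries built before the data model definition last changed,
# instead of returning nothing until the summary is rebuilt.
[oldsummaries_config]
definition = allow_old_summaries=true

# Put a marker value into fields that are missing from an event, so a
# "by" clause does not silently drop that event from the detection.
[fillnull_config]
definition = fillnull_value="null"
```

A quick check from the search bar is: | tstats `summariesonly_config` `oldsummaries_config` `fillnull_config` count from datamodel=Endpoint.Processes by Processes.process_name. Zero results with summariesonly=true but results with summariesonly=false points at acceleration rather than CIM field mapping as the problem.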

richgalloway
SplunkTrust

Is the Endpoint DM accelerated?  If not, then setting indexes won't accomplish anything.  Also, the data in the wineventlog index must be CIM-compliant.  See the CIM Manual for the field names expected by the DM.  Use field aliases and EVALs in props.conf to create the fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma

corti77
Contributor

Hi again @richgalloway ,

The model is accelerated and contains data.

[screenshot attached: corti77_0-1725292600523.png]

And I use the latest version of the Microsoft add-on, 8.9.0, which is CIM compliant.

[screenshot attached: corti77_1-1725292656162.png]

Any other idea?

Many thanks


0 Karma