Splunk Enterprise Security

Missed macro ec2_excessive_terminateinstances_mltk_input_filter

evelenke
Contributor

Hi Splunkers,

in ES Content Update there's detection rule that requires a prebuild MLTK model that is formed by a search "ESCU - Baseline of Excessive AWS Instances Terminated by User - MLTK". And the search uses macro ec2_excessive_terminateinstances_mltk_input_filter , that can not be found neither in ESCU nor other apps.

Is it more a Support case or someone may help with this macro?

 

Tags (2)
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...