Splunk Enterprise Security

Missed macro ec2_excessive_terminateinstances_mltk_input_filter


Hi Splunkers,

in ES Content Update there's detection rule that requires a prebuild MLTK model that is formed by a search "ESCU - Baseline of Excessive AWS Instances Terminated by User - MLTK". And the search uses macro ec2_excessive_terminateinstances_mltk_input_filter , that can not be found neither in ESCU nor other apps.

Is it more a Support case or someone may help with this macro?


Tags (2)
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...