Splunk Enterprise Security

Missed macro ec2_excessive_terminateinstances_mltk_input_filter

evelenke
Contributor

Hi Splunkers,

in ES Content Update there's detection rule that requires a prebuild MLTK model that is formed by a search "ESCU - Baseline of Excessive AWS Instances Terminated by User - MLTK". And the search uses macro ec2_excessive_terminateinstances_mltk_input_filter , that can not be found neither in ESCU nor other apps.

Is it more a Support case or someone may help with this macro?

 

Tags (2)
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...