Splunk Enterprise Security

Missed macro ec2_excessive_terminateinstances_mltk_input_filter

evelenke
Contributor

Hi Splunkers,

in ES Content Update there's detection rule that requires a prebuild MLTK model that is formed by a search "ESCU - Baseline of Excessive AWS Instances Terminated by User - MLTK". And the search uses macro ec2_excessive_terminateinstances_mltk_input_filter , that can not be found neither in ESCU nor other apps.

Is it more a Support case or someone may help with this macro?

 

Tags (2)
0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!