This repository has been archived by the owner on Apr 10, 2024. It is now read-only.

Commit

updating research.splunk.com site bits [ci skip]
publish bot committed Mar 4, 2024
1 parent 09a39f0 commit df15894
Showing 859 changed files with 918 additions and 918 deletions.
2 changes: 1 addition & 1 deletion _posts/2017-01-07-354be8e0-32cd-4da0-8c47-796de13b60ea.md
Expand Up @@ -105,8 +105,8 @@ The search is used to detect systems that are still vulnerable to the Spectre an

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **spectre_and_meltdown_vulnerable_systems_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
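Review bot: the only change in this hunk is that the `security_content_ctime` and `security_content_summariesonly` bullets trade places; the Macros list is an unordered markdown list, so the rendered page is identical before and after, and this same swap is what accounts for 918 additions and 918 deletions across 859 posts. The generator should emit macros in a deterministic order (sorted by name) so that a regeneration with no content change produces no diff. Unrelated to the swap but visible in the trailing context: `is a empty macro` should read `is an empty macro`; since this sentence is templated into every post, fix it in the template rather than in the individual files.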
2 changes: 1 addition & 1 deletion _posts/2017-09-12-a34aae96-ccf8-4aaa-952c-3ea21444444f.md
Expand Up @@ -99,8 +99,8 @@ This search gives you the hosts where a backup was attempted and then failed.

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [netbackup](https://github.com/splunk/security_content/blob/develop/macros/netbackup.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **unsuccessful_netbackup_backups_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2017-09-12-a34aae96-ccf8-4aef-952c-3ea214444440.md
Expand Up @@ -100,8 +100,8 @@ This search returns a list of hosts that have not successfully completed a backu

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [netbackup](https://github.com/splunk/security_content/blob/develop/macros/netbackup.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **extended_period_without_successful_netbackup_backups_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2017-09-12-bce3ed7c-9b1f-42a0-abdf-d8b123a34836.md
Expand Up @@ -100,8 +100,8 @@ The search queries the authentication logs for assets that are categorized as ro

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **detect_new_login_attempts_to_routers_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2017-09-15-1a77c08c-2f56-409c-a2d3-7d64617edd4f.md
Expand Up @@ -103,8 +103,8 @@ This search looks for Windows endpoints that have not generated an event indicat

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **no_windows_updates_in_a_time_frame_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2017-09-23-104658f4-afdc-499e-9719-17243f982681.md
Expand Up @@ -115,8 +115,8 @@ This search looks for specific GET or HEAD requests to web servers that are indi

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **detect_attackers_scanning_for_vulnerable_jboss_servers_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2017-09-23-134da869-e264-4a8f-8d7e-fcd0ec88f301.md
Expand Up @@ -98,8 +98,8 @@ This search looks for Web requests to faux domains similar to the one that you w

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [brand_abuse_web](https://github.com/splunk/security_content/blob/develop/macros/brand_abuse_web.yml)

> :information_source:
2 changes: 1 addition & 1 deletion _posts/2017-09-23-24dd17b1-e2fb-4c31-878c-d4f746595bfa.md
Expand Up @@ -99,9 +99,9 @@ This search looks for DNS requests for faux domains similar to the domains that

#### Macros
The SPL above uses the following Macros:
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [brand_abuse_dns](https://github.com/splunk/security_content/blob/develop/macros/brand_abuse_dns.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)

> :information_source:
> **monitor_dns_for_brand_abuse_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
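Review bot: this hunk moves `security_content_summariesonly` from the top of the list to the bottom, behind `brand_abuse_dns`, whereas the hunk for 2017-09-23-134da869 just above moves it in front of `security_content_ctime`; the relative order of the same two macros therefore differs from file to file within one commit, which points to the generator iterating an unordered collection rather than applying any fixed order. Sorting the macro names before rendering would make both hunks disappear. Note also that the rendered view has lost the leading `+`/`-` markers, so old and new lines here can only be told apart by position.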
2 changes: 1 addition & 1 deletion _posts/2017-09-23-c8bff7a4-11ea-4416-a27d-c5bca472913d.md
Expand Up @@ -100,8 +100,8 @@ This search is used to detect malicious HTTP requests crafted to exploit jmx-con

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **detect_malicious_requests_to_exploit_jboss_servers_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2017-11-27-104658f4-afdc-499f-9719-17a43f9826f5.md
Expand Up @@ -100,8 +100,8 @@ The search is used to detect hosts that generate Windows Event ID 4663 for succe

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **detect_usb_device_insertion_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-01-05-b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8.md
Expand Up @@ -103,8 +103,8 @@ This search looks for emails claiming to be sent from a domain similar to one th

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **monitor_email_for_brand_abuse_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-02-23-ada0f478-84a8-4641-a3f3-d82362d6fd75.md
Expand Up @@ -112,8 +112,8 @@ This search looks for AWS CloudTrail events where an instance is started in a pa

#### Macros
The SPL above uses the following Macros:
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)

> :information_source:
> **ec2_instance_started_in_previously_unseen_region_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-03-12-347ec301-601b-48b9-81aa-9ddf9c829dd3.md
Expand Up @@ -107,8 +107,8 @@ This search looks for EC2 instances being created with previously unseen AMIs.

#### Macros
The SPL above uses the following Macros:
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)

> :information_source:
> **ec2_instance_started_with_previously_unseen_ami_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-04-16-22773e84-bac0-4595-b086-20d3f335b4f1.md
Expand Up @@ -122,8 +122,8 @@ This search detects new API calls that have either never been seen before or tha

#### Macros
The SPL above uses the following Macros:
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)

> :information_source:
> **detect_new_api_calls_from_user_roles_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-05-17-4d46e8bd-4072-48e4-92db-0325889ef894.md
Expand Up @@ -101,8 +101,8 @@ This search looks for AWS CloudTrail events where a user logged into the AWS acc

#### Macros
The SPL above uses the following Macros:
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)

> :information_source:
> **detect_api_activity_from_users_without_mfa_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-05-21-ada0f478-84a8-4641-a1f1-e32372d4bd53.md
Expand Up @@ -122,8 +122,8 @@ This search will detect users creating spikes in API activity related to network

#### Macros
The SPL above uses the following Macros:
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)
* [network_acl_events](https://github.com/splunk/security_content/blob/develop/macros/network_acl_events.yml)
* [cloudtrail](https://github.com/splunk/security_content/blob/develop/macros/cloudtrail.yml)

> :information_source:
> **detect_spike_in_network_acl_activity_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-06-01-e9c102de-4d43-42a7-b1c8-8062ea297419.md
Expand Up @@ -109,8 +109,8 @@ This search looks for outbound ICMP packets with a packet size larger than 1,000

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **detect_large_outbound_icmp_packets_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-10-23-38cbd42c-1098-41bb-99cf-9d6d2b296d83.md
Expand Up @@ -109,8 +109,8 @@ The following analytic detects the creation of WMI temporary event subscriptions

#### Macros
The SPL above uses the following Macros:
* [wmi](https://github.com/splunk/security_content/blob/develop/macros/wmi.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [wmi](https://github.com/splunk/security_content/blob/develop/macros/wmi.yml)

> :information_source:
> **wmi_temporary_event_subscription_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-10-23-71bfdb13-f200-4c6c-b2c9-a2e07adf437d.md
Expand Up @@ -110,8 +110,8 @@ The following analytic detects the creation of permanent event subscriptions usi

#### Macros
The SPL above uses the following Macros:
* [wmi](https://github.com/splunk/security_content/blob/develop/macros/wmi.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [wmi](https://github.com/splunk/security_content/blob/develop/macros/wmi.yml)

> :information_source:
> **wmi_permanent_event_subscription_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-11-02-06a6fc63-a72d-41dc-8736-7e3dd9612116.md
Expand Up @@ -100,8 +100,8 @@ The search looks for modifications to the hosts file on all Windows endpoints ac

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **windows_hosts_file_modification_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-12-03-b6e0ff70-b122-4227-9368-4cf322ab43c3.md
Expand Up @@ -107,8 +107,8 @@ The fsutil.exe application is a legitimate Windows utility used to perform tasks

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **usn_journal_deletion_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-12-14-02c6cfc2-ae66-4735-bfc7-6291da834cbf.md
Expand Up @@ -98,8 +98,8 @@ The following analytic detects file writes with extensions that are consistent w

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **file_with_samsam_extension_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2018-12-14-493a879d-519d-428f-8f57-a06a0fdc107e.md
Expand Up @@ -106,8 +106,8 @@ The search looks for a file named "test.txt" written to the windows syst

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **samsam_test_file_write_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2019-02-27-61a7d1e6-f5d4-41d9-a9be-39a1ffe69459.md
Expand Up @@ -110,8 +110,8 @@ The search looks for command-line arguments used to hide a file or directory usi

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **reg_exe_used_to_hide_files_directories_via_registry_keys_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2019-04-01-ec3b7601-689a-4463-94e0-c9f45638efb9.md
Expand Up @@ -108,8 +108,8 @@ The following analytic detects suspicious processes on systems labeled as web se

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **web_servers_executing_suspicious_processes_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2019-04-25-57f76b8a-32f0-42ed-b358-d9fa3ca7bac8.md
Expand Up @@ -100,8 +100,8 @@ The search looks for files created with names that have been linked to malicious

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [suspicious_writes](https://github.com/splunk/security_content/blob/develop/macros/suspicious_writes.yml)

> :information_source:
2 changes: 1 addition & 1 deletion _posts/2019-05-08-57edaefa-a73b-45e5-bbae-f39c1473f941.md
Expand Up @@ -104,8 +104,8 @@ Command lines that are extremely long may be indicative of malicious activity on

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **unusually_long_command_line_-_mltk_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
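Review bot: the filter macro named in the trailing context, `unusually_long_command_line_-_mltk_filter`, carries a literal hyphen inherited from the detection title, and the same pattern appears in `dns_query_length_outliers_-_mltk_filter` in the 2020-01-22 post further down; every other filter macro in this commit is a plain snake_case identifier. Worth confirming that this hyphenated name matches the shipped macro definition exactly, since the note tells users to edit the macro by that name and a mismatch would leave their filter without effect.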
2 changes: 1 addition & 1 deletion _posts/2019-10-11-a51bfe1a-94f0-48cc-b4e4-b6ae50145893.md
Expand Up @@ -100,8 +100,8 @@ This search looks for applications on the endpoint that you have marked as prohi

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **prohibited_software_on_endpoint_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
2 changes: 1 addition & 1 deletion _posts/2020-01-22-85fbcfe8-9718-4911-adf6-7000d077a3a9.md
Expand Up @@ -119,8 +119,8 @@ This search allows you to identify DNS requests that are unusually large for the

#### Macros
The SPL above uses the following Macros:
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)
* [security_content_summariesonly](https://github.com/splunk/security_content/blob/develop/macros/security_content_summariesonly.yml)
* [security_content_ctime](https://github.com/splunk/security_content/blob/develop/macros/security_content_ctime.yml)

> :information_source:
> **dns_query_length_outliers_-_mltk_filter** is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

0 comments on commit df15894