Merge pull request #2845 from splunk/smb_mltk

update baseline time and text

baselines/baseline_of_smb_traffic___mltk.yml

@@ -14,7 +14,7 @@ description: This search is used to build a Machine Learning Toolkit (MLTK) mode
   week.
 search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic
   where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb
-  by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval
+  by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval
   DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name("All_Traffic")` | fit DensityFunction
   count by "HourOfDay,DayOfWeek" into smb_pdfmodel'
 how_to_implement: You must be ingesting network traffic and populating the Network_Traffic

detections/network/smb_traffic_spike___mltk.yml

@@ -16,8 +16,8 @@ search: '| tstats `security_content_summariesonly` count values(All_Traffic.dest
   | rename "IsOutlier(count)" as isOutlier | search isOutlier > 0 | sort -count |
   table _time src dest port count | `smb_traffic_spike___mltk_filter` '
 how_to_implement: 'To successfully implement this search, you will need to ensure
-  that DNS data is populating the Network_Resolution data model. In addition, the
-  Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your
+  that DNS data is populating the Network_Traffic data model. In addition, the latest version of
+  Machine Learning Toolkit (MLTK) must be installed on your
   search heads, along with any required dependencies. Finally, the support search
   "Baseline of SMB Traffic - MLTK" must be executed before this detection search,
   because it builds a machine-learning (ML) model over the historical data used by