From 566b6b54eac547778ad6dcbdb4ea25979a7104fd Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Fri, 8 Sep 2023 10:13:28 -0700 Subject: [PATCH] update baseline time and text --- baselines/baseline_of_smb_traffic___mltk.yml | 2 +- detections/network/smb_traffic_spike___mltk.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/baselines/baseline_of_smb_traffic___mltk.yml b/baselines/baseline_of_smb_traffic___mltk.yml index 7ea60c16d6..ce1fefe218 100644 --- a/baselines/baseline_of_smb_traffic___mltk.yml +++ b/baselines/baseline_of_smb_traffic___mltk.yml @@ -14,7 +14,7 @@ description: This search is used to build a Machine Learning Toolkit (MLTK) mode week. search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app=smb - by _time span=10m, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval + by _time span=1h, All_Traffic.src | eval HourOfDay=strftime(_time, "%H") | eval DayOfWeek=strftime(_time, "%A") | `drop_dm_object_name("All_Traffic")` | fit DensityFunction count by "HourOfDay,DayOfWeek" into smb_pdfmodel' how_to_implement: You must be ingesting network traffic and populating the Network_Traffic diff --git a/detections/network/smb_traffic_spike___mltk.yml b/detections/network/smb_traffic_spike___mltk.yml index f0ca4f0bfc..9d35639205 100644 --- a/detections/network/smb_traffic_spike___mltk.yml +++ b/detections/network/smb_traffic_spike___mltk.yml 
@@ -16,8 +16,8 @@ search: '| tstats `security_content_summariesonly` count values(All_Traffic.dest | rename "IsOutlier(count)" as isOutlier | search isOutlier > 0 | sort -count | table _time src dest port count | `smb_traffic_spike___mltk_filter` ' how_to_implement: 'To successfully implement this search, you will need to ensure - that DNS data is populating the Network_Resolution data model. In addition, the - Machine Learning Toolkit (MLTK) version 4.2 or greater must be installed on your + that DNS data is populating the Network_Traffic data model. In addition, the latest version of + Machine Learning Toolkit (MLTK) must be installed on your search heads, along with any required dependencies. Finally, the support search "Baseline of SMB Traffic - MLTK" must be executed before this detection search, because it builds a machine-learning (ML) model over the historical data used by
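Review bot: Changing the baseline bucket from `span=10m` to `span=1h` silently changes what `count` means for the model: each (HourOfDay, DayOfWeek) key now gets one count per source per hour instead of six, so an existing `smb_pdfmodel` trained on 10-minute counts will treat ordinary hourly volumes as outliers. The detection's own `tstats` line is not in this diff, so please confirm `smb_traffic_spike___mltk.yml` aggregates with the same `span=1h` before `apply smb_pdfmodel`, and state in the commit message that the baseline must be re-run to rebuild the model before the detection is used again.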
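Review bot: The second hunk only half-fixes the `how_to_implement` text: the data model is corrected to `Network_Traffic`, but the sentence still says "DNS data is populating" it, which is wrong for an SMB (port 139/445) detection; it should read "network traffic data is populating the Network_Traffic data model" to match the baseline's `how_to_implement` in the first file. Also, replacing the explicit "MLTK version 4.2 or greater" with "the latest version of Machine Learning Toolkit (MLTK)" removes a checkable requirement; keep a minimum version (4.2 or whatever the `fit DensityFunction` command now needs) rather than "latest".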