splunk
diff --git a/‎baselines/baseline_of_blocked_outbound_traffic_from_aws.yml
+1 b/‎baselines/baseline_of_blocked_outbound_traffic_from_aws.yml
+1
diff --git a/‎baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml
+1 b/‎baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml
+1
diff --git a/‎baselines/baseline_of_cloud_instances_destroyed.yml
+1 b/‎baselines/baseline_of_cloud_instances_destroyed.yml
+1
diff --git a/‎baselines/baseline_of_cloud_instances_launched.yml
+1 b/‎baselines/baseline_of_cloud_instances_launched.yml
+1
diff --git a/‎baselines/baseline_of_cloud_security_group_api_calls_per_user.yml
+1 b/‎baselines/baseline_of_cloud_security_group_api_calls_per_user.yml
+1
diff --git a/‎baselines/baseline_of_command_line_length___mltk.yml
+1 b/‎baselines/baseline_of_command_line_length___mltk.yml
+1
diff --git a/‎baselines/baseline_of_dns_query_length___mltk.yml
+1 b/‎baselines/baseline_of_dns_query_length___mltk.yml
+1
diff --git a/‎baselines/baseline_of_kubernetes_container_network_io.yml
+1 b/‎baselines/baseline_of_kubernetes_container_network_io.yml
+1
diff --git a/‎baselines/baseline_of_kubernetes_container_network_io_ratio.yml
+1 b/‎baselines/baseline_of_kubernetes_container_network_io_ratio.yml
+1
diff --git a/‎baselines/baseline_of_kubernetes_process_resource.yml
+1 b/‎baselines/baseline_of_kubernetes_process_resource.yml
+1
diff --git a/‎baselines/baseline_of_kubernetes_process_resource_ratio.yml
+1 b/‎baselines/baseline_of_kubernetes_process_resource_ratio.yml
+1
diff --git a/‎baselines/baseline_of_network_acl_activity_by_arn.yml
+1 b/‎baselines/baseline_of_network_acl_activity_by_arn.yml
+1
diff --git a/‎baselines/baseline_of_s3_bucket_deletion_activity_by_arn.yml
+1 b/‎baselines/baseline_of_s3_bucket_deletion_activity_by_arn.yml
+1
diff --git a/‎baselines/baseline_of_security_group_activity_by_arn.yml
+1 b/‎baselines/baseline_of_security_group_activity_by_arn.yml
+1
diff --git a/‎baselines/baseline_of_smb_traffic___mltk.yml
+1 b/‎baselines/baseline_of_smb_traffic___mltk.yml
+1
diff --git a/‎baselines/count_of_assets_by_category.yml
+1 b/‎baselines/count_of_assets_by_category.yml
+1
diff --git a/‎baselines/count_of_unique_ips_connecting_to_ports.yml
+1 b/‎baselines/count_of_unique_ips_connecting_to_ports.yml
+1
diff --git a/‎baselines/create_a_list_of_approved_aws_service_accounts.yml
+1 b/‎baselines/create_a_list_of_approved_aws_service_accounts.yml
+1
diff --git a/‎baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml
+1 b/‎baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml
+1
diff --git a/‎baselines/deprecated/baseline_of_api_calls_per_user_arn.yml
+1 b/‎baselines/deprecated/baseline_of_api_calls_per_user_arn.yml
+1
diff --git a/‎baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml
+1 b/‎baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml
+1
diff --git a/‎baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml
+1 b/‎baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml
+1
diff --git a/‎baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml
+1 b/‎baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml
+1
diff --git a/‎baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml
+1 b/‎baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml
+1
diff --git a/‎baselines/deprecated/previously_seen_ec2_amis.yml
+1 b/‎baselines/deprecated/previously_seen_ec2_amis.yml
+1
diff --git a/‎baselines/deprecated/previously_seen_ec2_instance_types.yml
+1 b/‎baselines/deprecated/previously_seen_ec2_instance_types.yml
+1
diff --git a/‎baselines/deprecated/previously_seen_ec2_launches_by_user.yml
+1 b/‎baselines/deprecated/previously_seen_ec2_launches_by_user.yml
+1
diff --git a/‎baselines/deprecated/previously_seen_users_in_cloudtrail.yml
+1 b/‎baselines/deprecated/previously_seen_users_in_cloudtrail.yml
+1
diff --git a/‎baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml
+1 b/‎baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml
+1
diff --git a/‎baselines/discover_dns_records.yml
+1 b/‎baselines/discover_dns_records.yml
+1
diff --git a/‎baselines/dnstwist_domain_names.yml
+1 b/‎baselines/dnstwist_domain_names.yml
+1
diff --git a/‎baselines/identify_systems_creating_remote_desktop_traffic.yml
+1 b/‎baselines/identify_systems_creating_remote_desktop_traffic.yml
+1
diff --git a/‎baselines/identify_systems_receiving_remote_desktop_traffic.yml
+1 b/‎baselines/identify_systems_receiving_remote_desktop_traffic.yml
+1
diff --git a/‎baselines/identify_systems_using_remote_desktop.yml
+1 b/‎baselines/identify_systems_using_remote_desktop.yml
+1
diff --git a/‎baselines/monitor_successful_backups.yml
+1 b/‎baselines/monitor_successful_backups.yml
+1
diff --git a/‎baselines/monitor_unsuccessful_backups.yml
+1 b/‎baselines/monitor_unsuccessful_backups.yml
+1
diff --git a/‎baselines/previously_seen_aws_cross_account_activity.yml
+1 b/‎baselines/previously_seen_aws_cross_account_activity.yml
+1
diff --git a/‎baselines/previously_seen_aws_cross_account_activity___initial.yml
+1 b/‎baselines/previously_seen_aws_cross_account_activity___initial.yml
+1
diff --git a/‎baselines/previously_seen_aws_cross_account_activity___update.yml
+1 b/‎baselines/previously_seen_aws_cross_account_activity___update.yml
+1
diff --git a/‎baselines/previously_seen_aws_regions.yml
+1 b/‎baselines/previously_seen_aws_regions.yml
+1
diff --git a/‎baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml
+1 b/‎baselines/previously_seen_cloud_api_calls_per_user_role___initial.yml
+1
diff --git a/‎baselines/previously_seen_cloud_api_calls_per_user_role___update.yml
+1 b/‎baselines/previously_seen_cloud_api_calls_per_user_role___update.yml
+1
diff --git a/‎baselines/previously_seen_cloud_compute_creations_by_user___initial.yml
+1 b/‎baselines/previously_seen_cloud_compute_creations_by_user___initial.yml
+1
diff --git a/‎baselines/previously_seen_cloud_compute_creations_by_user___update.yml
+1 b/‎baselines/previously_seen_cloud_compute_creations_by_user___update.yml
+1
diff --git a/‎baselines/previously_seen_cloud_compute_images___initial.yml
+1 b/‎baselines/previously_seen_cloud_compute_images___initial.yml
+1
diff --git a/‎baselines/previously_seen_cloud_compute_images___update.yml
+1 b/‎baselines/previously_seen_cloud_compute_images___update.yml
+1
diff --git a/‎baselines/previously_seen_cloud_compute_instance_types___initial.yml
+1 b/‎baselines/previously_seen_cloud_compute_instance_types___initial.yml
+1
diff --git a/‎baselines/previously_seen_cloud_compute_instance_types___update.yml
+1 b/‎baselines/previously_seen_cloud_compute_instance_types___update.yml
+1
diff --git a/‎baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml
+1 b/‎baselines/previously_seen_cloud_instance_modifications_by_user___initial.yml
+1
diff --git a/‎baselines/previously_seen_cloud_instance_modifications_by_user___update.yml
+1 b/‎baselines/previously_seen_cloud_instance_modifications_by_user___update.yml
+1
@@ -4,6 +4,7 @@ version: 1
 date: '2018-05-07'
 author: Bhavin Patel, Splunk
 type: Baseline
+status: production
 description: This search establishes, on a per-hour basis, the average and the standard
   deviation of the number of outbound connections blocked in your VPC flow logs by
   each source IP address (IP address of your EC2 instances). Also recorded is the
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-09-07'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search is used to build a Machine Learning Toolkit (MLTK) model
   for how many API calls are performed by each user. By default, the search uses the
   last 90 days of data to build the model and the model is rebuilt weekly. The model
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-08-25'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search is used to build a Machine Learning Toolkit (MLTK) model
   for how many instances are destroyed in the environment. By default, the search
   uses the last 90 days of data to build the model and the model is rebuilt weekly.
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-08-14'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search is used to build a Machine Learning Toolkit (MLTK) model
   for how many instances are created in the environment. By default, the search uses
   the last 90 days of data to build the model and the model is rebuilt weekly. The
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-09-07'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search is used to build a Machine Learning Toolkit (MLTK) model
   for how many API calls for security groups are performed by each user. By default,
   the search uses the last 90 days of data to build the model and the model is rebuilt
 
@@ -4,6 +4,7 @@ version: 1
 date: '2019-05-08'
 author: Rico Valdez, Splunk
 type: Baseline
+status: production
 description: This search is used to build a Machine Learning Toolkit (MLTK) model
   to characterize the length of the command lines observed for each user in the environment.
   By default, the search uses the last 30 days of data to build the model. The model
 
@@ -4,6 +4,7 @@ version: 1
 date: '2019-05-08'
 author: Rico Valdez, Splunk
 type: Baseline
+status: production
 description: This search is used to build a Machine Learning Toolkit (MLTK) model
   to characterize the length of the DNS queries for each DNS record type observed
   in the environment. By default, the search uses the last 30 days of data to build
 
@@ -4,6 +4,7 @@ version: 4
 date: '2024-09-24'
 author: Matthew Moore, Splunk
 type: Baseline
+status: production
 description: This baseline rule calculates the average and standard deviation of inbound
   and outbound network IO for each Kubernetes container. It uses metrics from the
   Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule generates
 
@@ -4,6 +4,7 @@ version: 2
 date: '2024-09-24'
 author: Matthew Moore, Splunk
 type: Baseline
+status: production
 description: This baseline rule calculates the average ratio of inbound to outbound
   network IO for each Kubernetes container. It uses metrics from the Kubernetes API
   and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup table
 
@@ -4,6 +4,7 @@ version: 1
 date: '2023-12-18'
 author: Matthew Moore, Splunk
 type: Baseline
+status: production
 description: This baseline rule calculates the average and standard deviation of various
   process resources in a Kubernetes environment. It uses metrics from the Kubernetes
   API and the Splunk Infrastructure Monitoring Add-on. The rule generates a lookup
 
@@ -4,6 +4,7 @@ version: 2
 date: '2024-09-24'
 author: Matthew Moore, Splunk
 type: Baseline
+status: production
 description: This baseline rule calculates the average and standard deviation of the
   ratio of various process resources in a Kubernetes environment. It uses metrics
   from the Kubernetes API and the Splunk Infrastructure Monitoring Add-on. The rule
 
@@ -4,6 +4,7 @@ version: 1
 date: '2018-05-21'
 author: Bhavin Patel, Splunk
 type: Baseline
+status: production
 description: This search establishes, on a per-hour basis, the average and the standard
   deviation of the number of API calls that were related to network ACLs made by each
   user. Also recorded is the number of data points for each user. This table is then
 
@@ -4,6 +4,7 @@ version: 1
 date: '2018-07-17'
 author: Bhavin Patel, Splunk
 type: Baseline
+status: production
 description: This search establishes, on a per-hour basis, the average and standard
   deviation for the number of API calls related to deleting an S3 bucket by each user.
   Also recorded is the number of data points for each user. This table is then outputted
 
@@ -4,6 +4,7 @@ version: 1
 date: '2018-04-17'
 author: Bhavin Patel, Splunk
 type: Baseline
+status: production
 description: This search establishes, on a per-hour basis, the average and the standard
   deviation for the number of API calls related to security groups made by each user.
   Also recorded is the number of data points for each user. This table is then outputted
 
@@ -4,6 +4,7 @@ version: 1
 date: '2019-05-08'
 author: Rico Valdez, Splunk
 type: Baseline
+status: production
 description: This search is used to build a Machine Learning Toolkit (MLTK) model
   to characterize the number of SMB connections observed each hour for every day of
   week. By default, the search uses the last 30 days of data to build the model. The
 
@@ -4,6 +4,7 @@ version: 1
 date: '2017-09-13'
 author: Bhavin Patel, Splunk
 type: Baseline
+status: production
 description: This search shows you every asset category you have and the assets that
   belong to those categories.
 search: '| from datamodel Identity_Management.All_Assets | stats count values(nt_host)
 
@@ -4,6 +4,7 @@ version: 1
 date: '2017-09-13'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: The search counts the number of times a connection was observed to each
   destination port, and the number of unique source IPs connecting to them.
 search: '| tstats `security_content_summariesonly` count dc(All_Traffic.src) as numberOfUniqueHosts
 
@@ -4,6 +4,7 @@ version: 2
 date: '2018-12-03'
 author: Bhavin Patel, Splunk
 type: Baseline
+status: production
 description: This search looks for successful API activity in CloudTrail within the
   last 30 days, filters out known users from the identity table, and outputs values
   of users into `aws_service_accounts.csv` lookup file.
 
@@ -4,6 +4,7 @@ version: 1
 date: '2017-09-15'
 author: David Dorsey, Splunk
 type: Baseline
+status: deprecated
 description: This search takes the existing interesting process table from ES, filters
   out any existing additions added by ESCU and then updates the table with processes
   identified by ESCU that should be prohibited on your endpoints.
 
@@ -4,6 +4,7 @@ version: 1
 date: '2018-04-09'
 author: David Dorsey, Splunk
 type: Baseline
+status: deprecated
 description: This search establishes, on a per-hour basis, the average and the standard
   deviation of the number of API calls made by each user. Also recorded is the number
   of data points for each user. This table is then outputted to a lookup file to allow
 
@@ -4,6 +4,7 @@ version: 1
 date: '2019-11-14'
 author: Jason Brewer, Splunk
 type: Baseline
+status: deprecated
 description: This search is used to build a Machine Learning Toolkit (MLTK) model
   for how many RunInstances users do in the environment. By default, the search uses
   the last 90 days of data to build the model. The model created by this search is
 
@@ -4,6 +4,7 @@ version: 1
 date: '2019-11-14'
 author: Jason Brewer, Splunk
 type: Baseline
+status: deprecated
 description: This search is used to build a Machine Learning Toolkit (MLTK) model
   for how many TerminateInstances users do in the environment. By default, the search
   uses the last 90 days of data to build the model. The model created by this search
 
@@ -4,6 +4,7 @@ version: 1
 date: '2018-04-16'
 author: Bhavin Patel, Splunk
 type: Baseline
+status: deprecated
 description: This search looks for successful API calls made by different user roles,
   then creates a baseline of the earliest and latest times we have encountered this
   user role. It also returns the name of the API call in our dataset--grouped by user
 
@@ -4,6 +4,7 @@ version: 1
 date: '2018-03-16'
 author: David Dorsey, Splunk
 type: Baseline
+status: deprecated
 description: This search builds a table of the first and last times seen for every
   IP address (along with its physical location) previously associated with cloud-provisioning
   activity. This is broadly defined as any event that runs or creates something.
 
@@ -4,6 +4,7 @@ version: 2
 date: '2025-01-16'
 author: David Dorsey, Splunk
 type: Baseline
+status: deprecated
 description: This search builds a table of previously seen AMIs used to launch EC2
   instances
 search: '`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instancesSet.items{}.imageId
 
@@ -4,6 +4,7 @@ version: 2
 date: '2025-01-16'
 author: David Dorsey, Splunk
 type: Baseline
+status: deprecated
 description: This search builds a table of previously seen EC2 instance types
 search: '`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instanceType
   as instanceType | fillnull value="m1.small" instanceType | stats earliest(_time)
 
@@ -4,6 +4,7 @@ version: 2
 date: '2025-01-16'
 author: David Dorsey, Splunk
 type: Baseline
+status: deprecated
 description: This search builds a table of previously seen ARNs that have launched
   a EC2 instance.
 search: '`cloudtrail` eventName=RunInstances errorCode=success | rename userIdentity.arn
 
@@ -4,6 +4,7 @@ version: 1
 date: '2018-04-30'
 author: Jason Brewer, Splunk
 type: Baseline
+status: deprecated
 description: This search looks for CloudTrail events where a user logs into the console,
   then creates a baseline of the latest and earliest times, City, Region, and Country
   we have encountered this user in our dataset, grouped by ARN, within the last 30
 
@@ -4,6 +4,7 @@ version: 2
 date: '2025-01-16'
 author: Jason Brewer, Splunk
 type: Baseline
+status: deprecated
 description: This search looks for CloudTrail events where a user logs into the console,
   then updates the baseline of the latest and earliest times, City, Region, and Country
   we have encountered this user in our dataset, grouped by ARN, within the last hour.
 
@@ -4,6 +4,7 @@ version: 1
 date: '2025-01-16'
 author: Jose Hernandez, Splunk
 type: Baseline
+status: production
 description: The search takes corporate and common cloud provider domains configured
   under `cim_corporate_email_domains.csv`, `cim_corporate_web_domains.csv`, and `cloud_domains.csv`
   finds their responses across the last 30 days from data in the `Network_Resolution
 
@@ -4,6 +4,7 @@ version: 2
 date: '2018-10-08'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search creates permutations of your existing domains, removes the
   valid domain names and stores them in a specified lookup file so they can be checked
   for in the associated detection searches.
 
@@ -4,6 +4,7 @@ version: 1
 date: '2017-09-15'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search counts the numbers of times the system has generated remote
   desktop traffic.
 search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic
 
@@ -4,6 +4,7 @@ version: 1
 date: '2017-09-15'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search counts the numbers of times the system has created remote
   desktop traffic
 search: '| tstats `security_content_summariesonly` count from datamodel=Network_Traffic
 
@@ -4,6 +4,7 @@ version: 1
 date: '2019-04-01'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search counts the numbers of times the remote desktop process, mstsc.exe,
   has run on each system.
 search: '| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes
 
@@ -4,6 +4,7 @@ version: 1
 date: '2017-09-12'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search is intended to give you a feel for how often successful backups
   are conducted in your environment. Fluctuations in these numbers will allow you
   to determine when you should investigate.
 
@@ -4,6 +4,7 @@ version: 1
 date: '2017-09-12'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search is intended to give you a feel for how often backup failures
   happen in your environments.  Fluctuations in these numbers will allow you to determine
   when you should investigate.
 
@@ -4,6 +4,7 @@ version: 1
 date: '2018-06-04'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search looks for **AssumeRole** events where the requesting account
   differs from the requested account, then writes these relationships to a lookup
   file.
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-08-15'
 author: Rico Valdez, Splunk
 type: Baseline
+status: production
 description: This search looks for **AssumeRole** events where the requesting account
   differs from the requested account, then writes these relationships to a lookup
   file.
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-08-15'
 author: Rico Valdez, Splunk
 type: Baseline
+status: production
 description: This search looks for **AssumeRole** events where the requesting account
   differs from the requested account, then writes these relationships to a lookup
   file.
 
@@ -4,6 +4,7 @@ version: 1
 date: '2018-01-08'
 author: Bhavin Patel, Splunk
 type: Baseline
+status: production
 description: This search looks for CloudTrail events where an AWS instance is started
   and creates a baseline of most recent time (latest) and the first time (earliest)
   we've seen this region in our dataset grouped by the value awsRegion for the last
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-09-03'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search builds a table of the first and last times seen for every
   user role and command combination. This is broadly defined as any event that runs
   or creates something. This table is then cached.
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-09-03'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search updates the table of the first and last times seen for every
   user role and command combination.
 search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-08-15'
 author: Rico Valdez, Splunk
 type: Baseline
+status: production
 description: This search builds a table of previously seen users that have launched
   a cloud compute instance.
 search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-08-15'
 author: Rico Valdez, Splunk
 type: Baseline
+status: production
 description: This search builds a table of previously seen users that have launched
   a cloud compute instance.
 search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-10-08'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search builds a table of previously seen images used to launch cloud
   compute instances
 search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-08-12'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search builds a table of previously seen images used to launch cloud
   compute instances
 search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-09-03'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search builds a table of previously seen cloud compute instance
   types
 search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-09-03'
 author: David Dorsey, Splunk
 type: Baseline
+status: production
 description: This search builds a table of previously seen cloud compute instance
   types
 search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-07-29'
 author: Rico Valdez, Splunk
 type: Baseline
+status: production
 description: This search builds a table of previously seen users that have modified
   a cloud instance.
 search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen
 
@@ -4,6 +4,7 @@ version: 1
 date: '2020-07-29'
 author: Rico Valdez, Splunk
 type: Baseline
+status: production
 description: This search updates a table of previously seen Cloud Instance modifications
   that have been made by a user
 search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen