From bd3647612538ccdec4f70a3f295e070458213ba9 Mon Sep 17 00:00:00 2001 From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com> Date: Wed, 15 Jan 2025 11:06:33 +0000 Subject: [PATCH] page(threat-hunting): some queries require custom data model --- source/threat-hunting/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md index 2f5cafc..21b1ba8 100644 --- a/source/threat-hunting/index.md +++ b/source/threat-hunting/index.md @@ -634,6 +634,7 @@ SPL: ## Heavy Forwarder Status Monitor Description: heavy_fwd is either down or unable to forward logs to Splunk Cloud for more than 15 minutes. +Caveat: Require custom [data model](https://gitlab.com/curben/splunk-scripts/-/blob/main/threat-hunting/datamodels.json). SPL: ```spl @@ -1287,6 +1288,7 @@ SPL: ## Splunk License Monitoring Description: Alert when Splunk is ingesting more than 90% of license. License rollover at 00:00 UTC (Cloud) or timezone of the license master (Enterprise). Pay attention to the timezones of the app's owner and the license master. Adjust `cron_schedule` and also `earliest_time` to account for daylight saving. +Caveat: Require custom [data model](https://gitlab.com/curben/splunk-scripts/-/blob/main/threat-hunting/datamodels.json). SPL: ```spl
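Review bot: In the Heavy Forwarder Status Monitor hunk, the added line `Caveat: Require custom [data model](...)` does not say which data model inside datamodels.json the query depends on, so a reader maintaining their own data models cannot tell what the SPL needs before running it; naming the data model (and changing "Require" to "Requires") would make the caveat actionable. The link also points at the `main` branch, so the referenced file can change after this page is published; linking a specific commit would keep the caveat accurate.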
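Review bot: In the Splunk License Monitoring hunk, the added caveat repeats the Heavy Forwarder sentence verbatim; if further sections come to depend on the custom data models, a single shared note (for example one "Custom data models" subsection that each query links to) would keep the wording from drifting between sections. The same grammar fix applies here: "Requires custom data model".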