In Splunk, some endpoint logs show the action as deferred where the index is checkpoint. What does it mean? I am new to this security profile.
A concrete example of such a log would be helpful.
Deferred is an action for various tags as part of the Endpoint Datamodel: Endpoint - Splunk Documentation. These are defined in Enterprise Security > Settings > Data Models > Endpoint. Usually with an eval.
I meant a concrete example of an actual log you received that's tagged this way.
That said, if this tag is coming from Splunk, it might make more sense to ask on the Splunk Answers community.
Sorry! I meant to reply to the original post. But yes, you're right. This is something for the Splunk Answers Community.