[community request] Update Ransomware Extensions Lookup #3131
Labels
enhancement
New feature or request
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
ransomware_extensions_lookupshould have its entries prefixed w/ an asteriskDescribe the solution you'd like
From the UserGroups Slack:
"I'd like to file an improvement request for the ransomware_extensions_lookup that is included at least in Security Essentials.
That lookup is a regular lookup ("exact" match), but IMHO it should've been a wildcard lookup. It's hard to properly extract the "file extensions" to match against that lookup, because currently 3 values contain another . in the extension (.Where_my_files.txt , .bart.zip, .[email protected]).
So you can't just use "the part after the last dot in a filename" to run against this lookup. If this was a wildcard lookup, and those values would be prefixed with a * , you could just run them against the filename..."
Describe alternatives you've considered
Since this is a lookup we ship, its on us to make it usable- customer in-place modifications would be destroyed.
Additional context
Original request: https://splunk-usergroups.slack.com/archives/C78NT6CQ7/p1726575689193469
The text was updated successfully, but these errors were encountered: