Is your feature request related to a problem? Please describe.
ransomware_extensions_lookup should have its entries prefixed w/ an asterisk
Describe the solution you'd like
From the UserGroups Slack:
"I'd like to file an improvement request for the ransomware_extensions_lookup that is included at least in Security Essentials.
That lookup is a regular lookup ("exact" match), but IMHO it should've been a wildcard lookup. It's hard to properly extract the "file extensions" to match against that lookup, because currently 3 values contain another . in the extension (.Where_my_files.txt , .bart.zip, .helpdecrypt@ukr.net).
So you can't just use "the part after the last dot in a filename" to run against this lookup. If this was a wildcard lookup, and those values would be prefixed with a * , you could just run them against the filename..."
Describe alternatives you've considered
Since this is a lookup we ship, it's on us to make it usable; customer in-place modifications would be destroyed.
Additional context
Original request: https://splunk-usergroups.slack.com/archives/C78NT6CQ7/p1726575689193469
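As an added illustration of the mismatch the quoted request describes (not code from this issue or from Security Essentials), the following Python compares "last part after the dot" exact matching with whole-filename wildcard matching. The lookup contents are a constructed subset: the three multi-dot entries named above plus two assumed single-dot entries, and Splunk's wildcard-lookup semantics are approximated with fnmatch on lowercased strings.

```python
import fnmatch
from typing import Optional

# Constructed subset of a ransomware-extension lookup (not the shipped file).
# The three multi-dot values are the ones named in the issue; the two
# single-dot values are assumed entries added for contrast.
RANSOMWARE_EXTENSIONS = [
    ".locky",
    ".cerber",
    ".Where_my_files.txt",
    ".bart.zip",
    ".helpdecrypt@ukr.net",
]


def last_extension(filename: str) -> str:
    """'The part after the last dot', which an exact-match lookup forces you to extract."""
    idx = filename.rfind(".")
    return filename[idx:] if idx != -1 else ""


def exact_match(filename: str) -> Optional[str]:
    """Current behaviour: exact (case-insensitive) match of the extracted extension."""
    ext = last_extension(filename).lower()
    return next((e for e in RANSOMWARE_EXTENSIONS if e.lower() == ext), None)


def wildcard_match(filename: str) -> Optional[str]:
    """Proposed behaviour: each entry prefixed with '*' and matched against the whole filename."""
    for entry in RANSOMWARE_EXTENSIONS:
        # fnmatchcase so only our explicit lowercasing affects case handling
        if fnmatch.fnmatchcase(filename.lower(), "*" + entry.lower()):
            return entry
    return None


def compare(filenames):
    """Return {filename: (exact_result, wildcard_result)} so misses are visible side by side."""
    return {f: (exact_match(f), wildcard_match(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample filenames: the multi-dot entries are missed by exact matching.
    for name, result in compare([
        "photo.jpg.locky",
        "report.docx.bart.zip",
        "invoice.pdf.helpdecrypt@ukr.net",
        "notes.txt",
    ]).items():
        print(f"{name:40} exact={result[0]!r:24} wildcard={result[1]!r}")
```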