The -type parameter doesn't have a leading wildcard, so it won't hit on e.g. "nslookup.exe -type=MX".
Expected behavior
It should also hit on nslookup.exe usage with the -type parameter. This will only work if the -type parameter has both a leading and trailing wildcard like the other parameters.
I've created a PR here:
https://github.com/splunk/security_content/pull/3170
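To make the wildcard point concrete, here is an added example that is not part of the original issue, the linked PR, or the splunk/security_content detection itself: a small Python emulation of Splunk's `*` glob matching run over constructed nslookup command lines standing in for the `Processes.process` field. The sample command lines, the term names and the assumption that the match is anchored to the whole field value and case-insensitive are mine, not taken from the detection.

```python
import re

# Constructed sample command lines (not real telemetry), standing in for the
# Processes.process field values a detection would see.
SAMPLE_PROCESSES = [
    "nslookup.exe -type=MX example.com",
    "nslookup.exe -querytype=TXT example.com",
    "nslookup.exe example.com",
    "NSLOOKUP.EXE -type=ANY example.com",
]

# The term as reported in the issue (no leading wildcard) and the fixed term
# (leading and trailing wildcard, like the other parameters).
BROKEN_TERM = "-type*"
FIXED_TERM = "*-type*"


def splunk_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Splunk-style wildcard term into an anchored regex.

    Only '*' is special (zero or more characters); everything else is literal.
    Assumption for this emulation: a field=value term with wildcards is matched
    against the whole field value, case-insensitively, so a term without a
    leading '*' must match from the very start of the value.
    """
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def matches(pattern: str, process: str) -> bool:
    """True if the wildcard term hits on the given command line."""
    return splunk_wildcard_to_regex(pattern).search(process) is not None


def hits(patterns, processes):
    """Return the command lines matched by any of the terms, mirroring an
    OR'd list of Processes.process=... terms inside a detection search."""
    return [p for p in processes if any(matches(pat, p) for pat in patterns)]


if __name__ == "__main__":
    print("broken term hits:", hits([BROKEN_TERM], SAMPLE_PROCESSES))
    print("fixed term hits: ", hits([FIXED_TERM], SAMPLE_PROCESSES))
```

Running it shows the broken term matching nothing, because every command line starts with the image name rather than `-type`, while the fixed term hits both `-type=` invocations. Note that the fixed term still does not match `-querytype=`, which has its own wildcarded term in a detection; widening to `*type*` would catch both but is a separate design decision.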