Merge pull request #3424 from splunk/default_match_lookup

patel-bhavin · web-flow · commit cb9655f2995d · 2025-03-28T09:47:15.000-07:00
Removing default match from lookups
diff --git a/lookups/3cx_ioc_domains.yml b/lookups/3cx_ioc_domains.yml
@@ -5,7 +5,6 @@ id: 65c25399-4081-4ef1-b791-86f497d3380d
 author: Splunk Threat Research Team
 lookup_type: csv
 description: A list of domains from the 3CX supply chain attack.
-default_match: false
 match_type: 
 - WILDCARD(domain)
 min_matches: 1
diff --git a/lookups/__mlspl_unusual_commandline_detection.yml b/lookups/__mlspl_unusual_commandline_detection.yml
@@ -7,4 +7,3 @@ lookup_type: mlmodel
 description: An MLTK model for detecting malicious commandlines
 case_sensitive_match: false
 min_matches: 1
-default_match: false
diff --git a/lookups/advanced_audit_policy_guids.yml b/lookups/advanced_audit_policy_guids.yml
@@ -5,7 +5,6 @@ id: e2581a3a-1254-4b93-ae8f-ccde22362f0c
 author: Splunk Threat Research Team
 lookup_type: csv
 description: List of GUIDs associated with Windows advanced audit policies
-default_match: false
 match_type: 
 - WILDCARD(GUID)
 min_matches: 1
diff --git a/lookups/applockereventcodes.yml b/lookups/applockereventcodes.yml
@@ -5,7 +5,6 @@ id: 2fd8cc84-f4c8-4ab6-bd57-596f714a315f
 author: Splunk Threat Research Team
 lookup_type: csv
 description: A csv of the ID and rule name for AppLocker event codes.
-default_match: false
 match_type: 
 - WILDCARD(AppLocker_Event_Code)
 min_matches: 1
diff --git a/lookups/asr_rules.yml b/lookups/asr_rules.yml
@@ -5,7 +5,6 @@ id: 3886d687-ae77-4a61-99eb-e745083e391e
 author: Splunk Threat Research Team
 lookup_type: csv
 description: A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.
-default_match: false
 match_type: 
 - WILDCARD(ASR_Rule)
 min_matches: 1
diff --git a/lookups/attacker_tools.yml b/lookups/attacker_tools.yml
@@ -5,7 +5,6 @@ id: 72620fe1-26cb-4cee-a6ee-8c6127056d81
 author: Splunk Threat Research Team
 lookup_type: csv
 description: A list of tools used by attackers
-default_match: false
 match_type: 
 - WILDCARD(attacker_tool_names)
 min_matches: 1
diff --git a/lookups/brandmonitoring_lookup.yml b/lookups/brandmonitoring_lookup.yml
@@ -4,7 +4,6 @@ version: 2
 id: 6fff763a-d654-42dc-8e56-92c8e255ac55
 author: Splunk Threat Research Team
 lookup_type: csv
-default_match: false
 description: A file that contains look-a-like domains for brands that you want to
   monitor
 match_type: 
diff --git a/lookups/browser_app_list.yml b/lookups/browser_app_list.yml
@@ -4,8 +4,8 @@ version: 2
 id: a80ccd19-e46f-4a12-9ad7-e653ad646347
 author: Splunk Threat Research Team
 lookup_type: csv
-default_match: false
 description: A list of known browser application being targeted for credential extraction.
+default_match: false
 match_type: 
 - WILDCARD(browser_process_name)
 - WILDCARD(browser_object_path)
diff --git a/lookups/char_conversion_matrix.yml b/lookups/char_conversion_matrix.yml
@@ -5,7 +5,6 @@ id: 0177cf7b-8cf9-412a-9919-d1919b8d59dc
 author: Splunk Threat Research Team
 lookup_type: csv
 description: A simple conversion matrix for converting to and from UTF8/16 base64/hex/decimal encoding. Created mosty from https://community.splunk.com/t5/Splunk-Search/base64-decoding-in-search/m-p/27572#M177741, with small modifications for UTF16LE parsing for powershell encoding.
-default_match: false
 match_type: 
 - WILDCARD(data)
 min_matches: 1
diff --git a/lookups/cloud_instances_enough_data.yml b/lookups/cloud_instances_enough_data.yml
@@ -4,7 +4,6 @@ version: 2
 id: 2aabac97-9782-4156-9dfd-7c1fb7aab2a6
 author: Splunk Threat Research Team
 lookup_type: kvstore
-default_match: false
 description: A lookup to determine if you have a sufficient amount of time has passed to collect cloud instance data for behavioral searches
 fields: 
  - _key
diff --git a/lookups/decommissioned_buckets.yml b/lookups/decommissioned_buckets.yml
@@ -4,7 +4,6 @@ version: 1
 id: b3a95eff-87cf-40f3-b6e0-5b1a11eed68f
 author: Bhavin Patel
 lookup_type: kvstore
-default_match: false
 description: A lookup table of decommissioned S3 buckets created by baseline - Baseline of Open S3 Bucket Decommissioning. This lookup table is used by detections searches to trigger alerts when decommissioned buckets are detected.
 min_matches: 1
 fields: 
diff --git a/lookups/deprecation_info.yml b/lookups/deprecation_info.yml
@@ -4,6 +4,5 @@ version: 1
 id: d83dad4f-7bce-4979-bf07-a88c610da5f6
 author: Splunk Threat Research Team
 lookup_type: csv
-default_match: false
 description: A lookup file for deprecation information
 min_matches: 1
diff --git a/lookups/discovered_dns_records.yml b/lookups/discovered_dns_records.yml
@@ -4,6 +4,5 @@ version: 2
 id: ebf80033-0cc1-4256-a1cb-730ccbda36af
 author: Splunk Threat Research Team
 lookup_type: csv
-default_match: false
 description: A placeholder for a list of discovered DNS records generated by the baseline discover_dns_records
 min_matches: 1
diff --git a/lookups/hijacklibs.yml b/lookups/hijacklibs.yml
@@ -5,7 +5,6 @@ id: 00990d97-e923-4ae7-9fa0-b5033a8b0164
 author: Splunk Threat Research Team
 lookup_type: csv
 description: A list of potentially abused libraries in Windows
-default_match: false
 match_type: 
 - WILDCARD(library)
 min_matches: 1
diff --git a/lookups/is_net_windows_file.yml b/lookups/is_net_windows_file.yml
@@ -4,7 +4,6 @@ version: 2
 id: 891cfb79-06cd-455d-9cf8-b4d4de2bff25
 author: Splunk Threat Research Team
 lookup_type: csv
-default_match: false
 description: A full baseline of executable files in \Windows\, including sub-directories from Server 2016 and Windows 11. Certain .net binaries may not have been captured due to different Windows SDK's or developer utilities not installed during baseline.
 min_matches: 1
 case_sensitive_match: false
diff --git a/lookups/is_nirsoft_software.yml b/lookups/is_nirsoft_software.yml
@@ -4,7 +4,6 @@ version: 2
 id: 28966a08-55e4-4ccb-a20d-dc4cc154b09c
 author: Splunk Threat Research Team
 lookup_type: csv
-default_match: false
 description: A subset of utilities provided by NirSoft that may be used by adversaries.
 min_matches: 1
 case_sensitive_match: false
diff --git a/lookups/is_windows_system_file.yml b/lookups/is_windows_system_file.yml
@@ -4,7 +4,6 @@ version: 2
 id: ce238622-4d8f-41a4-a747-5d0adab9c854
 author: Splunk Threat Research Team
 lookup_type: csv
-default_match: false
 description: A full baseline of executable files in Windows\System32 and Windows\Syswow64, including sub-directories from Server 2016 and Windows 10.
 min_matches: 1
 case_sensitive_match: false
diff --git a/lookups/linux_tool_discovery_process.yml b/lookups/linux_tool_discovery_process.yml
@@ -5,7 +5,6 @@ id: f0d8b1c8-4ca0-4765-858a-ab0dea68c399
 author: Splunk Threat Research Team
 lookup_type: csv
 description: A list of suspicious bash commonly used by attackers via scripts
-default_match: false
 match_type: 
 - WILDCARD(process)
 min_matches: 1
diff --git a/lookups/local_file_inclusion_paths.yml b/lookups/local_file_inclusion_paths.yml
@@ -5,7 +5,6 @@ id: 10efe0a8-ec54-4f86-8d11-677a7ac65d64
 author: Splunk Threat Research Team
 lookup_type: csv
 description: A list of interesting files in a local file inclusion attack
-default_match: false
 match_type: 
 - WILDCARD(local_file_inclusion_paths)
 min_matches: 1
diff --git a/lookups/loldrivers.yml b/lookups/loldrivers.yml
@@ -5,7 +5,6 @@ id: a4c71880-bb4a-4e2c-9b44-be70cf181fb3
 author: Splunk Threat Research Team
 lookup_type: csv
 description: A list of known vulnerable drivers
-default_match: false
 match_type: 
 - WILDCARD(driver_name)
 min_matches: 1
diff --git a/lookups/lookup_rare_process_allow_list_default.yml b/lookups/lookup_rare_process_allow_list_default.yml
@@ -5,7 +5,6 @@ id: fc0c452e-47b1-4931-ba41-de5b7c6ed92b
 author: Splunk Threat Research Team
 lookup_type: csv
 case_sensitive_match: false
-default_match: false
 description: A list of rare processes that are legitimate that is provided by Splunk
 match_type: 
 - WILDCARD(process)
diff --git a/lookups/lookup_rare_process_allow_list_local.yml b/lookups/lookup_rare_process_allow_list_local.yml
@@ -5,7 +5,6 @@ id: 7aec9c17-69b8-4a0b-8f8d-d3ea9b0e2adb
 author: Splunk Threat Research Team
 lookup_type: csv
 case_sensitive_match: false
-default_match: false
 description: A list of rare processes that are legitimate provided by the end user
 match_type: 
 - WILDCARD(process)
diff --git a/lookups/privileged_azure_ad_roles.yml b/lookups/privileged_azure_ad_roles.yml
@@ -5,7 +5,6 @@ id: 4dbf0357-b5fc-4be2-9058-804d6a60b126
 author: Splunk Threat Research Team
 lookup_type: csv
 description: A list of privileged Azure Active Directory roles, includes updates for 2024 and template IDs.
-default_match: false
 match_type: 
 - WILDCARD(azureadrole)
 - WILDCARD(azuretemplateid)
diff --git a/lookups/ransomware_extensions_lookup.yml b/lookups/ransomware_extensions_lookup.yml
@@ -4,7 +4,6 @@ version: 2
 id: eaf9e6bb-55fa-4bab-89a5-b0229638c526
 author: Splunk Threat Research Team
 lookup_type: csv
-default_match: false
 description: A list of file extensions that are associated with ransomware
 match_type: 
 - WILDCARD(Extensions)
diff --git a/lookups/ransomware_notes_lookup.yml b/lookups/ransomware_notes_lookup.yml
@@ -4,7 +4,6 @@ version: 3
 id: 93d9fb06-035e-496c-91d5-7a79543ce1e1
 author: Splunk Threat Research Team
 lookup_type: csv
-default_match: false
 description: A list of file names that are ransomware note files
 match_type: 
 - WILDCARD(ransomware_notes)
diff --git a/lookups/remote_access_software.yml b/lookups/remote_access_software.yml
@@ -5,7 +5,6 @@ id: f3b92ff9-667c-481f-b29d-458e10d48508
 author: Splunk Threat Research Team
 lookup_type: csv
 description: A list of Remote Access Software
-default_match: false
 match_type: 
 - WILDCARD(remote_utility)
 - WILDCARD(remote_domain)
diff --git a/lookups/security_services_lookup.yml b/lookups/security_services_lookup.yml
@@ -4,7 +4,6 @@ version: 4
 id: c9038bad-c77b-4caa-9df2-09dc4454ac77
 author: Splunk Threat Research Team
 lookup_type: csv
-default_match: false
 description: A list of services that deal with security, such as Antivirus, Endpoint Detection and Response, etc.
 match_type: 
 - WILDCARD(service)
diff --git a/lookups/suspicious_writes_lookup.yml b/lookups/suspicious_writes_lookup.yml
@@ -4,7 +4,6 @@ version: 2
 id: 4a189c42-84d1-49b6-817e-7bc59318f960
 author: Splunk Threat Research Team
 lookup_type: csv
-default_match: false
 description: A list of suspicious file names
 match_type: 
 - WILDCARD(file)
diff --git a/lookups/windows_protocol_handlers.yml b/lookups/windows_protocol_handlers.yml
@@ -5,7 +5,6 @@ id: d7a6399f-9f59-4d16-a637-3353e6d4e3d1
 author: Splunk Threat Research Team
 lookup_type: csv
 description: A list of Windows Protocol Handlers
-default_match: false
 match_type: 
 - WILDCARD(handler)
 min_matches: 1
diff --git a/lookups/windows_suspicious_services.yml b/lookups/windows_suspicious_services.yml
@@ -5,10 +5,9 @@ id: 8c214005-2b4e-49c8-bba6-747005f11296
 author: Steven Dick
 lookup_type: csv
 description: A list of suspicious Windows Service names and locations
-default_match: false
 match_type: 
 - WILDCARD(service_name)
 - WILDCARD(service_path)
 min_matches: 1
 max_matches: 1
-case_sensitive_match: false
+case_sensitive_match: false
diff --git a/lookups/windows_suspicious_tasks.yml b/lookups/windows_suspicious_tasks.yml
@@ -5,7 +5,6 @@ id: 928cba69-be80-4601-9b0d-3ec81f714338
 author: Steven Dick
 lookup_type: csv
 description: A list of suspicious Windows Scheduled Task names and locations
-default_match: false
 match_type: 
 - WILDCARD(task_name)
 - WILDCARD(task_command)
