diff --git a/lookups/3cx_ioc_domains.yml b/lookups/3cx_ioc_domains.yml index 3b82b2cb5f..2107a08252 100644 --- a/lookups/3cx_ioc_domains.yml +++ b/lookups/3cx_ioc_domains.yml @@ -5,7 +5,6 @@ id: 65c25399-4081-4ef1-b791-86f497d3380d author: Splunk Threat Research Team lookup_type: csv description: A list of domains from the 3CX supply chain attack. -default_match: false match_type: - WILDCARD(domain) min_matches: 1 diff --git a/lookups/__mlspl_unusual_commandline_detection.yml b/lookups/__mlspl_unusual_commandline_detection.yml index b61270c65f..74558efe01 100644 --- a/lookups/__mlspl_unusual_commandline_detection.yml +++ b/lookups/__mlspl_unusual_commandline_detection.yml @@ -7,4 +7,3 @@ lookup_type: mlmodel description: An MLTK model for detecting malicious commandlines case_sensitive_match: false min_matches: 1 -default_match: false diff --git a/lookups/advanced_audit_policy_guids.yml b/lookups/advanced_audit_policy_guids.yml index fab6f56b80..9b5295a51b 100644 --- a/lookups/advanced_audit_policy_guids.yml +++ b/lookups/advanced_audit_policy_guids.yml @@ -5,7 +5,6 @@ id: e2581a3a-1254-4b93-ae8f-ccde22362f0c author: Splunk Threat Research Team lookup_type: csv description: List of GUIDs associated with Windows advanced audit policies -default_match: false match_type: - WILDCARD(GUID) min_matches: 1 diff --git a/lookups/applockereventcodes.yml b/lookups/applockereventcodes.yml index 10b797958e..e16dbb04d3 100644 --- a/lookups/applockereventcodes.yml +++ b/lookups/applockereventcodes.yml @@ -5,7 +5,6 @@ id: 2fd8cc84-f4c8-4ab6-bd57-596f714a315f author: Splunk Threat Research Team lookup_type: csv description: A csv of the ID and rule name for AppLocker event codes. -default_match: false match_type: - WILDCARD(AppLocker_Event_Code) min_matches: 1 diff --git a/lookups/asr_rules.yml b/lookups/asr_rules.yml index ad1a4603d7..70ccb5b72c 100644 --- a/lookups/asr_rules.yml +++ b/lookups/asr_rules.yml 
@@ -5,7 +5,6 @@ id: 3886d687-ae77-4a61-99eb-e745083e391e author: Splunk Threat Research Team lookup_type: csv description: A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules. -default_match: false match_type: - WILDCARD(ASR_Rule) min_matches: 1 diff --git a/lookups/attacker_tools.yml b/lookups/attacker_tools.yml index 58f8dcd904..19fa30b2f3 100644 --- a/lookups/attacker_tools.yml +++ b/lookups/attacker_tools.yml @@ -5,7 +5,6 @@ id: 72620fe1-26cb-4cee-a6ee-8c6127056d81 author: Splunk Threat Research Team lookup_type: csv description: A list of tools used by attackers -default_match: false match_type: - WILDCARD(attacker_tool_names) min_matches: 1 diff --git a/lookups/brandmonitoring_lookup.yml b/lookups/brandmonitoring_lookup.yml index 39a7f8e701..2dfd034137 100644 --- a/lookups/brandmonitoring_lookup.yml +++ b/lookups/brandmonitoring_lookup.yml @@ -4,7 +4,6 @@ version: 2 id: 6fff763a-d654-42dc-8e56-92c8e255ac55 author: Splunk Threat Research Team lookup_type: csv -default_match: false description: A file that contains look-a-like domains for brands that you want to monitor match_type: diff --git a/lookups/browser_app_list.yml b/lookups/browser_app_list.yml index 5fe50536ba..850f4b38c1 100644 --- a/lookups/browser_app_list.yml +++ b/lookups/browser_app_list.yml @@ -4,8 +4,8 @@ version: 2 id: a80ccd19-e46f-4a12-9ad7-e653ad646347 author: Splunk Threat Research Team lookup_type: csv -default_match: false description: A list of known browser application being targeted for credential extraction. +default_match: false match_type: - WILDCARD(browser_process_name) - WILDCARD(browser_object_path) diff --git a/lookups/char_conversion_matrix.yml b/lookups/char_conversion_matrix.yml index c75b0c8542..aef5f62e76 100644 --- a/lookups/char_conversion_matrix.yml +++ b/lookups/char_conversion_matrix.yml 
@@ -5,7 +5,6 @@ id: 0177cf7b-8cf9-412a-9919-d1919b8d59dc author: Splunk Threat Research Team lookup_type: csv description: A simple conversion matrix for converting to and from UTF8/16 base64/hex/decimal encoding. Created mosty from https://community.splunk.com/t5/Splunk-Search/base64-decoding-in-search/m-p/27572#M177741, with small modifications for UTF16LE parsing for powershell encoding. -default_match: false match_type: - WILDCARD(data) min_matches: 1 diff --git a/lookups/cloud_instances_enough_data.yml b/lookups/cloud_instances_enough_data.yml index 68dd5d4249..384d8b1bf6 100644 --- a/lookups/cloud_instances_enough_data.yml +++ b/lookups/cloud_instances_enough_data.yml @@ -4,7 +4,6 @@ version: 2 id: 2aabac97-9782-4156-9dfd-7c1fb7aab2a6 author: Splunk Threat Research Team lookup_type: kvstore -default_match: false description: A lookup to determine if you have a sufficient amount of time has passed to collect cloud instance data for behavioral searches fields: - _key diff --git a/lookups/decommissioned_buckets.yml b/lookups/decommissioned_buckets.yml index 78354e2500..db70d5d42c 100644 --- a/lookups/decommissioned_buckets.yml +++ b/lookups/decommissioned_buckets.yml @@ -4,7 +4,6 @@ version: 1 id: b3a95eff-87cf-40f3-b6e0-5b1a11eed68f author: Bhavin Patel lookup_type: kvstore -default_match: false description: A lookup table of decommissioned S3 buckets created by baseline - Baseline of Open S3 Bucket Decommissioning. This lookup table is used by detections searches to trigger alerts when decommissioned buckets are detected. min_matches: 1 fields: diff --git a/lookups/deprecation_info.yml b/lookups/deprecation_info.yml index dab74f8b34..e39c95d51c 100644 --- a/lookups/deprecation_info.yml +++ b/lookups/deprecation_info.yml @@ -4,6 +4,5 @@ version: 1 id: d83dad4f-7bce-4979-bf07-a88c610da5f6 author: Splunk Threat Research Team lookup_type: csv -default_match: false description: A lookup file for deprecation information min_matches: 1 
diff --git a/lookups/discovered_dns_records.yml b/lookups/discovered_dns_records.yml index bc014779db..878fd1c525 100644 --- a/lookups/discovered_dns_records.yml +++ b/lookups/discovered_dns_records.yml @@ -4,6 +4,5 @@ version: 2 id: ebf80033-0cc1-4256-a1cb-730ccbda36af author: Splunk Threat Research Team lookup_type: csv -default_match: false description: A placeholder for a list of discovered DNS records generated by the baseline discover_dns_records min_matches: 1 diff --git a/lookups/hijacklibs.yml b/lookups/hijacklibs.yml index 39678bdb26..35278498c7 100644 --- a/lookups/hijacklibs.yml +++ b/lookups/hijacklibs.yml @@ -5,7 +5,6 @@ id: 00990d97-e923-4ae7-9fa0-b5033a8b0164 author: Splunk Threat Research Team lookup_type: csv description: A list of potentially abused libraries in Windows -default_match: false match_type: - WILDCARD(library) min_matches: 1 diff --git a/lookups/is_net_windows_file.yml b/lookups/is_net_windows_file.yml index 4a805b52e6..e6c1f72dc5 100644 --- a/lookups/is_net_windows_file.yml +++ b/lookups/is_net_windows_file.yml @@ -4,7 +4,6 @@ version: 2 id: 891cfb79-06cd-455d-9cf8-b4d4de2bff25 author: Splunk Threat Research Team lookup_type: csv -default_match: false description: A full baseline of executable files in \Windows\, including sub-directories from Server 2016 and Windows 11. Certain .net binaries may not have been captured due to different Windows SDK's or developer utilities not installed during baseline. min_matches: 1 case_sensitive_match: false \ No newline at end of file diff --git a/lookups/is_nirsoft_software.yml b/lookups/is_nirsoft_software.yml index 64210f6035..12337fbbca 100644 --- a/lookups/is_nirsoft_software.yml +++ b/lookups/is_nirsoft_software.yml 
@@ -4,7 +4,6 @@ version: 2 id: 28966a08-55e4-4ccb-a20d-dc4cc154b09c author: Splunk Threat Research Team lookup_type: csv -default_match: false description: A subset of utilities provided by NirSoft that may be used by adversaries. min_matches: 1 case_sensitive_match: false \ No newline at end of file diff --git a/lookups/is_windows_system_file.yml b/lookups/is_windows_system_file.yml index 59b4d90c5d..14303d0a39 100644 --- a/lookups/is_windows_system_file.yml +++ b/lookups/is_windows_system_file.yml @@ -4,7 +4,6 @@ version: 2 id: ce238622-4d8f-41a4-a747-5d0adab9c854 author: Splunk Threat Research Team lookup_type: csv -default_match: false description: A full baseline of executable files in Windows\System32 and Windows\Syswow64, including sub-directories from Server 2016 and Windows 10. min_matches: 1 case_sensitive_match: false \ No newline at end of file diff --git a/lookups/linux_tool_discovery_process.yml b/lookups/linux_tool_discovery_process.yml index 3ca56a079f..75bc54c288 100644 --- a/lookups/linux_tool_discovery_process.yml +++ b/lookups/linux_tool_discovery_process.yml @@ -5,7 +5,6 @@ id: f0d8b1c8-4ca0-4765-858a-ab0dea68c399 author: Splunk Threat Research Team lookup_type: csv description: A list of suspicious bash commonly used by attackers via scripts -default_match: false match_type: - WILDCARD(process) min_matches: 1 diff --git a/lookups/local_file_inclusion_paths.yml b/lookups/local_file_inclusion_paths.yml index 15638c2135..0342bfd491 100644 --- a/lookups/local_file_inclusion_paths.yml +++ b/lookups/local_file_inclusion_paths.yml @@ -5,7 +5,6 @@ id: 10efe0a8-ec54-4f86-8d11-677a7ac65d64 author: Splunk Threat Research Team lookup_type: csv description: A list of interesting files in a local file inclusion attack -default_match: false match_type: - WILDCARD(local_file_inclusion_paths) min_matches: 1 diff --git a/lookups/loldrivers.yml b/lookups/loldrivers.yml index 412e1a069a..c8f78dfbd0 100644 --- a/lookups/loldrivers.yml +++ b/lookups/loldrivers.yml 
@@ -5,7 +5,6 @@ id: a4c71880-bb4a-4e2c-9b44-be70cf181fb3 author: Splunk Threat Research Team lookup_type: csv description: A list of known vulnerable drivers -default_match: false match_type: - WILDCARD(driver_name) min_matches: 1 diff --git a/lookups/lookup_rare_process_allow_list_default.yml b/lookups/lookup_rare_process_allow_list_default.yml index 1474969aa6..5603f2135a 100644 --- a/lookups/lookup_rare_process_allow_list_default.yml +++ b/lookups/lookup_rare_process_allow_list_default.yml @@ -5,7 +5,6 @@ id: fc0c452e-47b1-4931-ba41-de5b7c6ed92b author: Splunk Threat Research Team lookup_type: csv case_sensitive_match: false -default_match: false description: A list of rare processes that are legitimate that is provided by Splunk match_type: - WILDCARD(process) diff --git a/lookups/lookup_rare_process_allow_list_local.yml b/lookups/lookup_rare_process_allow_list_local.yml index 16b9681815..cf4f3c4c7b 100644 --- a/lookups/lookup_rare_process_allow_list_local.yml +++ b/lookups/lookup_rare_process_allow_list_local.yml @@ -5,7 +5,6 @@ id: 7aec9c17-69b8-4a0b-8f8d-d3ea9b0e2adb author: Splunk Threat Research Team lookup_type: csv case_sensitive_match: false -default_match: false description: A list of rare processes that are legitimate provided by the end user match_type: - WILDCARD(process) diff --git a/lookups/privileged_azure_ad_roles.yml b/lookups/privileged_azure_ad_roles.yml index 0e38bee0db..3d2d5ab7d5 100644 --- a/lookups/privileged_azure_ad_roles.yml +++ b/lookups/privileged_azure_ad_roles.yml @@ -5,7 +5,6 @@ id: 4dbf0357-b5fc-4be2-9058-804d6a60b126 author: Splunk Threat Research Team lookup_type: csv description: A list of privileged Azure Active Directory roles, includes updates for 2024 and template IDs. -default_match: false match_type: - WILDCARD(azureadrole) - WILDCARD(azuretemplateid) diff --git a/lookups/ransomware_extensions_lookup.yml b/lookups/ransomware_extensions_lookup.yml index f094df6158..6eb5f6be2c 100644 
--- a/lookups/ransomware_extensions_lookup.yml +++ b/lookups/ransomware_extensions_lookup.yml @@ -4,7 +4,6 @@ version: 2 id: eaf9e6bb-55fa-4bab-89a5-b0229638c526 author: Splunk Threat Research Team lookup_type: csv -default_match: false description: A list of file extensions that are associated with ransomware match_type: - WILDCARD(Extensions) diff --git a/lookups/ransomware_notes_lookup.yml b/lookups/ransomware_notes_lookup.yml index 21ec31a3bf..fd3a741f5e 100644 --- a/lookups/ransomware_notes_lookup.yml +++ b/lookups/ransomware_notes_lookup.yml @@ -4,7 +4,6 @@ version: 3 id: 93d9fb06-035e-496c-91d5-7a79543ce1e1 author: Splunk Threat Research Team lookup_type: csv -default_match: false description: A list of file names that are ransomware note files match_type: - WILDCARD(ransomware_notes) diff --git a/lookups/remote_access_software.yml b/lookups/remote_access_software.yml index 0819c7ffad..ad4f0abcb8 100644 --- a/lookups/remote_access_software.yml +++ b/lookups/remote_access_software.yml @@ -5,7 +5,6 @@ id: f3b92ff9-667c-481f-b29d-458e10d48508 author: Splunk Threat Research Team lookup_type: csv description: A list of Remote Access Software -default_match: false match_type: - WILDCARD(remote_utility) - WILDCARD(remote_domain) diff --git a/lookups/security_services_lookup.yml b/lookups/security_services_lookup.yml index 96069235ee..e2acc725b9 100644 --- a/lookups/security_services_lookup.yml +++ b/lookups/security_services_lookup.yml @@ -4,7 +4,6 @@ version: 4 id: c9038bad-c77b-4caa-9df2-09dc4454ac77 author: Splunk Threat Research Team lookup_type: csv -default_match: false description: A list of services that deal with security, such as Antivirus, Endpoint Detection and Response, etc. match_type: - WILDCARD(service) diff --git a/lookups/suspicious_writes_lookup.yml b/lookups/suspicious_writes_lookup.yml index f8a13e65fe..c9407a56f3 100644 --- a/lookups/suspicious_writes_lookup.yml +++ b/lookups/suspicious_writes_lookup.yml 
@@ -4,7 +4,6 @@ version: 2 id: 4a189c42-84d1-49b6-817e-7bc59318f960 author: Splunk Threat Research Team lookup_type: csv -default_match: false description: A list of suspicious file names match_type: - WILDCARD(file) diff --git a/lookups/windows_protocol_handlers.yml b/lookups/windows_protocol_handlers.yml index cbefef155a..756f988916 100644 --- a/lookups/windows_protocol_handlers.yml +++ b/lookups/windows_protocol_handlers.yml @@ -5,7 +5,6 @@ id: d7a6399f-9f59-4d16-a637-3353e6d4e3d1 author: Splunk Threat Research Team lookup_type: csv description: A list of Windows Protocol Handlers -default_match: false match_type: - WILDCARD(handler) min_matches: 1 diff --git a/lookups/windows_suspicious_services.yml b/lookups/windows_suspicious_services.yml index cf85cbbf98..7717773be0 100644 --- a/lookups/windows_suspicious_services.yml +++ b/lookups/windows_suspicious_services.yml @@ -5,10 +5,9 @@ id: 8c214005-2b4e-49c8-bba6-747005f11296 author: Steven Dick lookup_type: csv description: A list of suspicious Windows Service names and locations -default_match: false match_type: - WILDCARD(service_name) - WILDCARD(service_path) min_matches: 1 max_matches: 1 -case_sensitive_match: false \ No newline at end of file +case_sensitive_match: false diff --git a/lookups/windows_suspicious_tasks.yml b/lookups/windows_suspicious_tasks.yml index 68cc6d0fee..9de81d1077 100644 --- a/lookups/windows_suspicious_tasks.yml +++ b/lookups/windows_suspicious_tasks.yml @@ -5,7 +5,6 @@ id: 928cba69-be80-4601-9b0d-3ec81f714338 author: Steven Dick lookup_type: csv description: A list of suspicious Windows Scheduled Task names and locations -default_match: false match_type: - WILDCARD(task_name) - WILDCARD(task_command)
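Review bot: the patch removes `default_match: false` from every lookup file, but nothing in the change explains why, and there is no commit message or PR description visible. Dropping the key is a no-op only if the lookup schema's default for `default_match` is false; please state that (and which schema version defines it) in the commit message so the reviewer does not have to assume it, since the files using `match_type: - WILDCARD(...)` depend on that value.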
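Review bot: the `lookups/browser_app_list.yml` hunk is inconsistent with the rest of the change: it removes `-default_match: false` above `description:` and re-adds the identical `+default_match: false` below it, so the key is only moved, while every other file deletes it. If the intent is to remove the key everywhere, drop the `+default_match: false` line; if this lookup genuinely needs it, say why in the commit message.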
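Review bot: the `lookups/windows_suspicious_services.yml` hunk fixes the missing trailing newline (`-case_sensitive_match: false \ No newline at end of file` becomes `+case_sensitive_match: false`), but the same defect is left in `is_net_windows_file.yml`, `is_nirsoft_software.yml` and `is_windows_system_file.yml`, whose hunks still end with `\ No newline at end of file`. Fix all four in this change, or none, so the formatting cleanup is consistent.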
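Review bot: the `lookups/char_conversion_matrix.yml` hunk leaves the typo "mosty" in the context line `description: ... Created mosty from https://community.splunk.com/...`; since the file is already being edited, correcting it to "mostly" in the same commit would be cheap.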
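Review bot: the `lookups/cloud_instances_enough_data.yml` hunk keeps the ungrammatical description `A lookup to determine if you have a sufficient amount of time has passed to collect cloud instance data for behavioral searches`; consider rewording it (for example, "A lookup to determine whether enough time has passed to collect cloud instance data for behavioral searches") while the file is being touched.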