We need to change an out-of-the-box lookup file within Splunk_TA_Windows. This lookup file (windows_signatures.csv) has a column called "action" that is only filled out on Windows 2003 events, with actions such as created, modified, deleted, etc.
These actions need to be set in order to show up within the Network Changes dashboard in Splunk Enterprise Security.
If we were to ever update this app in the future to a later version, will it overwrite our lookup file changes?
Yes, upgrading the app overrides the changes.
I did a quick test. Downloaded and installed version 4.6.6. Made some changes to the CSV file that you mentioned. Downloaded version 4.6.7 and upgraded the app. The changes made by me were overwritten.
I suppose this will be the case with all the app upgrades.