I have recently enabled a new correlation search in my Splunk ES. This search looks for possible ransomware files based on their extension. I have Splunk 8.1.4 running on Windows 2016 and Splunk ES 6.4.1. ES Content Update (the app where the search is defined) is at version 3.20.0. The original search was working well and it detected a suspicious file on one server. Since that file is expected, I put a whitelist in the correlation search just by redefining a macro that is already available. This is the search:
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name
| rex field=file_name "(?<file_extension>\.[^\.]+)$"
And I redefined the last macro as follows:
search NOT [ | inputlookup ransomware_ext_file_wl ]
The lookup defined contains only one column (file_name) and one row (the file name I want to white-list).
If I run this search in a search panel, I get no results, and this is the expected behavior. But when the search is executed by the scheduler, I always get a result (and a notable event) for the file that I put into the whitelist. It's like the macro is not expanded correctly or the lookup is empty.
Does anybody have any idea about the reason for getting different results?
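A self-contained way to write the whitelist step described in the post, followed by a check on where the lookup is actually defined. This is an added example, not the poster's macro or the ES Content Update search; it keeps the tstats part of the post, assumes the `Filesystem.` prefix is stripped by a plain rename (the post does not show which macro does that), and uses the lookup name ransomware_ext_file_wl and its single column file_name exactly as the post gives them.

```spl
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    values(Filesystem.user) as user values(Filesystem.dest) as dest
    values(Filesystem.file_path) as file_path
    from datamodel=Endpoint.Filesystem by Filesystem.file_name
| rename Filesystem.file_name as file_name
| rex field=file_name "(?<file_extension>\.[^\.]+)$"
| lookup ransomware_ext_file_wl file_name OUTPUT file_name AS wl_hit
| where isnull(wl_hit)
| table firstTime lastTime user dest file_path file_name file_extension


| rest /servicesNS/-/-/data/transforms/lookups splunk_server=local
| search title=ransomware_ext_file_wl
| table title filename eai:acl.app eai:acl.sharing eai:acl.owner
```

The first search filters with `lookup` instead of a subsearch, so a whitelisted file_name yields a non-null wl_hit and is dropped without any subsearch expansion; note that a CSV lookup matches case-sensitively by default, so the whitelist entry must match the file name exactly. The second search lists the lookup definition's app, sharing level and owner, which is what a scheduled run (executed as the search owner in the correlation search's app context) must be able to see for the whitelist to apply.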