Skip to content

Commit ff9a327

Browse files
[Test Rules] [PR sublime-security#4579] modified rule: Attachment: PDF Attachment with links to workers.dev
1 parent 7195c33 commit ff9a327

1 file changed

Lines changed: 2 additions & 3 deletions

File tree

detection-rules/4579_attachment_pdf_workersdev.yml

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -5,12 +5,11 @@ severity: "medium"
55
source: |
66
type.inbound
77
and any(filter(attachments, .file_type == "pdf"),
8-
beta.parse_exif(.).page_count < 5
8+
beta.parse_exif(.).page_count <= 2
99
and any(file.explode(.),
1010
any(.scan.url.urls, .domain.root_domain == "workers.dev")
1111
)
1212
)
13-
1413
attack_types:
1514
- "Credential Phishing"
1615
tactics_and_techniques:
@@ -24,4 +23,4 @@ detection_methods:
2423
id: "0a6801b4-63c5-5662-91de-b797c0f396a3"
2524
og_id: "e8be2515-8b3d-5222-80da-6ecfad58341a"
2625
testing_pr: 4579
27-
testing_sha: 06a2e456d8c09b148eb7076205280ec13eca01ce
26+
testing_sha: ae169673e9f80695dc566cb5ca88a609f234ca65

0 commit comments

Comments
 (0)