[Test Rules] [PR #4513] modified rule: VIP / Executive impersonation (strict match, untrusted)

github-actions[bot] · github-actions[bot] · commit 0a653ebd3d93 · 2026-06-08T17:17:23.000Z
diff --git a/detection-rules/4513_vip_impersonation.yml b/detection-rules/4513_vip_impersonation.yml
@@ -15,20 +15,31 @@ source: |
   and (
     // the display name matches a name on the orgs vip list
     any($org_vips,
-        .display_name =~ sender.display_name
-        or strings.concat(.first_name, " ", .last_name) =~ sender.display_name
-        or strings.concat(.last_name, ", ", .first_name) =~ sender.display_name
+        (.display_name != "" and .display_name =~ sender.display_name)
+        or (
+          .first_name != ""
+          and .last_name != ""
+          and strings.concat(.first_name, " ", .last_name) =~ sender.display_name
+        )
+        or (
+          .first_name != ""
+          and .last_name != ""
+          and strings.concat(.last_name, ", ", .first_name) =~ sender.display_name
+        )
     )
     // or the display name starts with the name on the orgs vip list
     or (
       any($org_vips,
           (
-            strings.istarts_with(sender.display_name, .display_name)
+            .display_name != ""
+            and strings.istarts_with(sender.display_name, .display_name)
             and length(sender.display_name) > length(.display_name)
           )
           or (
-            strings.istarts_with(sender.display_name,
-                                 strings.concat(.first_name, " ", .last_name)
+            .first_name != ""
+            and .last_name != ""
+            and strings.istarts_with(sender.display_name,
+                                     strings.concat(.first_name, " ", .last_name)
             )
             and length(sender.display_name) > length(strings.concat(.first_name,
                                                                     " ",
@@ -37,8 +48,10 @@ source: |
             )
           )
           or (
-            strings.istarts_with(sender.display_name,
-                                 strings.concat(.last_name, ", ", .first_name)
+            .first_name != ""
+            and .last_name != ""
+            and strings.istarts_with(sender.display_name,
+                                     strings.concat(.last_name, ", ", .first_name)
             )
             and length(sender.display_name) > length(strings.concat(.last_name,
                                                                     ", ",
@@ -119,4 +132,4 @@ detection_methods:
 id: "83f40c96-2ae9-501e-88ca-20a711a01b89"
 og_id: "e42c84b7-9d50-5870-9a5d-311670a14bc1"
 testing_pr: 4513
-testing_sha: 4e4a7760ad81eb7d66ae5f3e4701e7923ebb1f45
+testing_sha: 14caf0d1fb8deb9470797e8b93fc8c0756120fa3
