Skip to content

Commit 17675cb

Browse files
[Test Rules] [PR #4513] modified rule: VIP impersonation with invoicing request
1 parent bade8a6 commit 17675cb

1 file changed

Lines changed: 17 additions & 6 deletions

File tree

detection-rules/4513_impersonation_vip_invoicing_request.yml

Lines changed: 17 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -5,12 +5,23 @@ severity: "high"
55
source: |
66
type.inbound
77
and any($org_vips,
8-
strings.contains(sender.display_name, .display_name)
9-
or strings.contains(sender.display_name,
10-
strings.concat(.first_name, " ", .last_name)
8+
(
9+
.display_name != ""
10+
and strings.contains(sender.display_name, .display_name)
1111
)
12-
or strings.contains(sender.display_name,
13-
strings.concat(.last_name, ", ", .first_name)
12+
or (
13+
.first_name != ""
14+
and .last_name != ""
15+
and strings.contains(sender.display_name,
16+
strings.concat(.first_name, " ", .last_name)
17+
)
18+
)
19+
or (
20+
.first_name != ""
21+
and .last_name != ""
22+
and strings.contains(sender.display_name,
23+
strings.concat(.last_name, ", ", .first_name)
24+
)
1425
)
1526
)
1627
and (
@@ -56,4 +67,4 @@ detection_methods:
5667
id: "ced9bb2d-3bc2-59d0-ab4c-48cc1bba975c"
5768
og_id: "a60f89a0-6cd0-5c2d-96de-8800380df407"
5869
testing_pr: 4513
59-
testing_sha: 4e4a7760ad81eb7d66ae5f3e4701e7923ebb1f45
70+
testing_sha: 14caf0d1fb8deb9470797e8b93fc8c0756120fa3

0 commit comments

Comments
 (0)