Commit 1ab3e67

[Test Rules] [PR #4691] modified rule: Cloud storage impersonation with credential theft indicators
1 parent 3222c8d commit 1ab3e67

1 file changed

Lines changed: 3 additions & 8 deletions

detection-rules/4691_credential_theft_cloud_storage_impersonation.yml

@@ -6,7 +6,7 @@ source: |
66
type.inbound
77
and (
88
0 < length(body.current_thread.links) < 10
9-
or length(body.current_thread.links) > 50
9+
or length(body.current_thread.links) > 100
1010
)
1111
and any([subject.subject, sender.display_name],
1212
regex.icontains(.,
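Review bot: the change to the link-count condition widens the uncovered range without stating why. Before this hunk the rule fired on threads with fewer than 10 links or more than 50; after it, threads with 10 to 100 links match neither branch of `0 < length(body.current_thread.links) < 10 or length(body.current_thread.links) > 100`. The commit title only says "modified rule", so the reason for choosing 100 (presumably false positives observed on threads with 51 to 100 links) should be recorded in the PR or a YAML comment, and the test corpus for PR #4691 should include a sample in the 51 to 100 range so the loss of coverage is a deliberate, tested decision rather than a side effect.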
@@ -48,12 +48,7 @@ source: |
4848
""
4949
)
5050
)
51-
or (
52-
any(body.links,
53-
regex.icontains(.href_url.url, '(?:;[^/]*){3,}')
54-
or regex.icontains(.href_url.path, '@')
55-
)
56-
)
51+
or any(body.links, regex.icontains(.href_url.url, '(?:;[^/]*){3,}'))
5752
)
5853
)
5954
)
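Review bot: this hunk silently drops the `regex.icontains(.href_url.path, '@')` indicator and keeps only the `'(?:;[^/]*){3,}'` check on `.href_url.url`, but nothing in the commit explains the removal. A literal `@` in a link path is one of the "credential theft indicators" the rule is named for, so removing it narrows detection; if it was producing false positives, note that in the PR and consider whether a tighter pattern would retain the signal. The collapse of the nested `or ( any(...) )` block into the single line `or any(body.links, regex.icontains(.href_url.url, '(?:;[^/]*){3,}'))` is a fine readability cleanup and matches the surrounding style.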
@@ -83,4 +78,4 @@ detection_methods:
8378
id: "1228585e-ce7d-5186-acc8-369a0f9e3c15"
8479
og_id: "4c20f72c-0045-518c-8157-7dad5f196ecc"
8580
testing_pr: 4691
86-
testing_sha: 6d26229a095381ae2ac0bcc6dd847a243f258692
81+
testing_sha: 923751758d81b293ded07d1c7c16f5297b94295d
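Review bot: no logic concern here; `testing_pr: 4691` is unchanged and only `testing_sha` moves from `6d26229a095381ae2ac0bcc6dd847a243f258692` to `923751758d81b293ded07d1c7c16f5297b94295d`, which is the expected metadata bump for a `[Test Rules]` commit. Confirm the new sha is the current head of PR #4691 so the automated rule test run evaluates the revision that contains the two logic changes above rather than an earlier one.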

0 commit comments