
Commit 2474f85

[Shared Samples] [PR #4513] modified rule: PR# 4513 - VIP / Executive impersonation (strict match, untrusted)
1 parent 41b1ff7 commit 2474f85

1 file changed

Lines changed: 11 additions & 11 deletions


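--- a/detection-rules/4513_vip_impersonation.yml
+++ b/detection-rules/4513_vip_impersonation.yml
@@ -16,12 +16,8 @@ source: |
 // the display name matches a name on the orgs vip list
 any($org_vips,
 .display_name =~ sender.display_name
+or strings.concat(.first_name, " ", .last_name) =~ sender.display_name
 or strings.concat(.last_name, ", ", .first_name) =~ sender.display_name
-or any(regex.extract(.display_name,
-'\A(?P<name>.+?)\s*[\((][^))]*[))]\s*\z'
-),
-.named_groups["name"] =~ sender.display_name
-)
 )
 // or the display name starts with the name on the orgs vip list
 or (
@@ -30,6 +26,16 @@ source: |
 strings.istarts_with(sender.display_name, .display_name)
 and length(sender.display_name) > length(.display_name)
 )
+or (
+strings.istarts_with(sender.display_name,
+strings.concat(.first_name, " ", .last_name)
+)
+and length(sender.display_name) > length(strings.concat(.first_name,
+" ",
+.last_name
+)
+)
+)
 or (
 strings.istarts_with(sender.display_name,
 strings.concat(.last_name, ", ", .first_name)
@@ -40,12 +46,6 @@ source: |
 )
 )
 )
-or any(regex.extract(.display_name,
-'\A(?P<name>.+?)\s*[\((][^))]*[))]\s*\z'
-),
-strings.istarts_with(sender.display_name, .named_groups["name"])
-and length(sender.display_name) > length(.named_groups["name"])
-)
 )
 // and we have confidence it's BEC
 and any(ml.nlu_classifier(body.current_thread.text).intents,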
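Review bot: The prefix branch added at new lines 29–38 compares against `strings.concat(.first_name, " ", .last_name)` without first checking that both name fields are populated on the `$org_vips` entry. If either field is empty, the concatenation may reduce to a fragment such as `"Jane "` or `" "`, and `strings.istarts_with` would then match any sender display name beginning with that fragment; how MQL treats a null field here is not visible from the hunk, so this should be confirmed. Consider guarding the branch with `length(.first_name) > 0 and length(.last_name) > 0`, and applying the same guard to the exact-match line added at new line 19. With both `regex.extract` branches removed, VIP entries whose `.display_name` carries a parenthetical suffix are now covered only when those two fields are filled in, which deserves a comment such as `// relies on first_name/last_name being populated for VIPs whose display_name has a suffix`. The enclosing `source` expression starts and ends outside the visible hunks.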
