[Test Rules] [PR #4513] modified rule: VIP impersonation with invoicing request

github-actions[bot] · github-actions[bot] · commit 3b4c404fc63b · 2026-05-29T19:19:20.000Z
diff --git a/detection-rules/4513_impersonation_vip_invoicing_request.yml b/detection-rules/4513_impersonation_vip_invoicing_request.yml
@@ -6,12 +6,14 @@ source: |
   type.inbound
   and any($org_vips,
           strings.contains(sender.display_name, .display_name)
-          or strings.contains(sender.display_name,
-                              strings.concat(.first_name, " ", .last_name)
-          )
           or strings.contains(sender.display_name,
                               strings.concat(.last_name, ", ", .first_name)
           )
+          or any(regex.extract(.display_name,
+                               '\A(?P<name>.+?)\s*[\(（][^)）]*[)）]\s*\z'
+                 ),
+                 strings.contains(sender.display_name, .named_groups["name"])
+          )
   )
   and (
     (
@@ -56,4 +58,4 @@ detection_methods:
 id: "ced9bb2d-3bc2-59d0-ab4c-48cc1bba975c"
 og_id: "a60f89a0-6cd0-5c2d-96de-8800380df407"
 testing_pr: 4513
-testing_sha: 90a3176084fd25d367a7582d78b2cd7bb9c4b8b5
+testing_sha: 8edfcb14502fda5aa8241629f8b4a08bbe1eefc7
