[Test Rules] [PR #4498] modified rule: Link: Generic financial document and suspicious hosting template

github-actions[bot] · github-actions[bot] · commit 4975b400a907 · 2026-06-03T22:14:13.000Z
diff --git a/detection-rules/4498_link_financial_document_timeline_template.yml b/detection-rules/4498_link_financial_document_timeline_template.yml
@@ -4,6 +4,12 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
+  // nlu filtering
+  and not (
+    any(ml.nlu_classifier(body.current_thread.text).intents, .name == "benign")
+    and not length(body.current_thread.text) <= 1600
+  )
+  
   // expectation of time
   and regex.icontains(body.current_thread.text,
                       'will be released|\b[1-4].[1-4]\b.{1,10}days?'
@@ -32,6 +38,7 @@ source: |
           and .href_url.domain.valid != false
           and .href_url.domain.root_domain not in $org_domains
   )
+  
   // suspicious sender behavior
   and (
     (
@@ -63,4 +70,4 @@ detection_methods:
 id: "1a6e4ced-4391-597f-9184-d4d1c57dedc7"
 og_id: "027cb65d-aee3-5f10-9555-20b719bbde42"
 testing_pr: 4498
-testing_sha: 9384da2d92eb56b85e45f5eee0fdc7c27fc77479
+testing_sha: e6a854f326d20dc2452a4350622bd79e632a7d88
