
Commit 4975b40

[Test Rules] [PR #4498] modified rule: Link: Generic financial document and suspicious hosting template
1 parent 66717d3 commit 4975b40

1 file changed

Lines changed: 8 additions & 1 deletion


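--- a/detection-rules/4498_link_financial_document_timeline_template.yml
+++ b/detection-rules/4498_link_financial_document_timeline_template.yml
@@ -4,6 +4,12 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
+// nlu filtering
+and not (
+any(ml.nlu_classifier(body.current_thread.text).intents, .name == "benign")
+and not length(body.current_thread.text) <= 1600
+)
+
 // expectation of time
 and regex.icontains(body.current_thread.text,
 'will be released|\b[1-4].[1-4]\b.{1,10}days?'
@@ -32,6 +38,7 @@ source: |
 and .href_url.domain.valid != false
 and .href_url.domain.root_domain not in $org_domains
 )
+
 // suspicious sender behavior
 and (
 (
@@ -63,4 +70,4 @@ detection_methods:
 id: "1a6e4ced-4391-597f-9184-d4d1c57dedc7"
 og_id: "027cb65d-aee3-5f10-9555-20b719bbde42"
 testing_pr: 4498
-testing_sha: 9384da2d92eb56b85e45f5eee0fdc7c27fc77479
+testing_sha: e6a854f326d20dc2452a4350622bd79e632a7d88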
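Review bot: The new NLU exclusion (new lines 8–11) suppresses the whole rule whenever an intent named "benign" is present on a body longer than 1600 characters, and because `body.current_thread.text` is sender-controlled, padding a short lure with benign-looking filler past that length is a plausible way to earn the label and silence the detection. If intents expose a confidence value in this rule language, qualifying the match, e.g. `.name == "benign" and .confidence == "high"`, would narrow that evasion; I cannot confirm the field from this hunk. The double negation `and not length(body.current_thread.text) <= 1600` is easier to read as `and length(body.current_thread.text) > 1600`. A comment explaining the 1600 cutoff would help the next maintainer, e.g. `// only trust a benign verdict on longer bodies; short lures are still evaluated`, if that is the intent. The `source` expression continues past the end of this hunk.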
