[Test Rules] [PR #4513] modified rule: VIP impersonation with BEC language (near match, untrusted sender)

github-actions[bot] · github-actions[bot] · commit 54cb9ce9d21c · 2026-05-29T20:58:50.000Z
diff --git a/detection-rules/4513_impersonation_vip_bec_loose.yml b/detection-rules/4513_impersonation_vip_bec_loose.yml
@@ -9,19 +9,18 @@ source: |
   type.inbound
   and any($org_vips,
           0 <= strings.ilevenshtein(sender.display_name, .display_name) < 4
+          or 0 <= strings.ilevenshtein(sender.display_name,
+                                       strings.concat(.first_name,
+                                                      " ",
+                                                      .last_name
+                                       )
+          ) < 4
           or 0 <= strings.ilevenshtein(sender.display_name,
                                        strings.concat(.last_name,
                                                       ", ",
                                                       .first_name
                                        )
           ) < 4
-          or any(regex.extract(.display_name,
-                               '\A(?P<name>.+?)\s*[\(（][^)）]*[)）]\s*\z'
-                 ),
-                 0 <= strings.ilevenshtein(sender.display_name,
-                                           .named_groups["name"]
-                 ) < 4
-          )
   )
   and any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "bec" and .confidence in ("medium", "high")
@@ -66,4 +65,4 @@ detection_methods:
 id: "af52ee6e-31f3-52e7-ba94-1e460c89628f"
 og_id: "303081da-6850-5ba6-9589-c3dc7673320e"
 testing_pr: 4513
-testing_sha: 8edfcb14502fda5aa8241629f8b4a08bbe1eefc7
+testing_sha: 4e4a7760ad81eb7d66ae5f3e4701e7923ebb1f45
