
Commit bade8a6

[Test Rules] [PR #4513] modified rule: VIP impersonation with BEC language (near match, untrusted sender)
1 parent 852340f commit bade8a6

1 file changed

Lines changed: 25 additions & 14 deletions


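--- a/detection-rules/4513_impersonation_vip_bec_loose.yml
+++ b/detection-rules/4513_impersonation_vip_bec_loose.yml
@@ -8,19 +8,30 @@ severity: "medium"
 source: |
 type.inbound
 and any($org_vips,
-0 <= strings.ilevenshtein(sender.display_name, .display_name) < 4
-or 0 <= strings.ilevenshtein(sender.display_name,
-strings.concat(.first_name,
-" ",
-.last_name
-)
-) < 4
-or 0 <= strings.ilevenshtein(sender.display_name,
-strings.concat(.last_name,
-", ",
-.first_name
-)
-) < 4
+(
+.display_name != ""
+and 0 <= strings.ilevenshtein(sender.display_name, .display_name) < 4
+)
+or (
+.first_name != ""
+and .last_name != ""
+and 0 <= strings.ilevenshtein(sender.display_name,
+strings.concat(.first_name,
+" ",
+.last_name
+)
+) < 4
+)
+or (
+.first_name != ""
+and .last_name != ""
+and 0 <= strings.ilevenshtein(sender.display_name,
+strings.concat(.last_name,
+", ",
+.first_name
+)
+) < 4
+)
 )
 and any(ml.nlu_classifier(body.current_thread.text).intents,
 .name == "bec" and .confidence in ("medium", "high")
@@ -65,4 +76,4 @@ detection_methods:
 id: "af52ee6e-31f3-52e7-ba94-1e460c89628f"
 og_id: "303081da-6850-5ba6-9589-c3dc7673320e"
 testing_pr: 4513
-testing_sha: 4e4a7760ad81eb7d66ae5f3e4701e7923ebb1f45
+testing_sha: 14caf0d1fb8deb9470797e8b93fc8c0756120fa3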
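Review bot: The new empty-name guards in the first hunk are one-sided: they skip VIP entries whose `display_name`, `first_name` or `last_name` is blank, but `sender.display_name` is still compared unguarded, so if an inbound message can carry an empty or one-to-three-character display name it sits within edit distance 3 of any VIP name string of three characters or fewer (for example a three-letter `display_name`, or a one-letter `first_name` joined to a one-letter `last_name`) and still satisfies the `< 4` branch. Unless the rule already requires a non-empty sender display name further down in `source` (the expression continues past the hunk), consider adding `and sender.display_name != ""` next to `type.inbound`. The `0 <=` lower bound on each `ilevenshtein` comparison is redundant, since an edit distance cannot be negative, so `strings.ilevenshtein(...) < 4` reads the same and is shorter. The three `!= ""` guards would also benefit from a one-line comment stating why they exist, such as `skip blank VIP name fields: the distance from "" to a string is that string's length, so short names would match trivially`.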
