
Commit d416899

[Test Rules] [PR #4513] modified rule: VIP impersonation with BEC language (near match, untrusted sender)
1 parent 0d10e2a commit d416899

1 file changed

Lines changed: 8 additions & 7 deletions


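--- a/detection-rules/4513_impersonation_vip_bec_loose.yml
+++ b/detection-rules/4513_impersonation_vip_bec_loose.yml
@@ -9,18 +9,19 @@ source: |
 type.inbound
 and any($org_vips,
 0 <= strings.ilevenshtein(sender.display_name, .display_name) < 4
-or 0 <= strings.ilevenshtein(sender.display_name,
-strings.concat(.first_name,
-" ",
-.last_name
-)
-) < 4
 or 0 <= strings.ilevenshtein(sender.display_name,
 strings.concat(.last_name,
 ", ",
 .first_name
 )
 ) < 4
+or any(regex.extract(.display_name,
+'\A(?P<name>.+?)\s*[\((][^))]*[))]\s*\z'
+),
+0 <= strings.ilevenshtein(sender.display_name,
+.named_groups["name"]
+) < 4
+)
 )
 and any(ml.nlu_classifier(body.current_thread.text).intents,
 .name == "bec" and .confidence in ("medium", "high")
@@ -65,4 +66,4 @@ detection_methods:
 id: "af52ee6e-31f3-52e7-ba94-1e460c89628f"
 og_id: "303081da-6850-5ba6-9589-c3dc7673320e"
 testing_pr: 4513
-testing_sha: 90a3176084fd25d367a7582d78b2cd7bb9c4b8b5
+testing_sha: 8edfcb14502fda5aa8241629f8b4a08bbe1eefc7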
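Review bot: The new `regex.extract` branch (new lines 18–24 of the first hunk) applies the same fixed `< 4` edit distance to the captured `name` group, but `(?P<name>.+?)` can capture as little as one character, so a VIP entry with a very short name before its parenthetical would sit within distance of many unrelated short display names. Unless a length guard exists outside this hunk (the `source` expression starts before it and continues after it), consider bounding the comparison inside the inner `any(...)`, e.g. `length(.named_groups["name"]) > <min_len> and 0 <= strings.ilevenshtein(sender.display_name, .named_groups["name"]) < 4`, where `<min_len>` is a placeholder to tune against the test-rule results. The parenthetical stripping is also applied only to the `$org_vips` side, so `sender.display_name` is still compared in full; if that form matters for coverage, the same normalisation would be needed on the sender side. As rendered here the classes `[\((]` and `[))]` list the same ASCII parenthesis twice, so confirm against the file whether the second member was meant to be a full-width parenthesis, and add a short comment above the pattern saying which suffix forms it is meant to strip.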
