Skip to content

Commit ddb0772

Browse files
[Shared Samples] [PR #4513] modified rule: PR# 4513 - VIP impersonation with invoicing request
1 parent f600624 commit ddb0772

1 file changed

Lines changed: 16 additions & 5 deletions

File tree

detection-rules/4513_impersonation_vip_invoicing_request.yml

Lines changed: 16 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -5,12 +5,23 @@ severity: "high"
55
source: |
66
type.inbound
77
and any($org_vips,
8-
strings.contains(sender.display_name, .display_name)
9-
or strings.contains(sender.display_name,
10-
strings.concat(.first_name, " ", .last_name)
8+
(
9+
.display_name != ""
10+
and strings.contains(sender.display_name, .display_name)
1111
)
12-
or strings.contains(sender.display_name,
13-
strings.concat(.last_name, ", ", .first_name)
12+
or (
13+
.first_name != ""
14+
and .last_name != ""
15+
and strings.contains(sender.display_name,
16+
strings.concat(.first_name, " ", .last_name)
17+
)
18+
)
19+
or (
20+
.first_name != ""
21+
and .last_name != ""
22+
and strings.contains(sender.display_name,
23+
strings.concat(.last_name, ", ", .first_name)
24+
)
1425
)
1526
)
1627
and (

0 commit comments

Comments
 (0)