[Shared Samples] [PR #4515] modified rule: PR# 4515 - Service abuse: Trello board invitation with VIP impersonation

github-actions[bot] · github-actions[bot] · commit df1416abb5c1 · 2026-05-29T20:55:36.000Z
diff --git a/detection-rules/4515_service_abuse_trello_board_invite_vip.yml b/detection-rules/4515_service_abuse_trello_board_invite_vip.yml
@@ -30,12 +30,10 @@ source: |
         any($org_vips,
             strings.icontains(..display_text, .display_name)
             or strings.icontains(..display_text,
-                                 strings.concat(.last_name, ", ", .first_name)
+                                 strings.concat(.first_name, " ", .last_name)
             )
-            or any(regex.extract(.display_name,
-                                 '\A(?P<name>.+?)\s*[\(（][^)）]*[)）]\s*\z'
-                   ),
-                   strings.icontains(...display_text, .named_groups["name"])
+            or strings.icontains(..display_text,
+                                 strings.concat(.last_name, ", ", .first_name)
             )
         )
         // org sld as the board name
@@ -53,19 +51,18 @@ source: |
            and strings.iends_with(.display_text, 'From')
            and any($org_vips,
                    strings.icontains(..display_text, .display_name)
+                   or strings.icontains(..display_text,
+                                        strings.concat(.first_name,
+                                                       " ",
+                                                       .last_name
+                                        )
+                   )
                    or strings.icontains(..display_text,
                                         strings.concat(.last_name,
                                                        ", ",
                                                        .first_name
                                         )
                    )
-                   or any(regex.extract(.display_name,
-                                        '\A(?P<name>.+?)\s*[\(（][^)）]*[)）]\s*\z'
-                          ),
-                          strings.icontains(...display_text,
-                                            .named_groups["name"]
-                          )
-                   )
            )
     )
   )

Original file line number	Diff line number	Diff line change
`@@ -30,12 +30,10 @@ source: \|`
`30`	`30`	`any($org_vips,`
`31`	`31`	`strings.icontains(..display_text, .display_name)`
`32`	`32`	`or strings.icontains(..display_text,`
`33`		`- strings.concat(.last_name, ", ", .first_name)`
	`33`	`+ strings.concat(.first_name, " ", .last_name)`
`34`	`34`	`)`
`35`		`- or any(regex.extract(.display_name,`
`36`		`- '\A(?P<name>.+?)\s[\(（][^)）][)）]\s*\z'`
`37`		`- ),`
`38`		`- strings.icontains(...display_text, .named_groups["name"])`
	`35`	`+ or strings.icontains(..display_text,`
	`36`	`+ strings.concat(.last_name, ", ", .first_name)`
`39`	`37`	`)`
`40`	`38`	`)`
`41`	`39`	`// org sld as the board name`
`@@ -53,19 +51,18 @@ source: \|`
`53`	`51`	`and strings.iends_with(.display_text, 'From')`
`54`	`52`	`and any($org_vips,`
`55`	`53`	`strings.icontains(..display_text, .display_name)`
	`54`	`+ or strings.icontains(..display_text,`
	`55`	`+ strings.concat(.first_name,`
	`56`	`+ " ",`
	`57`	`+ .last_name`
	`58`	`+ )`
	`59`	`+ )`
`56`	`60`	`or strings.icontains(..display_text,`
`57`	`61`	`strings.concat(.last_name,`
`58`	`62`	`", ",`
`59`	`63`	`.first_name`
`60`	`64`	`)`
`61`	`65`	`)`
`62`		`- or any(regex.extract(.display_name,`
`63`		`- '\A(?P<name>.+?)\s[\(（][^)）][)）]\s*\z'`
`64`		`- ),`
`65`		`- strings.icontains(...display_text,`
`66`		`- .named_groups["name"]`
`67`		`- )`
`68`		`- )`
`69`	`66`	`)`
`70`	`67`	`)`
`71`	`68`	`)`