[Shared Samples] [PR #4513] modified rule: PR# 4513 - VIP impersonation with urgent request (strict match, untrusted sender)

Author: github-actions[bot]

detection-rules/4513_impersonation_vip_urgent_request.yml

@@ -8,9 +8,17 @@ severity: "high"
 source: |
   type.inbound
   and any($org_vips,
-          .display_name =~ sender.display_name
-          or strings.concat(.first_name, " ", .last_name) =~ sender.display_name
-          or strings.concat(.last_name, ", ", .first_name) =~ sender.display_name
+          (.display_name != "" and .display_name =~ sender.display_name)
+          or (
+            .first_name != ""
+            and .last_name != ""
+            and strings.concat(.first_name, " ", .last_name) =~ sender.display_name
+          )
+          or (
+            .first_name != ""
+            and .last_name != ""
+            and strings.concat(.last_name, ", ", .first_name) =~ sender.display_name
+          )
   )
   and (
     any(ml.nlu_classifier(body.current_thread.text).intents,