From bdae9ecfe213f583c9bb5dd1ecdb16c2d38a02d7 Mon Sep 17 00:00:00 2001
From: Dennis Lynch
Date: Thu, 4 Jun 2026 09:37:13 -0400
Subject: [PATCH 1/4] Beta test rule

Co-Authored-By: Claude Sonnet 4.6
---
 detection-rules/beta_fuzzy_attack_score.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 detection-rules/beta_fuzzy_attack_score.yml

diff --git a/detection-rules/beta_fuzzy_attack_score.yml b/detection-rules/beta_fuzzy_attack_score.yml
new file mode 100644
index 00000000000..65d80858237
--- /dev/null
+++ b/detection-rules/beta_fuzzy_attack_score.yml
@@ -0,0 +1,8 @@
+name: "Beta: Fuzzy attack score"
+description: "Exercises the beta.fuzzy_attack_score() function. The 'notaverdict' verdict ensures this rule never flags."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and any([beta.fuzzy_attack_score()], .analyzed and .verdict == "notaverdict")
+id: "0887f39a-2568-4694-99ff-9182e37dc894"

From 468a6612e9edbd7964e271c896c6f46e3dd023f1 Mon Sep 17 00:00:00 2001
From: Dennis Lynch
Date: Wed, 10 Jun 2026 09:07:23 -0400
Subject: [PATCH 2/4] Swaps dummy rule with graymail rule

---
 ...y_attack_score.yml => beta_fuzzy_graymail_rule.yml} | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 rename detection-rules/{beta_fuzzy_attack_score.yml => beta_fuzzy_graymail_rule.yml} (50%)

diff --git a/detection-rules/beta_fuzzy_attack_score.yml b/detection-rules/beta_fuzzy_graymail_rule.yml
similarity index 50%
rename from detection-rules/beta_fuzzy_attack_score.yml
rename to detection-rules/beta_fuzzy_graymail_rule.yml
index 65d80858237..9024a05bc2e 100644
--- a/detection-rules/beta_fuzzy_attack_score.yml
+++ b/detection-rules/beta_fuzzy_graymail_rule.yml
@@ -1,8 +1,8 @@
-name: "Beta: Fuzzy attack score"
-description: "Exercises the beta.fuzzy_attack_score() function. The 'notaverdict' verdict ensures this rule never flags."
+name: "Beta: Fuzzy Graymail"
+description: "Exercises the beta.fuzzy_attack_score() function. Flags on Graymail verdicts."
 type: "rule"
-severity: "low"
+severity: "medium"
 source: |
   type.inbound
-  and any([beta.fuzzy_attack_score()], .analyzed and .verdict == "notaverdict")
-id: "0887f39a-2568-4694-99ff-9182e37dc894"
+  and any([beta.fuzzy_attack_score()], .analyzed and .verdict == "graymail")
+id: "f83b83bc-039b-4025-be85-78a36ffabf6e"

From 1541c5125502f8bdfccd9af7b242f286e395c581 Mon Sep 17 00:00:00 2001
From: Dennis Lynch
Date: Wed, 10 Jun 2026 14:16:12 -0400
Subject: [PATCH 3/4] Create fuzzy spam rule

---
 detection-rules/beta_fuzzy_spam_rule.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 detection-rules/beta_fuzzy_spam_rule.yml

diff --git a/detection-rules/beta_fuzzy_spam_rule.yml b/detection-rules/beta_fuzzy_spam_rule.yml
new file mode 100644
index 00000000000..63ac1ad1ed5
--- /dev/null
+++ b/detection-rules/beta_fuzzy_spam_rule.yml
@@ -0,0 +1,8 @@
+name: "Beta: Fuzzy Spam"
+description: "Exercises the beta.fuzzy_attack_score() function. Flags on Fpam verdicts."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any([beta.fuzzy_attack_score()], .analyzed and .verdict == "spam")
+id: "ed0965c3-8691-40ed-a44d-c73b23e8c76e"

From 6dcdad627db1cd7bd5ff1d24cd9313cd226eafc7 Mon Sep 17 00:00:00 2001
From: Dennis Lynch
Date: Wed, 10 Jun 2026 15:30:15 -0400
Subject: [PATCH 4/4] Fix spam typo, add malicious rule

---
 detection-rules/beta_fuzzy_malicious_rule.yml | 8 ++++++++
 detection-rules/beta_fuzzy_spam_rule.yml | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 detection-rules/beta_fuzzy_malicious_rule.yml
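Review bot: `severity: "medium"` on the graymail rule does not match what its `description` says the rule is for, an exercise of a beta scoring function, and the same `"medium"` is reused by the spam rule in PATCH 3 and the malicious rule in PATCH 4, so severity no longer tracks the verdict and a graymail verdict is triaged at the same level as a malicious one. Until the precision of `beta.fuzzy_attack_score()` has been measured, `severity: "low"` (the value PATCH 1 used) for the graymail and spam rules keeps a noisy beta scorer from raising medium alerts on every bulk message it labels, and leaves room to rank the malicious rule above them. If this repository's rule schema supports a `tags` field, tagging all three as beta would also make them easy to find and retire once the function graduates.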
diff --git a/detection-rules/beta_fuzzy_malicious_rule.yml b/detection-rules/beta_fuzzy_malicious_rule.yml
new file mode 100644
index 00000000000..7b8dc24d6ba
--- /dev/null
+++ b/detection-rules/beta_fuzzy_malicious_rule.yml
@@ -0,0 +1,8 @@
+name: "Beta: Fuzzy Malicious"
+description: "Exercises the beta.fuzzy_attack_score() function. Flags on Malicious verdicts."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any([beta.fuzzy_attack_score()], .analyzed and .verdict == "malicious")
+id: "4822150c-e06c-48aa-8e2e-8bede0bd39d3"
diff --git a/detection-rules/beta_fuzzy_spam_rule.yml b/detection-rules/beta_fuzzy_spam_rule.yml
index 63ac1ad1ed5..e1f5ec9dd55 100644
--- a/detection-rules/beta_fuzzy_spam_rule.yml
+++ b/detection-rules/beta_fuzzy_spam_rule.yml
@@ -1,5 +1,5 @@
 name: "Beta: Fuzzy Spam"
-description: "Exercises the beta.fuzzy_attack_score() function. Flags on Fpam verdicts."
+description: "Exercises the beta.fuzzy_attack_score() function. Flags on Spam verdicts."
 type: "rule"
 severity: "medium"
 source: |
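Review bot: The `.analyzed and .verdict == "malicious"` condition in the malicious rule presumably drops every message the scorer did not analyze, and neither the `description` nor the rule source says so, which makes an empty alert feed hard to interpret during the beta. Expand the `description` to state what a false `.analyzed` means for coverage, along the lines of `description: "Exercises the beta.fuzzy_attack_score() function. Flags on Malicious verdicts. Messages the scorer did not analyze (.analyzed is false) are not matched."`, after confirming that reading of `.analyzed` against the function's documentation. The graymail and spam rules use the same guard and their descriptions should carry the same sentence.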