From 0609b5fc474c62aadc64ecc482b7ba142393a503 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell <30846409+aidenmitchell@users.noreply.github.com>
Date: Fri, 18 Aug 2023 12:56:39 -0700
Subject: [PATCH] Add new bit.ly detection

---
 ...{link_deactivated_bitly.yml => link_flagged_bitly.yml} | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 rename detection-rules/{link_deactivated_bitly.yml => link_flagged_bitly.yml} (75%)

diff --git a/detection-rules/link_deactivated_bitly.yml b/detection-rules/link_flagged_bitly.yml
similarity index 75%
rename from detection-rules/link_deactivated_bitly.yml
rename to detection-rules/link_flagged_bitly.yml
index c7d0fb33248..763f6565db6 100644
--- a/detection-rules/link_deactivated_bitly.yml
+++ b/detection-rules/link_flagged_bitly.yml
@@ -1,6 +1,6 @@
-name: "Link: Deactivated bit.ly link"
+name: "Link: Flagged bit.ly link"
 description: |
- Shortened link is blocked by bit.ly. Indicator of malicious email.
+ Shortened link is blocked or gated by bit.ly. Indicator of malicious email.
 type: "rule"
 severity: "medium"
 source: |
@@ -10,9 +10,9 @@ source: |
 .href_url.domain.root_domain == "bit.ly"
 // link doesn't forward through
 and beta.linkanalysis(.).effective_url.domain.domain == "bit.ly"
- // blocked by bit.ly
+ // blocked or gated by bit.ly
 and strings.ilike(
- beta.linkanalysis(.).final_dom.display_text, "*link*blocked*"
+ beta.linkanalysis(.).final_dom.display_text, "*link*blocked*", "*flagged*by*"
 )
 )
 attack_types:
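Review bot: The added `"*flagged*by*"` glob in the strings.ilike call is much looser than the existing `"*link*blocked*"`: it fires on any bit.ly landing page whose display text contains "flagged" followed anywhere later by "by", and the hunk does not record which interstitial wording it is meant to catch, so a reviewer cannot tell whether the pattern is as tight as it could be. A comment above the call naming the page text that was observed, e.g. `// bit.ly interstitial: "<observed interstitial text — TODO paste from a sample>"`, would let the pattern be narrowed to that phrase (for example `"*link*flagged*by*"` if that is the wording) and would make the "gated" case the description now mentions concrete. The enclosing `source` expression starts above this hunk, so the iteration scope the `.href_url` / `final_dom.display_text` checks run in cannot be verified from what is shown.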