Adding missed $

sublime-security · Oct 27, 2023 · 141b21f · 141b21f
1 parent 70d775a
commit 141b21f
Show file tree

Hide file tree

Showing 25 changed files with 50 additions and 50 deletions.
diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
@@ -20,14 +20,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 tags:
   - "Attack surface reduction"

diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml
@@ -33,14 +33,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -44,14 +44,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
@@ -63,14 +63,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_amex.yml b/detection-rules/impersonation_amex.yml
@@ -31,14 +31,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_bank_of_america.yml b/detection-rules/impersonation_bank_of_america.yml
@@ -19,14 +19,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_chase.yml b/detection-rules/impersonation_chase.yml
@@ -35,14 +35,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_coinbase.yml b/detection-rules/impersonation_coinbase.yml
@@ -33,14 +33,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 tags:
   - "Cryptocurrency"

diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml
@@ -36,14 +36,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_dropbox.yml b/detection-rules/impersonation_dropbox.yml
@@ -21,14 +21,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_employee_urgent_request.yml b/detection-rules/impersonation_employee_urgent_request.yml
@@ -35,14 +35,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml
@@ -29,14 +29,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml
@@ -54,14 +54,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml
@@ -64,14 +64,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_spotify.yml b/detection-rules/impersonation_spotify.yml
@@ -32,14 +32,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_sublime_security.yml b/detection-rules/impersonation_sublime_security.yml
@@ -24,14 +24,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 attack_types:
   - "Credential Phishing"

diff --git a/detection-rules/impersonation_ups.yml b/detection-rules/impersonation_ups.yml
@@ -23,14 +23,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_vanta.yml b/detection-rules/impersonation_vanta.yml
@@ -24,14 +24,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/impersonation_venmo.yml b/detection-rules/impersonation_venmo.yml
@@ -28,14 +28,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 attack_types:
   - "Credential Phishing"

diff --git a/detection-rules/impersonation_vip_urgent_request.yml b/detection-rules/impersonation_vip_urgent_request.yml
@@ -27,14 +27,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 attack_types:
   - "BEC/Fraud"

diff --git a/detection-rules/impersonation_wells_fargo.yml b/detection-rules/impersonation_wells_fargo.yml
@@ -32,14 +32,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/link_credential_phishing.yml b/detection-rules/link_credential_phishing.yml
@@ -21,14 +21,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:

diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
@@ -141,14 +141,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types: