From 141b21fc6e3e7b57506cb49cc8c92f9bba9adae8 Mon Sep 17 00:00:00 2001
From: Sam Scholten <morriscode@gmail.com>
Date: Thu, 26 Oct 2023 20:04:38 -0400
Subject: [PATCH] Adding missed $

---
 detection-rules/attachment_any_html_unsolicited.yml           | 4 ++--
 detection-rules/body_business_email_compromise_new_sender.yml | 4 ++--
 detection-rules/callback_phishing_nlu_body_or_attachments.yml | 4 ++--
 detection-rules/impersonation_amazon.yml                      | 4 ++--
 detection-rules/impersonation_amex.yml                        | 4 ++--
 detection-rules/impersonation_bank_of_america.yml             | 4 ++--
 detection-rules/impersonation_chase.yml                       | 4 ++--
 detection-rules/impersonation_coinbase.yml                    | 4 ++--
 detection-rules/impersonation_dhl.yml                         | 4 ++--
 detection-rules/impersonation_dropbox.yml                     | 4 ++--
 detection-rules/impersonation_employee_urgent_request.yml     | 4 ++--
 detection-rules/impersonation_human_resources.yml             | 4 ++--
 detection-rules/impersonation_microsoft.yml                   | 4 ++--
 detection-rules/impersonation_paypal.yml                      | 4 ++--
 detection-rules/impersonation_spotify.yml                     | 4 ++--
 detection-rules/impersonation_sublime_security.yml            | 4 ++--
 detection-rules/impersonation_ups.yml                         | 4 ++--
 detection-rules/impersonation_vanta.yml                       | 4 ++--
 detection-rules/impersonation_venmo.yml                       | 4 ++--
 detection-rules/impersonation_vip_urgent_request.yml          | 4 ++--
 detection-rules/impersonation_wells_fargo.yml                 | 4 ++--
 detection-rules/link_credential_phishing.yml                  | 4 ++--
 detection-rules/link_microsoft_low_reputation.yml             | 4 ++--
 detection-rules/link_qr_code_suspicious_language_fts.yml      | 4 ++--
 detection-rules/qr_code_suspicious_indicators.yml             | 4 ++--
 25 files changed, 50 insertions(+), 50 deletions(-)

diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
index 48c118ebf6f..63930d5d697 100644
--- a/detection-rules/attachment_any_html_unsolicited.yml
+++ b/detection-rules/attachment_any_html_unsolicited.yml
@@ -20,14 +20,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 tags:
   - "Attack surface reduction"
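Review bot: With `$high_trust_sender_root_domains` now resolving, the exemption in this block fails open: a sender whose root domain is on the list is skipped unless a hop's DMARC result matches `"*fail"`, so a message with no DMARC result at all, or with `none`, `temperror` or `permerror`, is treated as trusted. Because the From domain is set by the sender, the exemption is safer when it requires a positive pass, for example `and not any(headers.hops, strings.ilike(.authentication_results.dmarc, "pass"))` in place of the `*fail` test. The same block is repeated in the other 24 files of this patch, and the enclosing `source:` expression starts above the hunk, so confirm that no earlier clause already requires authentication.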
diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml
index af3b145c073..2c611b22b9e 100644
--- a/detection-rules/body_business_email_compromise_new_sender.yml
+++ b/detection-rules/body_business_email_compromise_new_sender.yml
@@ -33,14 +33,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
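Review bot: The `distinct(headers.hops, .authentication_results.dmarc is not null)` call keys on a boolean, so it appears to hand at most two hops to `any`, only one of which carries a DMARC result; a `fail` recorded on a different hop would then go unseen. If the intent is that any failing hop voids the exemption, `any(headers.hops, strings.ilike(.authentication_results.dmarc, "*fail"))` states that directly; if one specific hop is meant, a `//` comment above the block naming it would help the next rule author. This is inferred from the call shape and should be checked against how `distinct` orders its output; the pattern is identical in every file of the patch.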
diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index 976126c7348..3759b91daae 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
@@ -44,14 +44,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index 24bfa22f0ca..fefefa60530 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -63,14 +63,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_amex.yml b/detection-rules/impersonation_amex.yml
index f358796348d..2655b4dddd8 100644
--- a/detection-rules/impersonation_amex.yml
+++ b/detection-rules/impersonation_amex.yml
@@ -31,14 +31,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_bank_of_america.yml b/detection-rules/impersonation_bank_of_america.yml
index 3aa68a79d4f..a2a1d56a231 100644
--- a/detection-rules/impersonation_bank_of_america.yml
+++ b/detection-rules/impersonation_bank_of_america.yml
@@ -19,14 +19,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_chase.yml b/detection-rules/impersonation_chase.yml
index 73145ed206a..d42cdebe6c7 100644
--- a/detection-rules/impersonation_chase.yml
+++ b/detection-rules/impersonation_chase.yml
@@ -35,14 +35,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_coinbase.yml b/detection-rules/impersonation_coinbase.yml
index 9cb1aed5dc1..da67b05fe84 100644
--- a/detection-rules/impersonation_coinbase.yml
+++ b/detection-rules/impersonation_coinbase.yml
@@ -33,14 +33,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 tags:
   - "Cryptocurrency"
diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml
index abb15727ede..369bf556318 100644
--- a/detection-rules/impersonation_dhl.yml
+++ b/detection-rules/impersonation_dhl.yml
@@ -36,14 +36,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_dropbox.yml b/detection-rules/impersonation_dropbox.yml
index 5bd552d3ca6..394faee4bbb 100644
--- a/detection-rules/impersonation_dropbox.yml
+++ b/detection-rules/impersonation_dropbox.yml
@@ -21,14 +21,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_employee_urgent_request.yml b/detection-rules/impersonation_employee_urgent_request.yml
index cfb2a2744aa..d79b3301a55 100644
--- a/detection-rules/impersonation_employee_urgent_request.yml
+++ b/detection-rules/impersonation_employee_urgent_request.yml
@@ -35,14 +35,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml
index 6677eda048f..dde8c198b23 100644
--- a/detection-rules/impersonation_human_resources.yml
+++ b/detection-rules/impersonation_human_resources.yml
@@ -29,14 +29,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml
index 1222dd021a1..2eb31286c2a 100644
--- a/detection-rules/impersonation_microsoft.yml
+++ b/detection-rules/impersonation_microsoft.yml
@@ -54,14 +54,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml
index 2ce6cecde42..556837e94c9 100644
--- a/detection-rules/impersonation_paypal.yml
+++ b/detection-rules/impersonation_paypal.yml
@@ -64,14 +64,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_spotify.yml b/detection-rules/impersonation_spotify.yml
index c258ec87972..989da91b16d 100644
--- a/detection-rules/impersonation_spotify.yml
+++ b/detection-rules/impersonation_spotify.yml
@@ -32,14 +32,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_sublime_security.yml b/detection-rules/impersonation_sublime_security.yml
index a83f6fc2b68..2d7e10449d9 100644
--- a/detection-rules/impersonation_sublime_security.yml
+++ b/detection-rules/impersonation_sublime_security.yml
@@ -24,14 +24,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 attack_types:
   - "Credential Phishing"
diff --git a/detection-rules/impersonation_ups.yml b/detection-rules/impersonation_ups.yml
index bd38a1f7a15..383f3a6e0ec 100644
--- a/detection-rules/impersonation_ups.yml
+++ b/detection-rules/impersonation_ups.yml
@@ -23,14 +23,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_vanta.yml b/detection-rules/impersonation_vanta.yml
index b2f819778be..39c6d5ef1a0 100644
--- a/detection-rules/impersonation_vanta.yml
+++ b/detection-rules/impersonation_vanta.yml
@@ -24,14 +24,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/impersonation_venmo.yml b/detection-rules/impersonation_venmo.yml
index 4d7248b3af5..61b4f12f8d8 100644
--- a/detection-rules/impersonation_venmo.yml
+++ b/detection-rules/impersonation_venmo.yml
@@ -28,14 +28,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 attack_types:
   - "Credential Phishing"
diff --git a/detection-rules/impersonation_vip_urgent_request.yml b/detection-rules/impersonation_vip_urgent_request.yml
index f80878b81a0..02611bfeb1e 100644
--- a/detection-rules/impersonation_vip_urgent_request.yml
+++ b/detection-rules/impersonation_vip_urgent_request.yml
@@ -27,14 +27,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 attack_types:
   - "BEC/Fraud"
diff --git a/detection-rules/impersonation_wells_fargo.yml b/detection-rules/impersonation_wells_fargo.yml
index 7ca3a7b50c5..c63f6bd6988 100644
--- a/detection-rules/impersonation_wells_fargo.yml
+++ b/detection-rules/impersonation_wells_fargo.yml
@@ -32,14 +32,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/link_credential_phishing.yml b/detection-rules/link_credential_phishing.yml
index e34aa693dae..24184577d11 100644
--- a/detection-rules/link_credential_phishing.yml
+++ b/detection-rules/link_credential_phishing.yml
@@ -21,14 +21,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
index 08bd17e23b5..b8a2e2ec3c5 100644
--- a/detection-rules/link_microsoft_low_reputation.yml
+++ b/detection-rules/link_microsoft_low_reputation.yml
@@ -141,14 +141,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
index e406d25a7c8..ddbf41c778f 100644
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ b/detection-rules/link_qr_code_suspicious_language_fts.yml
@@ -56,14 +56,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types:
diff --git a/detection-rules/qr_code_suspicious_indicators.yml b/detection-rules/qr_code_suspicious_indicators.yml
index 166dd6edce3..a5a70fedcf8 100644
--- a/detection-rules/qr_code_suspicious_indicators.yml
+++ b/detection-rules/qr_code_suspicious_indicators.yml
@@ -46,14 +46,14 @@ source: |
   and
   (
     (
-      sender.email.domain.root_domain in high_trust_sender_root_domains
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
       and (
         any(distinct(headers.hops, .authentication_results.dmarc is not null),
             strings.ilike(.authentication_results.dmarc, "*fail")
         )
       )
     )
-    or sender.email.domain.root_domain not in high_trust_sender_root_domains
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
 
 attack_types: