From 141b21fc6e3e7b57506cb49cc8c92f9bba9adae8 Mon Sep 17 00:00:00 2001
From: Sam Scholten <morriscode@gmail.com>
Date: Thu, 26 Oct 2023 20:04:38 -0400
Subject: [PATCH] Adding missed $
---
 detection-rules/attachment_any_html_unsolicited.yml | 4 ++--
 detection-rules/body_business_email_compromise_new_sender.yml | 4 ++--
 detection-rules/callback_phishing_nlu_body_or_attachments.yml | 4 ++--
 detection-rules/impersonation_amazon.yml | 4 ++--
 detection-rules/impersonation_amex.yml | 4 ++--
 detection-rules/impersonation_bank_of_america.yml | 4 ++--
 detection-rules/impersonation_chase.yml | 4 ++--
 detection-rules/impersonation_coinbase.yml | 4 ++--
 detection-rules/impersonation_dhl.yml | 4 ++--
 detection-rules/impersonation_dropbox.yml | 4 ++--
 detection-rules/impersonation_employee_urgent_request.yml | 4 ++--
 detection-rules/impersonation_human_resources.yml | 4 ++--
 detection-rules/impersonation_microsoft.yml | 4 ++--
 detection-rules/impersonation_paypal.yml | 4 ++--
 detection-rules/impersonation_spotify.yml | 4 ++--
 detection-rules/impersonation_sublime_security.yml | 4 ++--
 detection-rules/impersonation_ups.yml | 4 ++--
 detection-rules/impersonation_vanta.yml | 4 ++--
 detection-rules/impersonation_venmo.yml | 4 ++--
 detection-rules/impersonation_vip_urgent_request.yml | 4 ++--
 detection-rules/impersonation_wells_fargo.yml | 4 ++--
 detection-rules/link_credential_phishing.yml | 4 ++--
 detection-rules/link_microsoft_low_reputation.yml | 4 ++--
 detection-rules/link_qr_code_suspicious_language_fts.yml | 4 ++--
 detection-rules/qr_code_suspicious_indicators.yml | 4 ++--
 25 files changed, 50 insertions(+), 50 deletions(-)
diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
index 48c118ebf6f..63930d5d697 100644
--- a/detection-rules/attachment_any_html_unsolicited.yml
+++ b/detection-rules/attachment_any_html_unsolicited.yml
@@ -20,14 +20,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) tags: - "Attack surface reduction"
diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml
index af3b145c073..2c611b22b9e 100644
--- a/detection-rules/body_business_email_compromise_new_sender.yml
+++ b/detection-rules/body_business_email_compromise_new_sender.yml
@@ -33,14 +33,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
index 976126c7348..3759b91daae 100644
--- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml
+++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml
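Review bot: The `$` fix is mechanical, but nothing in the change says how these rules behaved while the bare `high_trust_sender_root_domains` was in place — whether they failed to load or evaluated the `in` / `not in` gate against an unknown name — which is exactly what a detection-coverage review of the affected window needs; the same two lines recur in the other 24 hunks (body_business_email_compromise_new_sender through qr_code_suspicious_indicators), so this note applies to all of them. Since the fragment is copied verbatim into 25 rules, a repository-level check that every `in` / `not in` operand inside a `source:` block is `$`-prefixed (for example, a test that fails on a bare `high_trust_sender_root_domains` token — a constructed check, to be adapted to the repo's rule validator) would stop the same drift from recurring. A sentence in the commit message naming the affected rules and the period during which they carried the bare identifier would also help anyone auditing what was and was not being evaluated. The `source:` expression these lines belong to begins before the hunk.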
@@ -44,14 +44,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index 24bfa22f0ca..fefefa60530 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -63,14 +63,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_amex.yml b/detection-rules/impersonation_amex.yml
index f358796348d..2655b4dddd8 100644
--- a/detection-rules/impersonation_amex.yml
+++ b/detection-rules/impersonation_amex.yml
@@ -31,14 +31,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_bank_of_america.yml b/detection-rules/impersonation_bank_of_america.yml
index 3aa68a79d4f..a2a1d56a231 100644
--- a/detection-rules/impersonation_bank_of_america.yml
+++ b/detection-rules/impersonation_bank_of_america.yml
@@ -19,14 +19,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_chase.yml b/detection-rules/impersonation_chase.yml
index 73145ed206a..d42cdebe6c7 100644
--- a/detection-rules/impersonation_chase.yml
+++ b/detection-rules/impersonation_chase.yml
@@ -35,14 +35,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_coinbase.yml b/detection-rules/impersonation_coinbase.yml
index 9cb1aed5dc1..da67b05fe84 100644
--- a/detection-rules/impersonation_coinbase.yml
+++ b/detection-rules/impersonation_coinbase.yml
@@ -33,14 +33,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) tags: - "Cryptocurrency"
diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml
index abb15727ede..369bf556318 100644
--- a/detection-rules/impersonation_dhl.yml
+++ b/detection-rules/impersonation_dhl.yml
@@ -36,14 +36,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_dropbox.yml b/detection-rules/impersonation_dropbox.yml
index 5bd552d3ca6..394faee4bbb 100644
--- a/detection-rules/impersonation_dropbox.yml
+++ b/detection-rules/impersonation_dropbox.yml
@@ -21,14 +21,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_employee_urgent_request.yml b/detection-rules/impersonation_employee_urgent_request.yml
index cfb2a2744aa..d79b3301a55 100644
--- a/detection-rules/impersonation_employee_urgent_request.yml
+++ b/detection-rules/impersonation_employee_urgent_request.yml
@@ -35,14 +35,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml
index 6677eda048f..dde8c198b23 100644
--- a/detection-rules/impersonation_human_resources.yml
+++ b/detection-rules/impersonation_human_resources.yml
@@ -29,14 +29,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml
index 1222dd021a1..2eb31286c2a 100644
--- a/detection-rules/impersonation_microsoft.yml
+++ b/detection-rules/impersonation_microsoft.yml
@@ -54,14 +54,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml
index 2ce6cecde42..556837e94c9 100644
--- a/detection-rules/impersonation_paypal.yml
+++ b/detection-rules/impersonation_paypal.yml
@@ -64,14 +64,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_spotify.yml b/detection-rules/impersonation_spotify.yml
index c258ec87972..989da91b16d 100644
--- a/detection-rules/impersonation_spotify.yml
+++ b/detection-rules/impersonation_spotify.yml
@@ -32,14 +32,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_sublime_security.yml b/detection-rules/impersonation_sublime_security.yml
index a83f6fc2b68..2d7e10449d9 100644
--- a/detection-rules/impersonation_sublime_security.yml
+++ b/detection-rules/impersonation_sublime_security.yml
@@ -24,14 +24,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types: - "Credential Phishing"
diff --git a/detection-rules/impersonation_ups.yml b/detection-rules/impersonation_ups.yml
index bd38a1f7a15..383f3a6e0ec 100644
--- a/detection-rules/impersonation_ups.yml
+++ b/detection-rules/impersonation_ups.yml
@@ -23,14 +23,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_vanta.yml b/detection-rules/impersonation_vanta.yml
index b2f819778be..39c6d5ef1a0 100644
--- a/detection-rules/impersonation_vanta.yml
+++ b/detection-rules/impersonation_vanta.yml
@@ -24,14 +24,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/impersonation_venmo.yml b/detection-rules/impersonation_venmo.yml
index 4d7248b3af5..61b4f12f8d8 100644
--- a/detection-rules/impersonation_venmo.yml
+++ b/detection-rules/impersonation_venmo.yml
@@ -28,14 +28,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types: - "Credential Phishing"
diff --git a/detection-rules/impersonation_vip_urgent_request.yml b/detection-rules/impersonation_vip_urgent_request.yml
index f80878b81a0..02611bfeb1e 100644
--- a/detection-rules/impersonation_vip_urgent_request.yml
+++ b/detection-rules/impersonation_vip_urgent_request.yml
@@ -27,14 +27,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types: - "BEC/Fraud"
diff --git a/detection-rules/impersonation_wells_fargo.yml b/detection-rules/impersonation_wells_fargo.yml
index 7ca3a7b50c5..c63f6bd6988 100644
--- a/detection-rules/impersonation_wells_fargo.yml
+++ b/detection-rules/impersonation_wells_fargo.yml
@@ -32,14 +32,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/link_credential_phishing.yml b/detection-rules/link_credential_phishing.yml
index e34aa693dae..24184577d11 100644
--- a/detection-rules/link_credential_phishing.yml
+++ b/detection-rules/link_credential_phishing.yml
@@ -21,14 +21,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
index 08bd17e23b5..b8a2e2ec3c5 100644
--- a/detection-rules/link_microsoft_low_reputation.yml
+++ b/detection-rules/link_microsoft_low_reputation.yml
@@ -141,14 +141,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
index e406d25a7c8..ddbf41c778f 100644
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ b/detection-rules/link_qr_code_suspicious_language_fts.yml
@@ -56,14 +56,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types:
diff --git a/detection-rules/qr_code_suspicious_indicators.yml b/detection-rules/qr_code_suspicious_indicators.yml
index 166dd6edce3..a5a70fedcf8 100644
--- a/detection-rules/qr_code_suspicious_indicators.yml
+++ b/detection-rules/qr_code_suspicious_indicators.yml
@@ -46,14 +46,14 @@ source: |
 and ( (
- sender.email.domain.root_domain in high_trust_sender_root_domains
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
 and ( any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail") ) ) )
- or sender.email.domain.root_domain not in high_trust_sender_root_domains
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 ) attack_types: