From 68f430f1ee581137996f8fdc7c6d78bef5c6541b Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Wed, 11 Oct 2023 08:24:08 -0700
Subject: [PATCH] Moving rule to discovery + creating insight (#854)

---
 ...rsonation_recipient_sld_in_sender_local_fts.yml | 0
 insights/sender/recipient_sld_in_sender_local.yml | 14 ++++++++++++++
 2 files changed, 14 insertions(+)
 rename {detection-rules => discovery-rules}/impersonation_recipient_sld_in_sender_local_fts.yml (100%)
 create mode 100644 insights/sender/recipient_sld_in_sender_local.yml

diff --git a/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml b/discovery-rules/impersonation_recipient_sld_in_sender_local_fts.yml
similarity index 100%
rename from detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml
rename to discovery-rules/impersonation_recipient_sld_in_sender_local_fts.yml
diff --git a/insights/sender/recipient_sld_in_sender_local.yml b/insights/sender/recipient_sld_in_sender_local.yml
new file mode 100644
index 00000000000..7c6b8d7bfc3
--- /dev/null
+++ b/insights/sender/recipient_sld_in_sender_local.yml
@@ -0,0 +1,14 @@
+name: "Recipient SLD in sender's email address local part"
+description: |
+ The sender's email address local part contains the recipient's SLD.
+type: "query"
+source: |
+ type.inbound
+ and any(recipients.to,
+ (
+ strings.contains(sender.email.local_part, .email.domain.sld)
+ // checking to ensure no FPs, like "me" in "me.com"
+ and length(.email.domain.sld) > 3
+ )
+ )
+severity: "medium"
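Review bot: The `description` block scalar in the new insights/sender/recipient_sld_in_sender_local.yml says only that the local part contains the recipient's SLD, but the `source` query also discards any SLD of three characters or fewer (`and length(.email.domain.sld) > 3`), so the insight never fires for short SLDs such as the `me.com` case in the inline comment; that filter belongs in the description, e.g. `The sender's email address local part contains the recipient's SLD (SLDs of 3 characters or fewer are ignored to limit false positives).` The match is also a plain substring test on `sender.email.local_part`, so a longer local part that merely embeds the SLD inside another word still matches, and it is not clear from the hunk whether the comparison is case-insensitive; if the query language offers a case-insensitive variant of `strings.contains`, it is worth confirming which comparison is intended, since local parts are commonly mixed-case. Only `recipients.to` is inspected, so a recipient reached via cc is not covered; if that is deliberate it should be stated in the description. The first file section is a pure rename and needs no review.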