Sync from PR#2130

Create impersonation_benefits_enrollment.yml by @aidenmitchell #2130 Source SHA d2b2e55 Triggered by @aidenmitchell
sublime-security · Nov 22, 2024 · 95aa412 · 95aa412
1 parent 6c4a511
commit 95aa412
Showing 1 changed file with 17 additions and 17 deletions.
diff --git a/detection-rules/impersonation_benefits_enrollment.yml b/detection-rules/impersonation_benefits_enrollment.yml
@@ -6,7 +6,7 @@ source: |
   type.inbound
   and sender.email.domain.domain not in $org_domains
   and length(body.current_thread.text) < 2500
-  and 1 of (
+  and (
     regex.icontains(subject.subject,
                     '(open|benefits?) enrol{1,2}ment', // catches both enrolment and enrollment
                     'benefit(s)? (plan|choice|selection|deadline|period)',
@@ -16,21 +16,21 @@ source: |
                     '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
                     'dependent (coverage|verification)',
                     '(health|dental|vision|insurance|medical) enrol{1,2}ment'
-    ),
-    regex.icontains(body.current_thread.text,
-                    '(open|benefits?) enrol{1,2}ment',
-                    'benefit(s)? (plan|choice|selection|deadline|period)',
-                    'hr benefits',
-                    'annual enrol{1,2}ment',
-                    'healthcare (choice|selection|opt.?in)',
-                    '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
-                    'dependent (coverage|verification)',
-                    '(health|dental|vision|insurance|medical) enrol{1,2}ment',
-                    '(urgent|immediate) action required.*(benefit|enrol{1,2}ment)',
-                    'coverage.*(expire|terminate)',
-                    'last (day|chance).*(enrol{1,2}|select)',
-                    '(login|sign.?in).*(benefit portal|hr portal)',
-                    '(verify|update|confirm).*(benefit.*selection)'
+    )
+    or regex.icontains(body.current_thread.text,
+                       '(open|benefits?) enrol{1,2}ment',
+                       'benefit(s)? (plan|choice|selection|deadline|period)',
+                       'hr benefits',
+                       'annual enrol{1,2}ment',
+                       'healthcare (choice|selection|opt.?in)',
+                       '(fsa|hsa|401k) (enrol{1,2}ment|selection)',
+                       'dependent (coverage|verification)',
+                       '(health|dental|vision|insurance|medical) enrol{1,2}ment',
+                       '(urgent|immediate) action required.{0,20}(benefit|enrol{1,2}ment)',
+                       'coverage.{0,20}(expire|terminate)',
+                       'last (day|chance).{0,20}(enrol{1,2}|select)',
+                       '(login|sign.?in).{0,20}(benefit portal|hr portal)',
+                       '(verify|update|confirm).{0,20}(benefit.{0,20}selection)'
     )
   )
   and 1 of (
@@ -101,4 +101,4 @@ detection_methods:
   - "Sender analysis"
 id: "5a6eb5a8-2d91-5ed8-a0d2-fb3cc2fef40b"
 testing_pr: 2130
-testing_sha: 50c11df1bc9000a7e886b5fbc0bf367ce0a1bd6c
+testing_sha: d2b2e55324bcec2a7cb688bfc53f3b8f99467f58