Swapping .received_spf verdictfor .authentication_results.spf (#954)

sublime-security · Nov 13, 2023 · b0f8854 · b0f8854
1 parent 2feb783
commit b0f8854
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 8 deletions.
diff --git a/detection-rules/body_business_email_compromise_unsolicited.yml b/detection-rules/body_business_email_compromise_unsolicited.yml
@@ -22,8 +22,8 @@ source: |
     ),
     (
       // SPF failure
-      any(distinct(headers.hops, .received_spf.verdict is not null),
-          strings.ilike(.received_spf.verdict, "*fail")
+      any(distinct(headers.hops, .authentication_results.spf is not null),
+          strings.ilike(.authentication_results.spf, "*fail")
       )
     ),
   )

diff --git a/detection-rules/impersonation_blockchain.yml b/detection-rules/impersonation_blockchain.yml
@@ -11,8 +11,8 @@ source: |
     or strings.ilike(sender.email.domain.domain, '*blockchain.com*')
     or any(body.links, strings.ilevenshtein(.href_url.domain.root_domain, 'blockchain') == 1)
   )
-  and any(distinct(headers.hops, .received_spf.verdict is not null),
-          strings.like(.received_spf.verdict, "*fail")
+  and any(distinct(headers.hops, .authentication_results.spf is not null),
+          strings.like(.authentication_results.spf, "*fail")
   )
   and sender.email.domain.root_domain not in~ (
     'blockchain.com',

diff --git a/detection-rules/spoofable_internal_domain_suspicious_signals.yml b/detection-rules/spoofable_internal_domain_suspicious_signals.yml
@@ -22,7 +22,7 @@ source: |
           .authentication_results.dmarc_details.from.domain in $org_domains
 
           // internal domain is spoofable
-          and .authentication_results.dmarc_details.verdict == "none"
+          and .authentication_results.dmarc == "none"
           and .authentication_results.spf == "none"
           and .authentication_results.compauth.verdict not in ("pass", "softpass")
   )

diff --git a/insights/authentication/spf_any_fail.yml b/insights/authentication/spf_any_fail.yml
@@ -1,7 +1,7 @@
 name: "SPF: Fail"
 type: "query"
 source: |
-  any(distinct(headers.hops, .received_spf.verdict is not null), strings.ilike(.received_spf.verdict, "*fail"))
+  any(distinct(headers.hops, .authentication_results.spf is not null), strings.ilike(.authentication_results.spf, "*fail"))
 severity: "medium"
 tags:
   - "Sender authentication"
diff --git a/signals/authentication/authentication_spf_error.yml b/signals/authentication/authentication_spf_error.yml
@@ -1,4 +1,4 @@
 name: "Authentication: SPF Error"
 type: "query"
 source: |
-  any(distinct(headers.hops, .received_spf.verdict is not null), strings.ilike(.received_spf.verdict, "*error"))
+  any(distinct(headers.hops, .authentication_results.spf is not null), strings.ilike(.authentication_results.spf, "*error"))
diff --git a/signals/authentication/authentication_spf_failure.yml b/signals/authentication/authentication_spf_failure.yml
@@ -1,4 +1,4 @@
 name: "Authentication: SPF Failure"
 type: "query"
 source: |
-  any(distinct(headers.hops, .received_spf.verdict is not null), strings.ilike(.received_spf.verdict, "*fail"))
+  any(distinct(headers.hops, .authentication_results.spf is not null), strings.ilike(.authentication_results.spf, "*fail"))