From b0f88546734f0732ce201cb9e6bea930036d4b4d Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 13 Nov 2023 16:23:02 -0500
Subject: [PATCH] Swapping .received_spf verdictfor .authentication_results.spf (#954)
---
 .../body_business_email_compromise_unsolicited.yml | 4 ++--
 detection-rules/impersonation_blockchain.yml | 4 ++--
 .../spoofable_internal_domain_suspicious_signals.yml | 2 +-
 insights/authentication/spf_any_fail.yml | 2 +-
 signals/authentication/authentication_spf_error.yml | 2 +-
 signals/authentication/authentication_spf_failure.yml | 2 +-
 6 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/detection-rules/body_business_email_compromise_unsolicited.yml b/detection-rules/body_business_email_compromise_unsolicited.yml
index 2eb2383c0c6..69e2b4d3e73 100644
--- a/detection-rules/body_business_email_compromise_unsolicited.yml
+++ b/detection-rules/body_business_email_compromise_unsolicited.yml
@@ -22,8 +22,8 @@ source: |
 ),
 (
 // SPF failure
- any(distinct(headers.hops, .received_spf.verdict is not null),
- strings.ilike(.received_spf.verdict, "*fail")
+ any(distinct(headers.hops, .authentication_results.spf is not null),
+ strings.ilike(.authentication_results.spf, "*fail")
 )
 ),
 )
diff --git a/detection-rules/impersonation_blockchain.yml b/detection-rules/impersonation_blockchain.yml
index 89db7b6df80..e5068b58f0c 100644
--- a/detection-rules/impersonation_blockchain.yml
+++ b/detection-rules/impersonation_blockchain.yml
@@ -11,8 +11,8 @@ source: |
 or strings.ilike(sender.email.domain.domain, '*blockchain.com*')
 or any(body.links, strings.ilevenshtein(.href_url.domain.root_domain, 'blockchain') == 1)
 )
- and any(distinct(headers.hops, .received_spf.verdict is not null),
- strings.like(.received_spf.verdict, "*fail")
+ and any(distinct(headers.hops, .authentication_results.spf is not null),
+ strings.like(.authentication_results.spf, "*fail")
 )
 and sender.email.domain.root_domain not in~ (
 'blockchain.com',
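Review bot: The added `any(distinct(headers.hops, .authentication_results.spf is not null), …)` only ever inspects whichever hop `distinct` keeps for the key value `true`; if `distinct(list, key)` returns one representative element per distinct key value, as it reads, a message whose first SPF-bearing hop reports `pass` at an internal relay and a later hop reports `fail` is never flagged. Since `any` is indifferent to duplicates, the dedup step buys nothing, and the plain `any(headers.hops, strings.ilike(.authentication_results.spf, "*fail"))` evaluates every hop (assuming a null value cannot satisfy the glob, the not-null guard is redundant). This behaviour is inherited from the old `.received_spf.verdict` form rather than introduced here, so please confirm the `distinct` semantics before changing it; note also that hop-level Authentication-Results headers can be injected by an upstream sender, so a `fail` seen on a non-gateway hop is a weaker signal than one stamped by the receiving MTA. The enclosing rule expression begins and ends outside the hunk.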
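Review bot: The rewritten condition in the impersonation_blockchain hunk uses the case-sensitive `strings.like(.authentication_results.spf, "*fail")`, while the identical check in every other file touched by this patch uses `strings.ilike`; a parser that emits `Fail`/`SoftFail` with capitals would silently disable the SPF leg of this rule. Unless the field is known to be normalized to lower case, change it to `strings.ilike(.authentication_results.spf, "*fail")` so all six rules agree. The enclosing expression starts and ends outside the hunk.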
diff --git a/detection-rules/spoofable_internal_domain_suspicious_signals.yml b/detection-rules/spoofable_internal_domain_suspicious_signals.yml
index 442aa897331..f38ce2e1b94 100644
--- a/detection-rules/spoofable_internal_domain_suspicious_signals.yml
+++ b/detection-rules/spoofable_internal_domain_suspicious_signals.yml
@@ -22,7 +22,7 @@ source: |
 .authentication_results.dmarc_details.from.domain in $org_domains
 // internal domain is spoofable
- and .authentication_results.dmarc_details.verdict == "none"
+ and .authentication_results.dmarc == "none"
 and .authentication_results.spf == "none"
 and .authentication_results.compauth.verdict not in ("pass", "softpass")
 )
diff --git a/insights/authentication/spf_any_fail.yml b/insights/authentication/spf_any_fail.yml
index 6ccd78cf1bf..795f4f9aee5 100644
--- a/insights/authentication/spf_any_fail.yml
+++ b/insights/authentication/spf_any_fail.yml
@@ -1,7 +1,7 @@
 name: "SPF: Fail"
 type: "query"
 source: |
- any(distinct(headers.hops, .received_spf.verdict is not null), strings.ilike(.received_spf.verdict, "*fail"))
+ any(distinct(headers.hops, .authentication_results.spf is not null), strings.ilike(.authentication_results.spf, "*fail"))
 severity: "medium"
 tags:
 - "Sender authentication"
diff --git a/signals/authentication/authentication_spf_error.yml b/signals/authentication/authentication_spf_error.yml
index aec2a5e3ace..cb25d5bdecb 100644
--- a/signals/authentication/authentication_spf_error.yml
+++ b/signals/authentication/authentication_spf_error.yml
@@ -1,4 +1,4 @@
 name: "Authentication: SPF Error"
 type: "query"
 source: |
- any(distinct(headers.hops, .received_spf.verdict is not null), strings.ilike(.received_spf.verdict, "*error"))
\ No newline at end of file
+ any(distinct(headers.hops, .authentication_results.spf is not null), strings.ilike(.authentication_results.spf, "*error"))
\ No newline at end of file
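Review bot: The swap of `.authentication_results.dmarc_details.verdict` for `.authentication_results.dmarc` on the added line of the spoofable_internal_domain hunk is a different field change from the one the commit title describes (received_spf → authentication_results.spf), and nothing in the patch shows that the two DMARC fields carry the same normalized values; please state this in the commit message and confirm the equivalence against the schema. Separately, `== "none"` matches only an explicit DMARC `none` result: if the parser yields null when no Authentication-Results header is present at all, a message with no DMARC evaluation whatsoever will not be treated as spoofable, which is arguably the riskier case. If excluding that is intended, a comment such as `// "none" = DMARC evaluated, no policy; a missing header (null) is deliberately not treated as spoofable` would make it explicit; otherwise `.authentication_results.dmarc is null or .authentication_results.dmarc == "none"` is worth considering. The enclosing rule expression begins and ends outside the hunk.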
diff --git a/signals/authentication/authentication_spf_failure.yml b/signals/authentication/authentication_spf_failure.yml
index b6bc7922795..6285c609044 100644
--- a/signals/authentication/authentication_spf_failure.yml
+++ b/signals/authentication/authentication_spf_failure.yml
@@ -1,4 +1,4 @@
 name: "Authentication: SPF Failure"
 type: "query"
 source: |
- any(distinct(headers.hops, .received_spf.verdict is not null), strings.ilike(.received_spf.verdict, "*fail"))
\ No newline at end of file
+ any(distinct(headers.hops, .authentication_results.spf is not null), strings.ilike(.authentication_results.spf, "*fail"))
\ No newline at end of file
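Review bot: The new query keeps `"*fail"` as the glob, so this "SPF Failure" signal fires on `softfail` as well as `fail`; RFC 7208 treats softfail as advisory, and a triager reading the signal name will likely assume a hard fail. Consider documenting that in the rule, e.g. a `description: "Any hop reports an SPF result ending in 'fail', which covers both fail and softfail"` key if the file schema allows one, or splitting the two results into separate signals. The file also still ends without a trailing newline (`\ No newline at end of file` after the added line); adding it while the line is being rewritten keeps future diffs clean.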