Sync from PR#2192

Create link_issuu_unsolicited.yml by @zoomequipd #2192 Source SHA a7a8e4f Triggered by @zoomequipd
sublime-security · Dec 11, 2024 · e1ce1e7 · e1ce1e7
1 parent 5a11f81
commit e1ce1e7
Showing 1 changed file with 22 additions and 5 deletions.
diff --git a/detection-rules/link_issuu_unsolicited.yml b/detection-rules/link_issuu_unsolicited.yml
@@ -4,11 +4,22 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-  and any(body.links,
-          // issuu link
-          .href_url.domain.root_domain == 'issuu.com'
-          and strings.icontains(.href_url.path, "/docs/")
+  and any(filter(body.links,
+                 // issuu link
+                 .href_url.domain.root_domain == 'issuu.com'
+                 and strings.icontains(.href_url.path, "/docs/")
+          ),
+          (
+            .href_url.query_params is null
+            // reduce alerting on newsletters, flyers, etc
+            // by ensure there are not any marketing focused query param keys like utm_source
+            or regex.imatch(.href_url.query_params, '^fr=[^\&]+$')
+          )
   )
+
+  // to further reduce noise from newsletters/flyers inspect the number of imbedded images
+  and strings.icount(body.html.raw, '<img') < 15
+
   // not solicited or from malicious/spam user with no FPs
   and (
     not profile.by_sender().solicited
@@ -18,6 +29,12 @@ source: |
     )
   )
 
+  // netgate common senders which have not been marked as malicious
+  and not (
+      profile.by_sender().prevalence in ("common", "rare")
+      and profile.by_sender().any_messages_malicious_or_spam == false
+  )
+
   // not from high trust sender root domains
   and (
     (
@@ -39,4 +56,4 @@ detection_methods:
   - "Sender analysis"
 id: "3e38b7fe-9ec1-5738-bff4-387ff4f9c750"
 testing_pr: 2192
-testing_sha: 082eb9b6f6bbabeddcbfb217a9bace842c48486f
+testing_sha: a7a8e4f006edadbd12e2fd96b5184b8068b4523c