New + updated Zip attachment insights (#2139)

sublime-security · Nov 20, 2024 · ecf3a6f · ecf3a6f
1 parent 0e7a302
commit ecf3a6f
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/insights/attachments/encrypted_zip_attachment.yml b/insights/attachments/encrypted_zip_attachment.yml
@@ -0,0 +1,12 @@
+name: "Encrypted zip attachment"
+type: "query"
+source: |
+  any(attachments,
+          (.file_type == "zip" or .file_extension == "zip")
+          and any(file.explode(.),
+                  any(.flavors.yara, . == 'encrypted_zip') or .scan.zip.encrypted
+          )
+  )
+severity: "low"
+tags:
+  - "Suspicious attachments"
diff --git a/insights/attachments/encrypted_zip_inside.yml b/insights/attachments/encrypted_zip_inside.yml
@@ -1,4 +1,4 @@
-name: "Files inside encrypted zip"
+name: "Files inside zip attachment"
 type: "query"
 source: |
   map(filter(attachments, .file_extension == "zip"),