From ecf3a6f549f82ecf28699ad40e9c094be979ce73 Mon Sep 17 00:00:00 2001
From: Josh Kamdjou
Date: Wed, 20 Nov 2024 07:41:57 +0200
Subject: [PATCH] New + updated Zip attachment insights (#2139)

---
 insights/attachments/encrypted_zip_attachment.yml | 12 ++++++++++++
 insights/attachments/encrypted_zip_inside.yml | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 insights/attachments/encrypted_zip_attachment.yml

diff --git a/insights/attachments/encrypted_zip_attachment.yml b/insights/attachments/encrypted_zip_attachment.yml
new file mode 100644
index 00000000000..86d56f03df2
--- /dev/null
+++ b/insights/attachments/encrypted_zip_attachment.yml
@@ -0,0 +1,12 @@
+name: "Encrypted zip attachment"
+type: "query"
+source: |
+ any(attachments,
+ (.file_type == "zip" or .file_extension == "zip")
+ and any(file.explode(.),
+ any(.flavors.yara, . == 'encrypted_zip') or .scan.zip.encrypted
+ )
+ )
+severity: "low"
+tags:
+ - "Suspicious attachments"
diff --git a/insights/attachments/encrypted_zip_inside.yml b/insights/attachments/encrypted_zip_inside.yml
index 6a6958e7afa..efd5385dd69 100644
--- a/insights/attachments/encrypted_zip_inside.yml
+++ b/insights/attachments/encrypted_zip_inside.yml
@@ -1,4 +1,4 @@
-name: "Files inside encrypted zip"
+name: "Files inside zip attachment"
 type: "query"
 source: |
 map(filter(attachments, .file_extension == "zip"),
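Review bot: The encryption test inside `any(file.explode(.), ...)` is applied to every file the explode yields, so if file.explode returns nested members as well as the top-level archive, a plain zip that merely contains an encrypted zip would also match here and overlap with the existing encrypted_zip_inside insight; if only the outer archive is meant, that should be stated, or the match restricted to the top-level file if the explode output lets you tell the levels apart. A short comment above the `source` block would help the next maintainer, e.g. `# Explode the attachment so yara flavors and zip scan results are available; both the 'encrypted_zip' flavor and .scan.zip.encrypted are checked so either signal alone is enough to match.` The `severity: "low"` choice may also deserve a one-line comment, since password-protected archives are a common way to get past attachment scanning and the password often travels in the message body, which is likely why practitioners would expect this to be weighted higher when combined with other signals.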