Adding any_fp's as a standalone to ASR rules (#955)
morriscode authored Nov 14, 2023
1 parent 550da01 commit ef666d2
Showing 11 changed files with 32 additions and 40 deletions.
Expand Up @@ -17,9 +17,10 @@ source: |
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
and not profile.by_sender().any_false_positives
tags:
- "Attack surface reduction"
attack_types:
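Review bot: The inner `and not profile.by_sender().any_false_positives` between `profile.by_sender().any_messages_malicious_or_spam` and the closing `)` is left in place, so with the new top-level `and not profile.by_sender().any_false_positives` the same predicate is now evaluated twice, whereas every other file in this commit collapses the inner group to `or profile.by_sender().any_messages_malicious_or_spam`. The same redundant inner check survives in the last file section of this page, in the `or (` group that precedes the rewritten one. Dropping the inner line and its surrounding parentheses here would make the eleven rules read the same way; the file name for this first section is not shown on the page, and the `source` block continues outside the hunk.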
6 changes: 2 additions & 4 deletions detection-rules/attachment_any_html_new_sender.yml
Expand Up @@ -13,11 +13,9 @@ source: |
and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives
// negate highly trusted sender domains unless they fail DMARC authentication
and
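Review bot: Lifting `and not profile.by_sender().any_false_positives` out of the inner group changes what the rule matches, not just its layout: previously a sender with `prevalence in ("new", "outlier")` fired regardless of false-positive history, whereas now a single prior false positive from that sender suppresses the rule on the prevalence branch too. That looks intended from the commit title, but nothing in the visible `source` records the trade-off, and the same applies to every other file section in this commit. A remark next to the new line, in the style of the existing `// negate highly trusted sender domains ...` comment, would make the suppression explicit: `// any prior false positive from this sender suppresses the rule regardless of prevalence or solicitation`. The `source` block continues outside the hunk.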
6 changes: 4 additions & 2 deletions detection-rules/attachment_any_html_unsolicited.yml
Expand Up @@ -12,10 +12,12 @@ source: |
type.inbound
and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
and (
not profile.by_sender().any_false_positives
and not profile.by_sender().solicited
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives
// negate highly trusted sender domains unless they fail DMARC authentication
and
(
Expand Up @@ -197,11 +197,10 @@ source: |
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives
tags:
- "Attack surface reduction"
attack_types:
9 changes: 4 additions & 5 deletions detection-rules/attachment_eml_with_html_attachment.yml
Expand Up @@ -41,15 +41,14 @@ source: |
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
profile.by_sender().prevalence in ("new", "outlier")
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives
tags:
- "Attack surface reduction"
attack_types:

- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
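Review bot: The replaced condition in this hunk goes beyond the any_false_positives refactor: `not profile.by_sender().solicited` is dropped and `profile.by_sender().prevalence in ("new", "outlier")` takes its place, so the rule stops firing for unsolicited mail from established senders and starts firing for new or outlier senders that were solicited. The commit title only describes making the false-positive check standalone, so either the description should call out this retargeting or the line should stay `not profile.by_sender().solicited`. The section's count of 4 additions against 3 visible added lines also suggests a blank line was added under `attack_types:`, which is harmless YAML but worth dropping if it is real rather than a rendering artifact. The `source` block continues outside the hunk.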
7 changes: 3 additions & 4 deletions detection-rules/attachment_js_file_execution.yml
Expand Up @@ -17,11 +17,10 @@ source: |
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives
tags:
- "Attack surface reduction"
attack_types:
7 changes: 3 additions & 4 deletions detection-rules/link_google_translate.yml
Expand Up @@ -13,11 +13,10 @@ source: |
and any(body.links, "google_translate_open_redirect" in .href_url.rewrite.encoders)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives
tags:
- "Attack surface reduction"
attack_types:
6 changes: 2 additions & 4 deletions detection-rules/link_new_domain_in_link_first_time_sender.yml
Expand Up @@ -9,11 +9,9 @@ source: |
and any(body.links, beta.whois(.href_url.domain).days_old <= 10)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives
tags:
- "Attack surface reduction"
attack_types:
Expand Up @@ -23,11 +23,10 @@ source: |
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives
tags:
- "Attack surface reduction"
tactics_and_techniques:
7 changes: 3 additions & 4 deletions detection-rules/sender_new_from_domain_first_time_sender.yml
Expand Up @@ -8,11 +8,10 @@ source: |
and beta.whois(sender.email.domain).days_old <= 10
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives
tags:
- "Attack surface reduction"
detection_methods:
Expand Up @@ -26,16 +26,15 @@ source: |
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
or profile.by_sender().any_messages_malicious_or_spam
)
)
and not profile.by_sender().any_false_positives
tags:
- "Attack surface reduction"
attack_types:
