From ef666d22f962558833c3bc8aacdcd88e48772cbd Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 14 Nov 2023 11:16:26 -0500
Subject: [PATCH] Adding any_fp's as a standalone to ASR rules (#955)
---
 .../attachment_any_html_in_archive_unsolicited.yml | 3 ++-
 detection-rules/attachment_any_html_new_sender.yml | 6 ++----
 detection-rules/attachment_any_html_unsolicited.yml | 6 ++++--
 .../attachment_disallowed_file_type_in_archive.yml | 7 +++----
 detection-rules/attachment_eml_with_html_attachment.yml | 9 ++++-----
 detection-rules/attachment_js_file_execution.yml | 7 +++----
 detection-rules/link_google_translate.yml | 7 +++----
 .../link_new_domain_in_link_first_time_sender.yml | 6 ++----
 .../recipients_undisclosed_free_subdomain_host.yml | 7 +++----
 .../sender_new_from_domain_first_time_sender.yml | 7 +++----
 .../vip_impersonation_attack_surface_reduction.yml | 7 +++----
 11 files changed, 32 insertions(+), 40 deletions(-)
diff --git a/detection-rules/attachment_any_html_in_archive_unsolicited.yml b/detection-rules/attachment_any_html_in_archive_unsolicited.yml
index f7ab205f57a..6ed7fc8ec31 100644
--- a/detection-rules/attachment_any_html_in_archive_unsolicited.yml
+++ b/detection-rules/attachment_any_html_in_archive_unsolicited.yml
@@ -17,9 +17,10 @@ source: |
 not profile.by_sender().solicited
 or (
 profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
 )
 )
+
+ and not profile.by_sender().any_false_positives
 tags:
 - "Attack surface reduction"
 attack_types:
diff --git a/detection-rules/attachment_any_html_new_sender.yml b/detection-rules/attachment_any_html_new_sender.yml
index a38f997871d..303df0db404 100644
--- a/detection-rules/attachment_any_html_new_sender.yml
+++ b/detection-rules/attachment_any_html_new_sender.yml
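Review bot: The standalone `and not profile.by_sender().any_false_positives` clause is laid out three different ways across the eleven files: here, in link_google_translate.yml and in vip_impersonation_attack_surface_reduction.yml it is preceded by an added blank line, in attachment_disallowed_file_type_in_archive.yml, attachment_js_file_execution.yml, recipients_undisclosed_free_subdomain_host.yml and sender_new_from_domain_first_time_sender.yml a blank line is added after it, and in the remaining files there is neither. Inside a `source: |` literal block the blanks are harmless, but one layout would let the eleven rules diff cleanly against each other. The clause also now exempts a sender with any recorded false positive from the whole rule rather than only from the malicious-or-spam branch; that is the commit's purpose, but nothing in the rule says so, and a comment above it such as `// a prior false positive from this sender exempts the message regardless of solicitation` would keep a later editor from re-nesting it. The enclosing expression starts before the hunk.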
@@ -13,11 +13,9 @@ source: |
 and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
 and (
 profile.by_sender().prevalence in ("new", "outlier")
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
- )
+ or profile.by_sender().any_messages_malicious_or_spam
 )
+ and not profile.by_sender().any_false_positives
 // negate highly trusted sender domains unless they fail DMARC authentication
 and
diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
index 63930d5d697..6f55abb2784 100644
--- a/detection-rules/attachment_any_html_unsolicited.yml
+++ b/detection-rules/attachment_any_html_unsolicited.yml
@@ -12,10 +12,12 @@ source: |
 type.inbound
 and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
 and (
- not profile.by_sender().any_false_positives
- and not profile.by_sender().solicited
+ not profile.by_sender().solicited
+ or profile.by_sender().any_messages_malicious_or_spam
 )
+ and not profile.by_sender().any_false_positives
+
 // negate highly trusted sender domains unless they fail DMARC authentication
 and (
diff --git a/detection-rules/attachment_disallowed_file_type_in_archive.yml b/detection-rules/attachment_disallowed_file_type_in_archive.yml
index 06bae59f1c7..0a12b599d1c 100644
--- a/detection-rules/attachment_disallowed_file_type_in_archive.yml
+++ b/detection-rules/attachment_disallowed_file_type_in_archive.yml
@@ -197,11 +197,10 @@ source: |
 )
 and (
 profile.by_sender().prevalence in ("new", "outlier")
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
- )
+ or profile.by_sender().any_messages_malicious_or_spam
 )
+ and not profile.by_sender().any_false_positives
+
 tags:
 - "Attack surface reduction"
 attack_types:
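Review bot: In attachment_any_html_unsolicited.yml the sender gate is widened beyond what the commit title describes: the old group required `not any_false_positives and not solicited`, while the new group is `not solicited or any_messages_malicious_or_spam`, so a solicited sender with malicious-or-spam history now matches where it did not before. This probably brings the rule in line with its siblings, but it is a detection-scope change and should be called out in the commit description or in the rule's description field. The enclosing expression continues past the end of the hunk.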
diff --git a/detection-rules/attachment_eml_with_html_attachment.yml b/detection-rules/attachment_eml_with_html_attachment.yml
index f719bf69097..ef352054202 100644
--- a/detection-rules/attachment_eml_with_html_attachment.yml
+++ b/detection-rules/attachment_eml_with_html_attachment.yml
@@ -41,15 +41,14 @@ source: |
 // if the "References" is in the body of the message, it's probably a bounce
 and not any(headers.references, strings.contains(body.html.display_text, .))
 and (
- not profile.by_sender().solicited
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
- )
+ profile.by_sender().prevalence in ("new", "outlier")
+ or profile.by_sender().any_messages_malicious_or_spam
 )
+ and not profile.by_sender().any_false_positives
 tags:
 - "Attack surface reduction"
 attack_types:
+ - "Credential Phishing"
 - "Malware/Ransomware"
 tactics_and_techniques:
diff --git a/detection-rules/attachment_js_file_execution.yml b/detection-rules/attachment_js_file_execution.yml
index 788d141ed21..2014bbe9b33 100644
--- a/detection-rules/attachment_js_file_execution.yml
+++ b/detection-rules/attachment_js_file_execution.yml
@@ -17,11 +17,10 @@ source: |
 )
 and (
 profile.by_sender().prevalence in ("new", "outlier")
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
- )
+ or profile.by_sender().any_messages_malicious_or_spam
 )
+ and not profile.by_sender().any_false_positives
+
 tags:
 - "Attack surface reduction"
 attack_types:
diff --git a/detection-rules/link_google_translate.yml b/detection-rules/link_google_translate.yml
index 4f34f45938d..852f58295f9 100644
--- a/detection-rules/link_google_translate.yml
+++ b/detection-rules/link_google_translate.yml
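Review bot: attachment_eml_with_html_attachment.yml swaps its sender gate from `not profile.by_sender().solicited` to `profile.by_sender().prevalence in ("new", "outlier")` rather than merely unnesting the false-positive check, and that selects a different population: an established sender that was not solicited no longer matches, while a new or outlier sender that was solicited now does. The same hunk also adds `"Credential Phishing"` to attack_types. Neither change is covered by the commit title, so if both are deliberate they belong in the commit description, and if the prevalence switch was meant to match attachment_any_html_new_sender.yml the rule's description field should say which population it targets. The enclosing expression starts before the hunk.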
@@ -13,11 +13,10 @@ source: |
 and any(body.links, "google_translate_open_redirect" in .href_url.rewrite.encoders)
 and (
 not profile.by_sender().solicited
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
- )
+ or profile.by_sender().any_messages_malicious_or_spam
 )
+
+ and not profile.by_sender().any_false_positives
 tags:
 - "Attack surface reduction"
 attack_types:
diff --git a/detection-rules/link_new_domain_in_link_first_time_sender.yml b/detection-rules/link_new_domain_in_link_first_time_sender.yml
index 6f303b2fbaa..4750499f559 100644
--- a/detection-rules/link_new_domain_in_link_first_time_sender.yml
+++ b/detection-rules/link_new_domain_in_link_first_time_sender.yml
@@ -9,11 +9,9 @@ source: |
 and any(body.links, beta.whois(.href_url.domain).days_old <= 10)
 and (
 profile.by_sender().prevalence in ("new", "outlier")
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
- )
+ or profile.by_sender().any_messages_malicious_or_spam
 )
+ and not profile.by_sender().any_false_positives
 tags:
 - "Attack surface reduction"
 attack_types:
diff --git a/detection-rules/recipients_undisclosed_free_subdomain_host.yml b/detection-rules/recipients_undisclosed_free_subdomain_host.yml
index 91ab346d706..f1e4f4d0714 100644
--- a/detection-rules/recipients_undisclosed_free_subdomain_host.yml
+++ b/detection-rules/recipients_undisclosed_free_subdomain_host.yml
@@ -23,11 +23,10 @@ source: |
 )
 and (
 profile.by_sender().prevalence in ("new", "outlier")
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
- )
+ or profile.by_sender().any_messages_malicious_or_spam
 )
+ and not profile.by_sender().any_false_positives
+
 tags:
 - "Attack surface reduction"
 tactics_and_techniques:
diff --git a/detection-rules/sender_new_from_domain_first_time_sender.yml b/detection-rules/sender_new_from_domain_first_time_sender.yml
index d623bcb7187..bcc7d089093 100644
--- a/detection-rules/sender_new_from_domain_first_time_sender.yml
+++ b/detection-rules/sender_new_from_domain_first_time_sender.yml
@@ -8,11 +8,10 @@ source: |
 and beta.whois(sender.email.domain).days_old <= 10
 and (
 profile.by_sender().prevalence in ("new", "outlier")
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
- )
+ or profile.by_sender().any_messages_malicious_or_spam
 )
+ and not profile.by_sender().any_false_positives
+
 tags:
 - "Attack surface reduction"
 detection_methods:
diff --git a/detection-rules/vip_impersonation_attack_surface_reduction.yml b/detection-rules/vip_impersonation_attack_surface_reduction.yml
index 36971da13ad..fec53da1194 100644
--- a/detection-rules/vip_impersonation_attack_surface_reduction.yml
+++ b/detection-rules/vip_impersonation_attack_surface_reduction.yml
@@ -26,16 +26,15 @@ source: |
 or (
 profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
- )
 )
 and (
 not profile.by_sender().solicited
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
+ or profile.by_sender().any_messages_malicious_or_spam
 )
 )
+
+ and not profile.by_sender().any_false_positives
 tags:
 - "Attack surface reduction"
 attack_types:
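Review bot: In vip_impersonation_attack_surface_reduction.yml the removal does not follow the pattern used in the other ten files: the first `or (` group keeps its `and not profile.by_sender().any_false_positives` line and loses its closing `)` instead, while both trailing `)` lines are kept. On the new side the `)` after that `and not ...` line now closes the `or (` group, the next `)` closes `and (`, and the last `)` closes the group that opened before the hunk, so the `not profile.by_sender().solicited` group has moved inside the first `or` branch and the false-positive check is applied twice. Because the parentheses still balance the rule will load, but `not solicited` no longer constrains the branch that precedes the hunk, and that branch is outside my view so I cannot say how far the rule's scope widens. If the intent is the same as in the other files, the removed line in the first group should be `and not profile.by_sender().any_false_positives`, with its `)` kept.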