From 8430fc8f84d6cf2f4b40e7d208d362663c7e74c6 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 6 Dec 2023 17:38:36 -0500
Subject: [PATCH] Update inline_image_as_message.yml

Moving the link req outside of the or'd condition. This is done to mitigate FP's. Would like to run some comparative hunts before merging
---
 detection-rules/inline_image_as_message.yml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/detection-rules/inline_image_as_message.yml b/detection-rules/inline_image_as_message.yml
index 9a46199c0c3..428ee8e078d 100644
--- a/detection-rules/inline_image_as_message.yml
+++ b/detection-rules/inline_image_as_message.yml
@@ -9,15 +9,16 @@ severity: "low"
 source: |
   type.inbound
   and length(body.html.raw) < 200
+  and length(body.links) > 0
   and (
-    (
-      length(body.links) > 0
-
-      // as of 20220116 there's a link parsing bug with .png inline images, so ignore those
-      and any(body.links, not strings.ilike(.href_url.url, "*.png"))
-    )
+    // as of 20220116 there's a link parsing bug with .png inline images, so ignore those
+    any(body.links, not strings.ilike(.href_url.url, "*.png"))
+
     // cid images are treated as attachments, so we're looking for more than 1
-    or (length(attachments) > 1 and any(attachments, .file_type not in $file_types_images))
+    or (
+      length(attachments) > 1
+      and any(attachments, .file_type not in $file_types_images)
+    )
   )
   and strings.ilike(body.html.raw, "*img*cid*")
   and (
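Review bot: With `length(body.links) > 0` now required up front, the `.png` exclusion in `any(body.links, not strings.ilike(.href_url.url, "*.png"))` is the cheapest evasion left in this hunk: the href is sender-controlled and a `.png` suffix says nothing about what the server actually returns, so a message whose every link ends in `.png` never satisfies the first branch and is only caught if the attachment branch fires. The comment dates the parsing bug to 20220116; if it has since been fixed the exclusion should be removed, and if it has not, the comment should record the trade-off, e.g. `// NOTE: hrefs that merely end in ".png" are skipped here too, so a message whose links all end in .png relies on the attachment branch below`. Separately, an inline-image message carrying a non-image attachment but no parsed link no longer matches at all, which appears to be the intended FP reduction, so the comparative hunts mentioned in the description should specifically check that bucket for misses. The `source:` block continues past the end of the hunk, so the remaining conditions were not reviewed here.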