From 8be72eecfe3235cd6b7a0aa5e7109978901df30b Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Wed, 21 Aug 2024 12:42:46 -0700
Subject: [PATCH 1/2] Update attachment_docusign_image_suspicious_links.yml
---
 ...chment_docusign_image_suspicious_links.yml | 20 +++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
index cc36c841f99..d4e95936c15 100644
--- a/detection-rules/attachment_docusign_image_suspicious_links.yml
+++ b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -39,15 +39,19 @@ source: |
 )
 )
 )
- and not any(file.explode(.),
- (
- strings.ilike(.scan.ocr.raw, "*DocuSigned By*")
- and not strings.ilike(.scan.ocr.raw,
- "*DocuSign Envelope ID*"
- )
+ and not any(file.explode(.),
+ (
+ strings.ilike(.scan.ocr.raw,
+ "*DocuSign Envelope ID*"
 )
- )
- )
+ or 2 of (
+ strings.ilike(.scan.ocr.raw, "*DocuSigned By*"),
+ strings.ilike(.scan.ocr.raw, "*Offering ID*"),
+ strings.ilike(.scan.ocr.raw, "*Document ID*")
+ )
+ )
+ )
+ )
 // accomidate truncated pngs and GIF files which can cause logodetect/OCR failures
 or any(attachments,
From eae48e25b7f0805237926c3e4314346eef70c5ec Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Wed, 21 Aug 2024 12:52:45 -0700
Subject: [PATCH 2/2] Update attachment_docusign_image_suspicious_links.yml
---
 .../attachment_docusign_image_suspicious_links.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
index d4e95936c15..6e9c4b6160f 100644
--- a/detection-rules/attachment_docusign_image_suspicious_links.yml
+++ b/detection-rules/attachment_docusign_image_suspicious_links.yml
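Review bot: In the PATCH 1/2 hunk (`@@ -39,15 +39,19 @@`), the new `2 of (...)` branch of the negation can be satisfied by `*Offering ID*` and `*Document ID*` alone, neither of which is specific to DocuSign, so an attachment whose OCR text carries only those two generic phrases suppresses the rule. The role of `*DocuSign Envelope ID*` is also inverted: its presence used to keep the exclusion from applying and now triggers it on its own, which widens the negation on text taken from the attachment itself. Anchoring the second branch on the DocuSign-specific marker, e.g. `strings.ilike(.scan.ocr.raw, "*DocuSigned By*") and strings.ilike(.scan.ocr.raw, "*Offering ID*", "*Document ID*")`, would keep the false-positive fix while narrowing the false-negative gap. A short comment above `and not any(file.explode(.),` naming the legitimate document type being excluded would help later tuning. The enclosing expression starts and ends outside the hunk, so how this negation combines with the surrounding conditions is not visible here.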
@@ -50,8 +50,8 @@ source: |
 strings.ilike(.scan.ocr.raw, "*Document ID*")
 )
 )
- )
- )
+ )
+ )
 // accomidate truncated pngs and GIF files which can cause logodetect/OCR failures
 or any(attachments,