Updating rule: link_microsoft_low_reputation.yml #778
Conversation
Removing link check and editing NLU logic. Holds up well in hunts.
|
Leaving the Tranco check in... because it works. We should investigate a better solution later, but the rule preforms well in this state. |
| ) | ||
| ) | ||
| or ( | ||
| any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency") | ||
| and not any(ml.nlu_classifier(body.current_thread.text).intents, | ||
| .name == "benign" and .confidence == "high" | ||
| and any(ml.nlu_classifier(body.current_thread.text).intents, .name not in~ ("benign", "unknown") |
There was a problem hiding this comment.
@aidenmitchell does this need to be an all to match our previous behavior? as written, we could get a benign:high and cred_theft:low and still flag here
There was a problem hiding this comment.
I don't think we could get a benign and cred_theft intent, because we're only evaluating one thing, body.current_thread.text?
There was a problem hiding this comment.
.intents is an array because i think we can return multiple with different confidence levels, but @bfilar can confirm
There was a problem hiding this comment.
so if the model returns benign that would be the only intent we return. If benign is not present in intent array would could return something like: (cred_theft,steal_pii)
|
Closing in favour of #791 |
Removing link checkand editing NLU logic. Holds up well in hunts.