From 43fae38125b975f5d5b770e463c819b9f0f6b9e1 Mon Sep 17 00:00:00 2001
From: Josh Kamdjou
Date: Mon, 25 Sep 2023 00:41:08 +0200
Subject: [PATCH 1/2] Signals: New link and sender domains
---
 signals/links/link_new_domain_L14D.yml | 4 ++++
 signals/links/link_new_domain_L3D.yml | 4 ++++
 signals/sender/sender_new_domain_L14D.yml | 4 ++++
 signals/sender/sender_new_domain_L3D.yml | 4 ++++
 4 files changed, 16 insertions(+)
 create mode 100644 signals/links/link_new_domain_L14D.yml
 create mode 100644 signals/links/link_new_domain_L3D.yml
 create mode 100644 signals/sender/sender_new_domain_L14D.yml
 create mode 100644 signals/sender/sender_new_domain_L3D.yml
diff --git a/signals/links/link_new_domain_L14D.yml b/signals/links/link_new_domain_L14D.yml
new file mode 100644
index 00000000000..52482774218
--- /dev/null
+++ b/signals/links/link_new_domain_L14D.yml
@@ -0,0 +1,4 @@
+name: "Link: Domain registered less than 14 days ago"
+type: "query"
+source: |
+ any(body.links, beta.whois(.href_url.domain).days_old < 14)
diff --git a/signals/links/link_new_domain_L3D.yml b/signals/links/link_new_domain_L3D.yml
new file mode 100644
index 00000000000..e59024a2942
--- /dev/null
+++ b/signals/links/link_new_domain_L3D.yml
@@ -0,0 +1,4 @@
+name: "Link: Domain registered less than 3 days ago"
+type: "query"
+source: |
+ any(body.links, beta.whois(.href_url.domain).days_old < 3)
diff --git a/signals/sender/sender_new_domain_L14D.yml b/signals/sender/sender_new_domain_L14D.yml
new file mode 100644
index 00000000000..404e3a3cb21
--- /dev/null
+++ b/signals/sender/sender_new_domain_L14D.yml
@@ -0,0 +1,4 @@
+name: "Sender: Domain registered less than 14 days ago"
+type: "query"
+source: |
+ beta.whois(sender.email.domain).days_old < 14
diff --git a/signals/sender/sender_new_domain_L3D.yml b/signals/sender/sender_new_domain_L3D.yml
new file mode 100644
index 00000000000..05a1649b3cb
--- /dev/null
+++ b/signals/sender/sender_new_domain_L3D.yml
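Review bot: A domain whose WHOIS lookup yields no record or no registration date is not accounted for in `beta.whois(.href_url.domain).days_old < 14` in `signals/links/link_new_domain_L14D.yml` (PATCH 1/2). Presumably the comparison is then simply not true, so a registry that withholds creation dates makes the signal silent instead of suspicious, and a consumer cannot tell "old domain" from "age unknown". The same expression shape is used in the other three new files of this patch (`link_new_domain_L3D.yml`, `sender_new_domain_L14D.yml`, `sender_new_domain_L3D.yml`). I would record the limitation above `source:` in each file, for example `# Not true when WHOIS has no registration date for the domain; absence of this signal does not mean the domain is old.`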
@@ -0,0 +1,4 @@
+name: "Sender: Domain registered less than 3 days ago"
+type: "query"
+source: |
+ beta.whois(sender.email.domain).days_old < 3
From 19dc0d823cd074c17c02d2b69a30f71b9f28c319 Mon Sep 17 00:00:00 2001
From: Bobby Filar
Date: Wed, 27 Sep 2023 14:26:30 -0500
Subject: [PATCH 2/2] switching link domain age to count instead of bool
---
 signals/links/link_new_domain_L14D.yml | 2 +-
 signals/links/link_new_domain_L3D.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/signals/links/link_new_domain_L14D.yml b/signals/links/link_new_domain_L14D.yml
index 52482774218..0ab79efa571 100644
--- a/signals/links/link_new_domain_L14D.yml
+++ b/signals/links/link_new_domain_L14D.yml
@@ -1,4 +1,4 @@
 name: "Link: Domain registered less than 14 days ago"
 type: "query"
 source: |
- any(body.links, beta.whois(.href_url.domain).days_old < 14)
+ length(filter(body.links, beta.whois(.href_url.domain).days_old < 14))
diff --git a/signals/links/link_new_domain_L3D.yml b/signals/links/link_new_domain_L3D.yml
index e59024a2942..781b9016866 100644
--- a/signals/links/link_new_domain_L3D.yml
+++ b/signals/links/link_new_domain_L3D.yml
@@ -1,4 +1,4 @@
 name: "Link: Domain registered less than 3 days ago"
 type: "query"
 source: |
- any(body.links, beta.whois(.href_url.domain).days_old < 3)
+ length(filter(body.links, beta.whois(.href_url.domain).days_old < 3))
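Review bot: The new `length(filter(body.links, ...))` in `signals/links/link_new_domain_L14D.yml` (PATCH 2/2) counts links rather than domains, so one young domain linked ten times yields 10 and the value follows message layout more than the number of newly registered domains. If a per-domain count is intended, deduplicate before counting, e.g. `length(distinct(filter(body.links, beta.whois(.href_url.domain).days_old < 14), .href_url.domain.root_domain))`. Unlike `any`, which may stop at the first match, `filter` presumably evaluates the lookup for every link, which is worth confirming for messages with very many links. The `name` still reads as a yes/no signal while the two sender signals stay boolean; `name: "Link: Count of links to domains registered less than 14 days ago"` would keep consumers from treating the value as a flag. All of this applies equally to the `link_new_domain_L3D.yml` hunk of the same patch.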