Create asr_gated_dropbox_link.yml

detection-rules/asr_gated_dropbox_link.yml

@@ -0,0 +1,31 @@
+name: "Attack surface reduction: Secured Dropbox share link"
+description: "File shared through Dropbox requires authentication to view. Enable this rule if this behaviour is unusual in your environment."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  and sender.email.email == "[email protected]"
+  and any(distinct(headers.hops, .authentication_results.dmarc is not null),
+          not strings.ilike(.authentication_results.dmarc, "*fail")
+  )
+  and strings.ilike(subject.subject, "*shared*with you*")
+  and any(body.links,
+          .href_url.domain.root_domain == "dropbox.com"
+          and strings.icontains(beta.linkanalysis(.).final_dom.display_text,
+                                "we need to confirm your identity"
+          )
+  )
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Free file host"
+  - "Out of band pivot"
+  - "Social engineering"
+detection_methods:
+  - "Header analysis"
+  - "HTML analysis"
+  - "URL analysis"
+id: "7b4e5616-8ca5-5926-90a6-4c7aedf5ab9f"