From 1163065e8d6bb11c32466b83eafad23d8ce52d2c Mon Sep 17 00:00:00 2001 From: Sublime Rule Testing Bot Date: Thu, 30 Nov 2023 15:51:23 +0000 Subject: [PATCH] Scheduled cleanup Removed 1058
--- detection-rules/impersonation_okta.yml | 61 -------------------------- 1 file changed, 61 deletions(-) delete mode 100644 detection-rules/impersonation_okta.yml
diff --git a/detection-rules/impersonation_okta.yml b/detection-rules/impersonation_okta.yml deleted file mode 100644
index 958daa8612d..00000000000
--- a/detection-rules/impersonation_okta.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-name: "Brand impersonation: Okta"
-description: "Impersonation of Okta an Identity and access management company."
-type: "rule"
-severity: "medium"
-source: |
- type.inbound
- and (
- regex.icontains(sender.display_name, '\bOkta\b')
- or strings.ilike(sender.email.domain.domain, '*Okta*')
- or strings.ilike(subject.subject, '*Okta*')
- )
- and not(
- sender.email.domain.root_domain in~ (
- 'oktacdn.com',
- 'okta.com',
- 'okta-emea.com',
- 'okta-gov.com',
- 'oktapreview.com',
- 'polaris.me'
- )
- and any(distinct(headers.hops, .authentication_results.dmarc is not null),
- strings.ilike(.authentication_results.dmarc, "*pass")
- )
- )
- and any(ml.logo_detect(beta.message_screenshot()).brands,
- .name == "Okta" and .confidence in ("medium", "high")
- )
- and (
- profile.by_sender().prevalence in ("new", "outlier")
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
- )
- )
-
- // negate highly trusted sender domains unless they fail DMARC authentication
- and (
- (
- sender.email.domain.root_domain in $high_trust_sender_root_domains
- and (
- any(distinct(headers.hops, .authentication_results.dmarc is not null),
- strings.ilike(.authentication_results.dmarc, "*fail")
- )
- )
- )
- or sender.email.domain.root_domain not in $high_trust_sender_root_domains
- )
-attack_types:
- - "Credential Phishing"
-tactics_and_techniques:
- - "Impersonation: Brand"
- - "Lookalike domain"
- - "Social engineering"
-detection_methods:
- - "Computer Vision"
- - "Content analysis"
- - "Header analysis"
- - "Sender analysis"
-id: "b7a2989a-a5ef-5340-b1d0-6b7c51462855"
-testing_pr: 1058
-testing_sha: 45f3c24811d476a7b8aa86e9371e35fe80f4615c