Create links_attached_emls.yml (#2075)

insights/attachments/links_attached_eml.yml

@@ -0,0 +1,10 @@
+name: "Links in Attached EML"
+type: "query"
+source: |
+  filter(map(attachments,
+             distinct(
+                 map(file.parse_eml(.).body.links, .href_url.url), .)
+         ),
+         length(.) > 0
+  )
+severity: "informational"

insights/attachments/links_domains_attached_eml.yml

@@ -0,0 +1,10 @@
+name: "Domains in Attached EML"
+type: "query"
+source: |
+  filter(map(attachments,
+             distinct(
+                 map(file.parse_eml(.).body.links, .href_url.domain.domain), .)
+         ),
+         length(.) > 0
+  )
+severity: "informational"

insights/attachments/links_free_file_host_attached_eml.yml

@@ -0,0 +1,10 @@
+name: "Links to Free File Hosts in Attached EML"
+type: "query"
+source: |
+  filter(map(attachments,
+             distinct(
+                 map(filter(file.parse_eml(.).body.links, .href_url.domain.root_domain in $free_file_hosts), .href_url.url), .)
+         ),
+         length(.) > 0
+  )
+severity: "medium"

insights/attachments/links_free_subdomain_host_attached_eml.yml

@@ -0,0 +1,10 @@
+name: "Links to Free Subdomain Host in Attached EML"
+type: "query"
+source: |
+  filter(map(attachments,
+             distinct(
+                 map(filter(file.parse_eml(.).body.links, .href_url.domain.root_domain in $free_subdomain_hosts and .href_url.domain.subdomain is not null and .href_url.domain.subdomain != "www"), .href_url.url), .)
+         ),
+         length(.) > 0
+  )
+severity: "medium"

insights/attachments/links_low_reputation_attached_eml.yml

@@ -0,0 +1,17 @@
+name: "Links With Low Reputation in Attached EML"
+type: "query"
+source: |
+  filter(map(attachments,
+             distinct(map(filter(file.parse_eml(.).body.links,
+                                 .href_url.domain.root_domain not in $tranco_1m
+                                 and .href_url.domain.root_domain not in $org_domains
+                                 and .href_url.domain.root_domain != "sublimesecurity.com"
+                          ),
+                          .href_url.url
+                      ),
+                      .
+             )
+         ),
+         length(.) > 0
+  )
+severity: "low"

insights/attachments/links_qr_code_attached_eml.yml

@@ -0,0 +1,13 @@
+name: "QR Code Link in Attached EML"
+type: "query"
+source: |
+  map(attachments,
+      map(filter(file.parse_eml(.).attachments,
+                 .file_type in $file_types_images
+                 or .file_extension in $file_extensions_macros
+                 or .file_type == "pdf"
+          ),
+          map(filter(file.explode(.), .scan.qr.type == "url"), .scan.qr.url.url)
+      )
+  )
+severity: "medium"

insights/attachments/links_qr_contains_recipient_email_attached_eml.yml

@@ -0,0 +1,22 @@
+name: "Recipient Email in QR Code Link of Attached EML"
+type: "query"
+source: |
+  map(attachments,
+      map(file.parse_eml(.).attachments,
+          map(filter(file.explode(.),
+                     .scan.qr.type == "url"
+                     and (
+                       any(file.parse_eml(...).recipients.to,
+                           strings.contains(..scan.qr.url.url, .email.email)
+                       )
+                       or 
+                       any(recipients.to,
+                              strings.contains(..scan.qr.url.url, .email.email)
+                       )
+                     )
+              ),
+              .scan.qr.url.url
+          )
+      )
+  )
+severity: "high"

insights/attachments/links_qr_free_subdomain_attached_eml.yml

@@ -0,0 +1,20 @@
+name: "QR Code Link to Free Subdomain in Attached EML"
+type: "query"
+source: |
+  map(attachments,
+      map(filter(file.parse_eml(.).attachments,
+                 .file_type in $file_types_images
+                 or .file_extension in $file_extensions_macros
+                 or .file_type == "pdf"
+          ),
+          map(filter(file.explode(.),
+                     .scan.qr.type == "url"
+                     and .scan.qr.url.domain.root_domain in $free_subdomain_hosts
+                     and .scan.qr.url.domain.subdomain is not null
+                     and .scan.qr.url.domain.subdomain != "www"
+              ),
+              .scan.qr.url.url
+          )
+      )
+  )
+severity: "high"

insights/attachments/links_recipient_email_attached_emls.yml

@@ -0,0 +1,16 @@
+name: "Recipient Email in Link in Attached EML"
+type: "query"
+source: |
+  map(attachments,
+      map(filter(file.parse_eml(.).body.links,
+                 any(file.parse_eml(..).recipients.to,
+                     strings.contains(..href_url.url, .email.email)
+                 )
+                 or any(recipients.to,
+                        strings.contains(..href_url.url, .email.email)
+                 )
+          ),
+          .href_url.url
+      ),
+  )
+severity: "medium"

insights/attachments/links_url_shortner_attached_eml.yml

@@ -0,0 +1,15 @@
+name: "Links to URL Shortener in Attached EML"
+type: "query"
+source: |
+  filter(map(attachments,
+             distinct(map(filter(file.parse_eml(.).body.links,
+                                 .href_url.domain.root_domain in $url_shorteners
+                          ),
+                          .href_url.url
+                      ),
+                      .
+             )
+         ),
+         length(.) > 0
+  )
+severity: "medium"