diff --git a/insights/attachments/links_attached_eml.yml b/insights/attachments/links_attached_eml.yml
new file mode 100644
index 00000000000..f6759597b74
--- /dev/null
+++ b/insights/attachments/links_attached_eml.yml
@@ -0,0 +1,10 @@
+name: "Links in Attached EML"
+type: "query"
+source: |
+ filter(map(attachments,
+ distinct(
+ map(file.parse_eml(.).body.links, .href_url.url), .)
+ ),
+ length(.) > 0
+ )
+severity: "informational"
diff --git a/insights/attachments/links_domains_attached_eml.yml b/insights/attachments/links_domains_attached_eml.yml
new file mode 100644
index 00000000000..02a5a7d781c
--- /dev/null
+++ b/insights/attachments/links_domains_attached_eml.yml
@@ -0,0 +1,10 @@
+name: "Domains in Attached EML"
+type: "query"
+source: |
+ filter(map(attachments,
+ distinct(
+ map(file.parse_eml(.).body.links, .href_url.domain.domain), .)
+ ),
+ length(.) > 0
+ )
+severity: "informational"
diff --git a/insights/attachments/links_free_file_host_attached_eml.yml b/insights/attachments/links_free_file_host_attached_eml.yml
new file mode 100644
index 00000000000..3989dc3284d
--- /dev/null
+++ b/insights/attachments/links_free_file_host_attached_eml.yml
@@ -0,0 +1,10 @@
+name: "Links to Free File Hosts in Attached EML"
+type: "query"
+source: |
+ filter(map(attachments,
+ distinct(
+ map(filter(file.parse_eml(.).body.links, .href_url.domain.root_domain in $free_file_hosts), .href_url.url), .)
+ ),
+ length(.) > 0
+ )
+severity: "medium"
diff --git a/insights/attachments/links_free_subdomain_host_attached_eml.yml b/insights/attachments/links_free_subdomain_host_attached_eml.yml
new file mode 100644
index 00000000000..7507bf46be2
--- /dev/null
+++ b/insights/attachments/links_free_subdomain_host_attached_eml.yml
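Review bot: The outer `map(attachments, ...)` in links_attached_eml.yml runs `file.parse_eml(.)` against every attachment rather than only EML ones, so the query depends on parse_eml yielding nothing for non-EML files and on the trailing `length(.) > 0` discarding the result; links_domains_attached_eml.yml and links_free_file_host_attached_eml.yml use the same shape. Narrowing the outer iteration to attachments that are actually EMLs, e.g. `filter(attachments, .file_extension == "eml")` (or whichever EML check this repository already uses), states the intent and avoids parsing every attachment. A one-line comment above `source:` would also help readers, since only one level is inspected: an EML nested inside the attached EML is never parsed by these queries.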
@@ -0,0 +1,10 @@
+name: "Links to Free Subdomain Host in Attached EML"
+type: "query"
+source: |
+ filter(map(attachments,
+ distinct(
+ map(filter(file.parse_eml(.).body.links, .href_url.domain.root_domain in $free_subdomain_hosts and .href_url.domain.subdomain is not null and .href_url.domain.subdomain != "www"), .href_url.url), .)
+ ),
+ length(.) > 0
+ )
+severity: "medium"
diff --git a/insights/attachments/links_low_reputation_attached_eml.yml b/insights/attachments/links_low_reputation_attached_eml.yml
new file mode 100644
index 00000000000..558b6e1610f
--- /dev/null
+++ b/insights/attachments/links_low_reputation_attached_eml.yml
@@ -0,0 +1,17 @@
+name: "Links With Low Reputation in Attached EML"
+type: "query"
+source: |
+ filter(map(attachments,
+ distinct(map(filter(file.parse_eml(.).body.links,
+ .href_url.domain.root_domain not in $tranco_1m
+ and .href_url.domain.root_domain not in $org_domains
+ and .href_url.domain.root_domain != "sublimesecurity.com"
+ ),
+ .href_url.url
+ ),
+ .
+ )
+ ),
+ length(.) > 0
+ )
+severity: "low"
diff --git a/insights/attachments/links_qr_code_attached_eml.yml b/insights/attachments/links_qr_code_attached_eml.yml
new file mode 100644
index 00000000000..b0e23ad9fc9
--- /dev/null
+++ b/insights/attachments/links_qr_code_attached_eml.yml
@@ -0,0 +1,13 @@
+name: "QR Code Link in Attached EML"
+type: "query"
+source: |
+ map(attachments,
+ map(filter(file.parse_eml(.).attachments,
+ .file_type in $file_types_images
+ or .file_extension in $file_extensions_macros
+ or .file_type == "pdf"
+ ),
+ map(filter(file.explode(.), .scan.qr.type == "url"), .scan.qr.url.url)
+ )
+ )
+severity: "medium"
diff --git a/insights/attachments/links_qr_contains_recipient_email_attached_eml.yml b/insights/attachments/links_qr_contains_recipient_email_attached_eml.yml
new file mode 100644
index 00000000000..03c6766147b
--- /dev/null
+++ b/insights/attachments/links_qr_contains_recipient_email_attached_eml.yml
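Review bot: links_qr_code_attached_eml.yml has neither the `distinct(...)` nor the outer `filter(..., length(.) > 0)` wrapper that the link-based insights in this commit use, so every attachment — including non-EML ones and inner attachments with no QR code — contributes an empty nested list to the result and repeated QR URLs are not collapsed; links_qr_free_subdomain_attached_eml.yml has the same shape. Applying the same pattern as links_free_subdomain_host_attached_eml.yml, a `distinct(..., .)` around the innermost URL list and `length(.) > 0` filters on the enclosing maps, keeps the output shape consistent across the set. In links_low_reputation_attached_eml.yml the literal `!= "sublimesecurity.com"` exclusion deserves a comment explaining why it is not simply part of `$org_domains`, and links whose parsed `root_domain` is empty (if that is what mailto: or relative hrefs produce here — worth confirming) are not explicitly excluded before the two `not in` checks.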
@@ -0,0 +1,22 @@
+name: "Recipient Email in QR Code Link of Attached EML"
+type: "query"
+source: |
+ map(attachments,
+ map(file.parse_eml(.).attachments,
+ map(filter(file.explode(.),
+ .scan.qr.type == "url"
+ and (
+ any(file.parse_eml(...).recipients.to,
+ strings.contains(..scan.qr.url.url, .email.email)
+ )
+ or
+ any(recipients.to,
+ strings.contains(..scan.qr.url.url, .email.email)
+ )
+ )
+ ),
+ .scan.qr.url.url
+ )
+ )
+ )
+severity: "high"
diff --git a/insights/attachments/links_qr_free_subdomain_attached_eml.yml b/insights/attachments/links_qr_free_subdomain_attached_eml.yml
new file mode 100644
index 00000000000..526554af3f9
--- /dev/null
+++ b/insights/attachments/links_qr_free_subdomain_attached_eml.yml
@@ -0,0 +1,20 @@
+name: "QR Code Link to Free Subdomain in Attached EML"
+type: "query"
+source: |
+ map(attachments,
+ map(filter(file.parse_eml(.).attachments,
+ .file_type in $file_types_images
+ or .file_extension in $file_extensions_macros
+ or .file_type == "pdf"
+ ),
+ map(filter(file.explode(.),
+ .scan.qr.type == "url"
+ and .scan.qr.url.domain.root_domain in $free_subdomain_hosts
+ and .scan.qr.url.domain.subdomain is not null
+ and .scan.qr.url.domain.subdomain != "www"
+ ),
+ .scan.qr.url.url
+ )
+ )
+ )
+severity: "high"
diff --git a/insights/attachments/links_recipient_email_attached_emls.yml b/insights/attachments/links_recipient_email_attached_emls.yml
new file mode 100644
index 00000000000..f874c18e9dd
--- /dev/null
+++ b/insights/attachments/links_recipient_email_attached_emls.yml
@@ -0,0 +1,16 @@
+name: "Recipient Email in Link in Attached EML"
+type: "query"
+source: |
+ map(attachments,
+ map(filter(file.parse_eml(.).body.links,
+ any(file.parse_eml(..).recipients.to,
+ strings.contains(..href_url.url, .email.email)
+ )
+ or any(recipients.to,
+ strings.contains(..href_url.url, .email.email)
+ )
+ ),
+ .href_url.url
+ ),
+ )
+severity: "medium"
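Review bot: In links_qr_contains_recipient_email_attached_eml.yml the inner `map(file.parse_eml(.).attachments, ...)` carries no type filter, unlike links_qr_code_attached_eml.yml and links_qr_free_subdomain_attached_eml.yml, which restrict `file.explode(.)` to `$file_types_images`, `$file_extensions_macros` and pdf; either add the same `filter(...)` for consistency or add a comment stating that every inner attachment is intentionally exploded here. The `any(file.parse_eml(...).recipients.to, ...)` predicate also re-parses the attached EML once per exploded part, which the query shape cannot hoist, so a short comment on that cost would help the next reader. In links_recipient_email_attached_emls.yml there is a dangling comma after the inner `map(...)` before the closing `)` of `map(attachments, ...)` — if MQL does not accept a trailing argument this file will fail to load, and its `_emls` suffix does not follow the `_attached_eml` naming of the sibling files. Both recipient-email checks use `strings.contains`, which is case-sensitive; `strings.icontains` would also match an address whose case differs from the recipient's.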
diff --git a/insights/attachments/links_url_shortner_attached_eml.yml b/insights/attachments/links_url_shortner_attached_eml.yml
new file mode 100644
index 00000000000..08990521daf
--- /dev/null
+++ b/insights/attachments/links_url_shortner_attached_eml.yml
@@ -0,0 +1,15 @@
+name: "Links to URL Shortener in Attached EML"
+type: "query"
+source: |
+ filter(map(attachments,
+ distinct(map(filter(file.parse_eml(.).body.links,
+ .href_url.domain.root_domain in $url_shorteners
+ ),
+ .href_url.url
+ ),
+ .
+ )
+ ),
+ length(.) > 0
+ )
+severity: "medium"
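Review bot: The file name links_url_shortner_attached_eml.yml misspells "shortener" while the `name:` field spells it correctly; if insights are referenced by path anywhere, renaming to `links_url_shortener_attached_eml.yml` before merge avoids carrying the typo forward. The query itself mirrors links_free_file_host_attached_eml.yml, including the same reliance on `file.parse_eml(.)` yielding nothing for non-EML attachments, so whatever EML pre-filter is adopted there should be applied here too.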