From 57fde2fbc8c1005ce1455eee8a5f84068dfac291 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 19 Dec 2023 14:41:22 -0500
Subject: [PATCH] Update link_pikabot_malware.yml (#1167)
---
 detection-rules/link_pikabot_malware.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/link_pikabot_malware.yml b/detection-rules/link_pikabot_malware.yml
index 00088be4393..0d529c826c3 100644
--- a/detection-rules/link_pikabot_malware.yml
+++ b/detection-rules/link_pikabot_malware.yml
@@ -4,7 +4,7 @@
 type: "rule"
 severity: "high"
 source: |
 type.inbound
- and any(body.links, regex.contains(.display_url.url, '[A-Za-z0-9]\/\?[0-9]+$'))
+ and any(body.links, regex.imatch(.display_url.url, '.+\/[a-z0-9]+\/\?[0-9a-z]+'))
 and (
 any(body.links, .href_url.domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
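Review bot: The broadened display-URL pattern on the `+` line and the URLhaus domain check two lines below are evaluated in separate `any(body.links, ...)` calls, so one link can satisfy the regex while a different link supplies the listed domain. Now that the query part accepts letters as well as digits, more benign links will pass the first test. If the intent is a single link with both properties, tie them together, e.g. `any(body.links, regex.imatch(.display_url.url, '.+\/[a-z0-9]+\/\?[0-9a-z]+') and .href_url.domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters)`. The `and (` group continues past the end of the hunk, so its other alternatives may need the same treatment. The explicit `$` is also gone, which is safe only if `regex.imatch` matches the whole string (I believe it does), so a short `// imatch is a full-string match, no trailing $ needed` comment would make that reliance visible.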