Update suspicious_request_for_quote_or_purchase.yml (#2224)
aidenmitchell authored Dec 19, 2024
1 parent aefd975 commit 93cbe2f
Showing 1 changed file with 28 additions and 3 deletions.
31 changes: 28 additions & 3 deletions detection-rules/suspicious_request_for_quote_or_purchase.yml
Expand Up @@ -10,7 +10,12 @@ source: |
(
(
length(recipients.to) == 0
or all(recipients.to, .display_name == "Undisclosed recipients")
or all(recipients.to,
.display_name in (
"Undisclosed recipients",
"undisclosed-recipients"
)
)
)
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
Expand Down Expand Up @@ -39,10 +44,14 @@ source: |
'(sign(ed?)|view).{0,10}(purchase order)|Request for a Quot(e|ation)'
)
),
(regex.icontains(body.current_thread.text, '(please|kindly).{0,30}quot(e|ation)')),
(
regex.icontains(body.current_thread.text,
'(please|kindly).{0,30}quot(e|ation)'
)
),
(
regex.icontains(subject.subject,
'(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
'(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b|bid invit(e|ation))'
)
),
(
Expand All @@ -63,6 +72,22 @@ source: |
.name == "purchase_order" and .confidence == "high"
)
),
(
0 < length(filter(body.links,
(
.href_url.domain.domain in $free_subdomain_hosts
or .href_url.domain.domain in $free_file_hosts
or network.whois(.href_url.domain).days_old < 30
)
and (
regex.match(.display_text, '[A-Z ]+')
or any(ml.nlu_classifier(.display_text).entities,
.name in ("request", "urgency")
)
)
)
) < 3
)
)
or (
length(attachments) == 1
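Review bot: The new `0 < length(filter(body.links, …)) < 3` clause carries the rule's only numeric thresholds, and nothing records why the count of matching links is capped below 3 or why 30 days was chosen for `days_old`, so a later tuner cannot tell a deliberate false-positive guard from an arbitrary cut; a `//` comment above the clause such as `// 1-2 suspicious links only; more than that is presumably bulk mail rather than a targeted RFQ (assumption - confirm)` would preserve the intent. Separately, `regex.match` in MQL is a full-string match, so `'[A-Z ]+'` accepts only display text made entirely of uppercase letters and spaces, which also includes a single letter or a lone space; if a minimum length was intended, `'[A-Z ]{<min>,}'` with the bound stated is the narrower form. When the whois lookup yields no data, the `days_old < 30` comparison presumably evaluates false and that link is judged on the host-list checks alone, which is worth confirming against the platform's null semantics. The enclosing boolean expression begins and ends outside the hunk.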
