From 93cbe2ff8c38051ae86f2e09dd35e6a786db6372 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 19 Dec 2024 09:33:14 -0800
Subject: [PATCH] Update suspicious_request_for_quote_or_purchase.yml (#2224)

---
 ...spicious_request_for_quote_or_purchase.yml | 31 +++++++++++++++++--
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/detection-rules/suspicious_request_for_quote_or_purchase.yml b/detection-rules/suspicious_request_for_quote_or_purchase.yml
index 4253793cd24..1f1476624df 100644
--- a/detection-rules/suspicious_request_for_quote_or_purchase.yml
+++ b/detection-rules/suspicious_request_for_quote_or_purchase.yml
@@ -10,7 +10,12 @@ source: |
     (
       (
         length(recipients.to) == 0
-        or all(recipients.to, .display_name == "Undisclosed recipients")
+        or all(recipients.to,
+          .display_name in (
+            "Undisclosed recipients",
+            "undisclosed-recipients"
+          )
+        )
       )
       and length(recipients.cc) == 0
       and length(recipients.bcc) == 0
@@ -39,10 +44,14 @@ source: |
           '(sign(ed?)|view).{0,10}(purchase order)|Request for a Quot(e|ation)'
         )
       ),
-      (regex.icontains(body.current_thread.text, '(please|kindly).{0,30}quot(e|ation)')),
+      (
+        regex.icontains(body.current_thread.text,
+          '(please|kindly).{0,30}quot(e|ation)'
+        )
+      ),
       (
         regex.icontains(subject.subject,
-          '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b)'
+          '(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b|bid invit(e|ation))'
         )
       ),
       (
@@ -63,6 +72,22 @@ source: |
           .name == "purchase_order" and .confidence == "high"
         )
       ),
+      (
+        0 < length(filter(body.links,
+          (
+            .href_url.domain.domain in $free_subdomain_hosts
+            or .href_url.domain.domain in $free_file_hosts
+            or network.whois(.href_url.domain).days_old < 30
+          )
+          and (
+            regex.match(.display_text, '[A-Z ]+')
+            or any(ml.nlu_classifier(.display_text).entities,
+              .name in ("request", "urgency")
+            )
+          )
+        )
+        ) < 3
+      )
     )
     or (
       length(attachments) == 1
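Review bot: The new `.display_name in ("Undisclosed recipients", "undisclosed-recipients")` list looks to be an exact, case-sensitive match, so the RFC 5322 group form `undisclosed-recipients:` (trailing colon), `Undisclosed Recipients`, or any other casing still makes `all()` fail and the rule loses this branch for exactly the BEC-style blasts it is meant to catch. A single case-insensitive pattern such as `regex.icontains(.display_name, 'undisclosed.?recipients')` covers all of these without maintaining a list; if the exact strings are kept on purpose, a `//` comment naming which mail clients produce each variant would help the next editor. The enclosing `source:` block begins before this hunk.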
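Review bot: The new `bid invit(e|ation)` alternative in the subject regex has no word boundary, unlike the `\bRFQ\b|\bRFP\b` alternatives next to it, and it only matches the noun-first phrasing, so a subject of "Invitation to Bid" is missed. Extending the alternation to `'(request for (purchase|quot(e|ation))|\bRFQ\b|\bRFP\b|\bbid invit(e|ation)|invitation to bid)'` keeps the existing matches and covers both orderings. The `body.current_thread.text` change earlier in this hunk is a pure reflow and needs nothing.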
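Review bot: `regex.match(.display_text, '[A-Z ]+')` in the new link filter appears to be anchored to the whole display text (as `regex.match` is elsewhere in MQL), so an all-caps lure that contains a digit or punctuation — `VIEW RFQ #2291`, `DOWNLOAD PO-4471` — fails this branch and is kept only if the NLU classifier happens to tag it; if the intent is "shouty" link text, `regex.contains(.display_text, '\b[A-Z]{4,}\b')` or widening the class to `'[A-Z0-9 #.:\-]+'` would match it, and a `//` comment stating that intent belongs above the line either way. The `0 < length(...) < 3` bound also silently excludes messages with three or more such links without saying why; a one-line comment such as `// cap at two links: higher counts look like bulk mail rather than a single lure — confirm` would record the reasoning. The `source:` block continues on both sides of this hunk.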