From 9ed24ef52208ad6acbc571e8130a4260b318405d Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 14 Dec 2023 09:06:16 -0800
Subject: [PATCH] Update suspicious_request_for_quote_or_purchase.yml

---
 .../suspicious_request_for_quote_or_purchase.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/detection-rules/suspicious_request_for_quote_or_purchase.yml b/detection-rules/suspicious_request_for_quote_or_purchase.yml
index ec98cd1f396..c84863a2d3e 100644
--- a/detection-rules/suspicious_request_for_quote_or_purchase.yml
+++ b/detection-rules/suspicious_request_for_quote_or_purchase.yml
@@ -47,6 +47,14 @@ source: |
 )
 )
+ // negate known RFP/RFQ senders
+ and not (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "pass")
+ and .authentication_results.dmarc_details.from.domain in ("lynnplanroom.com")
+ )
+ )
+
 // negate highly trusted sender domains unless they fail DMARC authentication
 and (