From e6f8509982e46559ef7065e78ac06ab265454a1f Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 30 Aug 2023 15:30:00 -0400
Subject: [PATCH] Negate FP's and FN's: impersonation_github.yml

---
 detection-rules/impersonation_github.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/detection-rules/impersonation_github.yml b/detection-rules/impersonation_github.yml
index 7f60c752bac..2496d264a23 100644
--- a/detection-rules/impersonation_github.yml
+++ b/detection-rules/impersonation_github.yml
@@ -23,6 +23,15 @@ source: |
 'githubnext.com',
 'lithub.com'
 )
+ and (
+ beta.whois(sender.email.domain).days_old < 45
+ or (
+ any(body.links,
+ .href_url.domain.tld not in ("com", "net", "org", "co", "ms")
+ and .href_url.domain.valid == true
+ )
+ )
+ )
 and (
 (
 sender.email.domain.root_domain in $free_email_providers
@@ -42,4 +51,5 @@ tactics_and_techniques:
 detection_methods:
 - "Header analysis"
 - "Sender analysis"
+ - "Whois"
 id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"
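Review bot: The added `and ( ... )` clause in the first hunk can only narrow the rule, so it addresses false positives but introduces a new class of false negatives rather than negating them as the subject line claims: a GitHub-lookalike sender whose domain is 45 or more days old and whose body links all use a TLD in ("com", "net", "org", "co", "ms") no longer matches. If `beta.whois(...)` returns no data for the sender domain, the `days_old < 45` comparison presumably does not evaluate to true and detection then rests entirely on the link-TLD branch, which is worth confirming against the engine's null semantics. Consider recording this trade-off in the rule's description, e.g. `# Requires a recently registered sender domain (<45 days) or a link to an uncommon TLD; older lookalike domains with common-TLD links are not covered`, and adding test samples for an older lookalike domain so the regression is visible. The enclosing `source` expression begins and ends outside the hunk.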