[PR #4] added rule: Test Draft Rule - Suspicious Attachment

github-actions[bot] · github-actions[bot] · commit 8f863fb1bb51 · 2026-01-16T20:09:50.000Z
diff --git a/detection-rules/4_test_draft_rule.yml b/detection-rules/4_test_draft_rule.yml
@@ -0,0 +1,23 @@
+name: "Test Draft Rule - Suspicious Attachment"
+description: "Test rule for draft PR functionality - detects suspicious attachment patterns"
+type: "rule"
+severity: "medium"
+authors:
+  - github.com/aidenmitchell
+source: |
+  type.inbound
+  and any(attachments,
+      .file_extension in~ ("exe", "scr", "bat", "cmd")
+      and .file_type == "unknown"
+  )
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "T1204"
+detection_methods:
+  - "File analysis"
+id: "89c3c2fa-c857-5d1e-8d1d-9fe166b7bc6d"
+testing_pr: 4
+testing_sha: 4e494dd69fc1f048257840f3b2c25acf4890d6f8
