Commit 4fe371c

Update keyword flags based on ngram analysis from hunt results
Should be the final update before this is review-ready. Updated keyword flags and took away the requirement for the sender to not be from a freemail domain (noticed an FN where this was the case). Changes should also tune results to fit the scope of the rule.
1 parent 2741125 commit 4fe371c

1 file changed

+14
-8
lines changed

detection-rules/recon_hotel_booking_reply_to_redirect.yml

Lines changed: 14 additions & 8 deletions
@@ -4,8 +4,10 @@ type: "rule"
44
severity: "medium"
55
source: |
66
type.inbound
7-
and any(headers.reply_to, .email.domain.root_domain in $free_email_providers)
8-
and sender.email.domain.root_domain not in $free_email_providers
7+
and any(headers.reply_to,
8+
.email.domain.root_domain in $free_email_providers
9+
and .email.domain.root_domain != sender.email.domain.root_domain
10+
)
911
and all(recipients.to,
1012
.email.domain.root_domain != sender.email.domain.root_domain
1113
)
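Review bot: the replacement condition inside the `any(headers.reply_to, ...)` loop, `.email.domain.root_domain != sender.email.domain.root_domain`, changes the rule's scope in a way that should be spelled out in the rule's description. The deleted line excluded every freemail sender; the new line only excludes reply-to addresses on the same root domain as the sender, so a freemail sender whose reply-to points at a different freemail provider now fires, while a freemail sender whose reply-to stays on the same provider still does not. If the FN mentioned in the commit message was the cross-provider case, that matches; if it was a same-provider reply-to, this change does not cover it. Either way, consider noting the intended sender/reply-to relationship in the description so the next tuner does not reintroduce the dropped line.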
@@ -35,17 +37,21 @@ source: |
3537
'*suite*',
3638
'*availability*',
3739
'*check-in*',
38-
'*pet friendly*'
40+
'*available dates*',
41+
'*family trip*',
42+
'*deluxe accommodation*',
43+
'*two children*',
44+
'*hotel manager*'
3945
)
4046
)
4147
or strings.ilike(subject.subject,
4248
'*hotel*',
43-
'*booking*',
44-
'*reserv*',
45-
'*room*',
49+
'*hotel booking*',
50+
'*room reserv*',
51+
'*room inquiry*',
52+
'*room availability*',
4653
'*suite*',
47-
'*accommodation*',
48-
'*property*'
54+
'*accommodation*'
4955
)
5056
)
5157
attack_types:
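Review bot: `'*hotel booking*'` in the subject list is redundant because `'*hotel*'` is kept as an existing pattern two lines above it, and `strings.ilike` with several patterns is true when any one of them matches, so the narrower pattern can never match a subject the broader one does not; drop it, or drop `'*hotel*'` if the goal of this commit is to narrow the subject matching the way `'*room*'` was narrowed to `'*room reserv*'`, `'*room inquiry*'` and `'*room availability*'`. The new body phrases `'*two children*'`, `'*family trip*'` and `'*deluxe accommodation*'` come from the n-gram analysis described in the commit message; a short comment or description entry recording which hunt set they were derived from would make it easier to judge later whether they are still representative or have overfit to that one set.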
