[PR #3756] modified rule: Attachment: ICS file with meeting prefix

Author: github-actions[bot]

detection-rules/3756_attachment_ics_meeting_invite.yml

@@ -9,14 +9,8 @@ source: |
                  .file_extension in~ ('ics')
                  or .content_type in ("application/ics", "text/calendar")
           ),
-          (
-            regex.contains(.file_name, "meeting_[a-zA-Z]{5}")
-            or regex.contains(.file_name, "meeting_[a-zA-Z0-9]{5}")
-          )
-          and not (
-            regex.contains(.file_name, "meeting_invit[eation]")
-            or regex.contains(.file_name, "meeting_request")
-          )
+          regex.icontains(.file_name, 'meeting_[a-zA-Z0-9]{5}\.')
+          and not .file_name == "meeting_invite.ics"
   )
 attack_types:
   - "BEC/Fraud"
@@ -29,4 +23,4 @@ detection_methods:
 id: "5800490c-1a6f-5435-b593-a505507cca09"
 og_id: "383a5810-0b85-55a8-ac9b-e7135823317b"
 testing_pr: 3756
-testing_sha: a1be97c3fcabbeef10ba61b4303d04670fc91b41
+testing_sha: ec155d88e1f9a24eecf4dfd1b63d2d2b8192b613