[PR #3756] modified rule: Attachment: ICS file with meeting prefix

Author: github-actions[bot]

detection-rules/3756_attachment_ics_meeting_invite.yml

@@ -7,7 +7,14 @@ source: |
   and length(attachments) == 1
   and any(attachments,
           .file_extension == "ics"
-          and regex.icontains(.file_name, "meeting_[a-z0-9]{5}")
+          and (
+            regex.contains(.file_name, "meeting_[a-zA-Z]{5}")
+            or regex.contains(.file_name, "meeting_[a-zA-Z0-9]{5}")
+          )
+          and not (
+            regex.contains(.file_name, "meeting_invit[eation]")
+            or regex.contains(.file_name, "meeting_request")
+          )
   )
 attack_types:
   - "BEC/Fraud"
@@ -20,4 +27,4 @@ detection_methods:
 id: "5800490c-1a6f-5435-b593-a505507cca09"
 og_id: "383a5810-0b85-55a8-ac9b-e7135823317b"
 testing_pr: 3756
-testing_sha: 583c8d9c4bc5a51c4a2b68ecd3ea429f5a41be2b
+testing_sha: 29a395ba32ae85a11e0ad61b8e4bb09d75fe6ccc