From 80aae7a50784f23722626ba8837703ecd35f8dc2 Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Thu, 14 Aug 2025 10:14:32 -0400
Subject: [PATCH 1/3] Create fuzzy_attack_spam.yml

---
 detection-rules/fuzzy_attack_spam.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 detection-rules/fuzzy_attack_spam.yml

diff --git a/detection-rules/fuzzy_attack_spam.yml b/detection-rules/fuzzy_attack_spam.yml
new file mode 100644
index 00000000000..4b78857e523
--- /dev/null
+++ b/detection-rules/fuzzy_attack_spam.yml
@@ -0,0 +1,17 @@
+name: "Suspicious content identified by fuzzy attack detection"
+description: "Message has been analyzed and flagged as spam by the fuzzy attack detection system, indicating potentially malicious or unwanted content patterns."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and beta.fuzzy_attack_score().analyzed
+  and beta.fuzzy_attack_score().verdict == "spam"
+
+attack_types:
+  - "Spam"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Threat intelligence"

From a5d3106dbd8593f7bf98d180c4c9f56d26335c2a Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Thu, 14 Aug 2025 15:03:00 +0000
Subject: [PATCH 2/3] Auto add rule ID

---
 detection-rules/fuzzy_attack_spam.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/detection-rules/fuzzy_attack_spam.yml b/detection-rules/fuzzy_attack_spam.yml
index 4b78857e523..cda100832bf 100644
--- a/detection-rules/fuzzy_attack_spam.yml
+++ b/detection-rules/fuzzy_attack_spam.yml
@@ -15,3 +15,4 @@ tactics_and_techniques:
 detection_methods:
   - "Content analysis"
   - "Threat intelligence"
+id: "e4a029a8-7a96-56fb-8f06-6e059807b785"

From ef9920adff8cbf1a076dc73222b8a8d3d9c00953 Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Thu, 14 Aug 2025 11:06:53 -0400
Subject: [PATCH 3/3] Update fuzzy_attack_spam.yml

---
 detection-rules/fuzzy_attack_spam.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
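Review bot: The `tactics_and_techniques` and `detection_methods` tags in the new rule are not supported by its `source`, which matches solely on `type.inbound` plus `beta.fuzzy_attack_score().verdict == "spam"` — nothing in the query consults threat intelligence or identifies an evasion or social-engineering technique, so `"Threat intelligence"` and `"Evasion"` look like over-tagging that will skew any reporting or triage keyed on these fields. Trimming them to what the query demonstrates, e.g. `detection_methods:` with only `  - "Content analysis"`, keeps the metadata honest. The description should also say that the verdict comes from a beta function so operators know the signal may shift, e.g. appending `Relies on the beta fuzzy_attack_score() function; verdicts may change as the scorer is tuned.` to the `description` value. Because the rule fires on every inbound message carrying that verdict with no other condition, it would help to document in the description (or a comment in `source`) what false-positive handling or exclusions are intended, if any, before its severity is raised.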
diff --git a/detection-rules/fuzzy_attack_spam.yml b/detection-rules/fuzzy_attack_spam.yml
index cda100832bf..c4b14fbecc2 100644
--- a/detection-rules/fuzzy_attack_spam.yml
+++ b/detection-rules/fuzzy_attack_spam.yml
@@ -1,4 +1,4 @@
-name: "Suspicious content identified by fuzzy attack detection"
+name: "Fuzzy Attack Score: Spam Content Detected"
 description: "Message has been analyzed and flagged as spam by the fuzzy attack detection system, indicating potentially malicious or unwanted content patterns."
 type: "rule"
 severity: "medium"