
I need to extract data that matches domains external to my organization. In this case, es@city-data.com, but I would like to exclude others like yahoo, gmail, Expt, among others. How could I do it? The logic example I'm trying to give is similar to this... `and not $w.network.email.from = "MyOrganization@ .*"`




rule Phishing_365 {

  meta:
    author = ""
    description = "phishing 365"
    severity = "High"

  events:
    $w.metadata.product_name = "Office 365"
    // Either condition flags the message; the grouping is explicit so that the
    // sender exclusion below applies to both branches rather than only to MAIL_SPAM.
    ($w.metadata.event_type = "EMAIL_UNCATEGORIZED" or $w.security_result.category = "MAIL_SPAM")
    // Exclude mail sent from the organization's own domain (placeholder domain).
    // This has to be a regex literal: a quoted string with = is an exact match,
    // so "MyOrganization@ .*" would never match a real address.
    not $w.network.email.from = /@myorganization\.com$/
    $w.security_result.category = $spam

  match:
    $spam over 1m

  outcome:
    $spam_count = count($spam)

  condition:
    $w and $spam_count >= 1
}



Hi @erik314,

Does the below work for you?

rule Phishing_365 {

  meta:
    author = ""
    description = "phishing 365"
    severity = "High"

  events:
    $w.metadata.product_name = "Office 365"
    // Grouped explicitly so the sender exclusion applies to both branches.
    ($w.metadata.event_type = "EMAIL_UNCATEGORIZED" or $w.security_result.category = "MAIL_SPAM")
    // Regex literal, anchored on the end of the address so only that exact domain is excluded.
    not $w.network.email.from = /@city-data\.com$/
    $w.security_result.category = $spam

  match:
    $spam over 1m

  outcome:
    $spam_count = count($spam)

  condition:
    $w and $spam_count >= 1
}



Kind Regards,


Ayman
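Before pasting a sender exclusion into a YARA-L rule it is worth checking the regex and the boolean grouping offline, because two things bite here: an unanchored pattern such as `/@myorganization\.com/` also "excludes" look-alike domains like `myorganization.com.evil.example`, and `A or B and not C` without parentheses evaluates as `A or (B and not C)` in any language where `and` binds tighter than `or`, so every EMAIL_UNCATEGORIZED event fires regardless of sender. The script below is an added example, not code from the thread; the events are constructed sample data, and the domain list (`myorganization`, `yahoo`, `gmail`, `outlook`) is an assumption standing in for the poster's own domains. The patterns stay within the subset of RE2 syntax that Python's `re` treats identically (anchors, alternation, escaped dots), so what passes here behaves the same inside the rule.

```python
"""Offline check of the sender-exclusion regex and rule grouping before they go into YARA-L."""
import re

# Domains whose senders must never trigger the rule: the organization itself plus the
# free-mail providers the poster wanted to exclude (assumed list). The trailing '$'
# anchors the match to the end of the address, so a look-alike such as
# "x@myorganization.com.evil.example" is NOT treated as an internal sender.
EXCLUDED_SENDER_RE = re.compile(r"@(myorganization|yahoo|gmail|outlook)\.com$", re.IGNORECASE)

# The same organization pattern without the anchor, kept only to show the pitfall.
UNANCHORED_ORG_RE = re.compile(r"@myorganization\.com", re.IGNORECASE)

SPAM_EVENT_TYPES = {"EMAIL_UNCATEGORIZED"}
SPAM_CATEGORIES = {"MAIL_SPAM"}


def is_excluded_sender(addr: str) -> bool:
    """True when the From: address belongs to one of the excluded domains (anchored match)."""
    return EXCLUDED_SENDER_RE.search(addr) is not None


def unanchored_excludes(addr: str) -> bool:
    """True when the unanchored organization pattern matches; wrongly true for look-alikes."""
    return UNANCHORED_ORG_RE.search(addr) is not None


def matches_intended(event: dict) -> bool:
    """(uncategorized OR spam) AND sender not excluded: the logic the poster described."""
    if event["product_name"] != "Office 365":
        return False
    suspicious = (event["event_type"] in SPAM_EVENT_TYPES
                  or event["category"] in SPAM_CATEGORIES)
    return suspicious and not is_excluded_sender(event["from"])


def matches_as_written(event: dict) -> bool:
    """uncategorized OR (spam AND sender not excluded): what the unparenthesized
    'A or B and not C' form evaluates to when 'and' binds tighter than 'or'."""
    if event["product_name"] != "Office 365":
        return False
    return event["event_type"] in SPAM_EVENT_TYPES or (
        event["category"] in SPAM_CATEGORIES and not is_excluded_sender(event["from"])
    )


# Constructed sample events, not real Office 365 log data.
SAMPLE_EVENTS = [
    {"product_name": "Office 365", "event_type": "EMAIL_UNCATEGORIZED",
     "category": "MAIL_SPAM", "from": "es@city-data.com"},
    {"product_name": "Office 365", "event_type": "EMAIL_UNCATEGORIZED",
     "category": "", "from": "alice@myorganization.com"},
    {"product_name": "Office 365", "event_type": "EMAIL_TRANSACTION",
     "category": "MAIL_SPAM", "from": "promo@gmail.com"},
    {"product_name": "Office 365", "event_type": "EMAIL_TRANSACTION",
     "category": "MAIL_SPAM", "from": "x@myorganization.com.evil.example"},
    {"product_name": "Exchange", "event_type": "EMAIL_UNCATEGORIZED",
     "category": "MAIL_SPAM", "from": "es@city-data.com"},
]


def senders_hit(rule) -> list:
    """Return the From: addresses of the sample events that the given rule function fires on."""
    return [e["from"] for e in SAMPLE_EVENTS if rule(e)]


if __name__ == "__main__":
    print("intended  :", senders_hit(matches_intended))
    print("as written:", senders_hit(matches_as_written))
    print("look-alike excluded by unanchored regex:",
          unanchored_excludes("x@myorganization.com.evil.example"))
```

With the intended grouping only the two genuinely external senders fire; with the grouping as written, the internal `alice@myorganization.com` message fires too because its EMAIL_UNCATEGORIZED type short-circuits the sender check. Run the script once with your own domain list substituted, then carry the exact regex and parentheses over into the rule.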




Thanks for the contribution, it's what I needed.