[PR #3479] modified rule: Brand impersonation: Google Workspace alert notification

Author: github-actions[bot]

detection-rules/3479_impersonation_google_workspace.yml

@@ -26,7 +26,13 @@ source: |
     )
     and headers.auth_summary.dmarc.pass
   )
-  
+
+  // Negate legitimate Atlassian/Jira notifications that may contain Google Workspace content
+  and not (
+    sender.email.domain.root_domain in~ ('atlassian.net', 'atlassian.com')
+    and headers.auth_summary.dmarc.pass
+  )
+
   // Negate legitimate Google alerts forwarded through mailing lists
   and not (
     any(headers.hops,
@@ -131,4 +137,4 @@ detection_methods:
 id: "053558a8-ffee-5bd7-a7d6-217f44e571bc"
 og_id: "143ffbc4-15ba-535e-b9d6-ab2e2862abe9"
 testing_pr: 3479
-testing_sha: 27f56b595c2bc6b19c3bc6df3c2dae3de703edd7
+testing_sha: 40b00281075e662aff1bfc9e6abc3dba1ad09440