Negate FP's and FN's: impersonation_github.yml

Author: morriscode

detection-rules/impersonation_github.yml

@@ -23,6 +23,15 @@ source: |
     'githubnext.com',
     'lithub.com'
   )
+  and (
+    beta.whois(sender.email.domain).days_old < 45
+    or (
+      any(body.links,
+          .href_url.domain.tld not in ("com", "net", "org", "co", "ms")
+          and .href_url.domain.valid == true
+      )
+    )
+  )
   and (
     (
       sender.email.domain.root_domain in $free_email_providers
@@ -42,4 +51,5 @@ tactics_and_techniques:
 detection_methods:
   - "Header analysis"
   - "Sender analysis"
+  - "Whois"
 id: "9402f92b-f2b1-5452-8124-fdad4a88feb4"