Add phishing simulation header insights for common training vendors#4914
Add phishing simulation header insights for common training vendors#4914MSAdministrator wants to merge 3 commits into
Conversation
Adds informational insight (query) rules that surface phishing simulation / security awareness training messages from the following vendors: Adaptive Security, Arctic Wolf MSA, Breach Secure Now, BullPhish, CanIPhish, Fable, Huntress, InfoSec IQ, Material, Microsoft, Mimecast, NINJIO, Phish Notify, Phished, Proofpoint, and Right Hand AI. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The root_domain linter flagged 4 literals that can never match a root_domain comparison: - avoidphishing.securityeducation.com (subdomain; securityeducation.com is already listed in the same block) - avoidphishing.eu.securityeducation.com (subdomain; ditto) - avoidphishing.ap.securityeducation.com (subdomain; ditto) - corpinternal.org2 (invalid TLD; root_domain resolves to "org2.") Removed all four dead literals. No matching coverage is lost since the registrable domain securityeducation.com remains in each block. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Runs the repo's mql_format.py over the new insight rules so their source matches the canonical formatting. CI's auto-format step reformats these but cannot commit the result back (its `git add` glob doesn't reach insights/headers/*.yml two levels deep), so the formatting must be committed manually. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Adds informational insight (
query) rules underinsights/headers/that surface phishing-simulation / security-awareness-training messages, tagged Headers and Phishing simulation. Covers the following vendors:Notes
These are
informationalseverity query rules that identify simulation senders by their known sending domains. Several complement the exclusion rules in #4913.🤖 Generated with Claude Code