Create spam_google_looker_studio_report.yml (#2305)

Co-authored-by: ID Generator <[email protected]>
Co-authored-by: Sam Scholten <[email protected]>

detection-rules/spam_google_looker_studio_report.yml

@@ -0,0 +1,32 @@
+name: "Spam: Sexually Explict Looker Studio Report"
+description: "Detects suspicious Looker Studio Reports which containing inappropriate content or suspicious patterns. The rule looks for reports from non-organizational domains that contain emojis or explicit keywords within the report."
+type: "rule"
+severity: "low"
+source: |
+  type.inbound
+  // 
+  //  Warning: This rule contains sexually explict keywords
+  // 
+  and sender.email.email == "[email protected]"
+  // the invite is not from an $org_domain user
+  and all(headers.reply_to,
+          .email.domain.domain not in $org_domains
+          and .email.email not in $recipient_emails
+          and .email.email not in $sender_emails
+  )
+  // the subject or the body contain sexually explict keywords
+  and any([subject.subject, body.current_thread.text],
+          // this regex should be kept in sync between the Google Group and the Looker Studio rules
+          regex.icontains(.,
+                          '(?:sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|lust|desire|intimate|explicit|fetish|kinky|seduce|adult\s*(?:\w+\s+){0,2}\s*community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'
+          )
+  )
+attack_types:
+  - "Spam"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Free email provider"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+id: "f1e649cd-63c0-5df4-86c9-72adc4eef0f0"