[MODIFY] Detection Rule 5

[poslogica]

Existing Rule Filename

detection-rule-5.yml

Rule Name

Detection Rule 5

Rule Status (Optional)

None

Rule Description (Optional)

No response

References (Optional)

https://test.one.com
https://hello.one.org
https://acme.tv

Modified By

FB Mod User 1

Modified Date

2025-12-01

MITRE ATT&CK Mapping (Optional)

attack.T1234
attack.T6789

Vendor Data Sources (Optional)

ACME

Service Data Sources (Optional)

HappySpace

Detection Query Before

Query 123

Detection Query After

Query 456

Detection Query Condition (Optional)

No response

Detection Query Suppress (Optional)

No response

Severity (Optional)

None

Outcome (Optional)

No response

Review Last Reviewed

2025-12-01

Review Next Review

2026-12-01

Expiry Date (Optional)

No response

Summary of Changes

Update query to reduce the number of false positives.
Update Vendor name.
Update Service name.

[github-actions]

✅ Detection rule data has been extracted and a pull request has been created. Please review the PR to approve the new rule.

[github-actions]

✅ Detection rule has been updated and a pull request has been created. Please review the PR to approve the modifications.

Current Rule Values (Before Modification)

name: Detection Rule 5
status: Enabled-PreProd
description: Detection Rule 5
references: null
author:
  by: null
  date: "2025-12-01"
modified:
  by: null
  date: null
tags: null
log_source:
  vendor: ACME123
  service: Funtime33
detection:
  query:
    before: null
    after: Query 123
  condition: trigger on first match
  suppress: Suppress for 15 minutes
severity: Low
outcome: Alert - No Investigation
review:
  last_reviewed: "2025-12-01"
  next_review: "2026-12-01"
expiry_date: null

Next Steps:

• Review the pull request to see the changes
• Approve the PR to apply the modifications