Brand impersonation: Capital One

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

This detection rule identifies inbound messages containing Capital One branding indicators in display names, sender addresses, message content, or embedded logos, while excluding legitimate Capital One domains and authenticated communications from known trusted senders.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	Impersonation: Brand, Lookalike domain, Social engineering

Event coverage

Message attribute
attachments (collection)
body
body.current_thread
body.html
body.links (collection)
headers (collection)
headers.auth_summary
headers.hops (collection)
sender
sender.email
subject
type

Rule body MQL

type.inbound
// limit evaluation of a regex heavy rule
and length(body.current_thread.text) < 2000000
and (
  any([
        strings.replace_confusables(sender.display_name),
        strings.replace_confusables(subject.subject),
        // domain parts of sender
        sender.email.local_part,
        sender.email.domain.sld
      ],
      // quick checks first
      strings.icontains(., 'Capital One')
      or strings.icontains(., 'CapitalOne')

      // slower checks next
      or regex.icontains(., 'Capital.?One')
      // levenshtein distince similar to captial one
      or strings.ilevenshtein(., 'Capital One') <= 2
  )
  or any(ml.logo_detect(file.message_screenshot()).brands,
         .name == "Capital One Bank" and .confidence != "low"
  )
)
and not (
  sender.email.domain.root_domain in (
    "capitalone.co.uk",
    "capitalone.com",
    "capitaloneshopping.com",
    "capitalonesoftware.com",
    "capitalonebooking.com",
    "capitalonetravel.com",
    "olbanking.com", // a fiserv.one domain
    "bynder.com", // Digital Assest Mgmt
    "gcs-web.com", // investor relations run by capital one
    "capitalonearena.com", // the arena
    "monumentalsports.com", // the company that owns a bunch of teams that play at the arena?
    "ticketmaster.com", // sell and advertises tickets at Capital One Arena
    "credible.com", // known loan marketplace
    "capitalonetradecredit.com" // domain associated with Capital One's trade credit platform
  )
  and headers.auth_summary.dmarc.pass
)
// and the sender is not from high trust sender root domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// suspicious indicators here
and (
  // // password theme
  (
    strings.icontains(body.current_thread.text, "new password")
    or regex.icontains(body.current_thread.text,
                       '(?:credentials?|password)\s*(?:\w+\s+){0,3}\s*(?:compromise|reset|expir(?:ation|ed)|update|invalid|incorrect|changed|(?:mis)?match)',
                       '(?:compromise|reset|expir(?:ation|ed)|update|invalid|incorrect|changed|(?:mis)?match)\s*(?:\w+\s+){0,3}\s*(?:credentials?|password)',
                       '(?:short|weak|chang(?:e|ing)|reset)\s*(?:\w+\s+){0,3}\s*(?:credentials?|password)',
                       '(?:credentials?|password)\s*(?:\w+\s+){0,3}\s*(?:short|weak|chang(?:e|ing)|reset)',
    )
  )
  // // login failures
  or (
    strings.icontains(body.current_thread.text, "unusual number of")
    or strings.icontains(body.current_thread.text, "security breach")
    or (
      strings.icontains(body.current_thread.text, "security alert")
      // some capital one notiifcaitons include directions to
      // change notificaiton preferences to only security alerts
      and (
        strings.icount(body.current_thread.text, "security alert") > strings.icount(body.current_thread.text,
                                                                                    "sign in to your account and select Security Alerts."
        )
      )
    )
    or strings.icontains(body.current_thread.text, "account remains secure")
    or strings.icontains(body.current_thread.text, "please verify your account")
    or strings.icontains(body.current_thread.text,
                         "suspicious activity detected"
    )
    or strings.icontains(body.current_thread.text, "temporarily locked out")
    or regex.icontains(body.current_thread.text,
                       '(?:invalid|unrecognized|unauthorized|fail(?:ed|ure)?|suspicious|unusual|attempt(?:ed)?\b|tried to)\s*(?:\w+\s+){0,3}\s*(?:log(?:.?in)?|sign(?:.?in)?|account|access|activity)',
                       '(?:log(?:.?in)?|sign(?:.?in)?|account|access|activity)\s*(?:\w+\s+){0,3}\s*(?:invalid|unrecognized|fail(?:ed|ure)?|suspicious|unusual|attempt(?:ed)?\b)'
    )
  )
  // // account locked
  or (
    strings.icontains(body.current_thread.text, "been suspend")
    or strings.icontains(body.current_thread.text, "will be restored")
    or strings.icontains(body.current_thread.text, "security reasons")
    or strings.icontains(body.current_thread.text,
                         "temporarily restricted access"
    )
    or regex.icontains(body.current_thread.text,
                       'acc(?:ou)?n?t\s*(?:\w+\s+){0,3}\s*(?:authenticat(?:e|ion)|activity|\bho[li]d\b|terminat|[il1]{2}m[il1]t(?:s|ed|ation)|b?locked|de-?activat|suspen(?:ed|sion)|restrict(?:ed|ion)?|expir(?:ed?|ing)|v[il]o[li]at|verif(?:y|ication))',
                       '(?:authenticat(?:e|ion)|activity|\bho[li]d\b|terminat|[il1]{2}m[il1]t(?:s|ed|ation)|b?locked|de-?activat|suspen(?:ed|sion)|restrict(?:ed|ion)?|expir(?:ed?|ing)|v[il]o[li]at|verif(?:y|ication))\s*(?:\w+\s+){0,3}\s*acc(?:ou)?n?t\b'
    )
  )
  // // secure messages
  or (
    regex.icontains(body.current_thread.text,
                    '(?:encrypt(?:ion|ed)?|secur(?:ed?|ity)) (?:\w+\s+){0,3}\s*message'
    )
    or strings.icontains(body.current_thread.text, "document portal")
    or regex.icontains(body.current_thread.text,
                       "has been (?:encrypt|sent secure)"
    )
    or regex.icontains(body.current_thread.text,
                       'encryption (?:\w+\s+){0,3}\s*tech'
    )
  )
  // // documents to view
  or (
    // we can skip the regex if the diplay_text doesn't contain document
    // this might need to be removed if the regex is expanded
    strings.icontains(body.current_thread.text, 'document')
    and regex.icontains(body.current_thread.text,
                        'document\s*(?:\w+\s+){0,3}\s*(?:ready|posted|review|available|online)',
                        '(?:ready|posted|review|available|online)\s*(?:\w+\s+){0,3}\s*document'
    )
  )
  // // account/profile details
  or (
    strings.icontains(body.current_thread.text, "about your account")
    or strings.icontains(body.current_thread.text, "action required")
    or regex.icontains(body.current_thread.text,
                       '(update|\bedit\b|modify|revise|verif(?:y|ication)|discrepanc(?:y|ies)|mismatch(?:es)?|inconsistenc(?:y|ies)?|difference(?:s)?|anomal(?:y|ies)?|irregularit(?:y|ies)?)\s*(?:\w+\s+){0,4}\s*(?:account|ownership|detail|record|data|info(?:rmation)?)',
                       '(?:account|ownership|detail|record|data|info(?:rmation)?)\s*(?:\w+\s+){0,4}\s*(update|\bedit\b|modify|revise|verif(?:y|ication)|discrepanc(?:y|ies)|mismatch(?:es)?|inconsistenc(?:y|ies)?|difference(?:s)?|anomal(?:y|ies)?|irregularit(?:y|ies)?)'
    )
  )
  // // other calls to action that are unexpected
  or (strings.icontains(body.current_thread.text, "download the attachment"))

  // the links contain suspect wording
  or (
    0 < length(body.links) <= 50
    and any(body.links,
            (
              regex.icontains(.display_text, '(?:log|sign).?in')
              or strings.icontains(.display_text, 'confirm')
              or strings.icontains(.display_text, 'i recongize it')
              or strings.icontains(.display_text, "something\'s wrong")
              or regex.icontains(.display_text,
                                 '(?:(?:re)?view|see|read)\s*(?:\w+\s*){0,3}\s*(?:document|message|now|account)'
              )
              or regex.icontains(.display_text,
                                 'restore\s*(?:\w+\s*){0,3}\s*(?:account|access)'
              )
              or regex.icontains(.display_text,
                                 'review\s*(?:\w+\s*){0,3}\s*(?:payment)'
              )
            )
            and not regex.icontains(.display_text,
                                    'confirm\s*(?:\w+\s*){0,3}\s*this message'
            )
            and .href_url.domain.root_domain != "capitalone.com"
    )
  )
  // the message contains a disclaimer but isn't from capitalone
  or (
    regex.icontains(body.current_thread.text,
                    'To ensure delivery, add [^\@]+@[^\s]*capitalone.com to your address book.'
    )
    and sender.email.domain.root_domain != "capitalone.com"
  )
)
// negation of inbound org domains which path eamil auth
and not (
  type.inbound
  and sender.email.domain.domain in $org_domains
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
  and not 'fail' in~ distinct(map(headers.hops, .authentication_results.dkim))
)
and not any(beta.ml_topic(body.html.display_text).topics,
            (
              .name in (
                // lots of newsletters talk about capital one
                "Newsletters and Digests",
                // lots of recruiting mention oppurtunties at capital one, often including the logo
                "Professional and Career Development",
              )
              and .confidence == "high"
            )
            or (
              .name in (
                // Outage events are often news worthy
                "News and Current Events"
              )
              and .confidence != "low"
            )
)
// negating legit replies/forwards
// https://github.com/sublime-security/sublime-rules/blob/main/insights/authentication/org_inbound_auth_pass.yml
and not (
  (
    strings.istarts_with(subject.subject, "RE:")
    or strings.istarts_with(subject.subject, "FW:")
    or strings.istarts_with(subject.subject, "FWD:")
    or regex.imatch(subject.subject,
                    '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
    )
    or strings.istarts_with(subject.subject, "Réponse automatique")
  )
  and (length(headers.references) > 0 and headers.in_reply_to is not null)
)
// negate bounce backs
and not (
  strings.like(sender.email.local_part,
               "*postmaster*",
               "*mailer-daemon*",
               "*administrator*"
  )
  and any(attachments,
          .content_type in (
            "message/rfc822",
            "message/delivery-status",
            "text/calendar"
          )
  )
)

Detection logic

Scope: inbound message.

inbound message
length(body.current_thread.text) < 2000000
any of:
- any of [strings.replace_confusables(sender.display_name), strings.replace_confusables(subject.subject), sender.email.local_part, sender.email.domain.sld] where any holds:
  - . contains 'Capital One'
  - . contains 'CapitalOne'
  - . matches 'Capital.?One'
  - . is similar to 'Capital One'
- any of ml.logo_detect(file.message_screenshot()).brands where all hold:
  - .name is 'Capital One Bank'
  - .confidence is not 'low'
not:
- all of:
  - sender.email.domain.root_domain in ('capitalone.co.uk', 'capitalone.com', 'capitaloneshopping.com', 'capitalonesoftware.com', 'capitalonebooking.com', 'capitalonetravel.com', 'olbanking.com', 'bynder.com', 'gcs-web.com', 'capitalonearena.com', 'monumentalsports.com', 'ticketmaster.com', 'credible.com', 'capitalonetradecredit.com')
  - headers.auth_summary.dmarc.pass
any of:
- all of:
  - sender.email.domain.root_domain in $high_trust_sender_root_domains
  - not:
    
    headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
any of:
- any of:
  - body.current_thread.text contains 'new password'
  - body.current_thread.text matches any of 4 patterns
    
    (?:credentials?|password)\s*(?:\w+\s+){0,3}\s*(?:compromise|reset|expir(?:ation|ed)|update|invalid|incorrect|changed|(?:mis)?match)
    (?:compromise|reset|expir(?:ation|ed)|update|invalid|incorrect|changed|(?:mis)?match)\s*(?:\w+\s+){0,3}\s*(?:credentials?|password)
    (?:short|weak|chang(?:e|ing)|reset)\s*(?:\w+\s+){0,3}\s*(?:credentials?|password)
    (?:credentials?|password)\s*(?:\w+\s+){0,3}\s*(?:short|weak|chang(?:e|ing)|reset)
- any of:
  - body.current_thread.text contains 'unusual number of'
  - body.current_thread.text contains 'security breach'
  - all of:
    
    body.current_thread.text contains 'security alert'
    strings.icount(body.current_thread.text, 'security alert') > strings.icount(body.current_thread.text, 'sign in to your account and select Security Alerts.')
  - body.current_thread.text contains 'account remains secure'
  - body.current_thread.text contains 'please verify your account'
  - body.current_thread.text contains 'suspicious activity detected'
  - body.current_thread.text contains 'temporarily locked out'
  - body.current_thread.text matches any of 2 patterns
    
    (?:invalid|unrecognized|unauthorized|fail(?:ed|ure)?|suspicious|unusual|attempt(?:ed)?\b|tried to)\s*(?:\w+\s+){0,3}\s*(?:log(?:.?in)?|sign(?:.?in)?|account|access|activity)
    (?:log(?:.?in)?|sign(?:.?in)?|account|access|activity)\s*(?:\w+\s+){0,3}\s*(?:invalid|unrecognized|fail(?:ed|ure)?|suspicious|unusual|attempt(?:ed)?\b)
- any of:
  - body.current_thread.text contains 'been suspend'
  - body.current_thread.text contains 'will be restored'
  - body.current_thread.text contains 'security reasons'
  - body.current_thread.text contains 'temporarily restricted access'
  - body.current_thread.text matches any of 2 patterns
    
    acc(?:ou)?n?t\s*(?:\w+\s+){0,3}\s*(?:authenticat(?:e|ion)|activity|\bho[li]d\b|terminat|[il1]{2}m[il1]t(?:s|ed|ation)|b?locked|de-?activat|suspen(?:ed|sion)|restrict(?:ed|ion)?|expir(?:ed?|ing)|v[il]o[li]at|verif(?:y|ication))
    (?:authenticat(?:e|ion)|activity|\bho[li]d\b|terminat|[il1]{2}m[il1]t(?:s|ed|ation)|b?locked|de-?activat|suspen(?:ed|sion)|restrict(?:ed|ion)?|expir(?:ed?|ing)|v[il]o[li]at|verif(?:y|ication))\s*(?:\w+\s+){0,3}\s*acc(?:ou)?n?t\b
- any of:
  - body.current_thread.text matches '(?:encrypt(?:ion|ed)?|secur(?:ed?|ity)) (?:\\w+\\s+){0,3}\\s*message'
  - body.current_thread.text contains 'document portal'
  - body.current_thread.text matches 'has been (?:encrypt|sent secure)'
  - body.current_thread.text matches 'encryption (?:\\w+\\s+){0,3}\\s*tech'
- all of:
  - body.current_thread.text contains 'document'
  - body.current_thread.text matches any of 2 patterns
    
    document\s*(?:\w+\s+){0,3}\s*(?:ready|posted|review|available|online)
    (?:ready|posted|review|available|online)\s*(?:\w+\s+){0,3}\s*document
- any of:
  - body.current_thread.text contains 'about your account'
  - body.current_thread.text contains 'action required'
  - body.current_thread.text matches any of 2 patterns
    
    (update|\bedit\b|modify|revise|verif(?:y|ication)|discrepanc(?:y|ies)|mismatch(?:es)?|inconsistenc(?:y|ies)?|difference(?:s)?|anomal(?:y|ies)?|irregularit(?:y|ies)?)\s*(?:\w+\s+){0,4}\s*(?:account|ownership|detail|record|data|info(?:rmation)?)
    (?:account|ownership|detail|record|data|info(?:rmation)?)\s*(?:\w+\s+){0,4}\s*(update|\bedit\b|modify|revise|verif(?:y|ication)|discrepanc(?:y|ies)|mismatch(?:es)?|inconsistenc(?:y|ies)?|difference(?:s)?|anomal(?:y|ies)?|irregularit(?:y|ies)?)
- body.current_thread.text contains 'download the attachment'
- all of:
  - all of:
    
    length(body.links) > 0
    length(body.links) ≤ 50
  - any of body.links where all hold:
    
    any of:
    
    .display_text matches '(?:log|sign).?in'
    .display_text contains 'confirm'
    .display_text contains 'i recongize it'
    .display_text contains "something\\'s wrong"
    .display_text matches '(?:(?:re)?view|see|read)\\s*(?:\\w+\\s*){0,3}\\s*(?:document|message|now|account)'
    .display_text matches 'restore\\s*(?:\\w+\\s*){0,3}\\s*(?:account|access)'
    .display_text matches 'review\\s*(?:\\w+\\s*){0,3}\\s*(?:payment)'
    not:
    
    .display_text matches 'confirm\\s*(?:\\w+\\s*){0,3}\\s*this message'
    .href_url.domain.root_domain is not 'capitalone.com'
- all of:
  - body.current_thread.text matches 'To ensure delivery, add [^\\@]+@[^\\s]*capitalone.com to your address book.'
  - sender.email.domain.root_domain is not 'capitalone.com'
not:
- all of:
  - inbound message
  - sender.email.domain.domain in $org_domains
  - headers.auth_summary.spf.pass
  - headers.auth_summary.dmarc.pass
  - not:
    
    distinct(...) contains 'fail'
not:
- any of beta.ml_topic(body.html.display_text).topics where any holds:
  - all of:
    
    .name in ('Newsletters and Digests', 'Professional and Career Development')
    .confidence is 'high'
  - all of:
    
    .name in ('News and Current Events')
    .confidence is not 'low'
not:
- all of:
  - any of:
    
    subject.subject starts with 'RE:'
    subject.subject starts with 'FW:'
    subject.subject starts with 'FWD:'
    subject.subject matches '(\\[[^\\]]+\\]\\s?){0,3}(re|fwd?|automat.*)\\s?:.*'
    subject.subject starts with 'Réponse automatique'
  - all of:
    
    length(headers.references) > 0
    headers.in_reply_to is set
not:
- all of:
  - sender.email.local_part matches any of 3 patterns
    
    *postmaster*
    *mailer-daemon*
    *administrator*
  - any of attachments where:
    
    .content_type in ('message/rfc822', 'message/delivery-status', 'text/calendar')

Inspects: attachments[].content_type, body.current_thread.text, body.html.display_text, body.links, body.links[].display_text, body.links[].href_url.domain.root_domain, headers.auth_summary.dmarc.pass, headers.auth_summary.spf.pass, headers.hops, headers.hops[].authentication_results.dkim, headers.in_reply_to, headers.references, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.domain.sld, sender.email.local_part, subject.subject, type.inbound. Sensors: beta.ml_topic, file.message_screenshot, ml.logo_detect, regex.icontains, regex.imatch, strings.icontains, strings.icount, strings.ilevenshtein, strings.istarts_with, strings.like, strings.replace_confusables. Reference lists: $high_trust_sender_root_domains, $org_domains.

Indicators matched (76)

Field	Match	Value
`strings.icontains`	substring	`Capital One`
`strings.icontains`	substring	`CapitalOne`
`regex.icontains`	regex	`Capital.?One`
`strings.ilevenshtein`	fuzzy	`Capital One`
`ml.logo_detect(file.message_screenshot()).brands[].name`	equals	`Capital One Bank`
`sender.email.domain.root_domain`	member	`capitalone.co.uk`
`sender.email.domain.root_domain`	member	`capitalone.com`
`sender.email.domain.root_domain`	member	`capitaloneshopping.com`
`sender.email.domain.root_domain`	member	`capitalonesoftware.com`
`sender.email.domain.root_domain`	member	`capitalonebooking.com`
`sender.email.domain.root_domain`	member	`capitalonetravel.com`
`sender.email.domain.root_domain`	member	`olbanking.com`

64 more

`sender.email.domain.root_domain`	member	`bynder.com`
`sender.email.domain.root_domain`	member	`gcs-web.com`
`sender.email.domain.root_domain`	member	`capitalonearena.com`
`sender.email.domain.root_domain`	member	`monumentalsports.com`
`sender.email.domain.root_domain`	member	`ticketmaster.com`
`sender.email.domain.root_domain`	member	`credible.com`
`sender.email.domain.root_domain`	member	`capitalonetradecredit.com`
`strings.icontains`	substring	`new password`
`regex.icontains`	regex	`(?:credentials?\|password)\s(?:\w+\s+){0,3}\s(?:compromise\|reset\|expir(?:ation\|ed)\|update\|invalid\|incorrect\|changed\|(?:mis)?match)`
`regex.icontains`	regex	`(?:compromise\|reset\|expir(?:ation\|ed)\|update\|invalid\|incorrect\|changed\|(?:mis)?match)\s(?:\w+\s+){0,3}\s(?:credentials?\|password)`
`regex.icontains`	regex	`(?:short\|weak\|chang(?:e\|ing)\|reset)\s(?:\w+\s+){0,3}\s(?:credentials?\|password)`
`regex.icontains`	regex	`(?:credentials?\|password)\s(?:\w+\s+){0,3}\s(?:short\|weak\|chang(?:e\|ing)\|reset)`
`strings.icontains`	substring	`unusual number of`
`strings.icontains`	substring	`security breach`
`strings.icontains`	substring	`security alert`
`strings.icontains`	substring	`account remains secure`
`strings.icontains`	substring	`please verify your account`
`strings.icontains`	substring	`suspicious activity detected`
`strings.icontains`	substring	`temporarily locked out`
`regex.icontains`	regex	`(?:invalid\|unrecognized\|unauthorized\|fail(?:ed\|ure)?\|suspicious\|unusual\|attempt(?:ed)?\b\|tried to)\s(?:\w+\s+){0,3}\s(?:log(?:.?in)?\|sign(?:.?in)?\|account\|access\|activity)`
`regex.icontains`	regex	`(?:log(?:.?in)?\|sign(?:.?in)?\|account\|access\|activity)\s(?:\w+\s+){0,3}\s(?:invalid\|unrecognized\|fail(?:ed\|ure)?\|suspicious\|unusual\|attempt(?:ed)?\b)`
`strings.icontains`	substring	`been suspend`
`strings.icontains`	substring	`will be restored`
`strings.icontains`	substring	`security reasons`
`strings.icontains`	substring	`temporarily restricted access`
`regex.icontains`	regex	`acc(?:ou)?n?t\s(?:\w+\s+){0,3}\s(?:authenticat(?:e\|ion)\|activity\|\bho[li]d\b\|terminat\|[il1]{2}m[il1]t(?:s\|ed\|ation)\|b?locked\|de-?activat\|suspen(?:ed\|sion)\|restrict(?:ed\|ion)?\|expir(?:ed?\|ing)\|v[il]o[li]at\|verif(?:y\|ication))`
`regex.icontains`	regex	`(?:authenticat(?:e\|ion)\|activity\|\bho[li]d\b\|terminat\|[il1]{2}m[il1]t(?:s\|ed\|ation)\|b?locked\|de-?activat\|suspen(?:ed\|sion)\|restrict(?:ed\|ion)?\|expir(?:ed?\|ing)\|v[il]o[li]at\|verif(?:y\|ication))\s(?:\w+\s+){0,3}\sacc(?:ou)?n?t\b`
`regex.icontains`	regex	`(?:encrypt(?:ion\|ed)?\|secur(?:ed?\|ity)) (?:\w+\s+){0,3}\s*message`
`strings.icontains`	substring	`document portal`
`regex.icontains`	regex	`has been (?:encrypt\|sent secure)`
`regex.icontains`	regex	`encryption (?:\w+\s+){0,3}\s*tech`
`strings.icontains`	substring	`document`
`regex.icontains`	regex	`document\s(?:\w+\s+){0,3}\s(?:ready\|posted\|review\|available\|online)`
`regex.icontains`	regex	`(?:ready\|posted\|review\|available\|online)\s(?:\w+\s+){0,3}\sdocument`
`strings.icontains`	substring	`about your account`
`strings.icontains`	substring	`action required`
`regex.icontains`	regex	`(update\|\bedit\b\|modify\|revise\|verif(?:y\|ication)\|discrepanc(?:y\|ies)\|mismatch(?:es)?\|inconsistenc(?:y\|ies)?\|difference(?:s)?\|anomal(?:y\|ies)?\|irregularit(?:y\|ies)?)\s(?:\w+\s+){0,4}\s(?:account\|ownership\|detail\|record\|data\|info(?:rmation)?)`
`regex.icontains`	regex	`(?:account\|ownership\|detail\|record\|data\|info(?:rmation)?)\s(?:\w+\s+){0,4}\s(update\|\bedit\b\|modify\|revise\|verif(?:y\|ication)\|discrepanc(?:y\|ies)\|mismatch(?:es)?\|inconsistenc(?:y\|ies)?\|difference(?:s)?\|anomal(?:y\|ies)?\|irregularit(?:y\|ies)?)`
`strings.icontains`	substring	`download the attachment`
`regex.icontains`	regex	`(?:log\|sign).?in`
`strings.icontains`	substring	`confirm`
`strings.icontains`	substring	`i recongize it`
`strings.icontains`	substring	`something\'s wrong`
`regex.icontains`	regex	`(?:(?:re)?view\|see\|read)\s(?:\w+\s){0,3}\s*(?:document\|message\|now\|account)`
`regex.icontains`	regex	`restore\s(?:\w+\s){0,3}\s*(?:account\|access)`
`regex.icontains`	regex	`review\s(?:\w+\s){0,3}\s*(?:payment)`
`regex.icontains`	regex	`confirm\s(?:\w+\s){0,3}\s*this message`
`regex.icontains`	regex	`To ensure delivery, add [^\@]+@[^\s]*capitalone.com to your address book.`
`distinct(map(headers.hops, .authentication_results.dkim))`	contains	`fail`
`beta.ml_topic(body.html.display_text).topics[].name`	member	`Newsletters and Digests`
`beta.ml_topic(body.html.display_text).topics[].name`	member	`Professional and Career Development`
`beta.ml_topic(body.html.display_text).topics[].confidence`	equals	`high`
`beta.ml_topic(body.html.display_text).topics[].name`	member	`News and Current Events`
`strings.istarts_with`	prefix	`RE:`
`strings.istarts_with`	prefix	`FW:`
`strings.istarts_with`	prefix	`FWD:`
`regex.imatch`	regex	`(\[[^\]]+\]\s?){0,3}(re\|fwd?\|automat.)\s?:.`
`strings.istarts_with`	prefix	`Réponse automatique`
`strings.like`	substring	`postmaster`
`strings.like`	substring	`mailer-daemon`
`strings.like`	substring	`administrator`
`attachments[].content_type`	member	`message/rfc822`
`attachments[].content_type`	member	`message/delivery-status`
`attachments[].content_type`	member	`text/calendar`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)