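// Inbound messages only
type.inbound
and any(attachments,
        // The attachment is a calendar invite, identified by detected file type,
        // file extension, or declared content type
        (
          .file_type == "ics"
          or (
            .file_extension == "ics"
            or .content_type in ("application/ics", "text/calendar")
          )
        )
        //
        // This rule makes use of a beta feature and is subject to change without notice.
        // Using the beta feature in custom rules is not suggested until it has been formally released.
        //
        // At least one event in the parsed invite contains a link whose domain
        // is less than 30 days old according to WHOIS
        and any(beta.file.parse_ics(.).events,
                any(.links, network.whois(.href_url.domain).days_old < 30)
        )
)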