Description

Detects messages containing two PDF attachments where one has invoice-related naming patterns and the other contains W-9 tax form indicators, a pairing commonly used in business email compromise attacks targeting financial processes.

References

No references.

Sublime Security
Created Jan 21st, 2026 • Last updated Jun 26th, 2026
Source
type.inbound
and length(distinct(attachments, .sha1)) == 2
and length(filter(attachments, .file_type == "pdf")) == 2
// at least one PDF was produced by Chromium/HeadlessChrome or wkhtmltopdf, or carries empty Creator and Producer metadata
and any(filter(attachments, .file_type == "pdf"),
        beta.parse_exif(.).creator == "Chromium"
        or strings.icontains(beta.parse_exif(.).creator, "wkhtmltopdf")
        or strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
        or (
          any(beta.parse_exif(.).fields, .key == "Creator" and .value == "")
          and any(beta.parse_exif(.).fields,
                  .key == "Producer" and .value == ""
          )
        )
)
and any(attachments,
        strings.istarts_with(.file_name, 'lnv')
        or strings.istarts_with(.file_name, 'inv-')
        or strings.istarts_with(.file_name, "invoice_")
        or regex.contains(.file_name, '^Invoice\s\d{8,9}')
        or regex.contains(.file_name, '^INV[0-9]{7}')
        or regex.contains(.file_name, '^INV#[0-9]{12}')
        or regex.icontains(.file_name, '_inv_')
        or strings.icontains(beta.ocr(.).text, "Executive Business Coaching")
        or strings.icontains(beta.ocr(.).text, "Executive Coaching")
        or strings.icontains(beta.ocr(.).text, "Professional Services")
        or strings.icontains(beta.ocr(.).text, "Business Systems Integration")
        or strings.icontains(beta.ocr(.).text, "Consulting & Advisory")
        or strings.icontains(beta.ocr(.).text, "Zoomlnfo")
)
and any(attachments,
        .file_name == ".pdf"
        or regex.contains(beta.ocr(.).text, 'W[=-]9')
        or regex.icontains(.file_name, 'w[-_]?9')
)
and not (
  sender.email.domain.root_domain in ('intuit.com')
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
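The same rule logic in plain Python, added here as an illustration rather than code from Sublime Security or its MQL engine; the message and attachment field names (inbound, sender_root_domain, dmarc_pass, creator, producer, ocr_text) are this example's own stand-ins for the MQL fields, and the sample message is constructed:

```python
import re
# OCR keywords from the rule; "Zoomlnfo" (lowercase L) is the lookalike it hunts.
INVOICE_OCR = ["executive business coaching", "executive coaching",
               "professional services", "business systems integration",
               "consulting & advisory", "zoomlnfo"]

def headless_pdf(att):
    """EXIF clause: Chromium/HeadlessChrome/wkhtmltopdf creator, or both
    Creator and Producer present but empty (creator=None means absent)."""
    creator, producer = att.get("creator"), att.get("producer")
    return bool(creator == "Chromium"
                or (creator and re.search(r"wkhtmltopdf|headlesschrome", creator, re.I))
                or (creator == "" and producer == ""))

def invoice_like(att):
    """File-name and OCR heuristics for the invoice-looking PDF ('lnv' is the
    lowercase-L lookalike of 'inv')."""
    name, text = att["file_name"], att.get("ocr_text", "")
    return bool(name.lower().startswith(("lnv", "inv-", "invoice_"))
                or re.search(r"^Invoice\s\d{8,9}|^INV[0-9]{7}|^INV#[0-9]{12}", name)
                or re.search(r"_inv_", name, re.I)
                or any(k in text.lower() for k in INVOICE_OCR))

def w9_like(att):
    """W-9 indicators: bare '.pdf' file name, 'W-9'/'W=9' in OCR text
    (OCR often reads '-' as '='), or w9/w-9/w_9 anywhere in the name."""
    name, text = att["file_name"], att.get("ocr_text", "")
    return bool(name == ".pdf" or re.search(r"W[=-]9", text)
                or re.search(r"w[-_]?9", name, re.I))

def rule_matches(msg):
    """Evaluate the full rule, including the Intuit-plus-DMARC exclusion."""
    atts = msg["attachments"]
    pdfs = [a for a in atts if a["file_type"] == "pdf"]
    if not (msg.get("inbound") and len({a["sha1"] for a in atts}) == 2
            and len(pdfs) == 2 and any(headless_pdf(a) for a in pdfs)
            and any(invoice_like(a) for a in atts)
            and any(w9_like(a) for a in atts)):
        return False
    return not (msg.get("sender_root_domain") == "intuit.com"
                and msg.get("dmarc_pass", False))

# Constructed sample message; field names are this example's own, not MQL's.
SAMPLE = {"inbound": True, "sender_root_domain": "example.com", "dmarc_pass": True,
          "attachments": [
    {"file_name": "INV#202600000001.pdf", "file_type": "pdf", "sha1": "a1",
     "creator": "", "producer": "", "ocr_text": "Professional Services"},
    {"file_name": "W-9 form.pdf", "file_type": "pdf", "sha1": "b2",
     "creator": "HeadlessChrome", "producer": "Skia", "ocr_text": "Form W=9"}]}
```

Flipping the sample's sender to intuit.com with DMARC passing exercises the exclusion, which is the branch most worth checking when tuning the rule.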