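// Flags inbound messages whose sender display name contains "State Farm"
// (with or without the space) when the sender's root domain is not an
// organization domain, not one of the listed State Farm domains, and not a
// high-trust domain that passes DMARC.
type.inbound
and (
  // case-insensitive match on "state farm" / "statefarm" in the display name
  regex.icontains(sender.display_name, 'state\s?farm')
  // skip display names that pair "state farm" with one of the terms below
  // (presumably sponsored venues, events and a perks program; confirm)
  and not (
    strings.icontains(sender.display_name, "state farm")
    and (
      strings.icontains(sender.display_name, "center")
      or strings.icontains(sender.display_name, "arena")
      or strings.icontains(sender.display_name, "stadium")
      or strings.icontains(sender.display_name, "hall")
      or strings.icontains(sender.display_name, "classic")
      or strings.icontains(sender.display_name, "showdown")
      or strings.icontains(sender.display_name, "perks at work")
    )
  )
)
// and the sender is not in org_domains or from State Farm domains
// NOTE(review): this exclusion keys on the sender address's root domain alone,
// with no authentication check, so a message that only claims one of these
// domains is exempt. Consider also requiring a DMARC pass for the listed
// domains; confirm the false-positive impact before changing it.
and not (
  sender.email.domain.root_domain in $org_domains
  or sender.email.domain.root_domain in (
    "statefarm.com",
    "statefarminsurance.com",
    "statefarm.ca",
    "statefarmbank.com",
    "sfauthentication.com",
    "statefarmarena.com",
    "statefarmservice.com",
    "statefarmisthere.com",
    "digitalpayouts.com", // State Farm use this domain for claim payouts
    "aravo.com", // risk management company State Farm uses
    "statefarmclaims.com",
    "statefarmfeedback.com", // legit survey
    "statefarmsurveys.com", // legit survey
    "nationalesurvey.com"
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
// $high_trust_sender_root_domains is intentionally not part of the
// unconditional exclusion above: listing it there exempted high-trust domains
// even when DMARC failed, which made this clause ineffective.
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  // coalesce treats a missing DMARC result as "did not pass"
  and coalesce(headers.auth_summary.dmarc.pass, false)
)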