From baf421bdd210a764a0f6ea7d65877286ce080b72 Mon Sep 17 00:00:00 2001
From: alexo-nano
Date: Fri, 5 Dec 2025 17:53:32 -0500
Subject: [PATCH 1/2] Update attachment_pdf_comp_review.yml

Added to the regex.icontains phrase list querying file explode.strings.
---
 detection-rules/attachment_pdf_comp_review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/attachment_pdf_comp_review.yml b/detection-rules/attachment_pdf_comp_review.yml
index 58a8355b352..20768f92b73 100644
--- a/detection-rules/attachment_pdf_comp_review.yml
+++ b/detection-rules/attachment_pdf_comp_review.yml
@@ -61,7 +61,7 @@ source: |
 any([.scan.strings.raw, .scan.ocr.raw],
 (
 regex.icontains(.,
- '\b(?:Remuneration Overview|Updated Compensation (?:Summary|Schedule|Details)|Access Your Statements?|Staff Performance Appraisal|Compensation Adjustment|performance appraisal|Appraisal Overview|appraisal and compensation|salary increment)\b'
+ '\b(?:Remuneration Overview|Updated Compensation (?:Summary|Schedule|Details)|Access Your Statements?|Staff Performance Appraisal|Compensation Adjustment|performance appraisal|Appraisal Overview|appraisal and compensation|salary (increment|deduction))\b'
 )
 )
 )

From d40c10394ee7edea8550147e381227853a716042 Mon Sep 17 00:00:00 2001
From: alexo-nano
Date: Fri, 5 Dec 2025 18:58:34 -0500
Subject: [PATCH 2/2] Update detection-rules/attachment_pdf_comp_review.yml

Co-authored-by: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
---
 detection-rules/attachment_pdf_comp_review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/attachment_pdf_comp_review.yml b/detection-rules/attachment_pdf_comp_review.yml
index 20768f92b73..eeaabd963f1 100644
--- a/detection-rules/attachment_pdf_comp_review.yml
+++ b/detection-rules/attachment_pdf_comp_review.yml
@@ -61,7 +61,7 @@ source: |
 any([.scan.strings.raw, .scan.ocr.raw],
 (
 regex.icontains(.,
- '\b(?:Remuneration Overview|Updated Compensation (?:Summary|Schedule|Details)|Access Your Statements?|Staff Performance Appraisal|Compensation Adjustment|performance appraisal|Appraisal Overview|appraisal and compensation|salary (increment|deduction))\b'
+ '\b(?:Remuneration Overview|Updated Compensation (?:Summary|Schedule|Details)|Access Your Statements?|Staff Performance Appraisal|Compensation Adjustment|performance appraisal|Appraisal Overview|appraisal and compensation|salary (?:increment|deduction))\b'
 )
 )
 )
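Review bot: The added alternative `salary (?:increment|deduction)` matches only when exactly one literal space separates the two words, so the phrase is missed whenever `.scan.strings.raw` or `.scan.ocr.raw` yields it with a line break, tab or doubled space in between, which extracted PDF text and OCR output can do. Consider `salary\s+(?:increment|deduction)` for this alternative (introduced in PATCH 1/2 and kept in PATCH 2/2); the older multi-word phrases in the same alternation share the limitation. Adding "salary deduction" also widens the rule toward ordinary payroll documents, and the remaining conditions of the `source` expression lie outside the hunk, so it is worth confirming against benign HR PDFs that they still hold false positives down.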