Merge PR #4619 from @mcdave2k1 - Tune false positives with IMAP & SMT…

…P ports

fix: Suspicious Office Outbound Connections - Enhanced the filter by adding new ports that cause FP with SMTP and IMAP communications 
---------

Co-authored-by: nasbench <[email protected]>

rules/windows/network_connection/net_connection_win_office_susp_ports.yml

@@ -6,6 +6,7 @@ references:
     - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 author: X__Junior (Nextron Systems)
 date: 2023/07/12
+modified: 2023/12/15
 tags:
     - attack.defense_evasion
     - attack.command_and_control
@@ -23,10 +24,14 @@ detection:
             - '\wordview.exe'
     filter_main_ports:
         DestinationPort:
+            - 80
             - 139
             - 443
             - 445
-            - 80
+            - 465
+            - 587
+            - 993
+            - 995
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Other ports can be used, apply additional filters accordingly