
Write a regex to capture the value between @ and " for the string below.
[{\\"ActionType\\":\\"Forward\\",\\"Recipients\\":[\\"Katrina.Demon@whxyz.co.um\\"],\\"ForwardFlags\\":\\"None\\"}]


which is whxyz.co.um in the above string.


Or help me write YARA code for capturing the same.


I am trying the below, but it is giving an error.



re.capture ($e.security_result.detection_fields.value, "\\["([^"]+)"\\]") = $Domain

Have you looked into having Chronicle parse these log events for you into UDM format so they're easier to search and utilize in your YARA-L rules?


Can you try the regex expression below?

(?:"Recipients\\\\.+@)([a-zA-Z0-9.-]+)

I tested it using the Golang regex engine on regex101.com. The screenshot below shows the non-capturing group match in blue and the capturing group match in green.

Feel free to post your questions in the Chronicle SIEM Forum in future. This one was posted in "General/Misc Q&A" and might not be seen by all of our Chronicle SMEs.
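Checked in Go, as an added example that is not part of the thread (Go's regexp package is RE2, the same syntax family Chronicle's YARA-L regex functions use, which is why the reply tested with the Golang flavour): the reply's pattern run over the string from the question, plus a constructed two-recipient value showing that the greedy `.+` captures the last recipient's domain. The lazy `.+?` variant is my assumption, not something the thread proposes.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample, copied from the question. The detection_fields value
// is a JSON array that was itself string-escaped, so every quote is
// preceded by two literal backslashes.
const sampleValue = `[{\\"ActionType\\":\\"Forward\\",\\"Recipients\\":[\\"Katrina.Demon@whxyz.co.um\\"],\\"ForwardFlags\\":\\"None\\"}]`

// Second constructed sample with two recipients, to show the greedy caveat.
const multiRecipient = `[{\\"ActionType\\":\\"Forward\\",\\"Recipients\\":[\\"a.b@first.example\\",\\"c.d@second.example\\"],\\"ForwardFlags\\":\\"None\\"}]`

// Pattern from the reply above. `\\\\` in the pattern matches the two
// literal backslashes that precede each escaped quote in the value.
var greedyDomain = regexp.MustCompile(`(?:"Recipients\\\\.+@)([a-zA-Z0-9.-]+)`)

// Lazy variant (assumption, not from the thread): `.+?` stops at the first
// '@', so the first recipient's domain is captured instead of the last.
var firstDomain = regexp.MustCompile(`(?:"Recipients\\\\.+?@)([a-zA-Z0-9.-]+)`)

func capture(re *regexp.Regexp, value string) string {
	m := re.FindStringSubmatch(value)
	if m == nil {
		return "" // no match: value has no Recipients list or no '@'
	}
	return m[1] // group 1 is the text after '@' up to the next backslash
}

// RecipientDomain applies the reply's pattern (last '@' wins).
func RecipientDomain(value string) string { return capture(greedyDomain, value) }

// FirstRecipientDomain applies the lazy variant (first '@' wins).
func FirstRecipientDomain(value string) string { return capture(firstDomain, value) }

func main() {
	fmt.Println(RecipientDomain(sampleValue))         // whxyz.co.um
	fmt.Println(RecipientDomain(multiRecipient))      // second.example
	fmt.Println(FirstRecipientDomain(multiRecipient)) // first.example
}
```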