
Need help to write regex for Chronicle SIEM

  • March 22, 2024
  • 2 replies
  • 48 views


Write a regex to capture the value between @ and " for the string below.
[{\\"ActionType\\":\\"Forward\\",\\"Recipients\\":[\\"Katrina.Demon@whxyz.co.um\\"],\\"ForwardFlags\\":\\"None\\"}]

which is whxyz.co.um in the above string.

Or help write YARA-L code for capturing the same.

I am trying the below, but it is giving an error.

re.capture ($e.security_result.detection_fields.value, "\\["([^"]+)"\\]") = $Domain

2 replies

David-French
Staff

Have you looked into having Chronicle parse these log events for you into UDM format so they're easier to search and utilize in your YARA-L rules?

Can you try the regex expression below?

 

(?:"Recipients\\\\.+@)([a-zA-Z0-9.-]+)

 

I tested it using the Golang regex engine on regex101.com. The screenshot below shows the non-capturing group match in blue and the capturing group match in green.
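To show how that pattern behaves against the string from the question, here is an added example that is not part of either post and is not Chronicle code. It runs the pattern through Go's regexp package, which implements RE2 syntax (the Golang engine David-French selected on regex101), so results should carry over to a YARA-L re.capture. The two-recipient sample and the allRecipientDomains function are constructed additions to illustrate a caveat: the greedy `.+` in the original pattern walks to the last `@`, so with several recipients it captures only the last domain.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern from David-French's reply, as a Go raw string. The four backslashes
// reach RE2 as `\\\\`, which matches the two literal backslashes that follow
// "Recipients in the doubly escaped log value.
const recipientDomainPattern = `(?:"Recipients\\\\.+@)([a-zA-Z0-9.-]+)`

var recipientDomainRe = regexp.MustCompile(recipientDomainPattern)

// Constructed sample values (not real log data). The first is the string from
// the question; the second adds a second recipient to show how greedy `.+`
// behaves when the array holds more than one address.
const singleRecipient = `[{\\"ActionType\\":\\"Forward\\",\\"Recipients\\":[\\"Katrina.Demon@whxyz.co.um\\"],\\"ForwardFlags\\":\\"None\\"}]`
const twoRecipients = `[{\\"ActionType\\":\\"Forward\\",\\"Recipients\\":[\\"a.user@first.example\\",\\"b.user@second.example\\"],\\"ForwardFlags\\":\\"None\\"}]`

// captureDomain mirrors what re.capture would hand back for the pattern above:
// the first capture group, or "" when the pattern does not match at all.
func captureDomain(value string) string {
	m := recipientDomainRe.FindStringSubmatch(value)
	if m == nil {
		return ""
	}
	return m[1]
}

// Hypothetical extension, not from the thread: isolate the Recipients array
// first, then pull the domain out of every address in it, so a forwarding
// rule sees all destinations rather than only the last one.
var (
	recipientsArrayRe = regexp.MustCompile(`"Recipients\\\\":\[([^\]]*)\]`)
	domainRe          = regexp.MustCompile(`@([a-zA-Z0-9.-]+)`)
)

func allRecipientDomains(value string) []string {
	arr := recipientsArrayRe.FindStringSubmatch(value)
	if arr == nil {
		return nil
	}
	var domains []string
	for _, m := range domainRe.FindAllStringSubmatch(arr[1], -1) {
		domains = append(domains, m[1])
	}
	return domains
}

func main() {
	fmt.Println(captureDomain(singleRecipient))     // whxyz.co.um
	fmt.Println(captureDomain(twoRecipients))       // second.example (greedy .+ runs to the last @)
	fmt.Println(allRecipientDomains(twoRecipients)) // [first.example second.example]
}
```

The doubled backslashes matter: the pattern only matches log values that still carry the `\\"` escaping shown in the question, so confirm the raw field in your events looks the same before relying on it. When the pattern is moved into a YARA-L string literal, the embedded `"` characters will need escaping under YARA-L's own string rules.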

 


David-French
Staff

Feel free to post your questions in the Chronicle SIEM Forum in future. This one was posted in "General/Misc Q&A" and might not be seen by all of our Chronicle SMEs.