I am trying to create a detection rule that looks at O365 for suspicious inbox rule creation. As part of the logic, I need to check if the “recipients” are internal/allowed.
There are 3 fields which this falls under, but for simplicity's sake, I'm looking at security_result.rule_labels["ForwardTo"] where it can have multiple recipients with the value of " [removed by moderator] ; [removed by moderator] ; [removed by moderator] "
I have a regex that matches strings where every semicolon-delimited entry is @domain.com. The not inverts it, so the rule should only fire when at least one external domain exists.
not $e.security_result.rule_labels["ForwardTo"] = /^(\s*[\w\.\+\-]+@domain\.com\s*;?\s*)+$/
Tested this pattern with https://regex101.com/r/CyngH4/1 and it captures the domain. The not should invert the result for exclusion, but I am still getting events with domain.com.
Can anybody help with how to properly do this? Thank you
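A way to check the post's anchored regex against a few constructed ForwardTo strings and compare it with a per-recipient allowlist check, as an added example that is not part of the original post. It assumes domain.com as the only internal domain and uses made-up sample values; it runs the pattern in Python and does not model how YARA-L itself evaluates not over a repeated label field.

```python
import re

# Internal domain placeholder from the post (assumption: the only allowed domain).
INTERNAL_DOMAINS = {"domain.com"}
# The post's pattern: matches only when every semicolon-delimited entry is @domain.com.
ALL_INTERNAL_RE = re.compile(r"^(\s*[\w\.\+\-]+@domain\.com\s*;?\s*)+$")

# Constructed sample ForwardTo values (not real log data).
SAMPLES = {
    "all_internal": "alice@domain.com; bob@domain.com",
    "mixed_case": "Alice@Domain.com; bob@domain.com",
    "display_name": "Alice Smith <alice@domain.com>; bob@domain.com",
    "external": "alice@domain.com; carol@external.example",
}


def fires_with_regex(forward_to: str) -> bool:
    """Mirror the post's logic: fire when the all-internal regex does NOT match."""
    return ALL_INTERNAL_RE.match(forward_to) is None


ADDRESS_RE = re.compile(r"<([^<>]+)>")


def normalize(entry: str) -> str:
    """Pull the bare address out of a 'Name <addr>' entry and lowercase it."""
    m = ADDRESS_RE.search(entry)
    return (m.group(1) if m else entry).strip().lower()


def external_recipients(forward_to: str, allowed=INTERNAL_DOMAINS) -> list:
    """Split the multivalue string and return every recipient outside the allowlist."""
    external = []
    for raw in forward_to.split(";"):
        addr = normalize(raw)
        if not addr:          # tolerate a trailing ';' or empty entry
            continue
        domain = addr.rpartition("@")[2]
        if domain not in allowed:
            external.append(addr)
    return external


def fires_per_recipient(forward_to: str) -> bool:
    """Fire only when at least one recipient is external."""
    return bool(external_recipients(forward_to))


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:13} regex={fires_with_regex(value)!s:5} per_recipient={fires_per_recipient(value)}")
```

The mixed_case and display_name samples show the anchored, case-sensitive regex firing on recipients that are actually internal, while the per-recipient check only flags the genuinely external one.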
Question
Regex filter not working for multivalue fields