Question

The curated rule "Extortion Email Detected via Subject Keywords" is not triggering alerts (alerting is turned on for that rule for both precise and broad), even though creating an equivalent rule manually results in successful detections.

  • May 6, 2026
  • 3 replies
  • 42 views

NASEEF

Hello Team,
I’m observing that the curated rule “Extortion Email Detected via Subject Keywords” is not generating any alerts in my environment, even though alerting is turned on for that rule for both precise and broad. However, when I create a custom detection rule with the same logic as the curated one, it successfully triggers alerts on the same dataset.

I’m trying to understand the gap between curated and custom detections in this case.

Has anyone encountered a similar issue where:

  • Curated rules do not fire, but equivalent custom rules do?

Any insights would be helpful.

3 replies

vaskenh
Staff
  • Staff
  • May 6, 2026

Does the curated rule in this scenario have any exclusions configured? If there are none, could you share your exact rules here (both the one that you wrote and the curated rule you’re comparing it to) so they can be reviewed side by side?


NASEEF
  • Author
  • Silver 2
  • May 6, 2026

Hello Vaskenh,
There are no exclusions configured.

Since I copied it from the curated page, I am using the same code on both ends:

rule rule_ttp_extortion_email_subject_keywords {

  meta:
    rule_name = "Extortion Email Detected via Subject Keywords"
    description = "This rule identifies potential extortion emails by detecting specific keywords in the subject line. The presence of phrases like data dissemination can indicate an adversary is threatening to release sensitive information to coerce a victim."
    severity = "Low"
    tactic = "TA0040"
    technique = "T1657"

  events:
    $e.metadata.event_type = "EMAIL_TRANSACTION"
    re.regex($e.network.email.subject, `\bdata\s+dissemination\b`) nocase

  outcome:
    $risk_score = 0
    $vendor_name = array_distinct($e.metadata.vendor_name)
    $product_name = array_distinct($e.metadata.product_name)
    $event_count = count_distinct($e.metadata.id)
    $subject = array_distinct($e.network.email.subject)
    $victim_uid = array_distinct($e.target.user.userid)
    $victim_name = array_distinct($e.target.user.user_display_name)
    $victim_netid = array_distinct($e.target.user.email_addresses)
    $adversary_uid = array_distinct($e.principal.user.userid)
    $adversary_name = array_distinct($e.principal.user.user_display_name)
    $adversary_netid = array_distinct($e.principal.user.email_addresses)
    // 2 when the email was neither blocked nor of unknown disposition, else 0
    $tmp1 = max(
      if($e.security_result.action != "BLOCK" and $e.security_result.action != "UNKNOWN_ACTION", 2)
    )
    // 1 when the email was blocked, else 0
    $tmp2 = max(
      if($e.security_result.action = "BLOCK", 1)
    )
    // $tmp1 + $tmp2 indexes the list: 0 attempted, 1 failed, 2 or 3 succeeded
    $result = arrays.index_to_str(strings.split("attempted,failed,succeeded,succeeded"), $tmp1 + $tmp2)
    $result_time = max($e.metadata.event_timestamp.seconds)

  condition:
    $e
}
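To check offline what the posted rule's events and outcome sections actually decide, here is an added Python emulation of them (not Google's code and not part of this thread); the UDM events are constructed stand-ins reduced to the three fields the rule reads, and the `nocase` modifier is mapped to `re.IGNORECASE`.

```python
import re
from dataclasses import dataclass

# Pattern copied from the rule's events section; `nocase` becomes re.IGNORECASE.
SUBJECT_PATTERN = re.compile(r"\bdata\s+dissemination\b", re.IGNORECASE)

# The list the outcome section indexes with $tmp1 + $tmp2 (0..3).
RESULT_LABELS = "attempted,failed,succeeded,succeeded".split(",")


@dataclass(frozen=True)
class EmailEvent:
    """Constructed stand-in for a UDM event, reduced to the fields the rule reads."""
    event_type: str   # $e.metadata.event_type
    subject: str      # $e.network.email.subject
    action: str       # $e.security_result.action


def events_section(ev: EmailEvent) -> bool:
    """Mirror of the rule's events: block."""
    return ev.event_type == "EMAIL_TRANSACTION" and SUBJECT_PATTERN.search(ev.subject) is not None


def result_label(ev: EmailEvent) -> str:
    """Mirror of $tmp1, $tmp2 and $result; if() yields 0 when its condition is false."""
    tmp1 = 2 if ev.action not in ("BLOCK", "UNKNOWN_ACTION") else 0
    tmp2 = 1 if ev.action == "BLOCK" else 0
    return RESULT_LABELS[tmp1 + tmp2]


def run_rule(events):
    """The rule has no match: section, so each event passing events: is its own detection."""
    return [{"subject": ev.subject, "action": ev.action, "result": result_label(ev)}
            for ev in events if events_section(ev)]


# Constructed sample events (not real telemetry). Only the first three should fire.
SAMPLE_EVENTS = [
    EmailEvent("EMAIL_TRANSACTION", "RE: Data   DISSEMINATION notice", "ALLOW"),  # succeeded
    EmailEvent("EMAIL_TRANSACTION", "data dissemination", "BLOCK"),               # failed
    EmailEvent("EMAIL_TRANSACTION", "Data dissemination", "UNKNOWN_ACTION"),      # attempted
    EmailEvent("EMAIL_TRANSACTION", "datadissemination", "ALLOW"),                # \s+ needs whitespace
    EmailEvent("EMAIL_TRANSACTION", "metadata dissemination", "ALLOW"),           # \b fails inside "metadata"
    EmailEvent("NETWORK_HTTP", "data dissemination", "ALLOW"),                    # wrong event_type
]

if __name__ == "__main__":
    for detection in run_rule(SAMPLE_EVENTS):
        print(detection)
```

Feeding the subjects from a non-firing time window through `events_section` is a quick way to tell whether the regex is the reason before comparing rule settings.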


jstoner
Community Manager
  • Community Manager
  • May 7, 2026

If you want to reach out directly to me via community with some more specific details, I can add it to a ticket that I am tracking. Alternatively, I would open a ticket on this, particularly if there are no exclusions and the rule in test or compiled as custom runs successfully.