Question

The curated rule "Extortion Email Detected via Subject Keywords" is not triggering alerts (alerting is turned on for that rule for both precise and broad), even though creating an equivalent rule manually results in successful detections.

  • May 6, 2026
  • 2 replies
  • 15 views

NASEEF

Hello Team,
I’m observing that the curated rule “Extortion Email Detected via Subject Keywords” is not generating any alerts in my environment, even though alerting is turned on for that rule for both precise and broad. However, when I create a custom detection rule with the same logic as the curated one, it successfully triggers alerts on the same dataset.

I’m trying to understand the gap between curated and custom detections in this case.

Has anyone encountered a similar issue where:

  • Curated rules do not fire, but equivalent custom rules do?

Any insights would be helpful.

2 replies

hzmndt
Staff
  • Staff
  • May 6, 2026

Troubleshooting Steps:

  1. Confirm Custom Rule Logic: Post the exact YARA-L logic of your custom rule for comparison.
  2. Verify Enablement in Both UIs: Check the rule status in both "Curated Detections" and "Unified Rules".
  3. Test with a Clear Signal: Send a test email with the exact subject line "data dissemination" to see if either rule triggers.

https://docs.cloud.google.com/chronicle/docs/detection/unified-rules/manage-unified-rules

If it is still the same, I suggest opening a support case to ask the backend team to check the rule.


NASEEF
  • Author
  • Silver 2
  • May 6, 2026

1. I have used the exact same query as it is in the curated rule, which is pasted below.

2. Verified it is enabled in both UIs.

3. I tried simulating the detection, but only the custom rule is triggering. The curated rule is not generating any alerts for the same activity.

rule ttp_extortion_email_subject_keywords {

  meta:
    rule_name = "Extortion Email Detected via Subject Keywords"
    description = "This rule identifies potential extortion emails by detecting specific keywords in the subject line. The presence of phrases like data dissemination can indicate an adversary is threatening to release sensitive information to coerce a victim."
    severity = "Low"
    tactic = "TA0040"
    technique = "T1657"

  events:
    $e.metadata.event_type = "EMAIL_TRANSACTION"
    re.regex($e.network.email.subject, `\bdata\s+dissemination\b`) nocase

  outcome:
    $risk_score = 0
    $vendor_name = array_distinct($e.metadata.vendor_name)
    $product_name = array_distinct($e.metadata.product_name)
    $event_count = count_distinct($e.metadata.id)
    $subject = array_distinct($e.network.email.subject)
    $victim_uid = array_distinct($e.target.user.userid)
    $victim_name = array_distinct($e.target.user.user_display_name)
    $victim_netid = array_distinct($e.target.user.email_addresses)
    $adversary_uid = array_distinct($e.principal.user.userid)
    $adversary_name = array_distinct($e.principal.user.user_display_name)
    $adversary_netid = array_distinct($e.principal.user.email_addresses)
    $tmp1 = max(
      if($e.security_result.action != "BLOCK" and $e.security_result.action != "UNKNOWN_ACTION", 2)
    )
    $tmp2 = max(
      if($e.security_result.action = "BLOCK", 1)
    )
    $result = arrays.index_to_str(strings.split("attempted,failed,succeeded,succeeded"), $tmp1 + $tmp2)
    $result_time = max($e.metadata.event_timestamp.seconds)

  condition:
    $e
}
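To make the "test with a clear signal" step from the reply above reproducible before sending real test emails, here is an added Python harness (not part of the original post or of Google's curated content) that re-implements the rule's events filter and its $tmp1/$tmp2/$result outcome logic over constructed UDM-like events. The EmailEvent class and the sample subjects are assumptions; the regex and the result labels are copied from the rule.

```python
import re
from dataclasses import dataclass

# Regex taken from the rule's events section; YARA-L `nocase` maps to re.IGNORECASE.
SUBJECT_RE = re.compile(r"\bdata\s+dissemination\b", re.IGNORECASE)

# Same list the rule builds with strings.split(); index = $tmp1 + $tmp2.
RESULT_LABELS = "attempted,failed,succeeded,succeeded".split(",")


@dataclass
class EmailEvent:
    """Constructed stand-in for the UDM fields the rule reads (hypothetical class)."""
    event_type: str   # $e.metadata.event_type
    subject: str      # $e.network.email.subject
    actions: list     # $e.security_result.action (repeated field)


def matches_events(ev: EmailEvent) -> bool:
    """True when the event satisfies the rule's events section."""
    return ev.event_type == "EMAIL_TRANSACTION" and SUBJECT_RE.search(ev.subject) is not None


def outcome_result(ev: EmailEvent) -> str:
    """Reproduce $result for one event (no match section, so one event per detection).
    YARA-L if(cond, n) yields 0 when cond is false; max() over an empty field is 0."""
    tmp1 = max((2 if a not in ("BLOCK", "UNKNOWN_ACTION") else 0 for a in ev.actions), default=0)
    tmp2 = max((1 if a == "BLOCK" else 0 for a in ev.actions), default=0)
    return RESULT_LABELS[tmp1 + tmp2]


def evaluate(events):
    """Return (subject, $result) for every event the rule would detect, in input order."""
    return [(ev.subject, outcome_result(ev)) for ev in events if matches_events(ev)]


# Constructed test events: three should match, three should not.
SAMPLE_EVENTS = [
    EmailEvent("EMAIL_TRANSACTION", "Data   Dissemination notice: pay or we publish", ["ALLOW"]),
    EmailEvent("EMAIL_TRANSACTION", "FW: database dissemination plan", ["ALLOW"]),  # 'data' not a whole word
    EmailEvent("EMAIL_TRANSACTION", "data-dissemination", ["ALLOW"]),               # hyphen is not \s
    EmailEvent("EMAIL_TRANSACTION", "RE: data\tdissemination", ["BLOCK"]),          # tab counts as \s
    EmailEvent("NETWORK_HTTP", "data dissemination", ["ALLOW"]),                     # wrong event type
    EmailEvent("EMAIL_TRANSACTION", "data dissemination", ["UNKNOWN_ACTION"]),
]

if __name__ == "__main__":
    for subject, result in evaluate(SAMPLE_EVENTS):
        print(f"{result:10s} {subject!r}")
```

If a subject that this harness reports as matching produces a custom-rule detection but no curated one, the gap is not in the rule logic and the support-case route is the right next step.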