
Hey community,

I am starting with this simple rule that checks the sender's IP address and the sender's domain against VT. While getting an IP address is straightforward, the domain requires an extraction from the sender's email address. I am using a regex for this extraction; however, I am getting the error given in the subject line.

Here's the rule:


  events:
    $e.metadata.event_type = "EMAIL_TRANSACTION"
    $e.network.email.from != ""
    $e.principal.ip = $ip
    $e.network.email.from = $sender_email
    $domain = re.regex($sender_email, "@([a-zA-Z0-9.-]+\\.[a-zA-Z]{2,})")

    $vt.graph.relations.entity.ip = $ip
    $vt.graph.relations.entity.domain.name = $domain

  match:
    $ip, $domain over 1h

  outcome:
    $alerted_ip = count_distinct($ip)
    $alerted_domain = count_distinct($domain)

  condition:
    $e and $vt
}

Hi @devashishsingh 


The reason for the error is that double quotes are being used for the regular expression, and therefore the escape character (\\) is not recognized. We have some documentation around this in the link below:


https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#string_and_regular_expression_literals


If we change from double quotes to back quotes, the "tokenizing" error goes away, but we are then presented with another error:


validating intermediate representation: type mismatch between "$domain" of type string and "RegexContains($sender_email, @([a-zA-Z0-9.-]+\\\\.[a-zA-Z]{2,}))" of type bool

The reason for that error is that the function "re.regex" returns a boolean.


If the intention in this rule is to extract part of the email, then you can use "re.capture()". If I replace this in the rule, it compiles:


  events:
    $e.metadata.event_type = "EMAIL_TRANSACTION"
    $e.network.email.from != ""
    $e.principal.ip = $ip
    $e.network.email.from = $sender_email
    // re.capture returns the first capture group as a string, so it can be
    // assigned to the $domain placeholder; the pattern is a back-quoted literal
    $domain = re.capture($sender_email, `@([a-zA-Z0-9.-]+\\.[a-zA-Z]{2,})`)

    $vt.graph.relations.entity.ip = $ip
    $vt.graph.relations.entity.domain.name = $domain

  match:
    $ip, $domain over 1h

  outcome:
    $alerted_ip = count_distinct($ip)
    $alerted_domain = count_distinct($domain)

  condition:
    $e and $vt

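To see concretely why the compiler rejects re.regex() as a value for $domain and what re.capture() hands back instead, here is an added Python example (it is not part of the original thread and not Chronicle/YARA-L code). The two helper functions mirror the boolean test versus the string capture, using the same pattern as the rule, and run over a handful of constructed From values, including ones the regex cannot bind, which is exactly the case where the join on $domain would find nothing.

```python
import re
from typing import Dict, Iterable, Optional

# Same pattern as the rule, written as a raw string so `\.` reaches the regex
# engine intact (the Python counterpart of the back-quoted YARA-L literal).
SENDER_DOMAIN_RE = re.compile(r"@([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})")


def regex_matches(value: str, pattern: re.Pattern) -> bool:
    """Mirror of re.regex(): a true/false match test, nothing is extracted."""
    return pattern.search(value) is not None


def regex_capture(value: str, pattern: re.Pattern) -> Optional[str]:
    """Mirror of re.capture(): the first capture group of the first match
    (the whole match if the pattern has no group), or None when nothing
    matches, which is when the rule's $domain placeholder stays unbound."""
    m = pattern.search(value)
    if m is None:
        return None
    return m.group(1) if m.lastindex else m.group(0)


def sender_domains(senders: Iterable[str]) -> Dict[str, str]:
    """Map each From value to its extracted domain, dropping rows the regex
    cannot bind, as the $vt join on $domain would."""
    out: Dict[str, str] = {}
    for sender in senders:
        domain = regex_capture(sender, SENDER_DOMAIN_RE)
        if domain is not None:
            out[sender] = domain
    return out


# Constructed sample From values for illustration (not real log data).
SAMPLE_SENDERS = [
    "alice@example.com",
    "Bob Example <bob@mail.sub.example.org>",  # display-name form still binds
    "x@example.com.",                          # trailing dot is left out of the group
    "noreply@192.168.0.10",                    # dotted quad: no alphabetic TLD, no capture
    "svc@localhost",                           # no dot after @: no capture
    "",                                        # empty From, already filtered by the rule
]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(repr(s), regex_matches(s, SENDER_DOMAIN_RE), regex_capture(s, SENDER_DOMAIN_RE))
```

The bool returned by regex_matches() is the type the YARA-L compiler complained about; regex_capture() is what the rule actually needs for $domain. Note that the pattern is unanchored, so a display-name wrapper around the address does not stop the capture, while an address whose host has no alphabetic TLD yields no domain at all and that event simply never joins against the VT entity.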