Skip to main content

Tokenizing: unable to tokenize: invalid char escape in a detection rule

  • June 21, 2025
  • 1 reply
  • 35 views
devashishsingh
Forum|alt.badge.img+3

Hey community,

I am starting with this simple rule that checks sender's IP address and sender's domain against VT. While getting an IP address is straightforward, the domain requires an extraction from sender's email address. I am using a regex for this extraction, however getting this error as given in subject line.

Here's the rule:


   events:

   $e.metadata.event_type = "EMAIL_TRANSACTION"
   $e.network.email.from != ""
   $e.principal.ip = $ip
   $e.network.email.from = $sender_email
   $domain = re.regex($sender_email, "@([a-zA-Z0-9.-]+\\.[a-zA-Z]{2,})")

   $vt.graph.relations.entity.ip = $ip
   $vt.graph.relations.entity.domain.name = $domain

   match:
    $ip, $domain over 1h

   outcome:
    $alerted_ip = count_distinct($ip)
    $alerted_domain = count_distinct($domain)
   
   condition:
    $e and $vt
}

1 reply

Rene_Figueroa
Staff
Forum|alt.badge.img+10

Hi @devashishsingh 

The reason for the error is because double quotes are being used for the regular expression and therefore the escape character (\\) is not being recognized. We have some documentation around this in the link below:

https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#string_and_regular_expression_literals

If we change from double quotes to back quotes, the "tokenizing" error goes away, but we are then presented with another error:

validating intermediate representation: type mismatch between "$domain" of type string and "RegexContains($sender_email, @([a-zA-Z0-9.-]+\\\\.[a-zA-Z]{2,}))" of type bool

The reason for that error is because the function "re.regex" returns a boolean.

If the intention in this rule is to extract part of the email, then you can use "re.capture()". If I replace, this in the rule, then it compiles:

events: $e.metadata.event_type = "EMAIL_TRANSACTION" $e.network.email.from != "" $e.principal.ip = $ip $e.network.email.from = $sender_email $domain = re.capture($sender_email, `@([a-zA-Z0-9.-]+\\.[a-zA-Z]{2,})`) $vt.graph.relations.entity.ip = $ip $vt.graph.relations.entity.domain.name = $domain match: $ip, $domain over 1h outcome: $alerted_ip = count_distinct($ip) $alerted_domain = count_distinct($domain) condition: $e and $vt
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.