forked from elastic/ecs
rule.yml
---
- name: rule
  title: Rule
  group: 2
  short: Fields to capture details about rules used to generate alerts or other notable events.
  description: >
    Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
    Examples of data sources that would populate the rule fields include: network admission control platforms, network or
    host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.
  type: group
  fields:
    - name: id
      level: extended
      type: keyword
      short: Rule ID
      description: >
        A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
      example: 101
    - name: uuid
      level: extended
      type: keyword
      short: Rule UUID
      description: >
        A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
      example: 1100110011
    - name: version
      level: extended
      type: keyword
      short: Rule version
      description: The version / revision of the rule being used for analysis.
      example: 1.1
    - name: name
      level: extended
      type: keyword
      short: Rule name
      description: The name of the rule or signature generating the event.
      example: BLOCK_DNS_over_TLS
    - name: description
      level: extended
      type: keyword
      short: Rule description
      description: The description of the rule generating the event.
      example: Block requests to public DNS over HTTPS / TLS protocols
    - name: category
      level: extended
      type: keyword
      short: Rule category
      description: >
        A categorization value keyword used by the entity using the rule for detection of this event.
      example: Attempted Information Leak
    - name: ruleset
      level: extended
      type: keyword
      short: Rule ruleset
      description: >
        Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
      example: Standard_Protocol_Filters
    - name: reference
      level: extended
      type: keyword
      short: Rule reference URL
      description: >
        Reference URL to additional information about the rule used to generate this event.
        The URL can point to the vendor's documentation about the rule.
        If that's not available, it can also be a link to a more general page describing this type of alert.
      example: https://en.wikipedia.org/wiki/DNS_over_TLS
    - name: author
      level: extended
      type: keyword
      short: Rule author
      description: >
        Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
      example: "[\"Star-Lord\"]"
      normalize:
        - array
    - name: license
      level: extended
      type: keyword
      short: Rule license
      description: >
        Name of the license under which the rule used to generate this event is made available.
      example: Apache 2.0
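As an added example (not part of the ECS schema or the project's code), a stdlib-only Python check that an event's rule.* values match the definitions above: every field is a keyword string, and rule.author, declared with normalize: array, must be a list. The RULE_FIELDS table, the two functions and the sample event are constructed here; the sample reuses the example values from the field definitions.

```python
# Reduced view of the schema above: every rule.* field has type keyword (a
# string), and rule.author carries `normalize: array`, so it must be a list.
RULE_FIELDS = {
    "id": False, "uuid": False, "version": False, "name": False,
    "description": False, "category": False, "ruleset": False,
    "reference": False, "author": True, "license": False,
}

def validate_rule_fields(event):
    """Return a list of problems in event['rule']; an empty list means it conforms."""
    rule = event.get("rule")
    if not isinstance(rule, dict):
        return ["rule: missing or not an object"]
    problems = []
    for key, value in rule.items():
        if key not in RULE_FIELDS:
            problems.append(f"rule.{key}: not a field defined in rule.yml")
        elif RULE_FIELDS[key]:
            if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
                problems.append(f"rule.{key}: normalize: array requires a list of strings")
        elif not isinstance(value, str):
            problems.append(f"rule.{key}: keyword field must be a string, got {type(value).__name__}")
    return problems

def normalize_rule_fields(event):
    """Copy with ECS shape: scalars become strings (id 101 -> "101"), author becomes a list."""
    rule = dict(event.get("rule", {}))
    for key, value in rule.items():
        if key in RULE_FIELDS and RULE_FIELDS[key]:
            rule[key] = [str(v) for v in (value if isinstance(value, list) else [value])]
        elif key in RULE_FIELDS and not isinstance(value, str):
            rule[key] = str(value)
    return {**event, "rule": rule}

# Constructed event built from the example values in the definitions above,
# with the numeric-looking examples deliberately left typed as numbers.
SAMPLE_EVENT = {"rule": {
    "id": 101, "uuid": 1100110011, "version": 1.1,
    "name": "BLOCK_DNS_over_TLS",
    "description": "Block requests to public DNS over HTTPS / TLS protocols",
    "category": "Attempted Information Leak",
    "ruleset": "Standard_Protocol_Filters",
    "reference": "https://en.wikipedia.org/wiki/DNS_over_TLS",
    "author": "Star-Lord", "license": "Apache 2.0",
}}

if __name__ == "__main__":
    print(validate_rule_fields(SAMPLE_EVENT))                          # four type problems
    print(validate_rule_fields(normalize_rule_fields(SAMPLE_EVENT)))   # []
```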