Rules file format (YAML)
Format
Rules are stored in YAML files with a .yml extension and have the following format:
(* denotes required fields)
*name: string
*description: string
references:
- string
authors:
- twitter: string
- name: string
- github: string
- email: string
type: string
severity: string
*source: string
tags:
- string
| Field | Required | Description | Acceptable values |
|---|---|---|---|
| name | true | Name for the rule or query | Any string |
| source | true | Raw MQL | Any string |
| description | true | Digestible description of the rule and its purpose | Any string |
| type | false | Entity type | rulequery |
| severity | false | Criticality of a triggered rule (see Rule severity for more info) | lowmediumhighcritical |
| references | false | References to where the rule was derived from. Blogs, tweets, papers, etc. | A list of strings (typically URLs) |
| tags | false | A way to categorize the rule or query | A list of any strings |
| false_positives | false | Descriptions of known false positives that can occur | A list of any strings |
| authors | false | Original author(s) | A list of Twitter profiles or names |
Multi-line strings in YAML are denoted using a | like so:
name: "Mismatched link"
source: |
type.inbound
and any(body.links, .mismatched)
type: rule
Updated 5 months ago