Rules file format (YAML)
Format
Rules are stored in YAML files with a `.yml` extension and have the following format (`*` denotes required fields):

```yaml
*name: string
*description: string
references:
  - string
authors:
  - twitter: string
  - name: string
  - github: string
  - email: string
type: string
severity: string
*source: string
tags:
  - string
false_positives:
  - string
```
Field | Required | Description | Acceptable values
---|---|---|---
name | true | Name for the rule or query | Any string
source | true | Raw MQL | Any string
description | true | Digestible description of the rule and its purpose | Any string
type | false | Entity type | `rule`, `query`
severity | false | Criticality of a triggered rule (see Rule severity for more info) | `low`, `medium`, `high`, `critical`
references | false | Where the rule was derived from: blogs, tweets, papers, etc. | A list of strings (typically URLs)
tags | false | A way to categorize the rule or query | A list of strings
false_positives | false | Descriptions of known false positives that can occur | A list of strings
authors | false | Original author(s) | A list of entries, each giving a `twitter`, `name`, `github` or `email` value
Multi-line strings, such as a `source` whose MQL spans several lines, use a YAML literal block scalar (`|`). Every line of the block must be indented under its key, like so:

```yaml
name: "Mismatched link"
source: |
  type.inbound
  and any(body.links, .mismatched)
type: rule
```
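The field table and the block-scalar example above describe a format that is easy to get subtly wrong in a rules repository (a misspelled `severity`, a missing `description`, a `source` line that lost its indentation). The following is an added example, not code from the page or from the project it documents: a small parser for just the YAML subset rule files use, plus a validator that enforces the required fields, the `type`/`severity` values and the list-typed fields from the table. The sample rule files are constructed for this example; the `name` and `source` are the page's own "Mismatched link" rule, while the description, the `example.com` reference and the author entries are made up. For real files, parse with PyYAML's `safe_load()` and keep only `validate_rule()`.

```python
import re

REQUIRED = ("name", "description", "source")
LIST_FIELDS = ("references", "tags", "false_positives", "authors")
KNOWN_FIELDS = set(REQUIRED) | set(LIST_FIELDS) | {"type", "severity"}
ENUMS = {"type": {"rule", "query"}, "severity": {"low", "medium", "high", "critical"}}
AUTHOR_KEYS = {"twitter", "name", "github", "email"}
_KEY = re.compile(r"^(\w+):(?:\s+(.*))?$")  # `key:` or `key: value`; `https://x` does not match


def _unquote(s):
    """Strip one pair of matching surrounding quotes, as YAML would."""
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'" else s


def parse_rule(text):
    """Parse the YAML subset rule files use: `key: scalar`, `key: |` literal
    block scalars, and `key:` followed by `- item` lines (a string or a
    one-key mapping). Not a general YAML parser; use PyYAML for real files."""
    data, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        if not line.strip() or line.lstrip().startswith("#"):
            i += 1
            continue
        m = _KEY.match(line)
        if not m:
            raise ValueError(f"line {i + 1}: expected 'key: value', got {line!r}")
        key, rest = m.group(1), (m.group(2) or "").strip()
        i += 1
        if rest == "|":  # block scalar: consume the indented (or blank) lines that follow
            body = []
            while i < len(lines) and (lines[i].startswith(" ") or not lines[i].strip()):
                body.append(lines[i])
                i += 1
            while body and not body[-1].strip():  # `|` clips to a single final newline
                body.pop()
            indent = min((len(l) - len(l.lstrip()) for l in body if l.strip()), default=0)
            data[key] = "\n".join(l[indent:] for l in body) + ("\n" if body else "")
        elif rest == "":  # sequence: one `- item` per line
            items = []
            while i < len(lines) and lines[i].lstrip().startswith("- "):
                item = lines[i].lstrip()[2:].strip()
                km = _KEY.match(item)
                items.append({km.group(1): _unquote(km.group(2) or "")} if km else _unquote(item))
                i += 1
            data[key] = items
        else:
            data[key] = _unquote(rest)
    return data


def validate_rule(rule):
    """Return the problems found in a parsed rule; an empty list means it conforms."""
    problems = []
    for f in REQUIRED:
        if not str(rule.get(f, "")).strip():
            problems.append(f"missing required field: {f}")
    for f, allowed in ENUMS.items():
        if f in rule and (not isinstance(rule[f], str) or rule[f] not in allowed):
            problems.append(f"{f} must be one of {sorted(allowed)}, got {rule[f]!r}")
    for f in LIST_FIELDS:
        if f in rule and not isinstance(rule[f], list):
            problems.append(f"{f} must be a list")
    for author in (rule.get("authors") if isinstance(rule.get("authors"), list) else []):
        if isinstance(author, dict) and not set(author) <= AUTHOR_KEYS:
            problems.append(f"author entry has unknown keys: {sorted(set(author) - AUTHOR_KEYS)}")
    unknown = set(rule) - KNOWN_FIELDS
    if unknown:
        problems.append(f"unknown fields: {sorted(unknown)}")
    return problems


def check(text):
    """Parse and validate the contents of one rule file."""
    return validate_rule(parse_rule(text))


# Constructed sample files for this example: the name and source are the page's own
# "Mismatched link" rule; the description, reference URL and authors are made up.
GOOD_RULE = """\
name: "Mismatched link"
description: Inbound message with a link whose text does not match its destination
type: rule
severity: medium
references:
  - https://example.com/blog/mismatched-links
authors:
  - name: Example Author
  - github: example
source: |
  type.inbound
  and any(body.links, .mismatched)
"""

BAD_RULE = """\
name: No description
severity: urgent
source: |
  type.inbound
"""
```

`check(GOOD_RULE)` returns an empty list; `check(BAD_RULE)` reports the missing `description` and the out-of-range `severity`. A `source` line that is not indented under its key is a parse error rather than a silently truncated rule, which is the failure you want in a CI lint step before a rule is deployed.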