Rules file format (YAML)

Format

Rules are stored in YAML files with a .yml extension and have the following format:

(* denotes required fields)

*name: string
*description: string
*source: string
type: string
severity: string
references:
 - string
tags:
 - string
false_positives:
 - string

Fields (required fields are marked):

name (required)
    Description: Name for the rule or query
    Acceptable values: any string

source (required)
    Description: Raw MQL
    Acceptable values: any string

description (required)
    Description: Digestible description of the rule and its purpose
    Acceptable values: any string

type (optional)
    Description: Entity type
    Acceptable values: rule, query

severity (optional)
    Description: Criticality of a triggered rule
    Acceptable values: low, medium, high, critical

references (optional)
    Description: References to where the rule was derived from: blogs, tweets, papers, etc.
    Acceptable values: a list of strings (typically URLs)

tags (optional)
    Description: A way to categorize the rule or query
    Acceptable values: a list of any strings

false_positives (optional)
    Description: Descriptions of known false positives that can occur
    Acceptable values: a list of any strings

Multi-line strings in YAML are denoted using a | like so:

name: "Mismatched link"
source: |
    type.inbound
    and any(body.links, .mismatched)
type: rule
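As an added example (not part of this page and not the product's own tooling), the following Python script parses the small YAML subset these rule files use (plain scalars, `|` block scalars and lists of strings) without any third-party library, then checks the required fields and the allowed values for type and severity from the table above. The sample rule files, the description text and the reference URL in them are constructed for the example. Reporting unrecognised field names is this example's own conservative choice, because a misspelled key such as "severty" would otherwise silently leave severity unset; the page does not say how extra keys are treated.

```python
"""Validate rule files in the YAML format described on this page.

Added example, not the product's own code. The parser covers only the
constructs the format uses: ``key: value``, ``key: |`` block scalars and
``key:`` followed by ``- item`` lines. It is not a general YAML parser.
"""

REQUIRED = ("name", "description", "source")
LIST_FIELDS = ("references", "tags", "false_positives")
ALLOWED = {
    "type": {"rule", "query"},
    "severity": {"low", "medium", "high", "critical"},
}


def _unquote(value):
    """Strip one matching pair of surrounding quotes, if present."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_rule_yaml(text):
    """Parse a rule file into a dict of str or list-of-str values."""
    data = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "|":
            # Block scalar: take the indented lines that follow, drop trailing
            # blanks, and remove the common indentation (the 4 spaces in the
            # page's example) so the raw MQL is preserved as written.
            block = []
            while i < len(lines) and (lines[i].startswith(" ") or not lines[i].strip()):
                block.append(lines[i])
                i += 1
            while block and not block[-1].strip():
                block.pop()
            nonblank = [b for b in block if b.strip()]
            indent = min(len(b) - len(b.lstrip(" ")) for b in nonblank) if nonblank else 0
            data[key] = "\n".join(b[indent:] for b in block)
        elif value == "":
            # List field: consume the "- item" lines that follow.
            items = []
            while i < len(lines) and lines[i].lstrip().startswith("- "):
                items.append(_unquote(lines[i].lstrip()[2:].strip()))
                i += 1
            data[key] = items
        else:
            data[key] = _unquote(value)
    return data


def validate_rule(rule):
    """Return a list of problems; an empty list means the rule is acceptable."""
    problems = []
    for field in REQUIRED:
        if not isinstance(rule.get(field), str) or not rule[field].strip():
            problems.append(f"missing required field: {field}")
    for field, allowed in ALLOWED.items():
        if field in rule and rule[field] not in allowed:
            problems.append(f"{field} must be one of {sorted(allowed)}, got {rule[field]!r}")
    for field in LIST_FIELDS:
        value = rule.get(field)
        if field in rule and not (isinstance(value, list) and all(isinstance(x, str) for x in value)):
            problems.append(f"{field} must be a list of strings")
    # Assumption of this example: keys not in the documented schema are reported.
    known = set(REQUIRED) | set(ALLOWED) | set(LIST_FIELDS)
    for field in sorted(set(rule) - known):
        problems.append(f"unrecognised field: {field}")
    return problems


# Constructed sample: the page's "Mismatched link" rule with every optional
# field filled in. The description and the reference URL are placeholders.
SAMPLE_RULE = """\
name: "Mismatched link"
description: Inbound message with a link whose visible text does not match its destination
source: |
    type.inbound
    and any(body.links, .mismatched)
type: rule
severity: medium
references:
  - https://example.invalid/placeholder-writeup
tags:
  - links
false_positives:
  - Marketing mail that rewrites links through a click-tracking service
"""

# Constructed sample with two defects: no description, and a severity value
# that is not one of low/medium/high/critical.
BAD_RULE = """\
name: "Broken rule"
source: |
    type.inbound
severity: urgent
tags:
  - test
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_RULE), ("bad", BAD_RULE)):
        print(label, validate_rule(parse_rule_yaml(text)) or "ok")
```

Running the script prints "sample ok" and the two problems found in the bad rule. The block-scalar handling is the part worth copying: because the `|` body is stored exactly as written, whitespace in the MQL survives, so a validator built this way can hand the source on to the query engine unchanged.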