Rules file format (YAML)

Format

Rules are stored in YAML files with a .yml extension and have the following format:

(* denotes required fields)

*name: string
*description: string
references:
  - string
authors:
  - twitter: string
  - name: string
  - github: string
  - email: string
type: string
severity: string
*source: string
tags:
  - string
false_positives:
  - string
| Field | Required | Description | Acceptable values |
|---|---|---|---|
| name | true | Name for the rule or query | Any string |
| source | true | Raw MQL | Any string |
| description | true | Digestible description of the rule and its purpose | Any string |
| type | false | Entity type | rule, query |
| severity | false | Criticality of a triggered rule (see Rule severity for more info) | low, medium, high, critical |
| references | false | References to where the rule was derived from: blogs, tweets, papers, etc. | A list of strings (typically URLs) |
| tags | false | A way to categorize the rule or query | A list of any strings |
| false_positives | false | Descriptions of known false positives that can occur | A list of any strings |
| authors | false | Original author(s) | A list of Twitter profiles or names |

Multi-line strings in YAML are denoted using a | like so:

name: "Mismatched link"
source: |
    type.inbound
    and any(body.links, .mismatched)
type: rule
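As an added example (not part of this documentation or the project's own tooling), a small Python validator that parses a rule file in the format above and checks the required fields and acceptable values listed in the table, so a malformed rule is caught before it is loaded. It uses a hand-written parser for only the YAML subset the format needs (top-level scalars, `- item` lists and `|` block scalars) so it runs without PyYAML; in practice you would call yaml.safe_load and pass the result to validate_rule. The sample rule is constructed.

```python
REQUIRED = {"name", "description", "source"}
ALLOWED = {"type": {"rule", "query"}, "severity": {"low", "medium", "high", "critical"}}
LIST_FIELDS = {"references", "tags", "false_positives", "authors"}

def parse_rule(text):
    """Parse the rule-file YAML subset: scalars, '- item' lists and '|' block scalars."""
    rule, blocks, key = {}, set(), None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # top-level "key: value"
            key, _, value = (s.strip() for s in line.partition(":"))
            if value == "|":                    # block scalar: indented lines follow
                blocks.add(key)
                rule[key] = []
            elif value == "":                   # list: "- item" lines follow
                rule[key] = []
            else:
                rule[key] = value.strip('"')    # plain or double-quoted scalar
        elif key in blocks:                     # continuation line of a | block
            rule[key].append(line.strip())
        elif isinstance(rule.get(key), list):   # "- item" under a list key
            rule[key].append(line.strip().lstrip("- ").strip('"'))
        else:
            raise ValueError(f"unexpected indented line: {line!r}")
    return {k: "\n".join(v) if k in blocks else v for k, v in rule.items()}

def validate_rule(rule):
    """Return the problems found; an empty list means the rule is well formed."""
    problems = [f"missing required field: {f}" for f in sorted(REQUIRED - rule.keys())]
    for field, allowed in ALLOWED.items():
        if field in rule and rule[field] not in allowed:
            problems.append(f"{field} must be one of {sorted(allowed)}, got {rule[field]!r}")
    problems += [f"{f} must be a list" for f in sorted(LIST_FIELDS)
                 if f in rule and not isinstance(rule[f], list)]
    return problems

# Constructed sample rule file (assumed content, not from the documentation).
GOOD_RULE = """\
name: "Mismatched link"
description: "Inbound message whose visible link text differs from its href"
severity: medium
source: |
    type.inbound
    and any(body.links, .mismatched)
type: rule
tags:
  - phishing
"""
```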