Rules file format (YAML)

Format

Rules are stored in YAML files with a .yml extension and have the following format:

(* denotes required fields)

*name: string
*description: string
references:
  - string
authors:
  - twitter: string
  - name: string
  - github: string
  - email: string
type: string
severity: string
*source: string
tags:
  - string
false_positives:
  - string
attack_types:
  - string
tactics_and_techniques:
  - string
detection_methods:
  - string
Field reference

name (required)
  Name for the rule or query.
  Acceptable values: any string.

source (required)
  Raw MQL.
  Acceptable values: any string.

description (required)
  Digestible description of the rule and its purpose.
  Acceptable values: any string.

type (optional)
  Entity type.
  Acceptable values: rule, query.

severity (optional)
  Criticality of a triggered rule.
  Acceptable values: low, medium, high, critical.

references (optional)
  Where the rule was derived from: blogs, tweets, papers, etc.
  Acceptable values: a list of strings (typically URLs).

tags (optional)
  A way to categorize the rule or query.
  Acceptable values: a list of any strings.

false_positives (optional)
  Descriptions of known false positives that can occur.
  Acceptable values: a list of any strings.

authors (optional)
  Original author(s).
  Acceptable values: a list of Twitter profiles or names; the skeleton above shows the accepted keys (twitter, name, github, email).

attack_types (optional)
  The attacker's primary intent: stealing credentials, distributing malware, committing fraud, and so on.
  Acceptable values (one or more of):
    BEC/Fraud
    Callback Phishing
    Credential Phishing
    Extortion
    Malware/Ransomware
    Spam

tactics_and_techniques (optional)
  The methods and artifacts the threat actor relies on to carry out the attack: actions, behaviors, file types, and infrastructure.
  Acceptable values (one or more of):
    Evasion
    Encryption
    Exploit
    Free email provider
    Free file host
    Free subdomain host
    HTML smuggling
    Image as content
    Impersonation: Brand
    Impersonation: Employee
    Impersonation: VIP
    IPFS
    ISO
    LNK
    Lookalike domain
    Macros
    OneNote
    Open redirect
    Out of band pivot
    PDF
    Punycode
    QR code
    Scripting
    Social engineering
    Spoofing
  Values that contain a colon followed by a space, such as Impersonation: Brand, must be quoted in the YAML ("Impersonation: Brand"); left unquoted, YAML reads them as a key/value mapping rather than a string.

detection_methods (optional)
  The analysis techniques, including Sublime-specific ones, that identified and flagged the threat.
  Acceptable values (one or more of):
    Archive analysis
    Computer Vision
    Content analysis
    Exif analysis
    File analysis
    Header analysis
    HTML analysis
    Javascript analysis
    Macro analysis
    Natural Language Understanding
    OLE analysis
    Optical Character Recognition
    QR code analysis
    Sender analysis
    Threat intelligence
    URL analysis
    URL screenshot
    Whois
    XML analysis
    YARA

Multi-line strings, such as the MQL in source, are written as a YAML block scalar: put | after the key and indent every line of the value beneath it. Newlines inside the block are preserved, so the query can be laid out one clause per line:

name: "Mismatched link"
source: |
    type.inbound
    and any(body.links, .mismatched)
type: rule
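As an added illustration (this is not Sublime's own tooling, and the page does not describe any), the Python below checks a rule file against the format documented above. It parses the YAML subset these files actually use (scalar fields, | block scalars, and lists of strings or single-key mappings) with a small hand-written parser rather than a YAML library, then verifies the required fields and the acceptable values from the field reference. The two embedded rules are constructed for this example; the author name is a placeholder.

```python
import re

REQUIRED = ("name", "description", "source")  # the starred fields in the skeleton above
ENUMS = {  # acceptable values, copied verbatim from the field table above
    "type": {"rule", "query"}, "severity": {"low", "medium", "high", "critical"},
    "attack_types": {"BEC/Fraud", "Callback Phishing", "Credential Phishing", "Extortion",
                     "Malware/Ransomware", "Spam"},
    "tactics_and_techniques": {
        "Evasion", "Encryption", "Exploit", "Free email provider", "Free file host",
        "Free subdomain host", "HTML smuggling", "Image as content", "Impersonation: Brand",
        "Impersonation: Employee", "Impersonation: VIP", "IPFS", "ISO", "LNK", "Lookalike domain",
        "Macros", "OneNote", "Open redirect", "Out of band pivot", "PDF", "Punycode", "QR code",
        "Scripting", "Social engineering", "Spoofing"},
    "detection_methods": {
        "Archive analysis", "Computer Vision", "Content analysis", "Exif analysis", "File analysis",
        "Header analysis", "HTML analysis", "Javascript analysis", "Macro analysis",
        "Natural Language Understanding", "OLE analysis", "Optical Character Recognition",
        "QR code analysis", "Sender analysis", "Threat intelligence", "URL analysis",
        "URL screenshot", "Whois", "XML analysis", "YARA"},
}
# "key: value" or bare "key:"; the colon counts only before whitespace or end of line,
# so a list item such as "https://..." stays a plain string instead of becoming a mapping.
KV = re.compile(r"^(\w+):(?:\s+(.*))?$")

def unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'" else s

def parse_rule(text):
    """Parse the YAML subset rule files use (scalars, '|' blocks, lists); not a general YAML parser."""
    doc, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if not line.strip():  # blank line between fields
            continue
        m = KV.match(line)
        if not m:
            raise ValueError(f"line {i}: expected 'key: value', got {line!r}")
        key, value = m.group(1), (m.group(2) or "").strip()
        if value == "|":
            # Block scalar: the indented lines below the key; newlines kept, common indent removed.
            block = []
            while i < len(lines) and (lines[i].startswith(" ") or not lines[i].strip()):
                block.append(lines[i])
                i += 1
            while block and not block[-1].strip():
                block.pop()
            indent = min((len(b) - len(b.lstrip()) for b in block if b.strip()), default=0)
            doc[key] = "".join(b[indent:] + "\n" for b in block)
        elif value == "":
            # List of "- item" lines. "- k: v" is a single-key mapping (as in authors), which
            # is why a value such as "Impersonation: Brand" must be quoted to stay a string.
            items = []
            while i < len(lines) and lines[i].lstrip().startswith("- "):
                item = lines[i].lstrip()[2:].strip()
                km = KV.match(item)
                items.append({km.group(1): unquote(km.group(2) or "")} if km else unquote(item))
                i += 1
            doc[key] = items
        else:
            doc[key] = unquote(value)
    return doc

def validate_rule(doc):
    """Return a list of problems; an empty list means the rule passes every check."""
    errors = [f"{f}: required field is missing or empty" for f in REQUIRED
              if not isinstance(doc.get(f), str) or not doc[f].strip()]
    for f in ("type", "severity"):
        if f in doc and (not isinstance(doc[f], str) or doc[f] not in ENUMS[f]):
            errors.append(f"{f}: {doc[f]!r} is not one of {sorted(ENUMS[f])}")
    for f in ("attack_types", "tactics_and_techniques", "detection_methods"):
        if f in doc and not isinstance(doc[f], list):
            errors.append(f"{f}: expected a list")
            continue
        for v in doc.get(f, []):
            if not isinstance(v, str):
                errors.append(f"{f}: {v!r} parsed as a mapping; quote values containing ': '")
            elif v not in ENUMS[f]:
                errors.append(f"{f}: unrecognized value {v!r}")
    return errors

# Constructed sample built on the page's "Mismatched link" example; the author name is a placeholder.
GOOD_RULE = """\
name: "Mismatched link"
description: Link text that points somewhere other than its real destination.
source: |
    type.inbound
    and any(body.links, .mismatched)
tactics_and_techniques:
  - "Impersonation: Brand"
authors:
  - name: Example Author
"""
# Constructed defects: description and source missing, invalid severity, unquoted "k: v" list value.
BAD_RULE = """\
name: Broken rule
severity: urgent
tactics_and_techniques:
  - Impersonation: Brand
"""
```

To check a real rule, read the .yml file and pass its contents to parse_rule, then validate_rule; an empty list means it passed. The BAD_RULE output shows the practical reason for the quoting rule in the field reference: an unquoted Impersonation: Brand comes back as a mapping, not a string, and so never matches the acceptable-values list.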