Rules file format (YAML)
Format
Rules are stored in YAML files with a .yml extension and have the following format (* denotes required fields):

```yaml
*name: string
*description: string
references:
  - string
authors:
  - twitter: string
  - name: string
  - github: string
  - email: string
type: string
severity: string
*source: string
tags:
  - string
false_positives:
  - string
attack_types:
  - string
tactics_and_techniques:
  - string
detection_methods:
  - string
```

| Field | Required | Description | Acceptable values |
|---|---|---|---|
| name | true | Name for the rule or query | Any string |
| source | true | Raw MQL | Any string |
| description | true | Digestible description of the rule and its purpose | Any string |
| type | true | Entity type | |
| severity | false | Criticality of a triggered rule | |
| references | false | References to where the rule was derived from: blogs, tweets, papers, etc. | A list of strings (typically URLs) |
| tags | false | A way to categorize the rule or query | A list of any strings |
| false_positives | false | Descriptions of known false positives that can occur | A list of any strings |
| authors | false | Original author(s) | A list of Twitter profiles or names |
| attack_types | false | Profiles of cyber threats that pinpoint the attacker's primary intent, whether it is to steal credentials, distribute malware, or commit fraud | |
| tactics_and_techniques | false | Methods and strategies employed by threat actors to execute their attack, focusing on their actions, behaviors, and artifacts | |
| detection_methods | false | The technical methodologies and Sublime's specialized techniques that recognized and flagged the threat | |
Multi-line strings in YAML (such as a multi-line MQL `source`) are denoted using a `|` literal block, like so:

```yaml
name: "Mismatched link"
source: |
  type.inbound
  and any(body.links, .mismatched)
type: rule
```
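As an added example that is not part of Sublime's own tooling, the following Ruby script uses the standard-library YAML parser to check a rule file against the required fields and list-typed fields described above, and shows that a `|` literal block is parsed into a multi-line `source` string; the sample rule files and the description text are constructed for illustration.

```ruby
require 'yaml'

# Field rules taken from the table on this page: fields marked * are required,
# and these optional fields must be lists of strings when present.
REQUIRED_FIELDS = %w[name description source].freeze
STRING_LIST_FIELDS = %w[references tags false_positives attack_types
                        tactics_and_techniques detection_methods].freeze

# Return a list of problems with a parsed rule; an empty array means valid.
def validate_rule(rule)
  return ['top level must be a YAML mapping'] unless rule.is_a?(Hash)
  errors = []
  REQUIRED_FIELDS.each do |f|
    v = rule[f]
    errors << "missing required field: #{f}" unless v.is_a?(String) && !v.strip.empty?
  end
  STRING_LIST_FIELDS.each do |f|
    next unless rule.key?(f)
    ok = rule[f].is_a?(Array) && rule[f].all? { |x| x.is_a?(String) }
    errors << "#{f} must be a list of strings" unless ok
  end
  errors
end

# Parse with safe_load (no arbitrary Ruby objects from YAML tags) and validate.
def validate_rule_yaml(text)
  validate_rule(YAML.safe_load(text))
rescue Psych::SyntaxError, Psych::DisallowedClass => e
  ["invalid YAML: #{e.message}"]
end

# Constructed sample: the page's multi-line rule, with a hypothetical description.
GOOD_RULE = <<~YAML
  name: "Mismatched link"
  description: Flags inbound mail containing a link whose text does not match its target
  source: |
    type.inbound
    and any(body.links, .mismatched)
  type: rule
YAML

# Constructed sample: required description missing, tags given as a bare string.
BAD_RULE = <<~YAML
  name: "Missing pieces"
  source: type.inbound
  tags: phishing
YAML
```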
