Format

Rules are stored in YAML files with a .yml extension and have the following format:

(* denotes required fields)

*name: string
*source: string
*description: string
id: string
*type: string
severity: string
references:
 - string
authors:
  - twitter: string
  - name: string
  - github: string
  - email: string
tags:
 - string
attack_types:
 - string
tactics_and_techniques:
 - string
detection_methods:
 - string

Field	Required	Description	Acceptable values
name	true	Name for the rule or query	Any string
source	true	Raw MQL	Any string
description	true	Digestible description of the rule and its purpose	Any string
id	false	uuid, auto-generated from hash of file name if absent	valid UUID xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (RFC 4122 style).
type	true	Entity type	`rule`
severity	false	Criticality of a triggered rule	`low` `medium` `high` `critical`
references	false	References to where the rule was derived from. Blogs, tweets, papers, etc.	A list of strings (typically URLs)
tags	false	A way to categorize the rule or query	A list of any strings
false_positives	false	Descriptions of known false positives that can occur	A list of any strings
authors	false	Original author(s)	A list of Twitter profiles or names
attack_types	false	Profiles of cyber threats that pinpoint the attackers' primary intent, whether it's to steal credentials, distribute malware, or commit fraud.	`BEC/Fraud` `Callback Phishing` `Credential Phishing` `Extortion` `Malware/Ransomware` `Spam`
tactics_and_techniques	false	Methods and strategies employed by threat actors to execute their attack, focusing on their actions, behaviors, and artifacts.	`Evasion` `Encryption` `Exploit` `Free email provider` `Free file host` `Free subdomain host` `HTML smuggling` `Image as content` `Impersonation: Brand` `Impersonation: Employee` `Impersonation: VIP` `IPFS` `ISO` `LNK` `Lookalike domain` `Macros` `OneNote` `Open redirect` `Out of band pivot` `PDF` `Punycode` `QR code` `Scripting` `Social engineering` `Spoofing`
detection_methods	false	Highlights the technical methodologies and Sublime specialized techniques that recognized and flagged the threat, offering insights.	`Archive analysis` `Computer Vision` `Content analysis` `Exif analysis` `File analysis` `Header analysis` `HTML analysis` `Javascript analysis` `Macro analysis` `Natural Language Understanding` `OLE analysis` `Optical Character Recognition` `QR code analysis` `Sender analysis` `Threat intelligence` `URL analysis` `URL screenshot` `Whois` `XML analysis` `YARA`

Multi-line strings in YAML are denoted using a | like so:

name: "Mismatched link"
source: |
    type.inbound
    and any(body.links, .mismatched)
type: rule

Note: Do not change the type of YAML files. The recommended method for migrating is to delete the old file and change the ID to guarantee ingestion of the new file either by file-name-change or explicit ID change.