Rule

Top Level Fieldset: True

This field set is used to capture information about detection rules.

Rule Fields

rule.author

Required Field: False
Type: STRING
Example: AppOmni
Detection Supported Field: True

Name, organization, or author(s) who created the rule.


rule.category

Required Field: False
Type: STRING
Example: Authentication
Detection Supported Field: True

Indicates the high-level categorization of the rule.


rule.description

Required Field: False
Type: STRING
Example: Multiple admin users have been deleted or suspended in a short period of time. An adversary might use this technique to disrupt business operations and maintain their access for a longer period.
Detection Supported Field: False

Brief explanation of what event(s) occurred and the intent/goal of the threat actor.


rule.license

Required Field: False
Type: STRING
Example: Apache 2.0
Detection Supported Field: False

Name of the license under which the rule is made available.


rule.name

Required Field: False
Type: STRING
Example: Multiple Admin Users Deleted
Detection Supported Field: True

Name of the rule.


rule.reference

Required Field: False
Type: STRING
Example: https://example.com/rule/123
Detection Supported Field: True

URL pointing to reference information about the rule.


rule.ruleset

Required Field: False
Type: STRING
Example: Default Ruleset
Detection Supported Field: True

Name of the ruleset to which the rule is assigned.


rule.uuid

Required Field: False
Type: UUID
Example: ada8ee63-42b4-4f87-bc2c-22ce7e34f55d
Detection Supported Field: True

Unique UUID of the rule.


rule.vendor_id

Required Field: False
Type: STRING
Example: VendorX-123
Detection Supported Field: True

Unique ID of a vendor rule external to AppOmni.


rule.version

Required Field: False
Type: STRING
Example: 1
Detection Supported Field: False

Version of the rule.