Rule
Fields to capture details about rules used to generate alerts or other notable events.
Fields
Field Summary
| Field | Type | Level | Description |
|---|---|---|---|
| rule.author | keyword | Extended | Rule author |
| rule.category | keyword | Extended | Rule category |
| rule.description | keyword | Extended | Rule description |
| rule.id | keyword | Extended | Rule ID |
| rule.license | keyword | Extended | Rule license |
| rule.name | keyword | Extended | Rule name |
| rule.reference | keyword | Extended | Rule reference URL |
| rule.ruleset | keyword | Extended | Rule ruleset |
| rule.uuid | keyword | Extended | Rule UUID |
| rule.version | keyword | Extended | Rule version |
Field Details
rule.author
Type: keyword
Level: Extended
Description: Rule author
Example: ["Star-Lord"]
Normalization: array
Indexed: true

rule.category
Type: keyword
Level: Extended
Description: Rule category
Example: Attempted Information Leak
Indexed: true

rule.description
Type: keyword
Level: Extended
Description: Rule description
Example: Block requests to public DNS over HTTPS / TLS protocols
Indexed: true

rule.id
Type: keyword
Level: Extended
Description: Rule ID
Example: 101
Indexed: true

rule.license
Type: keyword
Level: Extended
Description: Rule license
Example: Apache 2.0
Indexed: true

rule.name
Type: keyword
Level: Extended
Description: Rule name
Example: BLOCK_DNS_over_TLS
Indexed: true

rule.reference
Type: keyword
Level: Extended
Description: Rule reference URL
Example: https://en.wikipedia.org/wiki/DNS_over_TLS
Indexed: true

rule.ruleset
Type: keyword
Level: Extended
Description: Rule ruleset
Example: Standard_Protocol_Filters
Indexed: true

rule.uuid
Type: keyword
Level: Extended
Description: Rule UUID
Example: 1100110011
Indexed: true

rule.version
Type: keyword
Level: Extended
Description: Rule version
Example: 1.1
Indexed: true