# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# 	http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: rule
  title: Rule
  group: 2
  short: Fields to capture details about rules used to generate alerts or other notable events.
  description: >
   Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.

   Examples of data sources that would populate the rule fields include: network admission control platforms, network or
   host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.

  type: group
  fields:

    - name: id
      level: extended
      type: keyword
      short: Rule ID
      description: >
        A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.

      example: 101

    - name: uuid
      level: extended
      type: keyword
      short: Rule UUID
      description: >
        A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.

      example: 1100110011

    - name: version
      level: extended
      type: keyword
      short: Rule version
      description: The version / revision of the rule being used for analysis.
      example: 1.1

    - name: name
      level: extended
      type: keyword
      short: Rule name
      description: The name of the rule or signature generating the event.
      example: BLOCK_DNS_over_TLS

    - name: description
      level: extended
      type: keyword
      short: Rule description
      description: The description of the rule generating the event.
      example: Block requests to public DNS over HTTPS / TLS protocols

    - name: category
      level: extended
      type: keyword
      short: Rule category
      description: >
         A categorization value keyword used by the entity using the rule for detection of this event.

      example: Attempted Information Leak

    - name: ruleset
      level: extended
      type: keyword
      short: Rule ruleset
      description: >
         Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.

      example: Standard_Protocol_Filters

    - name: reference
      level: extended
      type: keyword
      short: Rule reference URL
      description: >
        Reference URL to additional information about the rule used to generate this event.

        The URL can point to the vendor's documentation about the rule.
        If that's not available, it can also be a link to a more general page describing this type of alert.

      example: https://en.wikipedia.org/wiki/DNS_over_TLS

    - name: author
      level: extended
      type: keyword
      short: Rule author
      description: >
        Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.

      example: "[\"Star-Lord\"]"
      normalize:
        - array

    - name: license
      level: extended
      type: keyword
      short: Rule license
      description: >
        Name of the license under which the rule used to generate this event is made available.

      example: Apache 2.0