Describes security rule attributes. Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
| Attribute | Type | Description | Examples | Stability |
|---|---|---|---|---|
security_rule.category |
string | A categorization value keyword used by the entity using the rule for detection of this event | Attempted Information Leak |
 |
security_rule.description |
string | The description of the rule generating the event. | Block requests to public DNS over HTTPS / TLS protocols |
|
security_rule.license |
string | Name of the license under which the rule used to generate this event is made available. | Apache 2.0 |
|
security_rule.name |
string | The name of the rule or signature generating the event. | BLOCK_DNS_over_TLS |
|
security_rule.reference |
string | Reference URL to additional information about the rule used to generate this event. [1] | https://en.wikipedia.org/wiki/DNS_over_TLS |
|
security_rule.ruleset.name |
string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | Standard_Protocol_Filters |
|
security_rule.uuid |
string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | 550e8400-e29b-41d4-a716-446655440000; 1100110011 |
|
security_rule.version |
string | The version / revision of the rule being used for analysis. | 1.0.0 |
|
[1] security_rule.reference: The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.