Description: This section contains the fields that specify the detection logic and the language used to express it. See the specifications of the fields below.
215
214
216
-
Required: *optional*
217
215
218
-
Description: It has to include the name of the actor, TLP:key, and dates when the behavior described in the RootA rule was used by the Actor. On the contrary to indicators of compromise, which are Actor specific, behaviors are constant while Actor is a variable. If the TLP:key is not defined, it is perceived as TLP:CLEAR. The period can be defined with two dates (first and last seen) or with one date.
216
+
### language
219
217
220
-
Example:
221
-
```
222
-
timeline:
223
-
2023-01-01 - 2023-03-06: Ducktail, MerlinAgent
224
-
2023-02-04: Lazarus
225
-
```
218
+
Format: `text (max 128 characters)`
219
+
220
+
Required: *mandatory*
221
+
222
+
Description: The field should specify the name of the SIEM/EDR/XDR in the appropriate format. See the list of supported platforms in the Possible Values section.
223
+
224
+
Possible Values:
225
+
226
+
-`sentinel-kql-query` for Microsoft Sentinel Query
227
+
-`splunk-spl-query` for Splunk Query
228
+
-`crowdstrike-spl-query` for CrowdStrike Query
229
+
-`elastic-lucene-query` for Elasticsearch Query
230
+
-`opensearch-lucene-query` for AWS OpenSearch Query
231
+
-`logscale-lql-query` for Falcon LogScale Query
232
+
-`mde-kql-query` for Microsoft Defender for Endpoint Query
233
+
-`qradar-aql-query` for IBM QRadar Query
234
+
-`sigma-yml-rule` for Sigma Rule
235
+
-`athena-sql-query` for AWS Athena Query (Security Lake)
236
+
-`chronicle-yaral-query` for Chronicle Security Query
237
+
238
+
Example: `language: splunk-spl-query`
239
+
240
+
241
+
### body
242
+
243
+
Format: `text (max 8192 characters)`
244
+
245
+
Required: *mandatory*
246
+
247
+
Description: This section should contain the rule's logic. It should be a SIEM/EDR/XDR query in the native format. The query should be in one line. In case you have a multiline query, you should join lines before adding it to the RootA rule.
248
+
249
+
Example: `index=* source="WinEventLog:*" AND (Image="*.exe" OR Image="*.com")`
226
250
227
251
228
252
## logsource
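Review bot: the single-line requirement in the `body` Description at the end of this hunk ("The query should be in one line. In case you have a multiline query, you should join lines") conflicts with `sigma-yml-rule` in the `language` Possible Values list: a Sigma rule is a YAML document whose meaning depends on line breaks and indentation, so joining its lines yields an invalid rule. Either state that `body` holds a multi-line YAML document when `language` is `sigma-yml-rule`, or drop that value from the list. Two smaller points in the same hunk: the Possible Values entries have no space after the leading dash (`-`sentinel-kql-query` for Microsoft Sentinel Query`), so Markdown renders them as one run-on paragraph rather than a bulleted list; and the `body` Example shows only the query, unlike `Example: `language: splunk-spl-query`` just above it, so `Example: `body: index=* source="WinEventLog:*" AND (Image="*.exe" OR Image="*.com")`` would keep the two consistent.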
@@ -315,47 +339,25 @@ Description: This section provides detailed instructions on how to enable the re
315
339
Example: `enable: 'Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Detailed Tracking -> Audit Process Creation'`
316
340
317
341
318
-
## detection
319
-
320
-
Required: *mandatory*
321
-
322
-
Description: This section contains the fields that specify the detection logic and the language used to express it. See the specifications of the fields below.
323
-
324
-
325
-
### language
326
-
327
-
Format: `text (max 128 characters)`
328
-
329
-
Required: *mandatory*
330
-
331
-
Description: The field should specify the name of the SIEM/EDR/XDR in the appropriate format. See the list of supported platforms in the Possible Values section.
332
-
333
-
Possible Values:
334
-
335
-
-`sentinel-kql-query` for Microsoft Sentinel Query
336
-
-`splunk-spl-query` for Splunk Query
337
-
-`crowdstrike-spl-query` for CrowdStrike Query
338
-
-`elastic-lucene-query` for Elasticsearch Query
339
-
-`opensearch-lucene-query` for AWS OpenSearch Query
340
-
-`logscale-lql-query` for Falcon LogScale Query
341
-
-`mde-kql-query` for Microsoft Defender for Endpoint Query
342
-
-`qradar-aql-query` for IBM QRadar Query
343
-
-`sigma-yml-rule` for Sigma Rule
344
-
-`athena-sql-query` for AWS Athena Query (Security Lake)
345
-
-`chronicle-yaral-query` for Chronicle Security Query
Description: This section should contain the rule's logic. It should be a SIEM/EDR/XDR query in the native format. The query should be in one line. In case you have a multiline query, you should join lines before adding it to the RootA rule.
353
+
Description: It has to include the name of the actor, TLP:key, and dates when the behavior described in the RootA rule was used by the Actor. On the contrary to indicators of compromise, which are Actor specific, behaviors are constant while Actor is a variable. If the TLP:key is not defined, it is perceived as TLP:CLEAR. The period can be defined with two dates (first and last seen) or with one date.
357
354
358
-
Example: `index=* source="WinEventLog:*" AND (Image="*.exe" OR Image="*.com")`
355
+
Example:
356
+
```
357
+
timeline:
358
+
2023-01-01 - 2023-03-06: Ducktail, MerlinAgent
359
+
2023-02-04: Lazarus
360
+
```
359
361
360
362
361
363
## references
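Review bot: the `timeline` Description added in this hunk says each entry "has to include the name of the actor, TLP:key, and dates", but the Example that follows (`2023-01-01 - 2023-03-06: Ducktail, MerlinAgent`) carries no TLP key, and the same paragraph says an undefined key is treated as TLP:CLEAR, so the key is optional rather than required. Reword to "the actor name, the dates when the behavior was used, and optionally a TLP:key", and show the TLP syntax in at least one example line, because the hunk never says where in an entry the key is written. The date format (the example implies YYYY-MM-DD) and the range separator (` - ` between first-seen and last-seen) should also be stated explicitly instead of being left to be inferred from the example.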
@@ -411,10 +413,41 @@ Required: *optional*
411
413
412
414
Description: Unique ID of the rule. UUID version 4 is recommended for use.
Description: The correlation section is responsible for the correlation of query results.
422
+
423
+
Example:
424
+
```
425
+
correlation:
426
+
timeframe: 1m
427
+
functions: count() > 10
428
+
```
429
+
430
+
### timeframe
431
+
Format: `text (8 characters)`
432
+
433
+
Required: *optional*
434
+
435
+
Description: A time frame for the functions, which is defined as a span of seconds (s), minutes (m), hours (h), days (d), and weeks(w).
436
+
437
+
Example: `timeframe: 1m`
438
+
439
+
### functions
440
+
Format: `text (128 characters)`
441
+
442
+
Required: *optional*
443
+
444
+
Description: Functions can be used for correlation of query results, for example, to trigger only in case certain thresholds of certain fields are met. This is still under development. First functions to be released:
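Review bot: `Format: `text (8 characters)`` for `timeframe` and `Format: `text (128 characters)`` for `functions` read as fixed lengths, whereas every other field in this hunk and the earlier ones uses `max N characters` (e.g. `Format: `text (max 128 characters)``); `1m` is two characters, so these should be `max 8` and `max 128`. The `timeframe` Description lists the units but not the syntax; say that the value is an integer immediately followed by one unit letter, as in the example `1m`. The `functions` Example `count() > 10` introduces a grammar (function call, comparison operator, threshold) that the hunk does not define: state what `count()` counts (matching events within `timeframe`?), which comparison operators are accepted, and whether several functions can be combined in one `functions` value. Minor: "weeks(w)" is missing the space before the parenthesis that the other units have.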