-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathschema.yml
65 lines (65 loc) · 2.42 KB
/
schema.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# Generic infrastructure tracking rule schema
# This is a schema file for https://pypi.org/project/yamale/#examples
include('rule')
---
rule:
# Every rule needs a titlem which is a string
title: str()
# The uuid is an uuid4 value in order to uniquely identify rules
uuid: str(36)
# Related is a list of related rules, the definition can be found below
related: list(include('relation'), required=False)
# Status can be one of
# - experimental
# - production
# - deprecated
status: enum('experimental', 'production', 'deprecated')
# Description is a string which is not required, but recommended
description: str(required=False)
# Similar to description, author is an optional string, but should be used
author: str()
# Created date as YYYY-mm-dd string
created: day()
# Optional modified date as YYYY-mm-dd string
modified: day(required=False)
# Classification is a list of classifications, the definition can be found below
# Example:
# classification:
# - type: tlp
# value: white
classification: list(include('classification', min=1))
# Condition is a combination of queries and logical operators. This allows query chaining, but can be used for single queries also:
# condition:
# - servcie: shodan
# query: HTTP/1.1 418 teapot
condition: list(include('logic'), include('query'))
# Information related to clustering, as string
threatactor: str(required=False)
malwarefamily: str(required=False)
# References can be a list of strings, e.g. links to blog posts or similar
references: list(str(), required=False)
# Allow custom properties under this key
custom: any(required=False)
---
# A logic object itself can include several logic objects or queries
logic:
AND: list(include('logic'), include('query'), min=2, required=False)
OR: list(include('logic'), include('query'), min=2, required=False)
NOT: any(include('query'), list(include('logic'), min=2), required=False)
---
# A query itself contains the service and a query string
query:
# Query type can either be a service or something like a local processor. This was named "service" before.
type: str()
# The actual query
query: str()
---
# Relations to other rules need the uuid and the type of relation
relation:
uuid: str(36)
type: enum('derives', 'deprecates')
---
# Due to several different classification taxonomies, the classification can be adjusted this way
classification:
type: str()
value: str()