From 36792a17fef9e6ef7a79b2611a4cd985dab3d5f3 Mon Sep 17 00:00:00 2001
From: Alexandra Konrad
Date: Mon, 8 Apr 2024 18:57:35 +0200
Subject: [PATCH 01/12] add new namespace rule

---
 .chloggen/rule_new.yaml | 22 +++++++
 .github/ISSUE_TEMPLATE/bug_report.yaml | 1 +
 .github/ISSUE_TEMPLATE/change_proposal.yaml | 1 +
 .github/ISSUE_TEMPLATE/new-conventions.yaml | 1 +
 docs/attributes-registry/README.md | 1 +
 docs/attributes-registry/rule.md | 24 +++++++
 model/registry/rule.yaml | 73 +++++++++++++++++++++
 7 files changed, 123 insertions(+)
 create mode 100755 .chloggen/rule_new.yaml
 create mode 100644 docs/attributes-registry/rule.md
 create mode 100644 model/registry/rule.yaml

diff --git a/.chloggen/rule_new.yaml b/.chloggen/rule_new.yaml
new file mode 100755
index 0000000000..932f6aa053
--- /dev/null
+++ b/.chloggen/rule_new.yaml
@@ -0,0 +1,22 @@
+# Use this changelog template to create an entry for release notes.
+#
+# If your change doesn't affect end users you should instead start
+# your pull request title with [chore] or use the "Skip Changelog" label.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: new_component
+
+# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db)
+component: rule
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Introducing a new rule namespace
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+# The values here must be integers.
+issues: [903]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml
index 138ec6c592..6f29fe6d08 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -55,6 +55,7 @@ body:
 - area:peer
 - area:process
 - area:rpc
+ - area:rule
 - area:server
 - area:service
 - area:session
diff --git a/.github/ISSUE_TEMPLATE/change_proposal.yaml b/.github/ISSUE_TEMPLATE/change_proposal.yaml
index 117491cb40..319522da23 100644
--- a/.github/ISSUE_TEMPLATE/change_proposal.yaml
+++ b/.github/ISSUE_TEMPLATE/change_proposal.yaml
@@ -48,6 +48,7 @@ body:
 - area:peer
 - area:process
 - area:rpc
+ - area:rule
 - area:server
 - area:service
 - area:session
diff --git a/.github/ISSUE_TEMPLATE/new-conventions.yaml b/.github/ISSUE_TEMPLATE/new-conventions.yaml
index f663263c59..f92d1d41a2 100644
--- a/.github/ISSUE_TEMPLATE/new-conventions.yaml
+++ b/.github/ISSUE_TEMPLATE/new-conventions.yaml
@@ -57,6 +57,7 @@ body:
 - area:peer
 - area:process
 - area:rpc
+ - area:rule
 - area:server
 - area:service
 - area:session
diff --git a/docs/attributes-registry/README.md b/docs/attributes-registry/README.md
index c9f832ec74..2380023883 100644
--- a/docs/attributes-registry/README.md
+++ b/docs/attributes-registry/README.md
@@ -62,6 +62,7 @@ Currently, the following namespaces exist:
 * [Peer](peer.md)
 * [Process](process.md)
 * [RPC](rpc.md)
+* [Rule](rule.md)
 * [Server](server.md)
 * [Service](service.md)
 * [Session](session.md)
diff --git a/docs/attributes-registry/rule.md b/docs/attributes-registry/rule.md
new file mode 100644
index 0000000000..b8e3210a24
--- /dev/null
+++ b/docs/attributes-registry/rule.md
@@ -0,0 +1,24 @@ + + +# Rule + +## Rule Attributes + + +| Attribute | Type | Description | Examples | Stability | +|---|---|---|---|---| +| `rule.author` | string | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | `username1` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.category` | string | A categorization value keyword used by the entity using the rule for detection of this event | `Attempted Information Leak` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.description` | string | The description of the rule generating the event. | `Block requests to public DNS over HTTPS / TLS protocols` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.id` | string | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | `101` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.license` | string | Name of the license under which the rule used to generate this event is made available. | `Apache 2.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.name` | string | The name of the rule or signature generating the event. | `BLOCK_DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.reference` | string | Reference URL to additional information about the rule used to generate this event. [1] | `https://en.wikipedia.org/wiki/DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.ruleset` | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. 
| `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.uuid` | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | `550e8400-e29b-41d4-a716-446655440000`; `1100110011` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.version` | string | The version / revision of the rule being used for analysis. | `1.0.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | + +**[1]:** The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. + diff --git a/model/registry/rule.yaml b/model/registry/rule.yaml new file mode 100644 index 0000000000..044a40ed73 --- /dev/null +++ b/model/registry/rule.yaml 
@@ -0,0 +1,73 @@ +groups: + - id: registry.rule + prefix: rule + type: attribute_group + brief: > + Describes rule attributes. Rule fields are used to capture the specifics of any observer or agent rules + that generate alerts or other notable events. + attributes: + - id: author + stability: experimental + type: string + brief: > + Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. + examples: ['username1'] + - id: category + type: string + stability: experimental + brief: > + A categorization value keyword used by the entity using the rule for detection of this event + examples: ['Attempted Information Leak'] + - id: description + type: string + stability: experimental + brief: > + The description of the rule generating the event. + examples: ['Block requests to public DNS over HTTPS / TLS protocols'] + - id: id + type: string + stability: experimental + brief: > + A rule ID that is unique within the scope of an agent, observer, + or other entity using the rule for detection of this event. + examples: ['101'] + - id: license + type: string + stability: experimental + brief: > + Name of the license under which the rule used to generate this event is made available. + examples: ['Apache 2.0'] + - id: name + type: string + stability: experimental + brief: > + The name of the rule or signature generating the event. + examples: ['BLOCK_DNS_over_TLS'] + - id: reference + type: string + stability: experimental + brief: > + Reference URL to additional information about the rule used to generate this event. + note: > + The URL can point to the vendor’s documentation about the rule. + If that’s not available, it can also be a link to a more general page describing this type of alert. 
+ examples: ['https://en.wikipedia.org/wiki/DNS_over_TLS'] + - id: ruleset + type: string + stability: experimental + brief: > + Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. + examples: ['Standard_Protocol_Filters'] + - id: uuid + type: string + stability: experimental + brief: > + A rule ID that is unique within the scope of a set or group of agents, observers, or other entities + using the rule for detection of this event. + examples: ['550e8400-e29b-41d4-a716-446655440000', '1100110011'] + - id: version + type: string + stability: experimental + brief: > + The version / revision of the rule being used for analysis. + examples: ['1.0.0'] From ca5b8ea6114facfb11deb81ee0e92eb9ce4abbb7 Mon Sep 17 00:00:00 2001 From: Alexandra Konrad Date: Tue, 7 May 2024 16:44:24 +0200 Subject: [PATCH 02/12] updated for the weaver --- docs/attributes-registry/README.md | 1 + docs/attributes-registry/rule.md | 32 ++++++++++++++++-------------- 2 files changed, 18 insertions(+), 15 deletions(-) diff --git a/docs/attributes-registry/README.md b/docs/attributes-registry/README.md index 66f750c036..62a8ea6aed 100644 --- a/docs/attributes-registry/README.md +++ b/docs/attributes-registry/README.md @@ -72,6 +72,7 @@ Currently, the following namespaces exist: - [Peer](peer.md) - [Process](process.md) - [RPC](rpc.md) +- [Rule](rule.md) - [Server](server.md) - [Service](service.md) - [Session](session.md) diff --git a/docs/attributes-registry/rule.md b/docs/attributes-registry/rule.md index b8e3210a24..c2cd25a42f 100644 --- a/docs/attributes-registry/rule.md +++ b/docs/attributes-registry/rule.md 
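Review bot: The `uuid` attribute's examples mix a real UUID with `'1100110011'`, which is not a UUID, so the entry leaves it open whether the value must actually be a UUID; either drop the second example or reword the brief to `A rule identifier, not necessarily a UUID, that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.` The same example pair is carried forward into `security_rule.uuid` in PATCH 08. The `reference` note does not say what kind of URL is expected; because the value originates from the rule definition rather than from the instrumented system, and backends typically render it as a link, I would add `The value SHOULD be an absolute http or https URL.` to the note so consumers have something concrete to validate against. As a style point, the `category` brief is the only one without a terminating period, and `author` lists `stability` before `type` while every other attribute lists `type` first.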
@@ -1,24 +1,26 @@ + + + # Rule ## Rule Attributes - -| Attribute | Type | Description | Examples | Stability | -|---|---|---|---|---| -| `rule.author` | string | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | `username1` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.category` | string | A categorization value keyword used by the entity using the rule for detection of this event | `Attempted Information Leak` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.description` | string | The description of the rule generating the event. | `Block requests to public DNS over HTTPS / TLS protocols` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.id` | string | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | `101` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.license` | string | Name of the license under which the rule used to generate this event is made available. | `Apache 2.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.name` | string | The name of the rule or signature generating the event. | `BLOCK_DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.reference` | string | Reference URL to additional information about the rule used to generate this event. [1] | `https://en.wikipedia.org/wiki/DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.ruleset` | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. 
| `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.uuid` | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | `550e8400-e29b-41d4-a716-446655440000`; `1100110011` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.version` | string | The version / revision of the rule being used for analysis. | `1.0.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +Describes rule attributes. Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. + +| Attribute | Type | Description | Examples | Stability | +| ------------------ | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | ---------------------------------------------------------------- | +| `rule.author` | string | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | `username1` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.category` | string | A categorization value keyword used by the entity using the rule for detection of this event | `Attempted Information Leak` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.description` | string | The description of the rule generating the event. | `Block requests to public DNS over HTTPS / TLS protocols` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.id` | string | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. 
| `101` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.license` | string | Name of the license under which the rule used to generate this event is made available. | `Apache 2.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.name` | string | The name of the rule or signature generating the event. | `BLOCK_DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.reference` | string | Reference URL to additional information about the rule used to generate this event. [1] | `https://en.wikipedia.org/wiki/DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.ruleset` | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.uuid` | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | `550e8400-e29b-41d4-a716-446655440000`; `1100110011` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.version` | string | The version / revision of the rule being used for analysis. | `1.0.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | **[1]:** The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. - From d8ce7fae1f2f30573006f669f2e5ed8ef4546111 Mon Sep 17 00:00:00 2001 From: Alexandra Konrad Date: Fri, 10 May 2024 13:18:41 +0200 Subject: [PATCH 03/12] remove author until further discussion --- model/registry/rule.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/model/registry/rule.yaml b/model/registry/rule.yaml index 044a40ed73..7f11017d2e 100644 --- a/model/registry/rule.yaml +++ b/model/registry/rule.yaml 
@@ -6,12 +6,6 @@ groups:
 Describes rule attributes. Rule fields are used to capture the specifics of any observer or agent rules
 that generate alerts or other notable events.
 attributes:
- - id: author
- stability: experimental
- type: string
- brief: >
- Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
- examples: ['username1']
 - id: category
 type: string
 stability: experimental
From 6c9c59368312c1fcdab209df037c10505413ad33 Mon Sep 17 00:00:00 2001
From: Alexandra Konrad
Date: Fri, 10 May 2024 15:28:54 +0200
Subject: [PATCH 04/12] fix registry

---
 docs/attributes-registry/rule.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docs/attributes-registry/rule.md b/docs/attributes-registry/rule.md
index c2cd25a42f..1142ce3fb6 100644
--- a/docs/attributes-registry/rule.md
+++ b/docs/attributes-registry/rule.md
@@ -12,7 +12,6 @@ Describes rule attributes. Rule fields are used to capture the specifics of any | Attribute | Type | Description | Examples | Stability | | ------------------ | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | ---------------------------------------------------------------- | -| `rule.author` | string | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | `username1` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `rule.category` | string | A categorization value keyword used by the entity using the rule for detection of this event | `Attempted Information Leak` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `rule.description` | string | The description of the rule generating the event. | `Block requests to public DNS over HTTPS / TLS protocols` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `rule.id` | string | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | `101` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | From eedc6d08fc3601c3d4413fe48d6a59d12c56efcf Mon Sep 17 00:00:00 2001 From: Alexandra Konrad Date: Thu, 18 Jul 2024 16:17:14 +0200 Subject: [PATCH 05/12] update rule sub namespace to be security --- docs/attributes-registry/rule.md | 26 +++++++++++++------------- model/registry/rule.yaml | 6 +++--- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/docs/attributes-registry/rule.md b/docs/attributes-registry/rule.md index 1142ce3fb6..dfca0eb7f1 100644 --- a/docs/attributes-registry/rule.md +++ b/docs/attributes-registry/rule.md 
@@ -6,20 +6,20 @@ # Rule -## Rule Attributes +## Rule Security Attributes -Describes rule attributes. Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. +Describes security rule attributes. Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. -| Attribute | Type | Description | Examples | Stability | -| ------------------ | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | ---------------------------------------------------------------- | -| `rule.category` | string | A categorization value keyword used by the entity using the rule for detection of this event | `Attempted Information Leak` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.description` | string | The description of the rule generating the event. | `Block requests to public DNS over HTTPS / TLS protocols` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.id` | string | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | `101` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.license` | string | Name of the license under which the rule used to generate this event is made available. | `Apache 2.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.name` | string | The name of the rule or signature generating the event. | `BLOCK_DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.reference` | string | Reference URL to additional information about the rule used to generate this event. 
[1] | `https://en.wikipedia.org/wiki/DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.ruleset` | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.uuid` | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | `550e8400-e29b-41d4-a716-446655440000`; `1100110011` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.version` | string | The version / revision of the rule being used for analysis. | `1.0.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| Attribute | Type | Description | Examples | Stability | +| --------------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | ---------------------------------------------------------------- | +| `rule.security.category` | string | A categorization value keyword used by the entity using the rule for detection of this event | `Attempted Information Leak` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.security.description` | string | The description of the rule generating the event. | `Block requests to public DNS over HTTPS / TLS protocols` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.security.id` | string | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. 
| `101` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.security.license` | string | Name of the license under which the rule used to generate this event is made available. | `Apache 2.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.security.name` | string | The name of the rule or signature generating the event. | `BLOCK_DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.security.reference` | string | Reference URL to additional information about the rule used to generate this event. [1] | `https://en.wikipedia.org/wiki/DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.security.ruleset` | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.security.uuid` | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | `550e8400-e29b-41d4-a716-446655440000`; `1100110011` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `rule.security.version` | string | The version / revision of the rule being used for analysis. | `1.0.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | **[1]:** The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. diff --git a/model/registry/rule.yaml b/model/registry/rule.yaml index 7f11017d2e..539ef02a27 100644 --- a/model/registry/rule.yaml +++ b/model/registry/rule.yaml 
@@ -1,9 +1,9 @@
 groups:
- - id: registry.rule
- prefix: rule
+ - id: registry.rule.security
+ prefix: rule.security
 type: attribute_group
 brief: >
- Describes rule attributes. Rule fields are used to capture the specifics of any observer or agent rules
+ Describes security rule attributes. Rule fields are used to capture the specifics of any observer or agent rules
 that generate alerts or other notable events.
 attributes:
 - id: category
From 7b90fc8d84a343c8d21da6f521d245b15f18a41a Mon Sep 17 00:00:00 2001
From: Alexandra Konrad
Date: Tue, 23 Jul 2024 16:59:55 +0200
Subject: [PATCH 06/12] rename rule.security to security_rule

---
 docs/attributes-registry/README.md | 2 +-
 .../{rule.md => security-rule.md} | 22 +++++++++----------
 .../{rule.yaml => security-rule.yaml} | 5 +++--
 3 files changed, 15 insertions(+), 14 deletions(-)
 rename docs/attributes-registry/{rule.md => security-rule.md} (84%)
 rename model/registry/{rule.yaml => security-rule.yaml} (96%)

diff --git a/docs/attributes-registry/README.md b/docs/attributes-registry/README.md
index fcb412c54a..2d389a3b44 100644
--- a/docs/attributes-registry/README.md
+++ b/docs/attributes-registry/README.md
@@ -76,7 +76,7 @@ Currently, the following namespaces exist:
 - [Peer](peer.md)
 - [Process](process.md)
 - [RPC](rpc.md)
-- [Rule](rule.md)
+- [Security Rule](security-rule.md)
 - [Server](server.md)
 - [Service](service.md)
 - [Session](session.md)
diff --git a/docs/attributes-registry/rule.md b/docs/attributes-registry/security-rule.md
similarity index 84%
rename from docs/attributes-registry/rule.md
rename to docs/attributes-registry/security-rule.md
index dfca0eb7f1..296228ef00 100644
--- a/docs/attributes-registry/rule.md
+++ b/docs/attributes-registry/security-rule.md
@@ -4,22 +4,22 @@ -# Rule +# Security Rule -## Rule Security Attributes +## Security Rule Describes security rule attributes. Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. | Attribute | Type | Description | Examples | Stability | | --------------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | ---------------------------------------------------------------- | -| `rule.security.category` | string | A categorization value keyword used by the entity using the rule for detection of this event | `Attempted Information Leak` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.security.description` | string | The description of the rule generating the event. | `Block requests to public DNS over HTTPS / TLS protocols` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.security.id` | string | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | `101` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.security.license` | string | Name of the license under which the rule used to generate this event is made available. | `Apache 2.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.security.name` | string | The name of the rule or signature generating the event. | `BLOCK_DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.security.reference` | string | Reference URL to additional information about the rule used to generate this event. 
[1] | `https://en.wikipedia.org/wiki/DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.security.ruleset` | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.security.uuid` | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | `550e8400-e29b-41d4-a716-446655440000`; `1100110011` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `rule.security.version` | string | The version / revision of the rule being used for analysis. | `1.0.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.category` | string | A categorization value keyword used by the entity using the rule for detection of this event | `Attempted Information Leak` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.description` | string | The description of the rule generating the event. | `Block requests to public DNS over HTTPS / TLS protocols` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.id` | string | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | `101` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.license` | string | Name of the license under which the rule used to generate this event is made available. | `Apache 2.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.name` | string | The name of the rule or signature generating the event. 
| `BLOCK_DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.reference` | string | Reference URL to additional information about the rule used to generate this event. [1] | `https://en.wikipedia.org/wiki/DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.ruleset` | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.uuid` | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | `550e8400-e29b-41d4-a716-446655440000`; `1100110011` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.version` | string | The version / revision of the rule being used for analysis. | `1.0.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | **[1]:** The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. diff --git a/model/registry/rule.yaml b/model/registry/security-rule.yaml similarity index 96% rename from model/registry/rule.yaml rename to model/registry/security-rule.yaml index 539ef02a27..f00397fac7 100644 --- a/model/registry/rule.yaml +++ b/model/registry/security-rule.yaml @@ -1,6 +1,7 @@ groups: - - id: registry.rule.security - prefix: rule.security + - id: registry.security_rule + prefix: security_rule + display_name: Security Rule type: attribute_group brief: > Describes security rule attributes. Rule fields are used to capture the specifics of any observer or agent rules From ffc315a2b33c4b609aa2543c2916d769cd3e7732 Mon Sep 17 00:00:00 2001 
From: Alexandra Konrad
Date: Tue, 23 Jul 2024 19:32:16 +0200
Subject: [PATCH 07/12] update templates for the new name

---
 .github/ISSUE_TEMPLATE/bug_report.yaml | 2 +-
 .github/ISSUE_TEMPLATE/change_proposal.yaml | 2 +-
 .github/ISSUE_TEMPLATE/new-conventions.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml
index 90b7979375..84e99b5b37 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -62,7 +62,7 @@ body:
 - area:peer
 - area:process
 - area:rpc
- - area:rule
+ - area:security-rule
 - area:server
 - area:service
 - area:session
diff --git a/.github/ISSUE_TEMPLATE/change_proposal.yaml b/.github/ISSUE_TEMPLATE/change_proposal.yaml
index 45a77e2d8a..870d68967c 100644
--- a/.github/ISSUE_TEMPLATE/change_proposal.yaml
+++ b/.github/ISSUE_TEMPLATE/change_proposal.yaml
@@ -55,7 +55,7 @@ body:
 - area:peer
 - area:process
 - area:rpc
- - area:rule
+ - area:security-rule
 - area:server
 - area:service
 - area:session
diff --git a/.github/ISSUE_TEMPLATE/new-conventions.yaml b/.github/ISSUE_TEMPLATE/new-conventions.yaml
index e2b05c13b9..f8915fb802 100644
--- a/.github/ISSUE_TEMPLATE/new-conventions.yaml
+++ b/.github/ISSUE_TEMPLATE/new-conventions.yaml
@@ -64,7 +64,7 @@ body:
 - area:peer
 - area:process
 - area:rpc
- - area:rule
+ - area:security-rule
 - area:server
 - area:service
 - area:session
From 908b0f2d71d7ee12c3f9d00db4a90fc6fa7cf01a Mon Sep 17 00:00:00 2001
From: Alexandra Konrad
Date: Mon, 5 Aug 2024 14:10:20 +0200
Subject: [PATCH 08/12] remove prefix

---
 .chloggen/rule_new.yaml | 2 +-
 model/registry/security-rule.yaml | 19 +++++++++----------
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/.chloggen/rule_new.yaml b/.chloggen/rule_new.yaml
index 932f6aa053..db8c77489f 100755
--- a/.chloggen/rule_new.yaml
+++ b/.chloggen/rule_new.yaml
@@ -7,7 +7,7 @@ change_type: new_component # The name of the area of concern in the attributes-registry, (e.g. http, cloud, db) -component: rule +component: security-rule # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). note: Introducing a new rule namespace diff --git a/model/registry/security-rule.yaml b/model/registry/security-rule.yaml index f00397fac7..d80dda3f66 100644 --- a/model/registry/security-rule.yaml +++ b/model/registry/security-rule.yaml @@ -1,44 +1,43 @@ groups: - id: registry.security_rule - prefix: security_rule display_name: Security Rule type: attribute_group brief: > Describes security rule attributes. Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. attributes: - - id: category + - id: security_rule.category type: string stability: experimental brief: > A categorization value keyword used by the entity using the rule for detection of this event examples: ['Attempted Information Leak'] - - id: description + - id: security_rule.description type: string stability: experimental brief: > The description of the rule generating the event. examples: ['Block requests to public DNS over HTTPS / TLS protocols'] - - id: id + - id: security_rule.id type: string stability: experimental brief: > A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. examples: ['101'] - - id: license + - id: security_rule.license type: string stability: experimental brief: > Name of the license under which the rule used to generate this event is made available. examples: ['Apache 2.0'] - - id: name + - id: security_rule.name type: string stability: experimental brief: > The name of the rule or signature generating the event. examples: ['BLOCK_DNS_over_TLS'] - - id: reference + - id: security_rule.reference type: string stability: experimental brief: 
> @@ -47,20 +46,20 @@ groups: The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. examples: ['https://en.wikipedia.org/wiki/DNS_over_TLS'] - - id: ruleset + - id: security_rule.ruleset type: string stability: experimental brief: > Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. examples: ['Standard_Protocol_Filters'] - - id: uuid + - id: security_rule.uuid type: string stability: experimental brief: > A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. examples: ['550e8400-e29b-41d4-a716-446655440000', '1100110011'] - - id: version + - id: security_rule.version type: string stability: experimental brief: > From 962a1e769fad330f121e7a8b93425a7dca81d400 Mon Sep 17 00:00:00 2001 From: Alexandra Konrad Date: Tue, 20 Aug 2024 15:57:42 +0200 Subject: [PATCH 09/12] remove rule.id from namespace --- docs/attributes-registry/security-rule.md | 1 - model/registry/security-rule.yaml | 7 ------- 2 files changed, 8 deletions(-) diff --git a/docs/attributes-registry/security-rule.md b/docs/attributes-registry/security-rule.md index 296228ef00..9190fda105 100644 --- a/docs/attributes-registry/security-rule.md +++ b/docs/attributes-registry/security-rule.md 
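Review bot: The `security_rule.uuid` brief in the second hunk never says the value is expected to be a UUID, and its second example, `1100110011`, is not one, so the attribute name promises a format the definition does not require; either state that the value is an opaque identifier (e.g. append `The value is an opaque identifier and is not required to be an RFC 4122 UUID.` to the brief) or drop the non-UUID example. The `security_rule.reference` brief, whose `brief: >` sits at the boundary of the first hunk, could likewise note that the URL is supplied by the rule source and is metadata to display rather than a trusted link for consumers to fetch or follow automatically. The brief texts themselves are untouched by this commit, so both are documentation follow-ups rather than problems the rename introduces.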
@@ -14,7 +14,6 @@ Describes security rule attributes. Rule fields are used to capture the specific | --------------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | ---------------------------------------------------------------- | | `security_rule.category` | string | A categorization value keyword used by the entity using the rule for detection of this event | `Attempted Information Leak` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `security_rule.description` | string | The description of the rule generating the event. | `Block requests to public DNS over HTTPS / TLS protocols` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `security_rule.id` | string | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event. | `101` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `security_rule.license` | string | Name of the license under which the rule used to generate this event is made available. | `Apache 2.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `security_rule.name` | string | The name of the rule or signature generating the event. | `BLOCK_DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `security_rule.reference` | string | Reference URL to additional information about the rule used to generate this event. [1] | `https://en.wikipedia.org/wiki/DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | diff --git a/model/registry/security-rule.yaml b/model/registry/security-rule.yaml index d80dda3f66..98f29a6fb2 100644 --- a/model/registry/security-rule.yaml +++ b/model/registry/security-rule.yaml 
@@ -18,13 +18,6 @@ groups: brief: > The description of the rule generating the event. examples: ['Block requests to public DNS over HTTPS / TLS protocols'] - - id: security_rule.id - type: string - stability: experimental - brief: > - A rule ID that is unique within the scope of an agent, observer, - or other entity using the rule for detection of this event. - examples: ['101'] - id: security_rule.license type: string stability: experimental From 14ae89325dc5f7d0dbc4f4a0db10a2fb15a0724c Mon Sep 17 00:00:00 2001 From: Alexandra Konrad Date: Mon, 23 Sep 2024 16:53:18 +0200 Subject: [PATCH 10/12] update to the new structure --- .chloggen/rule_new.yaml | 2 +- .../security-rule.yaml => security-rule/registry.yaml} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename model/{registry/security-rule.yaml => security-rule/registry.yaml} (100%) diff --git a/.chloggen/rule_new.yaml b/.chloggen/rule_new.yaml index db8c77489f..35b29d4c95 100755 --- a/.chloggen/rule_new.yaml +++ b/.chloggen/rule_new.yaml @@ -10,7 +10,7 @@ change_type: new_component component: security-rule # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). -note: Introducing a new rule namespace +note: Introducing a new security rule namespace # Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists. # The values here must be integers. diff --git a/model/registry/security-rule.yaml b/model/security-rule/registry.yaml similarity index 100% rename from model/registry/security-rule.yaml rename to model/security-rule/registry.yaml From 177e10d57e051bf968bf849507bdbd96ff581b70 Mon Sep 17 00:00:00 2001 From: Alexandra Konrad Date: Mon, 28 Oct 2024 16:23:03 +0100 Subject: [PATCH 11/12] update markdown --- docs/attributes-registry/security-rule.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
diff --git a/docs/attributes-registry/security-rule.md b/docs/attributes-registry/security-rule.md index 9190fda105..ff38eb0060 100644 --- a/docs/attributes-registry/security-rule.md +++ b/docs/attributes-registry/security-rule.md 
@@ -10,15 +10,15 @@ Describes security rule attributes. Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events. -| Attribute | Type | Description | Examples | Stability | -| --------------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | ---------------------------------------------------------------- | -| `security_rule.category` | string | A categorization value keyword used by the entity using the rule for detection of this event | `Attempted Information Leak` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `security_rule.description` | string | The description of the rule generating the event. | `Block requests to public DNS over HTTPS / TLS protocols` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `security_rule.license` | string | Name of the license under which the rule used to generate this event is made available. | `Apache 2.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `security_rule.name` | string | The name of the rule or signature generating the event. | `BLOCK_DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `security_rule.reference` | string | Reference URL to additional information about the rule used to generate this event. [1] | `https://en.wikipedia.org/wiki/DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `security_rule.ruleset` | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. 
| `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `security_rule.uuid` | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | `550e8400-e29b-41d4-a716-446655440000`; `1100110011` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `security_rule.version` | string | The version / revision of the rule being used for analysis. | `1.0.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| Attribute | Type | Description | Examples | Stability | +|---|---|---|---|---| +| `security_rule.category` | string | A categorization value keyword used by the entity using the rule for detection of this event | `Attempted Information Leak` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.description` | string | The description of the rule generating the event. | `Block requests to public DNS over HTTPS / TLS protocols` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.license` | string | Name of the license under which the rule used to generate this event is made available. | `Apache 2.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.name` | string | The name of the rule or signature generating the event. | `BLOCK_DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.reference` | string | Reference URL to additional information about the rule used to generate this event. [1] | `https://en.wikipedia.org/wiki/DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.ruleset` | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. 
| `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.uuid` | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | `550e8400-e29b-41d4-a716-446655440000`; `1100110011` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.version` | string | The version / revision of the rule being used for analysis. | `1.0.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | **[1]:** The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. From d6b97210268a4ec5f9b0e35d0a5c45b6f4ddd886 Mon Sep 17 00:00:00 2001 From: Alexandra Konrad Date: Tue, 3 Dec 2024 16:34:20 +0100 Subject: [PATCH 12/12] make ruleset a namespace --- docs/attributes-registry/security-rule.md | 4 ++-- model/security-rule/registry.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/attributes-registry/security-rule.md b/docs/attributes-registry/security-rule.md index ff38eb0060..ada53fab99 100644 --- a/docs/attributes-registry/security-rule.md +++ b/docs/attributes-registry/security-rule.md 
@@ -17,8 +17,8 @@ Describes security rule attributes. Rule fields are used to capture the specific | `security_rule.license` | string | Name of the license under which the rule used to generate this event is made available. | `Apache 2.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `security_rule.name` | string | The name of the rule or signature generating the event. | `BLOCK_DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `security_rule.reference` | string | Reference URL to additional information about the rule used to generate this event. [1] | `https://en.wikipedia.org/wiki/DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `security_rule.ruleset` | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `security_rule.ruleset.name` | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `security_rule.uuid` | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | `550e8400-e29b-41d4-a716-446655440000`; `1100110011` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `security_rule.version` | string | The version / revision of the rule being used for analysis. | `1.0.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -**[1]:** The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. +**[1] `security_rule.reference`:** The URL can point to the vendor’s documentation about the rule. 
If that’s not available, it can also be a link to a more general page describing this type of alert. diff --git a/model/security-rule/registry.yaml b/model/security-rule/registry.yaml index 98f29a6fb2..bd4c9cb5ff 100644 --- a/model/security-rule/registry.yaml +++ b/model/security-rule/registry.yaml @@ -39,7 +39,7 @@ groups: The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert. examples: ['https://en.wikipedia.org/wiki/DNS_over_TLS'] - - id: security_rule.ruleset + - id: security_rule.ruleset.name type: string stability: experimental brief: >