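---
# GitHub issue form: request a new detection rule.
# Field `id`s below are the keys the submitted issue body is rendered under;
# they may be referenced by automation, so rename them with care.
name: New Rule
description: Suggestions and ideas for new rules
title: "[New Rule] Name of rule"
labels: ["Rule: New", "Team: TRADE"]
assignees: []
projects: ["elastic/1268"]

body:
  - type: textarea
    id: description
    attributes:
      label: Description
      description: "Provide a detailed description of the activity to be detected."
      placeholder: "Detailed description..."

  - type: dropdown
    id: target_ruleset
    attributes:
      label: Target Ruleset
      # Typo fix: "rulset" -> "ruleset" (user-visible form text).
      description: "Select the target ruleset."
      # Option values are shown verbatim to submitters and are expected to match
      # ruleset names; keep them in sync with the ruleset directories.
      options:
        - apm
        - cross-platform
        - aws
        - aws_bedrock
        - azure
        - azure_openai
        - beaconing
        - cloud_defend
        # NOTE(review): "cyberparkpas" looks like a typo for the CyberArk PAS
        # integration (cyberarkpas) — confirm against the ruleset directory
        # name before changing, since the value is what submitters select.
        - cyberparkpas
        - ded
        - dga
        - endpoint
        - fim
        - gcp
        - github
        - google_workspace
        - kubernetes
        - lmd
        - o365
        - okta
        - problemchild
        - linux
        - macos
        - ml
        - network
        - promotions
        - threat_intel
        - windows
        - other

  - type: dropdown
    id: rule_type
    attributes:
      label: Target Rule Type
      description: "Select the target type."
      options:
        - Custom (KQL or Lucene)
        - Machine Learning
        - Threshold
        - Event Correlation (EQL)
        - Indicator Match
        - New Terms
        - ES|QL

  - type: input
    id: ecs_version
    attributes:
      label: Tested ECS Version
      description: "Specify the tested ECS version."
      # Quoted so a dotted version such as 8.10 is never read as a float.
      placeholder: "x.x.x"

  - type: textarea
    id: query
    attributes:
      label: Query
      description: "Provide the query for the rule (optional)."
      placeholder: "Query..."

  - type: textarea
    id: new_fields
    attributes:
      label: New fields required in ECS/data sources for this rule?
      description: "List any new fields required in ECS or data sources for this rule (optional)."
      placeholder: "New fields..."

  - type: textarea
    id: related_issues_prs
    attributes:
      label: Related issues or PRs
      description: "Link any related issues or PRs (optional)."
      placeholder: "Related issues or PRs..."

  - type: textarea
    id: references
    attributes:
      label: References
      description: "List any references (optional)."
      placeholder: "References..."

  # Issues filed through this form are public. Submitters only see the
  # `description` text below; if they need explicit redaction guidance
  # (strip hostnames, account names, IP addresses, and any credentials,
  # tokens or session identifiers before pasting), extend that string.
  - type: textarea
    id: example_data
    attributes:
      label: Redacted Example Data
      description: "Provide a redacted example JSON data from the actual activity."
      placeholder: "Example JSON data..."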