groups:
  - id: registry.security_rule
    display_name: Security Rule
    type: attribute_group
    brief: >
      Describes security rule attributes. Rule fields are used to capture the specifics of any observer or agent rules
      that generate alerts or other notable events.
    attributes:
      - id: security_rule.category
        type: string
        stability: development
        brief: >
          A categorization value keyword used by the entity using the rule for detection of this event
        examples: ['Attempted Information Leak']
      - id: security_rule.description
        type: string
        stability: development
        brief: >
          The description of the rule generating the event.
        examples: ['Block requests to public DNS over HTTPS / TLS protocols']
      - id: security_rule.license
        type: string
        stability: development
        brief: >
          Name of the license under which the rule used to generate this event is made available.
        examples: ['Apache 2.0']
      - id: security_rule.name
        type: string
        stability: development
        brief: >
          The name of the rule or signature generating the event.
        examples: ['BLOCK_DNS_over_TLS']
      - id: security_rule.reference
        type: string
        stability: development
        brief: >
          Reference URL to additional information about the rule used to generate this event.
        note: >
          The URL can point to the vendor’s documentation about the rule.
          If that’s not available, it can also be a link to a more general page describing this type of alert.
        examples: ['https://en.wikipedia.org/wiki/DNS_over_TLS']
      - id: security_rule.ruleset.name
        type: string
        stability: development
        brief: >
          Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
        examples: ['Standard_Protocol_Filters']
      - id: security_rule.uuid
        type: string
        stability: development
        brief: >
          A rule ID that is unique within the scope of a set or group of agents, observers, or other entities
          using the rule for detection of this event.
        examples: ['550e8400-e29b-41d4-a716-446655440000', '1100110011']
      - id: security_rule.version
        type: string
        stability: development
        brief: >
          The version / revision of the rule being used for analysis.
        examples: ['1.0.0']