SigmaHQ/sigma-schema.rx.yml

type: //rec
required:
    title:
        type: //str
        length:
            min: 1
            max: 256
    logsource:
        type: //rec
        optional:
            category: //str
            product: //str
            service: //str
            definition: //str
    detection:
        type: //rec
        required:
            condition:
                type: //any
                of:
                    - type: //str
                    - type: //arr
                      contents: //str
                      length:
                          min: 2
        optional:
            timeframe: //str
        rest:
            type: //any
            of:
                - type: //arr
                  contents: //str
                - type: //map
                  values:
                      type: //any
                      of:
                          - type: //str
                          - type: //arr
                            contents: //str
                            length:
                                min: 2
optional:
    status:
        type: //any
        of:
            - type: //str
              value: stable
            - type: //str
              value: testing
            - type: //str
              value: experimental
    description: //str
    author: //str
    references:
        type: //arr
        contents: //str
    fields:
        type: //arr
        contents: //str
    falsepositives:
        type: //any
        of:
            - type: //str
            - type: //arr
              contents: //str
              length:
                  min: 2
    level:
        type: //any
        of:
            - type: //str
              value: low
            - type: //str
              value: medium
            - type: //str
              value: high
            - type: //str
              value: critical
rest: //any
First draft of Rx schema 2018-02-03 23:27:09 +00:00			`type: //rec`
			`required:`
			`title:`
			`type: //str`
			`length:`
			`min: 1`
			`max: 256`
			`logsource:`
			`type: //rec`
			`optional:`
			`category: //str`
			`product: //str`
			`service: //str`
			`definition: //str`
			`detection:`
			`type: //rec`
			`required:`
			`condition:`
			`type: //any`
			`of:`
			`- type: //str`
			`- type: //arr`
			`contents: //str`
			`length:`
			`min: 2`
			`optional:`
			`timeframe: //str`
			`rest:`
			`type: //any`
			`of:`
			`- type: //arr`
			`contents: //str`
			`- type: //map`
			`values:`
			`type: //any`
			`of:`
			`- type: //str`
			`- type: //arr`
			`contents: //str`
			`length:`
			`min: 2`
			`optional:`
			`status:`
			`type: //any`
			`of:`
			`- type: //str`
			`value: stable`
			`- type: //str`
			`value: testing`
			`- type: //str`
			`value: experimental`
			`description: //str`
			`author: //str`
			`references:`
			`type: //arr`
			`contents: //str`
			`fields:`
			`type: //arr`
			`contents: //str`
			`falsepositives:`
			`type: //any`
			`of:`
			`- type: //str`
			`- type: //arr`
			`contents: //str`
			`length:`
			`min: 2`
			`level:`
			`type: //any`
			`of:`
			`- type: //str`
			`value: low`
			`- type: //str`
			`value: medium`
			`- type: //str`
			`value: high`
			`- type: //str`
			`value: critical`
			`rest: //any`