11{
22 "attributes" : {
3- "wazuh-rule" : {
4- "description" : " Full Wazuh rule XML content."
5- "disable_correlation" : true ,
6- "misp-attribute" : " text"
7- "ui-priority" : 0
8- },
9- "rule-id" : {
10- "description" : " Wazuh rule identifier from the rule id attribute."
11- "disable_correlation" : true ,
12- "misp-attribute" : " text"
3+ "comment" : {
4+ "description" : " Comment or analyst note about the Wazuh rule."
5+ "misp-attribute" : " comment"
136 "ui-priority" : 0
147 },
15- "level " : {
16- "description" : " Wazuh alert level from the rule level attribute ."
8+ "decoded_as " : {
9+ "description" : " Decoder name required for the rule to match ."
1710 "disable_correlation" : true ,
1811 "misp-attribute" : " text"
1912 "ui-priority" : 0
2417 "misp-attribute" : " text"
2518 "ui-priority" : 0
2619 },
27- "group " : {
28- "description" : " Wazuh group or groups associated with the rule."
20+ "field " : {
21+ "description" : " Decoded field condition used by the rule."
2922 "disable_correlation" : true ,
3023 "misp-attribute" : " text"
3124 "multiple" : true ,
3225 "ui-priority" : 0
3326 },
34- "decoded_as " : {
35- "description" : " Decoder name required for the rule to match."
27+ "frequency " : {
28+ "description" : " Number of times the rule must match before alerting ."
3629 "disable_correlation" : true ,
3730 "misp-attribute" : " text"
3831 "ui-priority" : 0
3932 },
40- "if_sid " : {
41- "description" : " Parent or prerequisite rule ID list ."
33+ "group " : {
34+ "description" : " Wazuh group or groups associated with the rule ."
4235 "disable_correlation" : true ,
4336 "misp-attribute" : " text"
4437 "multiple" : true ,
5750 "misp-attribute" : " text"
5851 "ui-priority" : 0
5952 },
60- "if_matched_sid" : {
61- "description" : " Previously matched rule ID required within a time window."
62- "disable_correlation" : true ,
63- "misp-attribute" : " text"
64- "multiple" : true ,
65- "ui-priority" : 0
66- },
6753 "if_matched_group" : {
6854 "description" : " Previously matched group required within a time window."
6955 "disable_correlation" : true ,
7056 "misp-attribute" : " text"
7157 "multiple" : true ,
7258 "ui-priority" : 0
7359 },
74- "match " : {
75- "description" : " Regular expression or string used to match log content ."
60+ "if_matched_sid " : {
61+ "description" : " Previously matched rule ID required within a time window ."
7662 "disable_correlation" : true ,
7763 "misp-attribute" : " text"
7864 "multiple" : true ,
7965 "ui-priority" : 0
8066 },
81- "field " : {
82- "description" : " Decoded field condition used by the rule ."
67+ "if_sid " : {
68+ "description" : " Parent or prerequisite rule ID list ."
8369 "disable_correlation" : true ,
8470 "misp-attribute" : " text"
8571 "multiple" : true ,
8672 "ui-priority" : 0
8773 },
88- "options " : {
89- "description" : " Additional Wazuh rule options ."
74+ "ignore " : {
75+ "description" : " Time interval during which repeated alerts are ignored ."
9076 "disable_correlation" : true ,
9177 "misp-attribute" : " text"
92- "multiple" : true ,
9378 "ui-priority" : 0
9479 },
95- "frequency " : {
96- "description" : " Number of times the rule must match before alerting ."
80+ "level " : {
81+ "description" : " Wazuh alert level from the rule level attribute ."
9782 "disable_correlation" : true ,
9883 "misp-attribute" : " text"
9984 "ui-priority" : 0
10085 },
101- "timeframe " : {
102- "description" : " Time window used with frequency-based matching ."
86+ "match " : {
87+ "description" : " Regular expression or string used to match log content ."
10388 "disable_correlation" : true ,
10489 "misp-attribute" : " text"
90+ "multiple" : true ,
10591 "ui-priority" : 0
10692 },
107- "ignore " : {
108- "description" : " Time interval during which repeated alerts are ignored ."
93+ "mitre-id " : {
94+ "description" : " MITRE ATT&CK technique ID associated with the rule ."
10995 "disable_correlation" : true ,
11096 "misp-attribute" : " text"
97+ "multiple" : true ,
11198 "ui-priority" : 0
11299 },
113100 "noalert" : {
116103 "misp-attribute" : " text"
117104 "ui-priority" : 0
118105 },
119- "mitre-id " : {
120- "description" : " MITRE ATT&CK technique ID associated with the rule."
106+ "options " : {
107+ "description" : " Additional Wazuh rule options ."
121108 "disable_correlation" : true ,
122109 "misp-attribute" : " text"
123110 "multiple" : true ,
128115 "misp-attribute" : " link"
129116 "ui-priority" : 0
130117 },
131- "comment" : {
132- "description" : " Comment or analyst note about the Wazuh rule."
133- "misp-attribute" : " comment"
118+ "rule-id" : {
119+ "description" : " Wazuh rule identifier from the rule id attribute."
120+ "disable_correlation" : true ,
121+ "misp-attribute" : " text"
122+ "ui-priority" : 0
123+ },
124+ "timeframe" : {
125+ "description" : " Time window used with frequency-based matching."
126+ "disable_correlation" : true ,
127+ "misp-attribute" : " text"
134128 "ui-priority" : 0
135129 },
136130 "version" : {
137131 "description" : " Version of Wazuh or ruleset associated with the rule."
138132 "disable_correlation" : true ,
139133 "misp-attribute" : " text"
140134 "ui-priority" : 0
135+ },
136+ "wazuh-rule" : {
137+ "description" : " Full Wazuh rule XML content."
138+ "disable_correlation" : true ,
139+ "misp-attribute" : " text"
140+ "ui-priority" : 0
141141 }
142142 },
143143 "description" : " An object describing a Wazuh XML rule using common fields from the official Wazuh rule syntax."
149149 ],
150150 "uuid" : " 5150952e-4a21-4011-aa20-204b6459e657"
151151 "version" : 1
152- }
152+ }
0 commit comments