From 373a69574ec9605895102205d561b2476972e20c Mon Sep 17 00:00:00 2001
From: Alexandra Konrad <alexandra.konrad@elastic.co>
Date: Sun, 8 Dec 2024 20:51:14 +0100
Subject: [PATCH] =?UTF-8?q?add=20new=20namespace=20=E2=80=9Csecurity=5Frul?=
 =?UTF-8?q?e.*"=20(#903)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Joao Grassi <5938087+joaopgrassi@users.noreply.github.com>
Co-authored-by: Liudmila Molkova <limolkova@microsoft.com>
---
 .chloggen/rule_new.yaml                     | 22 ++++++++
 .github/ISSUE_TEMPLATE/bug_report.yaml      |  1 +
 .github/ISSUE_TEMPLATE/change_proposal.yaml |  1 +
 .github/ISSUE_TEMPLATE/new-conventions.yaml |  1 +
 docs/attributes-registry/README.md          |  1 +
 docs/attributes-registry/security-rule.md   | 24 +++++++++
 model/security-rule/registry.yaml           | 60 +++++++++++++++++++++
 7 files changed, 110 insertions(+)
 create mode 100755 .chloggen/rule_new.yaml
 create mode 100644 docs/attributes-registry/security-rule.md
 create mode 100644 model/security-rule/registry.yaml

diff --git a/.chloggen/rule_new.yaml b/.chloggen/rule_new.yaml
new file mode 100755
index 0000000000..35b29d4c95
--- /dev/null
+++ b/.chloggen/rule_new.yaml
@@ -0,0 +1,22 @@
+# Use this changelog template to create an entry for release notes.
+#
+# If your change doesn't affect end users you should instead start
+# your pull request title with [chore] or use the "Skip Changelog" label.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: new_component
+
+# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db)
+component: security-rule
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Introducing a new security rule namespace
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+# The values here must be integers.
+issues: [903]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yaml b/.github/ISSUE_TEMPLATE/bug_report.yaml
index 35d7e1ad75..d65a7ffc55 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -71,6 +71,7 @@ body:
         - area:process
         - area:profile
         - area:rpc
+        - area:security-rule
         - area:server
         - area:service
         - area:session
diff --git a/.github/ISSUE_TEMPLATE/change_proposal.yaml b/.github/ISSUE_TEMPLATE/change_proposal.yaml
index 7ca9195edb..920ab75c84 100644
--- a/.github/ISSUE_TEMPLATE/change_proposal.yaml
+++ b/.github/ISSUE_TEMPLATE/change_proposal.yaml
@@ -63,6 +63,7 @@ body:
         - area:process
         - area:profile
         - area:rpc
+        - area:security-rule
         - area:server
         - area:service
         - area:session
diff --git a/.github/ISSUE_TEMPLATE/new-conventions.yaml b/.github/ISSUE_TEMPLATE/new-conventions.yaml
index 89ab5516f4..e63b412b75 100644
--- a/.github/ISSUE_TEMPLATE/new-conventions.yaml
+++ b/.github/ISSUE_TEMPLATE/new-conventions.yaml
@@ -72,6 +72,7 @@ body:
         - area:process
         - area:profile
         - area:rpc
+        - area:security-rule
         - area:server
         - area:service
         - area:session
diff --git a/docs/attributes-registry/README.md b/docs/attributes-registry/README.md
index 4d80dbfe2f..91df4271b1 100644
--- a/docs/attributes-registry/README.md
+++ b/docs/attributes-registry/README.md
@@ -84,6 +84,7 @@ Currently, the following namespaces exist:
 - [Process](process.md)
 - [Profile](profile.md)
 - [RPC](rpc.md)
+- [Security Rule](security-rule.md)
 - [Server](server.md)
 - [Service](service.md)
 - [Session](session.md)
diff --git a/docs/attributes-registry/security-rule.md b/docs/attributes-registry/security-rule.md
new file mode 100644
index 0000000000..ada53fab99
--- /dev/null
+++ b/docs/attributes-registry/security-rule.md
@@ -0,0 +1,24 @@
+<!--- Hugo front matter used to generate the website version of this page:
+--->
+
+<!-- NOTE: THIS FILE IS AUTOGENERATED. DO NOT EDIT BY HAND. -->
+<!-- see templates/registry/markdown/attribute_namespace.md.j2 -->
+
+# Security Rule
+
+## Security Rule
+
+Describes security rule attributes. Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
+
+| Attribute | Type | Description | Examples | Stability |
+|---|---|---|---|---|
+| <a id="security-rule-category" href="#security-rule-category">`security_rule.category`</a> | string | A categorization value keyword used by the entity using the rule for detection of this event | `Attempted Information Leak` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| <a id="security-rule-description" href="#security-rule-description">`security_rule.description`</a> | string | The description of the rule generating the event. | `Block requests to public DNS over HTTPS / TLS protocols` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| <a id="security-rule-license" href="#security-rule-license">`security_rule.license`</a> | string | Name of the license under which the rule used to generate this event is made available. | `Apache 2.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| <a id="security-rule-name" href="#security-rule-name">`security_rule.name`</a> | string | The name of the rule or signature generating the event. | `BLOCK_DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| <a id="security-rule-reference" href="#security-rule-reference">`security_rule.reference`</a> | string | Reference URL to additional information about the rule used to generate this event. [1] | `https://en.wikipedia.org/wiki/DNS_over_TLS` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| <a id="security-rule-ruleset-name" href="#security-rule-ruleset-name">`security_rule.ruleset.name`</a> | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | `Standard_Protocol_Filters` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| <a id="security-rule-uuid" href="#security-rule-uuid">`security_rule.uuid`</a> | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | `550e8400-e29b-41d4-a716-446655440000`; `1100110011` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| <a id="security-rule-version" href="#security-rule-version">`security_rule.version`</a> | string | The version / revision of the rule being used for analysis. | `1.0.0` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+
+**[1] `security_rule.reference`:** The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.
diff --git a/model/security-rule/registry.yaml b/model/security-rule/registry.yaml
new file mode 100644
index 0000000000..bd4c9cb5ff
--- /dev/null
+++ b/model/security-rule/registry.yaml
@@ -0,0 +1,60 @@
+groups:
+  - id: registry.security_rule
+    display_name: Security Rule
+    type: attribute_group
+    brief: >
+      Describes security rule attributes. Rule fields are used to capture the specifics of any observer or agent rules
+      that generate alerts or other notable events.
+    attributes:
+      - id: security_rule.category
+        type: string
+        stability: experimental
+        brief: >
+          A categorization value keyword used by the entity using the rule for detection of this event
+        examples: ['Attempted Information Leak']
+      - id: security_rule.description
+        type: string
+        stability: experimental
+        brief: >
+          The description of the rule generating the event.
+        examples: ['Block requests to public DNS over HTTPS / TLS protocols']
+      - id: security_rule.license
+        type: string
+        stability: experimental
+        brief: >
+          Name of the license under which the rule used to generate this event is made available.
+        examples: ['Apache 2.0']
+      - id: security_rule.name
+        type: string
+        stability: experimental
+        brief: >
+          The name of the rule or signature generating the event.
+        examples: ['BLOCK_DNS_over_TLS']
+      - id: security_rule.reference
+        type: string
+        stability: experimental
+        brief: >
+          Reference URL to additional information about the rule used to generate this event.
+        note: >
+          The URL can point to the vendor’s documentation about the rule.
+          If that’s not available, it can also be a link to a more general page describing this type of alert.
+        examples: ['https://en.wikipedia.org/wiki/DNS_over_TLS']
+      - id: security_rule.ruleset.name
+        type: string
+        stability: experimental
+        brief: >
+          Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+        examples: ['Standard_Protocol_Filters']
+      - id: security_rule.uuid
+        type: string
+        stability: experimental
+        brief: >
+          A rule ID that is unique within the scope of a set or group of agents, observers, or other entities
+          using the rule for detection of this event.
+        examples: ['550e8400-e29b-41d4-a716-446655440000', '1100110011']
+      - id: security_rule.version
+        type: string
+        stability: experimental
+        brief: >
+          The version / revision of the rule being used for analysis.
+        examples: ['1.0.0']