Security rule
November 25, 2025 · View on GitHub
Security Rule
Describes security rule attributes. Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
Attributes:
| Key | Stability | Value Type | Description | Example Values |
|---|---|---|---|---|
security_rule.category |  | string | A categorization value keyword used by the entity using the rule for detection of this event | Attempted Information Leak |
security_rule.description | | string | The description of the rule generating the event. | Block requests to public DNS over HTTPS / TLS protocols |
security_rule.license | | string | Name of the license under which the rule used to generate this event is made available. | Apache 2.0 |
security_rule.name | | string | The name of the rule or signature generating the event. | BLOCK_DNS_over_TLS |
security_rule.reference | | string | Reference URL to additional information about the rule used to generate this event. [1] | https://en.wikipedia.org/wiki/DNS_over_TLS |
security_rule.ruleset.name | | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | Standard_Protocol_Filters |
security_rule.uuid | | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | 550e8400-e29b-41d4-a716-446655440000; 1100110011 |
security_rule.version | | string | The version / revision of the rule being used for analysis. | 1.0.0 |
[1] security_rule.reference: The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.