events.json
{
"title": "WAF Events Schema",
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "schema/event.json",
"type": "array",
"items": {
"type": "object",
"properties": {
"rule": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The unique identifier of the rule that triggered the event. For example, ``ua-910-xax``."
},
"name": {
"type": "string",
"description": "The friendly name of the rule that triggered the event."
},
"tags": {
"type": "object",
"description": "The tags associated with the rule in the event rules file.",
"properties": {
"type": {
"type": "string",
"description": "The type of the rule as defined in the ruleset"
},
"category": {
"type": "string",
"description": "The category of the rule as defined in the ruleset"
}
},
"required": [
"type"
]
},
"on_match": {
"type": "array",
"description": "on_match actions as defined in the ruleset.",
"items": {
"type": "string"
}
}
},
"required": [
"id",
"name",
"tags"
],
"additionalProperties": false
},
"rule_matches": {
"type": "array",
"items": {
"type": "object",
"properties": {
"operator": {
"type": "string",
"description": "The rule operator that triggered this event. For example, ``match_regex`` or ``phrase_match``."
},
"operator_value": {
"type": "string",
"description": "The operand of the rule operator that triggered this event. For example, the word that matched when using the ``phrase_match`` operator."
},
"parameters": {
"type": "array",
"items": {
"type": "object",
"properties": {
"address": {
"type": "string",
"description": "The address containing the value that triggered the rule. For example ``http.server.query``."
},
"key_path": {
"type": "array",
"description": "The path of the value that triggered the rule. For example ``[\"query\", 0]`` to refer to the value in ``{\"query\": [\"triggering value\"]}``.",
"items": {
"anyOf": [
{ "type": "string" },
{ "type": "number" }
]
}
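},
"value": {
"type": "string",
"description": "The value that triggered the rule. It is taken from the data at ``address`` and may be attacker-controlled or sensitive, so consumers should escape it before rendering and redact it where needed."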
},
"highlight": {
"type": "array",
"description": "The part of the value that triggered the rule.",
"items": {
"type": "string"
}
}
},
"required": [
"address",
"key_path",
"value",
"highlight"
]
}
}
},
"required": [
"operator",
"operator_value",
"parameters"
]
}
}
},
"required": [
"rule",
"rule_matches"
]
}
}