add new namespace "rule.*"

.chloggen/rule_new.yaml

@@ -0,0 +1,22 @@
+# Use this changelog template to create an entry for release notes.
+#
+# If your change doesn't affect end users you should instead start
+# your pull request title with [chore] or use the "Skip Changelog" label.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: new_component
+
+# The name of the area of concern in the attributes-registry, (e.g. http, cloud, db)
+component: rule
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Introducing a new rule namespace
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+# The values here must be integers.
+issues: [903]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -59,6 +59,7 @@ body:
         - area:peer
         - area:process
         - area:rpc
+        - area:rule
         - area:server
         - area:service
         - area:session

.github/ISSUE_TEMPLATE/change_proposal.yaml

@@ -52,6 +52,7 @@ body:
         - area:peer
         - area:process
         - area:rpc
+        - area:rule
         - area:server
         - area:service
         - area:session

.github/ISSUE_TEMPLATE/new-conventions.yaml

@@ -61,6 +61,7 @@ body:
         - area:peer
         - area:process
         - area:rpc
+        - area:rule
         - area:server
         - area:service
         - area:session

docs/attributes-registry/README.md

@@ -72,6 +72,7 @@ Currently, the following namespaces exist:
 - [Peer](peer.md)
 - [Process](process.md)
 - [RPC](rpc.md)
+- [Rule](rule.md)
 - [Server](server.md)
 - [Service](service.md)
 - [Session](session.md)

docs/attributes-registry/rule.md

@@ -0,0 +1,26 @@
+<!--- Hugo front matter used to generate the website version of this page:
+--->
+
+<!-- NOTE: THIS FILE IS AUTOGENERATED. DO NOT EDIT BY HAND. -->
+<!-- see templates/registry/markdown/attribute_namespace.md.j2 -->
+
+# Rule
+
+## Rule Attributes
+
+Describes rule attributes. Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.
+
+| Attribute          | Type   | Description                                                                                                                                     | Examples                                                  | Stability                                                        |
+| ------------------ | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------- | ---------------------------------------------------------------- |
+| `rule.author`      | string | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.                                     | `username1`                                               | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `rule.category`    | string | A categorization value keyword used by the entity using the rule for detection of this event                                                    | `Attempted Information Leak`                              | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `rule.description` | string | The description of the rule generating the event.                                                                                               | `Block requests to public DNS over HTTPS / TLS protocols` | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `rule.id`          | string | A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.                    | `101`                                                     | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `rule.license`     | string | Name of the license under which the rule used to generate this event is made available.                                                         | `Apache 2.0`                                              | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `rule.name`        | string | The name of the rule or signature generating the event.                                                                                         | `BLOCK_DNS_over_TLS`                                      | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `rule.reference`   | string | Reference URL to additional information about the rule used to generate this event. [1]                                                         | `https://en.wikipedia.org/wiki/DNS_over_TLS`              | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `rule.ruleset`     | string | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.                               | `Standard_Protocol_Filters`                               | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `rule.uuid`        | string | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | `550e8400-e29b-41d4-a716-446655440000`; `1100110011`      | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+| `rule.version`     | string | The version / revision of the rule being used for analysis.                                                                                     | `1.0.0`                                                   | ![Experimental](https://img.shields.io/badge/-experimental-blue) |
+
+**[1]:** The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.

model/registry/rule.yaml

@@ -0,0 +1,73 @@
+groups:
+  - id: registry.rule
+    prefix: rule
+    type: attribute_group
+    brief: >
+      Describes rule attributes. Rule fields are used to capture the specifics of any observer or agent rules
+      that generate alerts or other notable events.
+    attributes:
+      - id: author
+        stability: experimental
+        type: string
+        brief: >
+          Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
+        examples: ['username1']
+      - id: category
+        type: string
+        stability: experimental
+        brief: >
+          A categorization value keyword used by the entity using the rule for detection of this event
+        examples: ['Attempted Information Leak']
+      - id: description
+        type: string
+        stability: experimental
+        brief: >
+          The description of the rule generating the event.
+        examples: ['Block requests to public DNS over HTTPS / TLS protocols']
+      - id: id
+        type: string
+        stability: experimental
+        brief: >
+          A rule ID that is unique within the scope of an agent, observer,
+          or other entity using the rule for detection of this event.
+        examples: ['101']
+      - id: license
+        type: string
+        stability: experimental
+        brief: >
+          Name of the license under which the rule used to generate this event is made available.
+        examples: ['Apache 2.0']
+      - id: name
+        type: string
+        stability: experimental
+        brief: >
+          The name of the rule or signature generating the event.
+        examples: ['BLOCK_DNS_over_TLS']
+      - id: reference
+        type: string
+        stability: experimental
+        brief: >
+          Reference URL to additional information about the rule used to generate this event.
+        note: >
+          The URL can point to the vendor’s documentation about the rule.
+          If that’s not available, it can also be a link to a more general page describing this type of alert.
+        examples: ['https://en.wikipedia.org/wiki/DNS_over_TLS']
+      - id: ruleset
+        type: string
+        stability: experimental
+        brief: >
+          Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
+        examples: ['Standard_Protocol_Filters']
+      - id: uuid
+        type: string
+        stability: experimental
+        brief: >
+          A rule ID that is unique within the scope of a set or group of agents, observers, or other entities
+          using the rule for detection of this event.
+        examples: ['550e8400-e29b-41d4-a716-446655440000', '1100110011']
+      - id: version
+        type: string
+        stability: experimental
+        brief: >
+          The version / revision of the rule being used for analysis.
+        examples: ['1.0.0']