--- type: map mapping: # Id field enhancement possibility commenting out for now # "Id": # type: str # required: true # pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}' "Name": type: str required: true "Description": type: str required: true "Author": type: str required: true "Created": type: date required: true "Commands": type: seq required: true sequence: - type: map mapping: "Command": type: str required: true "Description": type: str required: true "Usecase": type: str required: true "Category": type: str required: true enum: [ADS, AWL Bypass, Compile, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, UAC Bypass, Upload] "Privileges": type: str required: true "MitreID": type: str required: true pattern: 'T[0-9]{4}' "OperatingSystem": type: str required: true "Full_Path": type: seq required: true sequence: - type: map mapping: "Path": type: str required: true "Code_Sample": type: seq required: false sequence: - type: map mapping: "Code": type: str "Detection": type: seq required: false sequence: - type: map mapping: "IOC": type: str "Sigma": type: str pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' "Analysis": type: str pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' "Elastic": type: str pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' "Splunk": type: str pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' "BlockRule": type: str pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' "Resources": type: seq required: false sequence: - type: map mapping: "Link": type: str pattern: 'http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+' "Acknowledgement": type: seq required: false sequence: - type: map mapping: "Person": type: str "Handle": type: str