# appsec-event-rules

**Repository Path**: mirrors_DataDog/appsec-event-rules

## Basic Information

- **Project Name**: appsec-event-rules
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: Apache-2.0
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2022-01-31
- **Last Updated**: 2025-09-20

## Categories & Tags

**Categories**: Uncategorized
**Tags**: None

## README

# Appsec Event Rules

This repo contains the default AppSec Event rules, created by our security team.

## Rules

The rules live in the `rules` folder and are grouped into the following collections:

- recommended: the rules currently bundled with the AppSec libraries
- strict: rules still under development that can generate some false positives
- risky: rules still under development that can generate a lot of false positives
- shadow-deployed: rules under qualification that won't appear in the interface until they're certified not to trigger false positives. Those rules also won't trigger signals.

## Rule Structure Example

Every rule must have `id`, `name` and `conditions`.

Example:

```yaml
id: crs-913-110
name: Found request header associated with Acunetix security scanner
tags:
  type: security_scanner
  crs_id: '913110'
  category: attack_attempt
conditions:
  - parameters:
      inputs:
        - address: server.request.headers.no_cookies
      list:
        - acunetix-product
        - (acunetix web vulnerability scanner
        - acunetix-scanning-agreement
        - acunetix-user-agreement
    operator: phrase_match
    transformers:
      - lowercase
```

## Build the rules

Choose the collection you want to generate and run the build script:

```sh
node tools/build.js --source ./rules --output ./build --collection "recommended"
```

## Validation

This repository currently represents the source of truth: the rules present here are shipped to clients.
The CI has a rule validation step (see the [schemas folder](https://github.com/DataDog/appsec-event-rules/tree/main/schemas)). Any rule validation must currently be enforced in this repository.
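To make the rule structure from the example above concrete, here is a small added evaluator (not code from the DataDog repository or its libraries) that applies the `crs-913-110` rule's `lowercase` transformer and `phrase_match` operator to request headers at the `server.request.headers.no_cookies` address. The rule object is the page's YAML example transcribed into JavaScript; the sample requests and the `valuesAt`/`evaluateRule` helper names are constructed for the example.

```javascript
// Added example, not the repository's code: a minimal evaluator for the rule shape above.
// The rule is the page's crs-913-110 example transcribed from YAML; the requests are constructed.
const rule = {
  id: 'crs-913-110',
  name: 'Found request header associated with Acunetix security scanner',
  tags: { type: 'security_scanner', crs_id: '913110', category: 'attack_attempt' },
  conditions: [{
    operator: 'phrase_match',
    transformers: ['lowercase'],
    parameters: {
      inputs: [{ address: 'server.request.headers.no_cookies' }],
      list: ['acunetix-product', '(acunetix web vulnerability scanner',
             'acunetix-scanning-agreement', 'acunetix-user-agreement'],
    },
  }],
};
// Transformers normalise each value before the operator sees it.
const TRANSFORMERS = { lowercase: (s) => s.toLowerCase() };
// Operators return the matched phrase, or undefined. phrase_match is a substring test.
const OPERATORS = {
  phrase_match: (value, params) => params.list.find((p) => value.includes(p)),
};
// Both header names and header values are inspected, since this rule keys on a header name.
function valuesAt(request, address) {
  return Object.entries(request[address] || {}).flatMap(([k, v]) => [k, String(v)]);
}
// Returns an event object when every condition of the rule matches, otherwise null.
function evaluateRule(rule, request) {
  const hits = [];
  for (const cond of rule.conditions) {
    const op = OPERATORS[cond.operator];
    const xf = (cond.transformers || []).map((t) => TRANSFORMERS[t]);
    let hit = null;
    for (const { address } of cond.parameters.inputs) {
      for (const raw of valuesAt(request, address)) {
        const value = xf.reduce((acc, f) => f(acc), raw);
        const matched = op(value, cond.parameters);
        if (matched !== undefined) { hit = { address, value, matched }; break; }
      }
      if (hit) break;
    }
    if (!hit) return null; // all conditions must match for the rule to fire
    hits.push(hit);
  }
  return { rule_id: rule.id, name: rule.name, tags: rule.tags, hits };
}
// Constructed sample requests: one carrying a scanner header name, one benign.
const HDRS = 'server.request.headers.no_cookies';
const scannerRequest = { [HDRS]: { 'user-agent': 'Mozilla/5.0', 'Acunetix-Product': 'WVS/1.0' } };
const benignRequest = { [HDRS]: { 'user-agent': 'Mozilla/5.0', accept: '*/*' } };
```

Calling `evaluateRule(rule, scannerRequest)` returns an event carrying the rule's `id`, `tags` and the matched phrase, while the benign request yields `null`; the `lowercase` transformer is what lets a mixed-case header name hit the all-lowercase phrase list.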