New to SecOps and I am creating a detection rule based on MS Defender events. I'd like to set the severity of the detection based on the severity from Defender. Can a variable be used in the meta section?
meta:
    author = "JAB"
    id = "asdfasdfasdf"
    severity = "$Severity"
I created the $Severity variable in the outcomes section. Any ideas or suggestions?
Unfortunately, this is not possible today. There is a feature request for it already but I don't know when it will be implemented. The only thing you can do today is set a variable (say severity_outcome) in the outcome section and use that in your downstream processing.
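A rule sketch of the workaround described in the answer above, added here as an example (it is not the poster's rule and not taken from Google's documentation). The Defender product name, the event selection, and the score values are assumptions; the point is that meta.severity stays a literal while the per-event severity is carried in an outcome variable for downstream use.

```yaral
rule defender_alert_with_severity_outcome {
  meta:
    author = "JAB"
    description = "Carry Microsoft Defender alert severity into an outcome variable"
    // meta values must be literals; a $variable is not accepted here
    severity = "MEDIUM"

  events:
    // assumed product name as normalised in UDM; check your own ingested events
    $e.metadata.product_name = "Microsoft Defender for Endpoint"
    $e.security_result.severity != "UNKNOWN_SEVERITY"
    $host = $e.principal.hostname

  match:
    $host over 1h

  outcome:
    // distinct Defender severities seen for this host in the window
    $severity_outcome = array_distinct($e.security_result.severity)
    // numeric score derived from the event severity (assumed weights)
    $risk_score = max(
      if($e.security_result.severity = "CRITICAL", 100, 0) +
      if($e.security_result.severity = "HIGH", 75, 0) +
      if($e.security_result.severity = "MEDIUM", 50, 0) +
      if($e.security_result.severity = "LOW", 25, 0)
    )

  condition:
    $e
}
```

$severity_outcome and $risk_score are then available on each detection for alert routing or a SOAR playbook; the static meta severity still governs what the rule itself is labelled.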