{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://spec.agentthreatrule.org/correlation/v1.0/schema.json", "title": "ATR Correlation Rule v1.0", "description": "Machine-readable schema for ATR correlation rule format. Normative spec at spec/atr-correlation-v1.0.md. License: CC BY 4.0.", "type": "object", "required": ["correlation", "source_rules", "correlation_logic", "response"], "additionalProperties": false, "properties": { "correlation": { "type": "object", "required": [ "schema_version", "id", "title", "description", "status", "severity", "author", "date", "license" ], "properties": { "schema_version": {"const": "1.0"}, "id": { "type": "string", "pattern": "^ATR-COR-(?:[A-Z]{2}-)?[0-9]{4}-[0-9]{5}$" }, "title": {"type": "string", "minLength": 3}, "description": {"type": "string", "minLength": 20}, "status": { "type": "string", "enum": ["draft", "experimental", "stable", "deprecated"] }, "severity": { "type": "string", "enum": ["critical", "high", "medium", "low", "informational"] }, "author": {"type": "string"}, "date": {"type": "string", "format": "date"}, "license": {"type": "string"}, "references": { "type": "object", "additionalProperties": true } } }, "source_rules": { "type": "array", "minItems": 1, "items": { "type": "object", "required": ["alias"], "oneOf": [ {"required": ["rule_id"], "properties": {"alias": {"type": "string"}, "rule_id": {"type": "string", "pattern": "^ATR-(?:[A-Z]{2}-)?[0-9]{4}-[0-9]{5}$"}}, "additionalProperties": false}, {"required": ["rule_id_pattern"], "properties": {"alias": {"type": "string"}, "rule_id_pattern": {"type": "string"}}, "additionalProperties": false}, {"required": ["category"], "properties": {"alias": {"type": "string"}, "category": {"type": "string"}}, "additionalProperties": false} ] } }, "correlation_logic": { "type": "object", "required": ["type"], "properties": { "type": { "type": "string", "enum": [ "temporal_sequence", "temporal_unordered", "count_threshold", "value_overlap", "chain_propagation" ] }, "sequence": { "type": "array", "items": {"type": "object", "required": ["alias"], "properties": {"alias": {"type": "string"}}} }, "count": { "type": "object", "properties": { "rule_alias": {"type": "string"}, "threshold": {"type": "integer", "minimum": 1} } }, "value_overlap_field": {"type": "string"}, "join_keys": { "type": "array", "items": {"type": "string"}, "minItems": 1 }, "window": { "type": "object", "oneOf": [ {"required": ["type", "duration"], "properties": {"type": {"const": "wall_time"}, "duration": {"type": "string", "pattern": "^[0-9]+[smhd]$"}}, "additionalProperties": false}, {"required": ["type", "max_session_count"], "properties": {"type": {"const": "session_chain"}, "max_session_count": {"type": "integer", "minimum": 2}, "max_wall_time": {"type": "string", "pattern": "^[0-9]+[smhd]$"}}, "additionalProperties": false}, {"required": ["type", "max_depth"], "properties": {"type": {"const": "chain_depth"}, "max_depth": {"type": "integer", "minimum": 2}}, "additionalProperties": false}, {"required": ["type"], "properties": {"type": {"const": "unbounded"}}, "additionalProperties": false} ] } } }, "response": { "type": "object", "required": ["severity_uplift", "actions"], "properties": { "severity_uplift": { "type": "string", "enum": ["critical", "high", "medium", "low", "informational"] }, "actions": { "type": "array", "items": { "type": "string", "enum": [ "block_input", "block_output", "redact", "alert", "snapshot", "quarantine", "terminate_session" ] }, "minItems": 1 }, "message_template": {"type": "string"} } }, "test_cases": { "type": "object", "properties": { "true_positive_streams": { "type": "array", "items": {"type": "string", "description": "Path to JSONL fixture stream (positive case)"} }, "true_negative_streams": { "type": "array", "items": {"type": "string", "description": "Path to JSONL fixture stream (negative case)"} } } } } }