detection_rules/etc/non-ecs-schema.json

{
  "endgame-*": {
    "endgame": {
      "metadata": {
        "type": "keyword"
      },
      "event_subtype_full": "keyword"
    }
  },
  "winlogbeat-*": {
    "winlog": {
      "event_data": {
        "AccessList": "keyword",
        "AccessMask": "keyword",
        "AccessMaskDescription": "keyword",
        "AllowedToDelegateTo": "keyword",
        "AttributeLDAPDisplayName": "keyword",
        "AttributeValue": "keyword",
        "CallerProcessName": "keyword",
        "CallTrace": "keyword",
        "ClientProcessId": "keyword",
        "Consumer": "keyword",
        "GrantedAccess": "keyword",
        "NewTargetUserName": "keyword",
        "ObjectClass": "keyword",
        "ObjectDN": "keyword",
        "ObjectName": "keyword",
        "OldTargetUserName": "keyword",
        "OriginalFileName": "keyword",
        "ParentProcessId": "keyword",
        "ProcessName": "keyword",
        "Properties": "keyword",
        "RelativeTargetName": "keyword",
        "ShareName": "keyword",
        "SubjectLogonId": "keyword",
        "SubjectUserName": "keyword",
        "SubjectUserSid": "keyword",
        "TargetUserName": "keyword",
        "TargetImage": "keyword",
        "TargetLogonId": "keyword",
        "TargetProcessGUID": "keyword",
        "TargetSid": "keyword",
      	"SchemaFriendlyName": "keyword",
        "Resource": "keyword",
        "RpcCallClientLocality": "keyword",
        "PrivilegeList": "keyword",
        "AuthenticationPackageName" : "keyword",
        "TargetUserSid" : "keyword",
        "LogonProcessName": "keyword",
        "DnsHostName" : "keyword",
        "ServiceFileName": "keyword",
        "ImagePath": "keyword",
        "TaskName": "keyword",
        "Status": "keyword",
        "EnabledPrivilegeList": "keyword",
        "Operation": "keyword",
        "OperationType": "keyword"
      }
    },
    "winlog.logon.type": "keyword",
    "winlog.logon.id": "keyword",
    "powershell.file.script_block_text": "text"
  },
  "filebeat-*": {
    "o365.audit.NewValue": "keyword",
    "labels.is_ioc_transform_source": "keyword"
  },
  "logs-endpoint.events.*": {
    "process.Ext.token.integrity_level_name": "keyword",
    "process.parent.Ext.real.pid": "long",
    "process.Ext.effective_parent.executable": "keyword",
    "process.Ext.effective_parent.name": "keyword",
    "file.Ext.header_bytes": "keyword",
    "file.Ext.entropy": "long",
    "file.Ext.windows.zone_identifier": "long",
    "file.size": "long",
    "file.Ext.original.name": "keyword",
    "dll.Ext.device.product_id": "keyword",
    "dll.Ext.relative_file_creation_time": "double",
    "dll.Ext.relative_file_name_modify_time": "double",
    "process.Ext.relative_file_name_modify_time": "double",
    "process.Ext.relative_file_creation_time": "double",
    "Target.process.name": "keyword",
    "process.Ext.api.name": "keyword"
  },
  "logs-windows.*": {
    "powershell.file.script_block_text": "text"
  },
  "logs-kubernetes.*": {
    "kubernetes.audit.objectRef.resource": "keyword",
    "kubernetes.audit.objectRef.subresource": "keyword",
    "kubernetes.audit.verb": "keyword",
    "kubernetes.audit.user.username": "keyword",
    "kubernetes.audit.impersonatedUser.username": "keyword",
    "kubernetes.audit.annotations.authorization_k8s_io/decision": "keyword",
    "kubernetes.audit.annotations.authorization_k8s_io/reason": "keyword",
    "kubernetes.audit.user.groups": "text",
    "kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "boolean",
    "kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation": "boolean",
    "kubernetes.audit.requestObject.spec.securityContext.runAsUser": "long",
    "kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser": "long",
    "kubernetes.audit.requestObject.spec.hostPID": "boolean",
    "kubernetes.audit.requestObject.spec.hostNetwork": "boolean",
    "kubernetes.audit.requestObject.spec.hostIPC": "boolean",
    "kubernetes.audit.requestObject.spec.volumes.hostPath.path": "keyword",
    "kubernetes.audit.requestObject.spec.type": "keyword",
    "kubernetes.audit.requestObject.rules.resources": "keyword",
    "kubernetes.audit.requestObject.rules.verb": "keyword",
    "kubernetes.audit.objectRef.namespace": "keyword",
    "kubernetes.audit.objectRef.serviceAccountName": "keyword",
    "kubernetes.audit.requestObject.spec.serviceAccountName": "keyword",
    "kubernetes.audit.responseStatus.reason": "keyword",
    "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add": "keyword",
    "kubernetes.audit.requestObject.spec.containers.image": "text"
  },
  ".alerts-security.*": {
    "signal.rule.name": "keyword",
    "signal.rule.threat.tactic.name": "keyword",
    "kibana.alert.rule.threat.tactic.id": "keyword",
    "kibana.alert.rule.rule_id": "keyword"
  },
  "logs-google_workspace*": {
    "gsuite.admin": "keyword",
    "gsuite.admin.new_value": "keyword",
    "gsuite.admin.setting.name": "keyword",
    "google_workspace.drive.owner_is_team_drive": "keyword",
    "google_workspace.drive.copy_type": "keyword",
    "google_workspace.drive.file.type": "keyword",
    "google_workspace.drive.visibility": "keyword",
    "google_workspace.token.client.id": "keyword",
    "google_workspace.token.scope.data.scope_name": "keyword"
  },
  "logs-ti_*": {
    "labels.is_ioc_transform_source": "keyword"
  },
  "logs-auditd_manager.auditd-*": {
    "auditd.data.a0": "keyword",
    "auditd.data.a1": "keyword",
    "auditd.data.a2": "keyword",
    "auditd.data.a3": "keyword"
  }
}
Add rule loader and dependencies 2020-06-29 23:17:38 -06:00			`{`
			`"endgame-*": {`
			`"endgame": {`
			`"metadata": {`
			`"type": "keyword"`
			`},`
			`"event_subtype_full": "keyword"`
			`}`
			`},`
			`"winlogbeat-*": {`
[New Rule] Scheduled Task Execution at Scale via GPO (#1605 ) 2022-01-19 22:06:48 -03:00			`"winlog": {`
			`"event_data": {`
			`"AccessList": "keyword",`
[New Rule] Potential Credential Access via DCSync (#1763 ) 2022-02-15 21:40:26 -03:00			`"AccessMask": "keyword",`
[New Rule] LSASS Memory Dump (#1784 ) 2022-02-24 08:14:01 -05:00			`"AccessMaskDescription": "keyword",`
[New Rule] KRBTGT Delegation Backdoor (#1743 ) 2022-02-01 10:08:54 -03:00			`"AllowedToDelegateTo": "keyword",`
[New Rule] Scheduled Task Execution at Scale via GPO (#1605 ) 2022-01-19 22:06:48 -03:00			`"AttributeLDAPDisplayName": "keyword",`
			`"AttributeValue": "keyword",`
[New Rule] LSASS Memory Dump (#1784 ) 2022-02-24 08:14:01 -05:00			`"CallerProcessName": "keyword",`
[New Rule] Scheduled Task Execution at Scale via GPO (#1605 ) 2022-01-19 22:06:48 -03:00			`"CallTrace": "keyword",`
[New Rule] Windows Service Installed via an Unusual Client (#1759 ) 2022-02-11 21:56:59 +01:00			`"ClientProcessId": "keyword",`
[New Rule] Suspicious WMI Event Subscription Created (#1860 ) 2023-08-29 16:42:19 -03:00			`"Consumer": "keyword",`
[New Rule] Scheduled Task Execution at Scale via GPO (#1605 ) 2022-01-19 22:06:48 -03:00			`"GrantedAccess": "keyword",`
[New Rule] Windows Service Installed via an Unusual Client (#1759 ) 2022-02-11 21:56:59 +01:00			`"NewTargetUserName": "keyword",`
[New Rule] User account exposed to Kerberoasting (#1789 ) 2022-03-23 16:31:47 -03:00			`"ObjectClass": "keyword",`
[New Rule] AdminSDHolder Backdoor (#1745 ) 2022-02-01 10:14:39 -03:00			`"ObjectDN": "keyword",`
[New Rule] LSASS Memory Dump (#1784 ) 2022-02-24 08:14:01 -05:00			`"ObjectName": "keyword",`
[New Rule] Windows Service Installed via an Unusual Client (#1759 ) 2022-02-11 21:56:59 +01:00			`"OldTargetUserName": "keyword",`
[New Rule] Startup/Logon Script added to Group Policy Object (#1607 ) 2022-01-20 09:11:23 -03:00			`"OriginalFileName": "keyword",`
[New Rule] Windows Service Installed via an Unusual Client (#1759 ) 2022-02-11 21:56:59 +01:00			`"ParentProcessId": "keyword",`
[New Rule] LSASS Memory Dump (#1784 ) 2022-02-24 08:14:01 -05:00			`"ProcessName": "keyword",`
			`"Properties": "keyword",`
[New Rule] Scheduled Task Execution at Scale via GPO (#1605 ) 2022-01-19 22:06:48 -03:00			`"RelativeTargetName": "keyword",`
			`"ShareName": "keyword",`
			`"SubjectLogonId": "keyword",`
Check integrations cross major versions for older release support (#2520 ) 2023-02-02 18:17:02 -05:00			`"SubjectUserName": "keyword",`
[New Rules] T1134 Access Token Manipulation (#2373 ) 2022-11-15 19:50:47 +00:00			`"SubjectUserSid": "keyword",`
[New Rule] Scheduled Task Creation using winlog (#2277 ) 2022-09-19 18:50:45 +02:00			`"TargetUserName": "keyword",`
[New Rule] Scheduled Task Execution at Scale via GPO (#1605 ) 2022-01-19 22:06:48 -03:00			`"TargetImage": "keyword",`
			`"TargetLogonId": "keyword",`
			`"TargetProcessGUID": "keyword",`
[Bug] Remove duplicate key in non-ecs-schema (#2319 ) 2022-09-21 18:03:08 -04:00			`"TargetSid": "keyword",`
[New Rule] Multiple Vault Web credentials were read (#2281 ) 2022-09-19 19:07:05 +02:00			`"SchemaFriendlyName": "keyword",`
[Bug] Remove duplicate key in non-ecs-schema (#2319 ) 2022-09-21 18:03:08 -04:00			`"Resource": "keyword",`
[Tuning] Remote Scheduled Task Creation (#3337 ) 2023-12-14 23:39:52 +00:00			`"RpcCallClientLocality": "keyword",`
[Bug] Remove duplicate key in non-ecs-schema (#2319 ) 2022-09-21 18:03:08 -04:00			`"PrivilegeList": "keyword",`
			`"AuthenticationPackageName" : "keyword",`
			`"TargetUserSid" : "keyword",`
[New Rule] Process Creation via Secondary Logon (#2282 ) 2022-09-19 20:04:08 +02:00			`"LogonProcessName": "keyword",`
Check integrations cross major versions for older release support (#2520 ) 2023-02-02 18:17:02 -05:00			`"DnsHostName" : "keyword",`
			`"ServiceFileName": "keyword",`
			`"ImagePath": "keyword",`
			`"TaskName": "keyword",`
[New Rule] Windows Services - winlog (#2280 ) 2022-11-16 10:08:02 +00:00			`"Status": "keyword",`
[New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset (#3265 ) 2023-12-12 10:31:45 -05:00			`"EnabledPrivilegeList": "keyword",`
[New Rule] Suspicious WMI Event Subscription Created (#1860 ) 2023-08-29 16:42:19 -03:00			`"Operation": "keyword",`
[New Rules] T1134 Access Token Manipulation (#2373 ) 2022-11-15 19:50:47 +00:00			`"OperationType": "keyword"`
[New Rule] Scheduled Task Execution at Scale via GPO (#1605 ) 2022-01-19 22:06:48 -03:00			`}`
			`},`
Check integrations cross major versions for older release support (#2520 ) 2023-02-02 18:17:02 -05:00			`"winlog.logon.type": "keyword",`
[New Rule] Windows Services - winlog (#2280 ) 2022-11-16 10:08:02 +00:00			`"winlog.logon.id": "keyword",`
[New Rule] PowerShell Suspicious Discovery Related Windows API Functions (#1548 ) 2021-10-14 06:54:45 -03:00			`"powershell.file.script_block_text": "text"`
[New Rule] Microsoft 365 Teams Custom Application Interaction Allowed (#657 ) 2020-12-08 17:36:47 -05:00			`},`
			`"filebeat-*": {`
[Proposal] Break Threat Intel Indicator Match rules into Indicator-type rules (#2777 ) 2023-06-28 10:22:24 -03:00			`"o365.audit.NewValue": "keyword",`
			`"labels.is_ioc_transform_source": "keyword"`
[New Rule] Parent Process PID Spoofing (#1338 ) 2021-07-15 22:55:46 +02:00			`},`
			`"logs-endpoint.events.*": {`
			`"process.Ext.token.integrity_level_name": "keyword",`
Check integrations cross major versions for older release support (#2520 ) 2023-02-02 18:17:02 -05:00			`"process.parent.Ext.real.pid": "long",`
			`"process.Ext.effective_parent.executable": "keyword",`
[New Rule] Suspicious Inter-Process Communication via Outlook (#2458 ) 2023-01-25 17:44:32 +00:00			`"process.Ext.effective_parent.name": "keyword",`
Check integrations cross major versions for older release support (#2520 ) 2023-02-02 18:17:02 -05:00			`"file.Ext.header_bytes": "keyword",`
[New Rules] T1134 Access Token Manipulation (#2373 ) 2022-11-15 19:50:47 +00:00			`"file.Ext.entropy": "long",`
[New Rule] New BBR Rules - Part 3 (#3034 ) 2023-09-12 21:28:01 -03:00			`"file.Ext.windows.zone_identifier": "long",`
[New Rule] Unsigned DLL Side-Loading from a Suspicious Folder (#2409 ) 2023-01-25 13:23:20 +00:00			`"file.size": "long",`
[New Rules] C2 via BITS and CertReq (#2466 ) 2023-01-27 20:17:36 +00:00			`"file.Ext.original.name": "keyword",`
[New Rule] Building Block Rules - Part 2 (#2923 ) 2023-08-17 13:00:50 -03:00			`"dll.Ext.device.product_id": "keyword",`
Check integrations cross major versions for older release support (#2520 ) 2023-02-02 18:17:02 -05:00			`"dll.Ext.relative_file_creation_time": "double",`
[New Rules] C2 via BITS and CertReq (#2466 ) 2023-01-27 20:17:36 +00:00			`"dll.Ext.relative_file_name_modify_time": "double",`
[New Rule] T1543.003 - Unsigned DLL Loaded by Svchost (#2477 ) 2023-01-25 17:11:38 +00:00			`"process.Ext.relative_file_name_modify_time": "double",`
[New Rule] Lsass Process Access - Generic (#2613 ) 2023-04-03 14:34:30 +01:00			`"process.Ext.relative_file_creation_time": "double",`
			`"Target.process.name": "keyword",`
[FR] Add Support for Multi-Fields and Validation in Rules (#2882 ) 2023-06-28 20:35:33 -04:00			`"process.Ext.api.name": "keyword"`
[New Rule] PowerShell Suspicious Discovery Related Windows API Functions (#1548 ) 2021-10-14 06:54:45 -03:00			`},`
			`"logs-windows.*": {`
			`"powershell.file.script_block_text": "text"`
[New Rule] Kubernetes execution_user_exec_to_pod (#1979 ) 2022-06-09 17:52:45 -04:00			`},`
			`"logs-kubernetes.*": {`
			`"kubernetes.audit.objectRef.resource": "keyword",`
[New Rule] Kubernetes Pod Created with Sensitive hostPath Volume (#2094 ) 2022-07-28 13:09:26 -04:00			`"kubernetes.audit.objectRef.subresource": "keyword",`
			`"kubernetes.audit.verb": "keyword",`
			`"kubernetes.audit.user.username": "keyword",`
			`"kubernetes.audit.impersonatedUser.username": "keyword",`
			`"kubernetes.audit.annotations.authorization_k8s_io/decision": "keyword",`
			`"kubernetes.audit.annotations.authorization_k8s_io/reason": "keyword",`
			`"kubernetes.audit.user.groups": "text",`
[Bug] Remove duplicate key in non-ecs-schema (#2319 ) 2022-09-21 18:03:08 -04:00			`"kubernetes.audit.requestObject.spec.containers.securityContext.privileged": "boolean",`
[New Rule] Kubernetes Pod Created with Sensitive hostPath Volume (#2094 ) 2022-07-28 13:09:26 -04:00			`"kubernetes.audit.requestObject.spec.containers.securityContext.allowPrivilegeEscalation": "boolean",`
			`"kubernetes.audit.requestObject.spec.securityContext.runAsUser": "long",`
			`"kubernetes.audit.requestObject.spec.containers.securityContext.runAsUser": "long",`
			`"kubernetes.audit.requestObject.spec.hostPID": "boolean",`
			`"kubernetes.audit.requestObject.spec.hostNetwork": "boolean",`
			`"kubernetes.audit.requestObject.spec.hostIPC": "boolean",`
			`"kubernetes.audit.requestObject.spec.volumes.hostPath.path": "keyword",`
			`"kubernetes.audit.requestObject.spec.type": "keyword",`
			`"kubernetes.audit.requestObject.rules.resources": "keyword",`
[New Rule] Kubernetes Denied Service Account Request (#2299 ) 2022-09-19 13:22:20 -04:00			`"kubernetes.audit.requestObject.rules.verb": "keyword",`
[New Rule] Kubernetes Suspicious Assignment of Controller Service Account (#2298 ) 2022-09-19 13:35:37 -04:00			`"kubernetes.audit.objectRef.namespace": "keyword",`
			`"kubernetes.audit.objectRef.serviceAccountName": "keyword",`
			`"kubernetes.audit.requestObject.spec.serviceAccountName": "keyword",`
Rule Changes (#2337 ) 2022-10-04 16:56:45 -04:00			`"kubernetes.audit.responseStatus.reason": "keyword",`
Check integrations cross major versions for older release support (#2520 ) 2023-02-02 18:17:02 -05:00			`"kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add": "keyword",`
Rule Changes (#2337 ) 2022-10-04 16:56:45 -04:00			`"kubernetes.audit.requestObject.spec.containers.image": "text"`
[New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host (#2399 ) 2022-11-18 12:38:27 -08:00			`},`
[Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host (#2423 ) 2022-12-16 11:05:18 -08:00			`".alerts-security.*": {`
[New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host (#2399 ) 2022-11-18 12:38:27 -08:00			`"signal.rule.name": "keyword",`
[New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset (#3265 ) 2023-12-12 10:31:45 -05:00			`"signal.rule.threat.tactic.name": "keyword",`
[Tuning] Windows Discovery Rule Tuning for UEBA (#3097 ) 2023-10-11 09:43:26 +02:00			`"kibana.alert.rule.threat.tactic.id": "keyword",`
			`"kibana.alert.rule.rule_id": "keyword"`
Check integrations cross major versions for older release support (#2520 ) 2023-02-02 18:17:02 -05:00			`},`
			`"logs-google_workspace*": {`
			`"gsuite.admin": "keyword",`
			`"gsuite.admin.new_value": "keyword",`
[New Rule] Google Workspace Resource Copied from External Drive (#2627 ) 2023-03-20 14:37:58 -04:00			`"gsuite.admin.setting.name": "keyword",`
			`"google_workspace.drive.owner_is_team_drive": "keyword",`
			`"google_workspace.drive.copy_type": "keyword",`
[New Rule] Google Workspace Drive - Encryption Key(s) Accessed from Anonymous User (#2654 ) 2023-03-24 12:21:56 -04:00			`"google_workspace.drive.file.type": "keyword",`
[Rule Tuning] Add Sequence for OAuth Authorization to Custom App - Google Workspace (#2674 ) 2023-04-12 09:15:58 -04:00			`"google_workspace.drive.visibility": "keyword",`
[New Rule] Google Workspace New OAuth Login from Third-Party Application (#2677 ) 2023-04-12 09:40:31 -04:00			`"google_workspace.token.client.id": "keyword",`
			`"google_workspace.token.scope.data.scope_name": "keyword"`
[Proposal] Break Threat Intel Indicator Match rules into Indicator-type rules (#2777 ) 2023-06-28 10:22:24 -03:00			`},`
			`"logs-ti_*": {`
			`"labels.is_ioc_transform_source": "keyword"`
[New Rule] Pspy Process Monitoring Detected (#2945 ) 2023-07-26 15:58:33 +02:00			`},`
			`"logs-auditd_manager.auditd-*": {`
			`"auditd.data.a0": "keyword",`
			`"auditd.data.a1": "keyword",`
			`"auditd.data.a2": "keyword",`
			`"auditd.data.a3": "keyword"`
Add rule loader and dependencies 2020-06-29 23:17:38 -06:00			`}`
			`}`