security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prep for Release 9.3 (#5548)

Browse Source
This commit is contained in:
shashank-elastic
2026-01-12 21:07:07 +05:30
committed by GitHub
parent 8b84c26286
commit 1ce072a4e5
99 changed files with 4599 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/api_schemas/9.3/9.3.base.json
+433
View File
@@ -0,0 +1,433 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": [
"string"
]
},
"description": {
"type": "string"
},
"enabled": {
"type": [
"boolean"
]
},
"exceptions_list": {
"items": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"type": [
"array"
]
},
"false_positives": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"from": {
"type": [
"string"
]
},
"interval": {
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"license": {
"type": [
"string"
]
},
"max_signals": {
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": [
"object"
]
},
"name": {
"type": "string"
},
"note": {
"description": "Markdown",
"type": [
"string"
]
},
"references": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"package": {
"minLength": 1,
"type": "string"
}
},
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs"
],
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"revision": {
"min_compat": "8.8",
"type": [
"integer"
]
},
"risk_score": {
"maximum": 100,
"minimum": 0,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
"type": [
"string"
]
},
"setup": {
"description": "Markdown",
"min_compat": "8.3",
"type": [
"string"
]
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"severity": {
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"tags": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK",
"MITRE ATLAS"
],
"enumNames": [],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": [
"array"
]
},
"throttle": {
"type": [
"string"
]
},
"timeline_id": {
"type": "string"
},
"timeline_title": {
"type": "string"
},
"timestamp_override": {
"type": [
"string"
]
},
"to": {
"type": [
"string"
]
},
"type": {
"enum": [
"query",
"saved_query",
"machine_learning",
"eql",
"esql",
"threshold",
"threat_match",
"new_terms"
],
"enumNames": [],
"type": "string"
},
"version": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"severity",
"type"
],
"type": "object"
}
detection_rules/etc/api_schemas/9.3/9.3.eql.json
+512
View File
@@ -0,0 +1,512 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit"
],
"type": "object"
},
"group_by": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": [
"string"
]
},
"data_view_id": {
"type": [
"string"
]
},
"description": {
"type": "string"
},
"enabled": {
"type": [
"boolean"
]
},
"event_category_override": {
"min_compat": "8.0",
"type": [
"string"
]
},
"exceptions_list": {
"items": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"type": [
"array"
]
},
"false_positives": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"from": {
"type": [
"string"
]
},
"index": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"interval": {
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql"
],
"type": "string"
},
"license": {
"type": [
"string"
]
},
"max_signals": {
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": [
"object"
]
},
"name": {
"type": "string"
},
"note": {
"description": "Markdown",
"type": [
"string"
]
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"package": {
"minLength": 1,
"type": "string"
}
},
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs"
],
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"revision": {
"min_compat": "8.8",
"type": [
"integer"
]
},
"risk_score": {
"maximum": 100,
"minimum": 0,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
"type": [
"string"
]
},
"setup": {
"description": "Markdown",
"min_compat": "8.3",
"type": [
"string"
]
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"severity": {
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"tags": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK",
"MITRE ATLAS"
],
"enumNames": [],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": [
"array"
]
},
"throttle": {
"type": [
"string"
]
},
"tiebreaker_field": {
"min_compat": "8.0",
"type": [
"string"
]
},
"timeline_id": {
"type": "string"
},
"timeline_title": {
"type": "string"
},
"timestamp_field": {
"min_compat": "8.0",
"type": [
"string"
]
},
"timestamp_override": {
"type": [
"string"
]
},
"to": {
"type": [
"string"
]
},
"type": {
"enum": [
"eql"
],
"type": "string"
},
"version": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"query",
"severity",
"type"
],
"type": "object"
}
detection_rules/etc/api_schemas/9.3/9.3.esql.json
+494
View File
@@ -0,0 +1,494 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit"
],
"type": "object"
},
"group_by": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": [
"string"
]
},
"data_view_id": {
"type": [
"string"
]
},
"description": {
"type": "string"
},
"enabled": {
"type": [
"boolean"
]
},
"exceptions_list": {
"items": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"type": [
"array"
]
},
"false_positives": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"from": {
"type": [
"string"
]
},
"index": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"interval": {
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"esql"
],
"type": "string"
},
"license": {
"type": [
"string"
]
},
"max_signals": {
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": [
"object"
]
},
"name": {
"type": "string"
},
"note": {
"description": "Markdown",
"type": [
"string"
]
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"package": {
"minLength": 1,
"type": "string"
}
},
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs"
],
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"revision": {
"min_compat": "8.8",
"type": [
"integer"
]
},
"risk_score": {
"maximum": 100,
"minimum": 0,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
"type": [
"string"
]
},
"setup": {
"description": "Markdown",
"min_compat": "8.3",
"type": [
"string"
]
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"severity": {
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"tags": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK",
"MITRE ATLAS"
],
"enumNames": [],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": [
"array"
]
},
"throttle": {
"type": [
"string"
]
},
"timeline_id": {
"type": "string"
},
"timeline_title": {
"type": "string"
},
"timestamp_override": {
"type": [
"string"
]
},
"to": {
"type": [
"string"
]
},
"type": {
"enum": [
"esql"
],
"type": "string"
},
"version": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"query",
"severity",
"type"
],
"type": "object"
}
detection_rules/etc/api_schemas/9.3/9.3.machine_learning.json
+488
View File
@@ -0,0 +1,488 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit"
],
"type": "object"
},
"group_by": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"type": "object"
},
"anomaly_threshold": {
"type": "integer"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": [
"string"
]
},
"description": {
"type": "string"
},
"enabled": {
"type": [
"boolean"
]
},
"exceptions_list": {
"items": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"type": [
"array"
]
},
"false_positives": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"from": {
"type": [
"string"
]
},
"interval": {
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"license": {
"type": [
"string"
]
},
"machine_learning_job_id": {
"anyOf": [
{
"type": "string"
},
{
"items": {
"type": "string"
},
"type": "array"
}
]
},
"max_signals": {
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": [
"object"
]
},
"name": {
"type": "string"
},
"note": {
"description": "Markdown",
"type": [
"string"
]
},
"references": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"package": {
"minLength": 1,
"type": "string"
}
},
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs"
],
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"revision": {
"min_compat": "8.8",
"type": [
"integer"
]
},
"risk_score": {
"maximum": 100,
"minimum": 0,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
"type": [
"string"
]
},
"setup": {
"description": "Markdown",
"min_compat": "8.3",
"type": [
"string"
]
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"severity": {
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"tags": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK",
"MITRE ATLAS"
],
"enumNames": [],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": [
"array"
]
},
"throttle": {
"type": [
"string"
]
},
"timeline_id": {
"type": "string"
},
"timeline_title": {
"type": "string"
},
"timestamp_override": {
"type": [
"string"
]
},
"to": {
"type": [
"string"
]
},
"type": {
"enum": [
"machine_learning"
],
"type": "string"
},
"version": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"anomaly_threshold",
"author",
"description",
"machine_learning_job_id",
"severity",
"type"
],
"type": "object"
}
detection_rules/etc/api_schemas/9.3/9.3.new_terms.json
+534
View File
@@ -0,0 +1,534 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit"
],
"type": "object"
},
"group_by": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": [
"string"
]
},
"data_view_id": {
"type": [
"string"
]
},
"description": {
"type": "string"
},
"enabled": {
"type": [
"boolean"
]
},
"exceptions_list": {
"items": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"type": [
"array"
]
},
"false_positives": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"from": {
"type": [
"string"
]
},
"index": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"interval": {
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": [
"string"
]
},
"max_signals": {
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": [
"object"
]
},
"name": {
"type": "string"
},
"new_terms": {
"additionalProperties": false,
"properties": {
"field": {
"minLength": 1,
"type": "string"
},
"history_window_start": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"minLength": 1,
"type": "string"
}
},
"type": "object"
},
"type": "array"
},
"value": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
}
},
"required": [
"history_window_start"
],
"type": "object"
},
"note": {
"description": "Markdown",
"type": [
"string"
]
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"package": {
"minLength": 1,
"type": "string"
}
},
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs"
],
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"revision": {
"min_compat": "8.8",
"type": [
"integer"
]
},
"risk_score": {
"maximum": 100,
"minimum": 0,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
"type": [
"string"
]
},
"setup": {
"description": "Markdown",
"min_compat": "8.3",
"type": [
"string"
]
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"severity": {
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"tags": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK",
"MITRE ATLAS"
],
"enumNames": [],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": [
"array"
]
},
"throttle": {
"type": [
"string"
]
},
"timeline_id": {
"type": "string"
},
"timeline_title": {
"type": "string"
},
"timestamp_override": {
"type": [
"string"
]
},
"to": {
"type": [
"string"
]
},
"type": {
"enum": [
"new_terms"
],
"type": "string"
},
"version": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"new_terms",
"query",
"severity",
"type"
],
"type": "object"
}
detection_rules/etc/api_schemas/9.3/9.3.query.json
+498
View File
@@ -0,0 +1,498 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit"
],
"type": "object"
},
"group_by": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": [
"string"
]
},
"data_view_id": {
"type": [
"string"
]
},
"description": {
"type": "string"
},
"enabled": {
"type": [
"boolean"
]
},
"exceptions_list": {
"items": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"type": [
"array"
]
},
"false_positives": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"from": {
"type": [
"string"
]
},
"index": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"interval": {
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": [
"string"
]
},
"max_signals": {
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": [
"object"
]
},
"name": {
"type": "string"
},
"note": {
"description": "Markdown",
"type": [
"string"
]
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"package": {
"minLength": 1,
"type": "string"
}
},
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs"
],
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"revision": {
"min_compat": "8.8",
"type": [
"integer"
]
},
"risk_score": {
"maximum": 100,
"minimum": 0,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
"type": [
"string"
]
},
"setup": {
"description": "Markdown",
"min_compat": "8.3",
"type": [
"string"
]
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"severity": {
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"tags": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK",
"MITRE ATLAS"
],
"enumNames": [],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": [
"array"
]
},
"throttle": {
"type": [
"string"
]
},
"timeline_id": {
"type": "string"
},
"timeline_title": {
"type": "string"
},
"timestamp_override": {
"type": [
"string"
]
},
"to": {
"type": [
"string"
]
},
"type": {
"enum": [
"query"
],
"type": "string"
},
"version": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"query",
"severity",
"type"
],
"type": "object"
}
detection_rules/etc/api_schemas/9.3/9.3.threat_match.json
+585
View File
@@ -0,0 +1,585 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit"
],
"type": "object"
},
"group_by": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": [
"string"
]
},
"data_view_id": {
"type": [
"string"
]
},
"description": {
"type": "string"
},
"enabled": {
"type": [
"boolean"
]
},
"exceptions_list": {
"items": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"type": [
"array"
]
},
"false_positives": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"from": {
"type": [
"string"
]
},
"index": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"interval": {
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": [
"string"
]
},
"max_signals": {
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": [
"object"
]
},
"name": {
"type": "string"
},
"note": {
"description": "Markdown",
"type": [
"string"
]
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"package": {
"minLength": 1,
"type": "string"
}
},
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs"
],
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"revision": {
"min_compat": "8.8",
"type": [
"integer"
]
},
"risk_score": {
"maximum": 100,
"minimum": 0,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
"type": [
"string"
]
},
"setup": {
"description": "Markdown",
"min_compat": "8.3",
"type": [
"string"
]
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"severity": {
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"tags": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK",
"MITRE ATLAS"
],
"enumNames": [],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": [
"array"
]
},
"threat_filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"threat_index": {
"items": {
"type": "string"
},
"type": "array"
},
"threat_indicator_path": {
"type": [
"string"
]
},
"threat_language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": [
"string"
]
},
"threat_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"entries": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"minLength": 1,
"type": "string"
},
"negate": {
"min_compat": "9.2",
"type": [
"boolean"
]
},
"type": {
"enum": [
"mapping"
],
"type": "string"
}
},
"required": [
"type"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"entries"
],
"type": "object"
},
"type": "array"
},
"threat_query": {
"type": [
"string"
]
},
"throttle": {
"type": [
"string"
]
},
"timeline_id": {
"type": "string"
},
"timeline_title": {
"type": "string"
},
"timestamp_override": {
"type": [
"string"
]
},
"to": {
"type": [
"string"
]
},
"type": {
"enum": [
"threat_match"
],
"type": "string"
},
"version": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"query",
"severity",
"threat_index",
"threat_mapping",
"type"
],
"type": "object"
}
detection_rules/etc/api_schemas/9.3/9.3.threshold.json
+524
View File
@@ -0,0 +1,524 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit"
],
"type": "object"
}
},
"required": [
"duration"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": [
"string"
]
},
"data_view_id": {
"type": [
"string"
]
},
"description": {
"type": "string"
},
"enabled": {
"type": [
"boolean"
]
},
"exceptions_list": {
"items": {
"additionalProperties": {
"type": "string"
},
"type": "object"
},
"type": [
"array"
]
},
"false_positives": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": [
"array"
]
},
"from": {
"type": [
"string"
]
},
"index": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"interval": {
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": [
"string"
]
},
"max_signals": {
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": [
"object"
]
},
"name": {
"type": "string"
},
"note": {
"description": "Markdown",
"type": [
"string"
]
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"package": {
"minLength": 1,
"type": "string"
}
},
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs"
],
"type": "object"
},
"min_compat": "8.3",
"type": [
"array"
]
},
"revision": {
"min_compat": "8.8",
"type": [
"integer"
]
},
"risk_score": {
"maximum": 100,
"minimum": 0,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"rule_id": {
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
"type": "string"
},
"rule_name_override": {
"type": [
"string"
]
},
"setup": {
"description": "Markdown",
"min_compat": "8.3",
"type": [
"string"
]
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": [
"string"
]
},
"severity": {
"type": [
"string"
]
},
"value": {
"type": [
"string"
]
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"tags": {
"items": {
"type": "string"
},
"type": [
"array"
]
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK",
"MITRE ATLAS"
],
"enumNames": [],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$",
"type": "string"
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"id",
"name"
],
"type": "object"
},
"type": [
"array"
]
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": [
"array"
]
},
"threshold": {
"additionalProperties": false,
"properties": {
"cardinality": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"field"
],
"type": "object"
},
"type": [
"array"
]
},
"field": {
"items": {
"minLength": 1,
"type": "string"
},
"maxItems": 5,
"type": "array"
},
"value": {
"minimum": 1,
"type": "integer"
}
},
"type": "object"
},
"throttle": {
"type": [
"string"
]
},
"timeline_id": {
"type": "string"
},
"timeline_title": {
"type": "string"
},
"timestamp_override": {
"type": [
"string"
]
},
"to": {
"type": [
"string"
]
},
"type": {
"enum": [
"threshold"
],
"type": "string"
},
"version": {
"minimum": 1,
"type": "integer"
}
},
"required": [
"author",
"description",
"language",
"query",
"severity",
"threshold",
"type"
],
"type": "object"
}
detection_rules/etc/attack-technique-redirects.json
+1 -1
View File
@@ -133,5 +133,5 @@
"T1547.011": "T1647",
"T1574.002": "T1574.001"
},
"saved_date": "Mon Dec 8 17:34:00 2025"
"saved_date": "Mon Jan 12 12:10:34 2026"
}
detection_rules/etc/beats_schemas/main.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/beats_schemas/v9.2.3.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/master_9.3.0-dev/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/ecs_schemas/master_9.4.0-dev/ecs_flat.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/integration-manifests.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/integration-schemas.json.gz
BIN
View File
Binary file not shown.
detection_rules/etc/packages.yaml
+3 -3
View File
@@ -3,7 +3,7 @@ package:
maturity:
- production
log_deprecated: true
name: '9.3'
name: '9.4'
registry_data:
categories:
- security
@@ -13,7 +13,7 @@ package:
capabilities:
- security
subscription: basic
kibana.version: ^9.3.0
kibana.version: ^9.4.0
description: Prebuilt detection rules for Elastic Security
format_version: 3.0.0
icons:
@@ -28,5 +28,5 @@ package:
license: Elastic-2.0
title: Prebuilt Security Detection Rules
type: integration
version: 9.3.0-beta.1
version: 9.4.0-beta.1
release: true
detection_rules/etc/stack-schema-map.yaml
+12 -7
View File
@@ -122,6 +122,11 @@
# ecs: "8.17.0"
# endgame: "8.4.0"
#"9.0.0":
# beats: "9.0.0"
# ecs: "9.0.0"
# endgame: "8.4.0"
## Supported
"8.19.0":
@@ -129,11 +134,6 @@
ecs: "8.17.0"
endgame: "8.4.0"
"9.0.0":
beats: "9.0.0"
ecs: "9.0.0"
endgame: "8.4.0"
"9.1.0":
beats: "9.1.5"
ecs: "9.1.0"
@@ -145,6 +145,11 @@
endgame: "8.4.0"
"9.3.0":
beats: "9.2.2"
ecs: "9.2.0"
beats: "9.2.3"
ecs: "9.3.0-rc1"
endgame: "8.4.0"
"9.4.0":
beats: "9.2.3"
ecs: "9.3.0-rc1"
endgame: "8.4.0"