diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml index f46c97e46..bda7d3dbe 100644 --- a/.github/workflows/lock-versions.yml +++ b/.github/workflows/lock-versions.yml @@ -6,7 +6,7 @@ on: description: 'List of branches to lock versions (ordered, comma separated)' required: true # 7.17 was intentionally skipped because it was added late and was bug fix only - default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13' + default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14' jobs: pr: diff --git a/detection_rules/etc/api_schemas/8.14/master/8.14.base.json b/detection_rules/etc/api_schemas/8.14/master/8.14.base.json new file mode 100644 index 000000000..af501ab7d --- /dev/null +++ b/detection_rules/etc/api_schemas/8.14/master/8.14.base.json @@ -0,0 +1,524 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } + }, + "required": [ + "meta" + ], + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "esql", + "threshold", + "threat_match", + "new_terms" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "author", + "description", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.14/master/8.14.eql.json b/detection_rules/etc/api_schemas/8.14/master/8.14.eql.json new file mode 100644 index 000000000..3ae345171 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.14/master/8.14.eql.json @@ -0,0 +1,602 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "event_category_override": { + "min_compat": "8.0", + "type": "string" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } + }, + "required": [ + "meta" + ], + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "tiebreaker_field": { + "min_compat": "8.0", + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_field": { + "min_compat": "8.0", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.14/master/8.14.esql.json b/detection_rules/etc/api_schemas/8.14/master/8.14.esql.json new file mode 100644 index 000000000..636ddbd0c --- /dev/null +++ b/detection_rules/etc/api_schemas/8.14/master/8.14.esql.json @@ -0,0 +1,590 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } + }, + "required": [ + "meta" + ], + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "esql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "esql" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.14/master/8.14.machine_learning.json b/detection_rules/etc/api_schemas/8.14/master/8.14.machine_learning.json new file mode 100644 index 000000000..af5c31c4a --- /dev/null +++ b/detection_rules/etc/api_schemas/8.14/master/8.14.machine_learning.json @@ -0,0 +1,534 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "anomaly_threshold": { + "type": "integer" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } + }, + "required": [ + "meta" + ], + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "machine_learning_job_id": { + "anyOf": [ + { + "type": "string" + }, + { + "items": { + "type": "string" + }, + "type": "array" + } + ] + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "machine_learning" + ], + "type": "string" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.14/master/8.14.new_terms.json b/detection_rules/etc/api_schemas/8.14/master/8.14.new_terms.json new file mode 100644 index 000000000..7096144f3 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.14/master/8.14.new_terms.json @@ -0,0 +1,645 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } + }, + "required": [ + "meta" + ], + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "new_terms": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "history_window_start": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "value": { + "description": "NewTermsFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "field", + "history_window_start", + "value" + ], + "type": "object" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "new_terms" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "new_terms", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.14/master/8.14.query.json b/detection_rules/etc/api_schemas/8.14/master/8.14.query.json new file mode 100644 index 000000000..89ffd98a7 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.14/master/8.14.query.json @@ -0,0 +1,594 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } + }, + "required": [ + "meta" + ], + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.14/master/8.14.threat_match.json b/detection_rules/etc/api_schemas/8.14/master/8.14.threat_match.json new file mode 100644 index 000000000..9d2901f09 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.14/master/8.14.threat_match.json @@ -0,0 +1,685 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "concurrent_searches": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } + }, + "required": [ + "meta" + ], + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "items_per_search": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": "string" + }, + "threat_language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "mapping" + ], + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "type", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": "string" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threat_match" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.14/master/8.14.threshold.json b/detection_rules/etc/api_schemas/8.14/master/8.14.threshold.json new file mode 100644 index 000000000..7cf6e1ac0 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.14/master/8.14.threshold.json @@ -0,0 +1,620 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + } + }, + "required": [ + "duration" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } + }, + "required": [ + "meta" + ], + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "field": { + "description": "CardinalityFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "type": "array" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threshold" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threshold", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/master/master.base.json b/detection_rules/etc/api_schemas/master/master.base.json index 5691d283c..af501ab7d 100644 --- a/detection_rules/etc/api_schemas/master/master.base.json +++ b/detection_rules/etc/api_schemas/master/master.base.json @@ -52,15 +52,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" @@ -73,14 +167,30 @@ "pattern": "^\\d+[mshd]$", "type": "string" }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, "license": { "type": "string" }, "max_signals": { "description": "MaxSignals", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" }, "meta": { "additionalProperties": { @@ -96,7 +206,7 @@ }, "name": { "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", "type": "string" }, "note": { @@ -168,10 +278,9 @@ }, "risk_score": { "description": "MaxSignals", - "format": "integer", "maximum": 100, "minimum": 1, - "type": "number" + "type": "integer" }, "risk_score_mapping": { "items": { diff --git a/detection_rules/etc/api_schemas/master/master.eql.json b/detection_rules/etc/api_schemas/master/master.eql.json index 546c0be36..3ae345171 100644 --- a/detection_rules/etc/api_schemas/master/master.eql.json +++ b/detection_rules/etc/api_schemas/master/master.eql.json @@ -31,9 +31,8 @@ }, "value": { "description": "AlertSupressionValue", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" } }, "required": [ @@ -81,6 +80,9 @@ ], "type": "string" }, + "data_view_id": { + "type": "string" + }, "description": { "type": "string" }, @@ -111,15 +113,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" @@ -138,6 +234,23 @@ "pattern": "^\\d+[mshd]$", "type": "string" }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, "language": { "enum": [ "eql" @@ -149,9 +262,8 @@ }, "max_signals": { "description": "MaxSignals", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" }, "meta": { "additionalProperties": { @@ -167,7 +279,7 @@ }, "name": { "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", "type": "string" }, "note": { @@ -242,10 +354,9 @@ }, "risk_score": { "description": "MaxSignals", - "format": "integer", "maximum": 100, "minimum": 1, - "type": "number" + "type": "integer" }, "risk_score_mapping": { "items": { diff --git a/detection_rules/etc/api_schemas/master/master.esql.json b/detection_rules/etc/api_schemas/master/master.esql.json index 9d5e12bf2..636ddbd0c 100644 --- a/detection_rules/etc/api_schemas/master/master.esql.json +++ b/detection_rules/etc/api_schemas/master/master.esql.json @@ -31,9 +31,8 @@ }, "value": { "description": "AlertSupressionValue", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" } }, "required": [ @@ -81,6 +80,9 @@ ], "type": "string" }, + "data_view_id": { + "type": "string" + }, "description": { "type": "string" }, @@ -107,15 +109,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" @@ -134,6 +230,23 @@ "pattern": "^\\d+[mshd]$", "type": "string" }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, "language": { "enum": [ "esql" @@ -145,9 +258,8 @@ }, "max_signals": { "description": "MaxSignals", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" }, "meta": { "additionalProperties": { @@ -163,7 +275,7 @@ }, "name": { "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", "type": "string" }, "note": { @@ -238,10 +350,9 @@ }, "risk_score": { "description": "MaxSignals", - "format": "integer", "maximum": 100, "minimum": 1, - "type": "number" + "type": "integer" }, "risk_score_mapping": { "items": { diff --git a/detection_rules/etc/api_schemas/master/master.machine_learning.json b/detection_rules/etc/api_schemas/master/master.machine_learning.json index 863cd6e9d..af5c31c4a 100644 --- a/detection_rules/etc/api_schemas/master/master.machine_learning.json +++ b/detection_rules/etc/api_schemas/master/master.machine_learning.json @@ -15,8 +15,7 @@ "type": "array" }, "anomaly_threshold": { - "format": "integer", - "type": "number" + "type": "integer" }, "author": { "items": { @@ -56,15 +55,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" @@ -77,6 +170,23 @@ "pattern": "^\\d+[mshd]$", "type": "string" }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, "license": { "type": "string" }, @@ -95,9 +205,8 @@ }, "max_signals": { "description": "MaxSignals", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" }, "meta": { "additionalProperties": { @@ -113,7 +222,7 @@ }, "name": { "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", "type": "string" }, "note": { @@ -185,10 +294,9 @@ }, "risk_score": { "description": "MaxSignals", - "format": "integer", "maximum": 100, "minimum": 1, - "type": "number" + "type": "integer" }, "risk_score_mapping": { "items": { diff --git a/detection_rules/etc/api_schemas/master/master.new_terms.json b/detection_rules/etc/api_schemas/master/master.new_terms.json index 08cb8fb74..7096144f3 100644 --- a/detection_rules/etc/api_schemas/master/master.new_terms.json +++ b/detection_rules/etc/api_schemas/master/master.new_terms.json @@ -31,9 +31,8 @@ }, "value": { "description": "AlertSupressionValue", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" } }, "required": [ @@ -81,6 +80,9 @@ ], "type": "string" }, + "data_view_id": { + "type": "string" + }, "description": { "type": "string" }, @@ -107,15 +109,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" @@ -134,6 +230,23 @@ "pattern": "^\\d+[mshd]$", "type": "string" }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, "language": { "enum": [ "eql", @@ -149,9 +262,8 @@ }, "max_signals": { "description": "MaxSignals", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" }, "meta": { "additionalProperties": { @@ -167,7 +279,7 @@ }, "name": { "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", "type": "string" }, "new_terms": { @@ -292,10 +404,9 @@ }, "risk_score": { "description": "MaxSignals", - "format": "integer", "maximum": 100, "minimum": 1, - "type": "number" + "type": "integer" }, "risk_score_mapping": { "items": { diff --git a/detection_rules/etc/api_schemas/master/master.query.json b/detection_rules/etc/api_schemas/master/master.query.json index b20167b18..89ffd98a7 100644 --- a/detection_rules/etc/api_schemas/master/master.query.json +++ b/detection_rules/etc/api_schemas/master/master.query.json @@ -31,9 +31,8 @@ }, "value": { "description": "AlertSupressionValue", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" } }, "required": [ @@ -81,6 +80,9 @@ ], "type": "string" }, + "data_view_id": { + "type": "string" + }, "description": { "type": "string" }, @@ -107,15 +109,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" @@ -134,6 +230,23 @@ "pattern": "^\\d+[mshd]$", "type": "string" }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, "language": { "enum": [ "eql", @@ -149,9 +262,8 @@ }, "max_signals": { "description": "MaxSignals", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" }, "meta": { "additionalProperties": { @@ -167,7 +279,7 @@ }, "name": { "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", "type": "string" }, "note": { @@ -242,10 +354,9 @@ }, "risk_score": { "description": "MaxSignals", - "format": "integer", "maximum": 100, "minimum": 1, - "type": "number" + "type": "integer" }, "risk_score_mapping": { "items": { diff --git a/detection_rules/etc/api_schemas/master/master.threat_match.json b/detection_rules/etc/api_schemas/master/master.threat_match.json index 55e701d2d..9d2901f09 100644 --- a/detection_rules/etc/api_schemas/master/master.threat_match.json +++ b/detection_rules/etc/api_schemas/master/master.threat_match.json @@ -31,9 +31,8 @@ }, "value": { "description": "AlertSupressionValue", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" } }, "required": [ @@ -83,9 +82,11 @@ }, "concurrent_searches": { "description": "PositiveInteger", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" + }, + "data_view_id": { + "type": "string" }, "description": { "type": "string" @@ -113,15 +114,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" @@ -140,11 +235,27 @@ "pattern": "^\\d+[mshd]$", "type": "string" }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, "items_per_search": { "description": "PositiveInteger", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" }, "language": { "enum": [ @@ -161,9 +272,8 @@ }, "max_signals": { "description": "MaxSignals", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" }, "meta": { "additionalProperties": { @@ -179,7 +289,7 @@ }, "name": { "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", "type": "string" }, "note": { @@ -254,10 +364,9 @@ }, "risk_score": { "description": "MaxSignals", - "format": "integer", "maximum": 100, "minimum": 1, - "type": "number" + "type": "integer" }, "risk_score_mapping": { "items": { diff --git a/detection_rules/etc/api_schemas/master/master.threshold.json b/detection_rules/etc/api_schemas/master/master.threshold.json index b803fc96d..7cf6e1ac0 100644 --- a/detection_rules/etc/api_schemas/master/master.threshold.json +++ b/detection_rules/etc/api_schemas/master/master.threshold.json @@ -31,9 +31,8 @@ }, "value": { "description": "AlertSupressionValue", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" } }, "required": [ @@ -60,6 +59,9 @@ ], "type": "string" }, + "data_view_id": { + "type": "string" + }, "description": { "type": "string" }, @@ -86,15 +88,109 @@ }, "filters": { "items": { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "enum": [ + "appState", + "globalState" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "store" + ], + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "controlledBy": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "group": { + "type": "string" + }, + "index": { + "type": "string" + }, + "isMultiIndex": { + "type": "boolean" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "anyOf": [ + { + "additionalProperties": false, + "properties": { + "wildcard": { + "additionalProperties": { + "additionalProperties": false, + "properties": { + "case_insensitive": { + "type": "boolean" + }, + "value": { + "type": "string" + } + }, + "required": [ + "case_insensitive", + "value" + ], + "type": "object" + }, + "type": "object" + } + }, + "type": "object" + }, + { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + } + ] + } }, + "required": [ + "meta" + ], "type": "object" }, "type": "array" @@ -113,6 +209,23 @@ "pattern": "^\\d+[mshd]$", "type": "string" }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, "language": { "enum": [ "eql", @@ -128,9 +241,8 @@ }, "max_signals": { "description": "MaxSignals", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" }, "meta": { "additionalProperties": { @@ -146,7 +258,7 @@ }, "name": { "description": "RuleName", - "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", "type": "string" }, "note": { @@ -221,10 +333,9 @@ }, "risk_score": { "description": "MaxSignals", - "format": "integer", "maximum": 100, "minimum": 1, - "type": "number" + "type": "integer" }, "risk_score_mapping": { "items": { @@ -409,9 +520,8 @@ }, "value": { "description": "ThresholdValue", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" } }, "required": [ @@ -434,9 +544,8 @@ }, "value": { "description": "ThresholdValue", - "format": "integer", "minimum": 1, - "type": "number" + "type": "integer" } }, "required": [ diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz index 775d9fa3e..c499e176d 100644 Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ diff --git a/detection_rules/etc/beats_schemas/v8.13.4.json.gz b/detection_rules/etc/beats_schemas/v8.13.4.json.gz new file mode 100644 index 000000000..d6ee29c6d Binary files /dev/null and b/detection_rules/etc/beats_schemas/v8.13.4.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz index 36c39fe2a..e5191996f 100644 Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz index 8cd045726..101bf1940 100644 Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz index a3156aafa..308c01607 100644 Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz index fc2c946ad..7fa6e41b4 100644 Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz index 043ac47bc..2ea7a5eaf 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz index 48b6807c3..73f3b2977 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz index c1da95170..b4d8d8d03 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz index 2544555c3..32923a26f 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz index 42ee3ea8e..be3f12b1b 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz index 4f2f7ea5a..f67edaedc 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz index 76362bc06..fa49b0451 100644 Binary files a/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz index 341431182..c83abbaf4 100644 Binary files a/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz index e944020f7..41abef8c5 100644 Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz index ec0282c93..d3028e7fa 100644 Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz index 001386b1f..3342706e2 100644 Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz index db2576d6c..71bb49002 100644 Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz index 1caf595ba..b2daee501 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz index a9fc284c2..e2f2c6fe7 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz index e60a68b42..027a22a99 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz index b0d2f1408..087b86f30 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz index 8c5713094..6fa41576a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz index d7b1bed86..f6931cb85 100644 Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz index 01696bf66..85b90f6fb 100644 Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz index a779d91ac..554bd9a8a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz index ba9fbae7c..56279aa94 100644 Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz index 704f7d2fb..cf076502c 100644 Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz index 60465acd3..2d1daab05 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz index e1740ba2e..07d6d4258 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz index 14b5f04da..77356dc42 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz index 1fa801c69..5c511a042 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz index cd5c1370f..05e742b78 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz index 873aee3f8..8c2aa0988 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz index 80ce35f3d..87e729e0b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz index 292957685..68de0b27b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz index 38d2c3f12..f5063ffab 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz index 287773f7c..7f05f813c 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz index 89aeb00ac..ac9ec9f87 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz index 2663ef530..42abc0bca 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz index 777f1fc59..4d5897672 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz index 60f461d91..3fbaa8e56 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz index cb330f7c7..1e457c8a7 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz index 7ce2b3dff..62498d665 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz index 45865141c..bf37a704d 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz index b8c6ba58a..91b794a97 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz index 215428618..f04329a12 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz index 7a5d7cfde..47af0f73a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz index ed328403f..b3036ba3a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz index 4efa4dde9..b5dd97e3b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz index b36e52a04..e7b2412a1 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz index 4e0e9cbd0..fdd10da3f 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz index 3f820f485..33c2534d1 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz index f697ed4f1..bc4e6ccf8 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz index 8bb922e91..2e1f28dac 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz index 1a1fdb729..5aed1007e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz index b861f7f10..44e08e82d 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz index 12dda85ef..373d8105c 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz index 42f2da7dc..009a8cb61 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz index 2ac3ce9e2..61c9bb928 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz index 3313fffb0..c878f4f08 100644 Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz index 7056a434d..7f96d056e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz index 03deab327..1c1b0b7cb 100644 Binary files a/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz differ diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index 432cb80c7..01b409294 100644 Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index e582c0383..be636f3c5 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/etc/packages.yml b/detection_rules/etc/packages.yml index 27df7bb2d..2c1777fe2 100644 --- a/detection_rules/etc/packages.yml +++ b/detection_rules/etc/packages.yml @@ -4,27 +4,27 @@ package: maturity: - production log_deprecated: true - name: '8.14' + name: '8.15' registry_data: categories: - security conditions: elastic: subscription: basic - kibana.version: ^8.14.0 + kibana.version: ^8.15.0 description: Prebuilt detection rules for Elastic Security format_version: 3.0.0 icons: - size: 16x16 src: /img/security-logo-color-64px.svg type: image/svg+xml - source: - license: Elastic-2.0 name: security_detection_engine owner: github: elastic/protections type: elastic + source: + license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration - version: 8.14.0-beta.0 + version: 8.15.0-beta.1 release: true diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml index de0f3721c..9daf9547d 100644 --- a/detection_rules/etc/stack-schema-map.yaml +++ b/detection_rules/etc/stack-schema-map.yaml @@ -103,4 +103,9 @@ "8.14.0": beats: "8.12.2" ecs: "8.11.0" + endgame: "8.4.0" + +"8.15.0": + beats: "8.13.4" + ecs: "8.11.0" endgame: "8.4.0" \ No newline at end of file diff --git a/detection_rules/schemas/__init__.py b/detection_rules/schemas/__init__.py index 1a170222f..b91ee6b0b 100644 --- a/detection_rules/schemas/__init__.py +++ b/detection_rules/schemas/__init__.py @@ -280,6 +280,12 @@ def migrate_to_8_13(version: Version, api_contents: dict) -> dict: return strip_additional_properties(version, api_contents) +@migrate("8.14") +def migrate_to_8_14(version: Version, api_contents: dict) -> dict: + """Default migration for 8.14.""" + return strip_additional_properties(version, api_contents) + + def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict: """Downgrade a rule to a target stack version.""" from ..packaging import current_stack_version