security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prepare for creation of 8.1 branch (#1700)

Browse Source 
Removed changes from:
- etc/packages.yml

(selectively cherry picked from commit 2e78da5c9a)
This commit is contained in:
Justin Ibarra
2022-01-25 18:11:59 -09:00
committed by github-actions[bot]
parent 363556fffa
commit 59b6d6dd08
16 changed files with 2247 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/backport.yml
+2 -1
View File
@@ -55,7 +55,8 @@ jobs:
strategy:
max-parallel: 1
matrix:
target_branch: [7.13, 7.14, 7.15, 7.16]
# 7.17 was intentionally skipped because it was added late and was bug fix only
target_branch: [7.13, 7.14, 7.15, 7.16, 8.0]
steps:
- name: Checkout repo
.github/workflows/lock-versions.yml
+2 -1
View File
@@ -5,7 +5,8 @@ on:
branches:
description: 'List of branches to lock versions (ordered, comma separated)'
required: true
default: '7.13,7.14,7.15,7.16'
# 7.17 was intentionally skipped because it was added late and was bug fix only
default: '7.13,7.14,7.15,7.16,8.0'
jobs:
pr:
detection_rules/rule_validators.py
+8 -1
View File
@@ -5,7 +5,7 @@
"""Validation logic for rules containing queries."""
from functools import cached_property
from typing import List
from typing import List, Optional, Union
import eql
@@ -104,3 +104,10 @@ class EQLValidator(QueryValidator):
except Exception:
print(err_trailer)
raise
def extract_error_field(exc: Union[eql.EqlParseError, kql.KqlParseError]) -> Optional[str]:
line = exc.source.splitlines()[exc.line]
start = exc.column
stop = start + len(exc.caret.strip())
return line[start:stop]
detection_rules/schemas/__init__.py
+6
View File
@@ -178,6 +178,12 @@ def migrate_to_7_16(version: Version, api_contents: dict) -> dict:
return strip_additional_properties(version, api_contents)
@migrate("8.0")
def migrate_to_8_0(version: Version, api_contents: dict) -> dict:
"""Default migration for 8.0."""
return strip_additional_properties(version, api_contents)
def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict:
"""Downgrade a rule to a target stack version."""
from ..packaging import current_stack_version
detection_rules/semver.py
+15 -10
View File
@@ -10,17 +10,22 @@ from typing import Iterable, Union
class Version(tuple):
def __new__(cls, version: Union[Iterable, str]) -> 'Version':
if not isinstance(version, (int, list, tuple)):
version = tuple(int(a) if a.isdigit() else a for a in re.split(r'[.-]', version))
return version if isinstance(version, int) else tuple.__new__(cls, version)
def __new__(cls, version: Union[str, Iterable]) -> 'Version':
if isinstance(version, (int, list, tuple)):
version_class = tuple.__new__(cls, version)
else:
version_tuple = tuple(int(a) if a.isdigit() else a for a in re.split(r'[.-]', version))
version_class = tuple.__new__(cls, version_tuple)
def bump(self):
"""Increment the version."""
versions = list(self)
versions[-1] += 1
return Version(versions)
return version_class
def __str__(self):
"""Convert back to a string."""
return ".".join(str(dig) for dig in self)
recovered_str = str(self[0])
for additional in self[1:]:
if isinstance(additional, str):
recovered_str += "-" + additional
else:
recovered_str += "." + str(additional)
return recovered_str
etc/api_schemas/8.0/8.0.base.json
+334
View File
@@ -0,0 +1,334 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query",
"saved_query",
"machine_learning",
"eql",
"threshold",
"threat_match"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"author",
"description",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
etc/api_schemas/8.0/8.0.eql.json
+345
View File
@@ -0,0 +1,345 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"eql"
],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"eql"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
etc/api_schemas/8.0/8.0.machine_learning.json
+347
View File
@@ -0,0 +1,347 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"anomaly_threshold": {
"format": "integer",
"type": "number"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"license": {
"type": "string"
},
"machine_learning_job_id": {
"anyOf": [
{
"type": "string"
},
{
"items": {
"type": "string"
},
"type": "array"
}
]
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"machine_learning"
],
"type": "string"
}
},
"required": [
"anomaly_threshold",
"author",
"description",
"machine_learning_job_id",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
etc/api_schemas/8.0/8.0.query.json
+347
View File
@@ -0,0 +1,347 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
etc/api_schemas/8.0/8.0.threat_match.json
+438
View File
@@ -0,0 +1,438 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"type": "string"
},
"concurrent_searches": {
"description": "PositiveInteger",
"format": "integer",
"minimum": 1,
"type": "number"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"items_per_search": {
"description": "PositiveInteger",
"format": "integer",
"minimum": 1,
"type": "number"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threat_filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"threat_index": {
"items": {
"type": "string"
},
"type": "array"
},
"threat_indicator_path": {
"type": "string"
},
"threat_language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"threat_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"entries": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"enum": [
"mapping"
],
"type": "string"
},
"value": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"field",
"type",
"value"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"entries"
],
"type": "object"
},
"type": "array"
},
"threat_query": {
"type": "string"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threat_match"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threat_index",
"threat_mapping",
"type"
],
"type": "object"
}
etc/api_schemas/8.0/8.0.threshold.json
+396
View File
@@ -0,0 +1,396 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threshold": {
"additionalProperties": false,
"properties": {
"cardinality": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"value": {
"description": "ThresholdValue",
"format": "integer",
"minimum": 1,
"type": "number"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"type": "array"
},
"field": {
"description": "CardinalityFields",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"type": "array"
},
"value": {
"description": "ThresholdValue",
"format": "integer",
"minimum": 1,
"type": "number"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threshold"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threshold",
"type"
],
"type": "object"
}
etc/beats_schemas/v7.16.2.json.gz
BIN
View File
Binary file not shown.
etc/beats_schemas/v8.0.0-rc1.json.gz
BIN
View File
Binary file not shown.
etc/ecs_schemas/master_8.0.0.dev/ecs_flat.json.gz
BIN
View File
Binary file not shown.
etc/ecs_schemas/master_8.2.0.dev/ecs_flat.json.gz
BIN
View File
Binary file not shown.
etc/stack-schema-map.yaml
+7 -1
View File
@@ -18,9 +18,15 @@
ecs: "1.11.0"
"7.16.0":
beats: "7.15.1" # TODO: update this once beats releases
beats: "7.16.2" # TODO: update this once beats releases
ecs: "1.12.1"
# 7.17 was intentionally skipped because it was added late and was bug fix only
"8.0.0":
beats: "8.0.0-rc1" # TODO: update this once beats releases
ecs: "1.12.1"
"8.1.0":
beats: "master" # TODO: update this once beats releases
ecs: "1.12.1"