diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml
index 5e8711903..e04a464cb 100644
--- a/.github/workflows/lock-versions.yml
+++ b/.github/workflows/lock-versions.yml
@@ -6,7 +6,7 @@ on:
 description: 'List of branches to lock versions (ordered, comma separated)'
 required: true
 # 7.17 was intentionally skipped because it was added late and was bug fix only
- default: '8.19,9.1,9.2,9.3'
+ default: '8.19,9.2,9.3,9.4'
 
 jobs:
 pr:
diff --git a/detection_rules/etc/api_schemas/9.4/9.4.base.json b/detection_rules/etc/api_schemas/9.4/9.4.base.json
new file mode 100644
index 000000000..1ed86a2d9
--- /dev/null
+++ b/detection_rules/etc/api_schemas/9.4/9.4.base.json
@@ -0,0 +1,433 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": 
"8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK", + "MITRE ATLAS" + ], + "enumNames": [], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + 
"name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "esql", + "threshold", + "threat_match", + "new_terms" + ], + "enumNames": [], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.4/9.4.eql.json b/detection_rules/etc/api_schemas/9.4/9.4.eql.json new file mode 100644 index 000000000..c4d17b4b1 --- /dev/null 
+++ b/detection_rules/etc/api_schemas/9.4/9.4.eql.json 
@@ -0,0 +1,512 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "event_category_override": { + "min_compat": "8.0", + "type": [ + "string" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + 
"additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": 
{ + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK", + "MITRE ATLAS" + ], + "enumNames": [], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": 
"object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "tiebreaker_field": { + "min_compat": "8.0", + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_field": { + "min_compat": "8.0", + "type": [ + "string" + ] + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.4/9.4.esql.json b/detection_rules/etc/api_schemas/9.4/9.4.esql.json new file mode 100644 index 000000000..ec15cddbe --- /dev/null +++ b/detection_rules/etc/api_schemas/9.4/9.4.esql.json 
@@ -0,0 +1,494 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + 
"type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "esql" + ], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": 
{ + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK", + "MITRE ATLAS" + ], + "enumNames": [], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": 
"object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "esql" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.4/9.4.machine_learning.json b/detection_rules/etc/api_schemas/9.4/9.4.machine_learning.json new file mode 100644 index 000000000..a808bb36c --- /dev/null +++ b/detection_rules/etc/api_schemas/9.4/9.4.machine_learning.json 
@@ -0,0 +1,488 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "anomaly_threshold": { + "type": "integer" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + 
], + "type": "object" + }, + "license": { + "type": [ + "string" + ] + }, + "machine_learning_job_id": { + "anyOf": [ + { + "type": "string" + }, + { + "items": { + "type": "string" + }, + "type": "array" + } + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + 
"high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK", + "MITRE ATLAS" + ], + "enumNames": [], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" 
+ ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "machine_learning" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.4/9.4.new_terms.json b/detection_rules/etc/api_schemas/9.4/9.4.new_terms.json new file mode 100644 index 000000000..5066a4be4 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.4/9.4.new_terms.json 
@@ -0,0 +1,534 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + 
"type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "new_terms": { + "additionalProperties": false, + "properties": { + "field": { + "minLength": 1, + "type": "string" + }, + "history_window_start": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "value": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "history_window_start" + ], + "type": "object" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + 
"field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK", + "MITRE ATLAS" + ], + "enumNames": [], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$", + "type": "string" + }, + 
"subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "new_terms" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "new_terms", + "query", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.4/9.4.query.json b/detection_rules/etc/api_schemas/9.4/9.4.query.json new file mode 100644 index 000000000..ff2031e49 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.4/9.4.query.json 
@@ -0,0 +1,498 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + 
"type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": 
"8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK", + "MITRE ATLAS" + ], + "enumNames": [], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + 
"required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "query" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.4/9.4.threat_match.json b/detection_rules/etc/api_schemas/9.4/9.4.threat_match.json new file mode 100644 index 000000000..c41aaba05 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.4/9.4.threat_match.json 
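Review bot: `language` for a `"type": ["query"]` rule admits `eql` and `esql` even though those languages belong to their own rule types, so a query rule declaring `"language": "esql"` validates against this schema and presumably only fails once it is pushed to Kibana; restricting query rules to `"enum": ["kuery", "lucene"]` would catch that locally. A second gap is that properties carrying a value constraint are left out of `required`: `alert_suppression.duration` requires only `unit` while `value` has `minimum: 1`, and the `risk_score_mapping`/`severity_mapping` items require `field` but not `operator` or `value`, so `{"unit": "m"}` or a mapping entry with no comparison value passes. The `enumNames: []` entries suggest this file is generator output from the rule dataclasses, so the fix likely belongs in the source types rather than in this JSON; the intended JSON would be `"required": ["unit", "value"]` under `duration` and `"required": ["field", "operator", "value"]` under the two mapping items.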
@@ -0,0 +1,585 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + 
"type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": 
"8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK", + "MITRE ATLAS" + ], + "enumNames": [], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + 
"required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": [ + "string" + ] + }, + "threat_language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": [ + "string" + ] + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "minLength": 1, + "type": "string" + }, + "negate": { + "min_compat": "9.2", + "type": [ + "boolean" + ] + }, + "type": { + "enum": [ + "mapping" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": [ + "string" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "threat_match" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.4/9.4.threshold.json b/detection_rules/etc/api_schemas/9.4/9.4.threshold.json new file mode 100644 index 000000000..0d8e9cb58 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.4/9.4.threshold.json 
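Review bot: The `threat_mapping.entries` items declare `field`, `negate` and `type` but no `value`, and the item is closed with `additionalProperties: false`, so as written an entry that names the indicator-side field is rejected outright; if `value` was dropped unintentionally it needs restoring as `"value": {"minLength": 1, "type": "string"}`, and `field` and `value` belong in `required` next to `type` (`"required": ["field", "type", "value"]`) since `type` is a single-value enum and carries no information on its own. Neither `threat_index` nor `threat_mapping[].entries` has `minItems: 1`, so `"threat_index": []` and `"threat_mapping": [{"entries": []}]` satisfy the schema although an indicator-match rule cannot run without an indicator source or a mapping; adding `"minItems": 1` to both arrays pins that. `threat_indicator_path` and `threat_query` are unconstrained strings, which is fine, but they are also the only optional inputs here, so the `required` list already covers what the rule type needs once the two array bounds are in place.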
@@ -0,0 +1,524 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + } + }, + "required": [ + "duration" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": 
"string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + 
"additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK", + "MITRE ATLAS" + ], + "enumNames": [], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "items": { 
+ "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "field": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 5, + "type": "array" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "type": "object" + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "threshold" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "threshold", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz index 10feecd77..cfd658fed 100644 Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ diff --git a/detection_rules/etc/beats_schemas/v9.3.3.json.gz b/detection_rules/etc/beats_schemas/v9.3.3.json.gz new file mode 100644 index 000000000..9bed69816 Binary files /dev/null and b/detection_rules/etc/beats_schemas/v9.3.3.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz index e3fa65772..f91eb552c 100644 Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ 
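Review bot: The `threshold` object has no `required` list, so a threshold rule whose `threshold` is `{}` or lacks `value` satisfies this schema even though the rule cannot execute without a count; `"required": ["field", "value"]` (with `field` allowed to be an empty array, as its `items` schema already permits) would catch that locally instead of at import time. The same pattern appears in `cardinality` items, which require `field` but not `value` (`minimum: 1`), and in `alert_suppression.duration`, which requires `unit` but not `value` — consistently the properties with a validator are the ones missing from `required`, which points at the generator rather than hand edits. Separately, the `rule_id` pattern allow-lists one malformed identifier whose last group is 13 hex characters (`...-b6864572347db`); that exception is being propagated into each new version's schema, and if the rule it was added for is no longer in the repository the alternate should be dropped so the UUID check is strict again.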
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz index 42091090a..557b4ce41 100644 Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz index 40388e806..572e283ab 100644 Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz index 0bdceb029..7fe170ced 100644 Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz index 2096f1418..0b61dfb07 100644 Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz index 9ac5794fe..03a5ab6f9 100644 Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz index 402359765..b265d862d 100644 Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz index 8152179b7..79cafb147 100644 Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz index 042e9f065..0b6bf515b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz index b5e526f8e..41310dc5b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz index 2685cb56e..6fdab0a62 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz index 58fa5465b..779a634a4 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz index 14f9e820c..f1936f05b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz index 963d5925d..7932a2ecf 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz index 5ded0174d..6e356e750 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz index 91ea21016..99b4d18d0 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz index 2963907f4..7218ff04b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz index 5cdb91f8e..f3546c8f5 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz index 4dc665b21..444cc41fe 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz index 10c54dbfb..ecba8dc07 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz index 1844a6c0c..b7d20d3fb 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz index 091978126..ec6fd293e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz index 6e1bb7f7e..e962806dd 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz index 66ea39f23..272726730 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz index 042825d53..609c6d7fc 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
index cb0b0284c..0e56ff2bf 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz
index 1916eb607..d16e23447 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz
index 35e4c9685..cd14c2198 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz
index 5cd51e6bf..1a8965bfb 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz
index 698bb5f7a..a234a3da8 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz
index a5cc133bb..5c42efb1d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz
index 7ab20dbb8..1631400ef 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz
index 3e97363b3..6496d19ee 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz
index b368be99b..7092c1deb 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz
index 6726111df..b921a37c8 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz
index 4583ac451..a5609e100 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz
index 202933dae..621c00447 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz
index 22e6daa4e..10b420a12 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz
index ccc5764a7..9bd652022 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz
index 599f9f42e..f38a20b93 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz
index 62f66f52f..7388a7467 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz
index 77e8d8f5f..95c7d7f9a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz
index e6f0d7281..56ea0990a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz
index a624476ac..7e1b0b584 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz
index cc946cb70..83d17f686 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz
index 1060b61f0..685a52367 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz
index aa33ea13f..d7d9c9e78 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz
index 8d253b98a..d47b89057 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz
index fc3a6ac62..c83c0c11d 100644
Binary files a/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz
index 4669f5aed..dd09c7c7a 100644
Binary files a/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz
index 0b1a93225..3116aa8c1 100644
Binary files a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz
index 25407f9e9..848dc4373 100644
Binary files a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz
index 5f39ebcf1..03bac894c 100644
Binary files a/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz
index c64e3ff71..bd39bcf96 100644
Binary files a/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz
index 83d2c403d..1f5d46621 100644
Binary files a/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz
index d722baedd..497c9f8ca 100644
Binary files a/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.3.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.3.0/ecs_flat.json.gz
index 86afc2b8c..aa93b0ffd 100644
Binary files a/detection_rules/etc/ecs_schemas/9.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.3.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.3.0/ecs_nested.json.gz
index 8631937d5..f26d8241a 100644
Binary files a/detection_rules/etc/ecs_schemas/9.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.3.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/master_9.4.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_flat.json.gz
similarity index 99%
rename from detection_rules/etc/ecs_schemas/master_9.4.0-dev/ecs_flat.json.gz
rename to detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_flat.json.gz
index 15abb2c77..a32fe24a7 100644
Binary files a/detection_rules/etc/ecs_schemas/master_9.4.0-dev/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_nested.json.gz
new file mode 100644
index 000000000..a3b3b0e00
Binary files /dev/null and b/detection_rules/etc/ecs_schemas/9.4.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 28a370043..b4664f048 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index a235fcec9..d43100d67 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/etc/packages.yaml b/detection_rules/etc/packages.yaml index fa87d0d7f..e769b04f6 100644 --- a/detection_rules/etc/packages.yaml +++ b/detection_rules/etc/packages.yaml @@ -3,7 +3,7 @@ package: maturity: - production log_deprecated: true - name: '9.4' + name: '9.5' registry_data: categories: - security @@ -13,7 +13,7 @@ package: capabilities: - security subscription: basic - kibana.version: ^9.4.0 + kibana.version: ^9.5.0 description: Prebuilt detection rules for Elastic Security format_version: 3.0.0 icons: @@ -28,5 +28,5 @@ package: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration - version: 9.4.0-beta.1 + version: 9.5.0-beta.1 release: true diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml index 0cc592c76..a532c8585 100644 --- a/detection_rules/etc/stack-schema-map.yaml +++ b/detection_rules/etc/stack-schema-map.yaml @@ -127,6 +127,11 @@ # ecs: "9.0.0" # endgame: "8.4.0" +#"9.1.0": +# beats: "9.1.5" +# ecs: "9.1.0" +# endgame: "8.4.0" + ## Supported "8.19.0": @@ -134,22 +139,22 @@ ecs: "8.17.0" endgame: "8.4.0" -"9.1.0": - beats: "9.1.5" - ecs: "9.1.0" - endgame: "8.4.0" - "9.2.0": beats: "9.2.0" ecs: "9.2.0" endgame: "8.4.0" "9.3.0": - beats: "9.3.2" + beats: "9.3.3" ecs: "9.3.0" endgame: "8.4.0" "9.4.0": - beats: "9.3.2" - ecs: "9.3.0" + beats: "9.3.3" + ecs: "9.4.0-rc1" + endgame: "8.4.0" + +"9.5.0": + beats: "9.3.3" + ecs: "9.4.0-rc1" endgame: "8.4.0" \ No newline at end of file diff --git a/detection_rules/schemas/__init__.py b/detection_rules/schemas/__init__.py index e06c22fef..d9e675394 100644 --- a/detection_rules/schemas/__init__.py +++ b/detection_rules/schemas/__init__.py 
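Review bot: In the stack-schema-map.yaml hunk, the new `"9.4.0"` and `"9.5.0"` entries pin `ecs` to `"9.4.0-rc1"`, a release-candidate schema (the matching files are renamed from `master_9.4.0-dev` earlier in this diff), and `"9.5.0"` additionally reuses `beats: "9.3.3"`, yet nothing in the file marks these as placeholders. Rule validation for 9.4 and 9.5 will therefore accept or reject ECS field names against a pre-GA snapshot, and the later bump to a GA schema is easy to forget once the build is green. Suggest a comment above the new 9.5.0 block, e.g. `# 9.5.0 has no ECS/beats release yet; 9.4.0-rc1 and 9.3.3 are the latest snapshots — bump when the GA schemas ship`. The `\ No newline at end of file` marker is pre-existing but could be fixed while this block is being touched.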
@@ -343,6 +343,12 @@ def migrate_to_9_3(version: Version, api_contents: dict[str, Any]) -> dict[str, return strip_additional_properties(version, api_contents) +@migrate("9.4") +def migrate_to_9_4(version: Version, api_contents: dict[str, Any]) -> dict[str, Any]: + """Default migration for 9.4.""" + return strip_additional_properties(version, api_contents) + + def downgrade( api_contents: dict[str, Any], target_version: str, current_version_val: str | None = None ) -> dict[str, Any]: diff --git a/docs-dev/versioning.md b/docs-dev/versioning.md index 984ee0284..1f9ce560f 100644 --- a/docs-dev/versioning.md +++ b/docs-dev/versioning.md @@ -4,14 +4,14 @@ This document provides detailed information about the different versions that ar ## Current Version -The current version of prebuilt detection rules is `v9.3`. +The current version of prebuilt detection rules is `v9.4`. ## Previous Versions Released The following version(s) are released along with the current version. - `v8.19` -- `v9.1` +- `v9.2` - `v9.3` ## End of Life Policy diff --git a/pyproject.toml b/pyproject.toml index d91d456fb..85c22b55c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.6.21" +version = "1.6.22" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml index ebad6768f..9ee9d1d0b 100644 --- a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml +++ b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml 
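Review bot: The docstring on the new `migrate_to_9_4`, `"""Default migration for 9.4."""`, does not say what "default" means or why 9.4 needs no field-level migration, so the next reader has to diff it against `migrate_to_9_3` to learn the two are identical. Suggest `"""Migration for 9.4: no field-level changes from 9.3; only strips properties the 9.4 API schema does not declare (see strip_additional_properties)."""`. The repetition across versions suggests the `@migrate("9.x")` decorator is the registration mechanism; if so, a one-line comment saying that each stack version must have its own registered function would stop a later cleanup from folding these into a loop. `downgrade` begins in this hunk but its body continues outside it.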
@@ -2,9 +2,9 @@ creation_date = "2025/07/01" integration = ["azure"] maturity = "production" -min_stack_comments = "Changing min stack to 9.1.0, the latest minimum supported version for 9.X releases." -min_stack_version = "9.1.0" -updated_date = "2026/04/10" +min_stack_comments = "Changing min stack to 9.2.0, the latest minimum supported version for 9.X releases." +min_stack_version = "9.2.0" +updated_date = "2026/04/22" [rule] author = ["Elastic"] diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml index db76f5efd..d3f6abe75 100644 --- a/rules/windows/defense_evasion_masquerading_as_svchost.toml +++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml @@ -2,9 +2,9 @@ creation_date = "2025/11/12" integration = ["endpoint", "windows", "system"] maturity = "production" -updated_date = "2026/04/10" -min_stack_version = "9.1.0" -min_stack_comments = "The esql match operator was introduced in version 9.1.0" +min_stack_comments = "Changing min stack to 9.2.0, the latest minimum supported version for 9.X releases." +min_stack_version = "9.2.0" +updated_date = "2026/04/22" [rule] diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml index 1df195731..ec8df252a 100644 --- a/rules/windows/execution_windows_script_from_internet.toml +++ b/rules/windows/execution_windows_script_from_internet.toml @@ -2,9 +2,9 @@ creation_date = "2025/01/31" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" -min_stack_version = "9.1.0" -min_stack_comments = "Changing min stack to 9.1.0, the latest minimum supported version for 9.X releases." +min_stack_comments = "Changing min stack to 9.2.0, the latest minimum supported version for 9.X releases." +min_stack_version = "9.2.0" +updated_date = "2026/04/22" [rule] author = ["Elastic"]
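Review bot: In the `defense_evasion_masquerading_as_svchost.toml` hunk, the replaced `min_stack_comments` drops the only record of the technical floor — the removed text said the ES|QL `match` operator was introduced in 9.1.0 — and substitutes the generic "latest minimum supported version" wording used by the other two rules. If the query (outside the hunk) still uses `match`, the floor is now documented as a support-policy choice rather than a hard compatibility constraint, so a future rollback to 9.1.0 would look safe when it is not. Suggest keeping both reasons: `min_stack_comments = "The esql match operator was introduced in 9.1.0; min stack raised to 9.2.0, the latest minimum supported version for 9.X releases."`. The `[rule]` body of each file is outside the hunk.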