Prepare For Next Elastic Stack 8.15 (#3670)

Removed changes from:
- detection_rules/etc/packages.yml

(selectively cherry picked from commit 50a8b52cd5)
This commit is contained in:
shashank-elastic
2024-05-15 00:31:02 +05:30
committed by github-actions[bot]
parent ca8af123d2
commit 891da3623d
84 changed files with 5811 additions and 127 deletions
+1 -1
@@ -6,7 +6,7 @@ on:
description: 'List of branches to lock versions (ordered, comma separated)'
required: true
# 7.17 was intentionally skipped because it was added late and was bug fix only
default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13'
default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14'
jobs:
pr:
@@ -0,0 +1,524 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query",
"saved_query",
"machine_learning",
"eql",
"esql",
"threshold",
"threat_match",
"new_terms"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"author",
"description",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
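Review bot: `risk_score` carries `"description": "MaxSignals"`, the label of the neighbouring `max_signals` property, so a reader of the generated documentation is told the wrong meaning; the same mislabel is present in the eql, esql and machine_learning schemas further down this commit. The non-standard `min_compat` and empty `enumNames` keys suggest this file is emitted from the Python rule types, so the correction belongs in the source description (something like `"description": "RiskScore"`) followed by a regeneration rather than a hand edit of the JSON. Separately, `filters[].query` is an `anyOf` whose second branch accepts any object, which makes the first branch's `case_insensitive`/`value` requirements unenforceable; if the wildcard shape is meant to be checked, the permissive branch needs to exclude the `wildcard` key or the two alternatives should be merged. This section's file path is not shown on the page.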
@@ -0,0 +1,602 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"event_category_override": {
"min_compat": "8.0",
"type": "string"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql"
],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"tiebreaker_field": {
"min_compat": "8.0",
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_field": {
"min_compat": "8.0",
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"eql"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
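Review bot: `alert_suppression.duration.value` has `"description": "AlertSupressionValue"` with "Suppression" misspelled, while the sibling `group_by` uses `AlertSuppressionGroupBy`; the same string recurs in the esql schema and in the section cut off at the end of the page, so it is best fixed once at the generating type and regenerated. `index` and `data_view_id` are both optional here and nothing relates them, so an EQL rule naming neither validates; if a data source is mandatory for this rule type (I cannot confirm that from the page), a top-level `"anyOf": [{"required": ["index"]}, {"required": ["data_view_id"]}]` expresses it in draft-04. The file path for this section is not visible.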
@@ -0,0 +1,590 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"esql"
],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"esql"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
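Review bot: the esql schema still admits `index`, `data_view_id` and `filters` even though `language` and `type` are pinned to `esql` and an ES|QL query names its own sources in its FROM clause; if the Kibana ES|QL rule type ignores or rejects those fields (worth confirming against the rule API), this schema silently accepts rule files that will not behave as written. If they are intentionally allowed for this type, a `"description"` on each stating that they are unused for esql would spare the next author the guess. The file path for this section is not visible on the page.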
@@ -0,0 +1,534 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"anomaly_threshold": {
"type": "integer"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"license": {
"type": "string"
},
"machine_learning_job_id": {
"anyOf": [
{
"type": "string"
},
{
"items": {
"type": "string"
},
"type": "array"
}
]
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"machine_learning"
],
"type": "string"
}
},
"required": [
"anomaly_threshold",
"author",
"description",
"machine_learning_job_id",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
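Review bot: `anomaly_threshold` is constrained only by `"type": "integer"`, so negatives and values above 100 pass even though ML anomaly scores are bounded to 0–100; adding `"minimum": 0` and `"maximum": 100` beside the type would mirror the bounds this same file already applies to `risk_score`. Likewise the array branch of `machine_learning_job_id` has no `"minItems": 1`, so `[]` satisfies the required-field check while referencing no job at all. Both look like one-line bound additions on the generating Python type, with the JSON regenerated afterward. This section's file path is not visible on the page.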
@@ -0,0 +1,645 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"new_terms": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"history_window_start": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"value": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"type": "array"
},
"value": {
"description": "NewTermsFields",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
}
},
"required": [
"field",
"history_window_start",
"value"
],
"type": "object"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"new_terms"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"new_terms",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
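Review bot: The enum under `properties.language` admits `eql` and `esql` although this schema pins `type` to `new_terms`, so a rule declaring `language: eql` validates here even though, as far as I recall, the Kibana rule API only accepts `kuery` or `lucene` for this rule type; the same four-value enum is repeated in the query, threat_match and threshold schemas that follow. If the upstream API agrees, narrow it to `"enum": ["kuery", "lucene"]` in all four places. Separately, `properties.risk_score` carries `"description": "MaxSignals"` although it is the 1–100 score, and `alert_suppression.duration.value` has the misspelled `"description": "AlertSupressionValue"`; both recur in the three following schemas. The description values (`NonEmptyStr`, `UUIDString`, `MaxSignals`) together with the non-standard `"enumNames": []` and `"min_compat"` keys read like generator output, so if these files are generated the fix belongs in the source type definitions; otherwise the two lines become `"description": "RiskScore"` and `"description": "AlertSuppressionValue"`.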
@@ -0,0 +1,594 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
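Review bot: `filters.items.properties.query` is an `anyOf` whose second branch accepts any object with non-null values, so the first branch — the closed `wildcard` object requiring `case_insensitive` and `value` — never constrains anything: a malformed `wildcard` filter simply matches the permissive branch and passes. If `wildcard` filters are meant to be validated, the permissive branch has to exclude the `wildcard` key (draft-04 allows `"not": {"required": ["wildcard"]}` on that branch, or a `oneOf` keyed on `wildcard`); if the strict branch is only meant as documentation, drop it so readers are not misled about what is enforced. The same construct appears in the new_terms, threat_match and threshold schemas in this commit and in the `filters` hunk of the modified schema at the end.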
@@ -0,0 +1,685 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"description": "AlertSuppressionGroupBy",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
},
"missing_fields_strategy": {
"description": "AlertSuppressionMissing",
"enum": [
"suppress",
"doNotSuppress"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"group_by",
"missing_fields_strategy"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"concurrent_searches": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"items_per_search": {
"description": "PositiveInteger",
"minimum": 1,
"type": "integer"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threat_filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"threat_index": {
"items": {
"type": "string"
},
"type": "array"
},
"threat_indicator_path": {
"type": "string"
},
"threat_language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"threat_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"entries": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"enum": [
"mapping"
],
"type": "string"
},
"value": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"field",
"type",
"value"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"entries"
],
"type": "object"
},
"type": "array"
},
"threat_query": {
"type": "string"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threat_match"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threat_index",
"threat_mapping",
"type"
],
"type": "object"
}
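Review bot: `threat_query` is missing from the top-level `required` list although `threat_index` and `threat_mapping` are there; as far as I recall the Kibana threat_match rule API requires the indicator query as well, so a rule without it passes this schema and is only rejected at import time. If the upstream API agrees, add `"threat_query"` to `required` between `"threat_mapping"` and `"type"`. `threat_language` also carries the four-value enum (`eql`, `esql`, `kuery`, `lucene`) even though the indicator query is a KQL/Lucene query, so it should be narrowed to `["kuery", "lucene"]` if the same holds there.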
@@ -0,0 +1,620 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"description": "AlertSupressionValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"unit",
"value"
],
"type": "object"
}
},
"required": [
"duration"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
"esql",
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"minimum": 1,
"type": "integer"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"maximum": 100,
"minimum": 1,
"type": "integer"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"description": "MarkdownField",
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threshold": {
"additionalProperties": false,
"properties": {
"cardinality": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"value": {
"description": "ThresholdValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"type": "array"
},
"field": {
"description": "CardinalityFields",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"type": "array"
},
"value": {
"description": "ThresholdValue",
"minimum": 1,
"type": "integer"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threshold"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threshold",
"type"
],
"type": "object"
}
@@ -52,15 +52,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -73,14 +167,30 @@
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -96,7 +206,7 @@
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
@@ -168,10 +278,9 @@
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
"type": "integer"
},
"risk_score_mapping": {
"items": {
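Review bot: The `anyOf` under `filters.items.properties.query` (L4897–L4935) does not constrain anything, because its second alternative (`type: object` with `additionalProperties` of any type) accepts every object, including one whose `wildcard` clause is malformed; the `required: ["case_insensitive", "value"]` and `additionalProperties: false` in the first alternative are therefore never enforced. If the first branch is meant to validate the wildcard form, the fallback branch has to exclude it, e.g. by adding `"not": { "required": ["wildcard"] }` to the second alternative, or the accepted query clauses should be listed explicitly. The identical block is repeated in every other schema file in this commit (the sections ending at L5192, L5387, L5571, L5766, L5961, L6166 and L6383), and the files look generated, so the change presumably belongs in the definitions they are derived from rather than in the JSON.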
@@ -31,9 +31,8 @@
},
"value": {
"description": "AlertSupressionValue",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
}
},
"required": [
@@ -81,6 +80,9 @@
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
@@ -111,15 +113,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -138,6 +234,23 @@
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql"
@@ -149,9 +262,8 @@
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -167,7 +279,7 @@
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
@@ -242,10 +354,9 @@
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
"type": "integer"
},
"risk_score_mapping": {
"items": {
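Review bot: The `description` values in this file are type names rather than descriptions, and two of them are wrong: `"description": "AlertSupressionValue"` on the suppression `value` is misspelled (Suppression), and `risk_score` carries `"description": "MaxSignals"`, which is the label of `max_signals`. Both lines are context in these hunks, so the mislabel predates the commit, but it is reproduced in every schema file touched here (L4989, L5001, L5184, L5196 and the matching lines in the later sections). Since the files appear generated, the fix is presumably a corrected name in whatever the generator reads (e.g. a description of `RiskScore` for `risk_score`), not an edit to the JSON itself.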
@@ -31,9 +31,8 @@
},
"value": {
"description": "AlertSupressionValue",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
}
},
"required": [
@@ -81,6 +80,9 @@
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
@@ -107,15 +109,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -134,6 +230,23 @@
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"esql"
@@ -145,9 +258,8 @@
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -163,7 +275,7 @@
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
@@ -238,10 +350,9 @@
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
"type": "integer"
},
"risk_score_mapping": {
"items": {
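Review bot: The widened `name` pattern `^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$` now accepts a rule name that ends in an opening bracket `[`, alongside the pre-existing trailing `(`. If the intent is to allow a bracketed suffix, only the closing character needs to be in the final class, i.e. `[a-zA-Z0-9\\]()]`; if a trailing `(` was never wanted either, `[a-zA-Z0-9\\])]` is the tighter form. The same pattern change is made in every schema file in this commit (first at L4982, then L5177, L5372, L5556, L5751, L5946, L6151 and L6346), so whichever form is chosen should go into the generator rather than each file. The lazy `.+?` has no effect under the `$` anchor and could simply be `.+`.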
@@ -15,8 +15,7 @@
"type": "array"
},
"anomaly_threshold": {
"format": "integer",
"type": "number"
"type": "integer"
},
"author": {
"items": {
@@ -56,15 +55,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -77,6 +170,23 @@
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"license": {
"type": "string"
},
@@ -95,9 +205,8 @@
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -113,7 +222,7 @@
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
@@ -185,10 +294,9 @@
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
"type": "integer"
},
"risk_score_mapping": {
"items": {
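Review bot: `anomaly_threshold` becomes a bare `"type": "integer"` with no `minimum` or `maximum`, so negative values and values above 100 validate. Kibana's machine-learning rule uses this as an anomaly-score threshold, which to my knowledge is bounded 0–100; if that holds here, `"minimum": 0, "maximum": 100` alongside the type would pin it, the same way `risk_score` is bounded later in this file. This is a pre-existing gap that the `number` → `integer` change does not close.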
@@ -31,9 +31,8 @@
},
"value": {
"description": "AlertSupressionValue",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
}
},
"required": [
@@ -81,6 +80,9 @@
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
@@ -107,15 +109,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -134,6 +230,23 @@
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
@@ -149,9 +262,8 @@
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -167,7 +279,7 @@
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"new_terms": {
@@ -292,10 +404,9 @@
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
"type": "integer"
},
"risk_score_mapping": {
"items": {
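Review bot: In the `filters` hunk, `meta` is closed with `additionalProperties: false` and `meta.params` is typed as a plain `string`. In Kibana filter objects, to my recollection, `meta.params` is frequently an object (phrase and range filters) and `meta` can carry keys beyond those listed here, so a rule exported from Kibana with such a filter would be rejected by this schema. If the intent is only to validate the filter shapes this repository's rules actually use, that is acceptable but worth a comment where the definition is generated; otherwise `params` should admit an object too, e.g. `"type": ["string", "object"]`. The same `meta` block is in every schema file in this commit.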
@@ -31,9 +31,8 @@
},
"value": {
"description": "AlertSupressionValue",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
}
},
"required": [
@@ -81,6 +80,9 @@
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
@@ -107,15 +109,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -134,6 +230,23 @@
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
@@ -149,9 +262,8 @@
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -167,7 +279,7 @@
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
@@ -242,10 +354,9 @@
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
"type": "integer"
},
"risk_score_mapping": {
"items": {
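Review bot: `investigation_fields.field_names` is required but may be an empty array, so `{"field_names": []}` validates even though each element must be a non-empty string. If an empty list is not meaningful, `"minItems": 1` next to `"type": "array"` would reject it. The same definition is inserted into every schema file in this commit (first at L4948), so the constraint belongs in the shared definition rather than in each file.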
@@ -31,9 +31,8 @@
},
"value": {
"description": "AlertSupressionValue",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
}
},
"required": [
@@ -83,9 +82,11 @@
},
"concurrent_searches": {
"description": "PositiveInteger",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
@@ -113,15 +114,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -140,11 +235,27 @@
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"items_per_search": {
"description": "PositiveInteger",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
},
"language": {
"enum": [
@@ -161,9 +272,8 @@
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -179,7 +289,7 @@
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
@@ -254,10 +364,9 @@
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
"type": "integer"
},
"risk_score_mapping": {
"items": {
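Review bot: `data_view_id` is added as an unconstrained optional string; nothing requires it to be non-empty, and nothing in the schema relates it to the index list, if this rule type carries one. If the rule model treats a data view and an index list as alternatives (as Kibana does, to my knowledge), JSON Schema can only express that with a `oneOf`, so it is worth confirming that the Python-side validation covers the exclusivity; at minimum `"minLength": 1` would reject an empty id. The same addition is made at L5013, L5208, L5587, L5782 and L6182.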
@@ -31,9 +31,8 @@
},
"value": {
"description": "AlertSupressionValue",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
}
},
"required": [
@@ -60,6 +59,9 @@
],
"type": "string"
},
"data_view_id": {
"type": "string"
},
"description": {
"type": "string"
},
@@ -86,15 +88,109 @@
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"enum": [
"appState",
"globalState"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"store"
],
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"controlledBy": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"group": {
"type": "string"
},
"index": {
"type": "string"
},
"isMultiIndex": {
"type": "boolean"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"type": "string"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"anyOf": [
{
"additionalProperties": false,
"properties": {
"wildcard": {
"additionalProperties": {
"additionalProperties": false,
"properties": {
"case_insensitive": {
"type": "boolean"
},
"value": {
"type": "string"
}
},
"required": [
"case_insensitive",
"value"
],
"type": "object"
},
"type": "object"
}
},
"type": "object"
},
{
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
}
]
}
},
"required": [
"meta"
],
"type": "object"
},
"type": "array"
@@ -113,6 +209,23 @@
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"investigation_fields": {
"additionalProperties": false,
"properties": {
"field_names": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"field_names"
],
"type": "object"
},
"language": {
"enum": [
"eql",
@@ -128,9 +241,8 @@
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
},
"meta": {
"additionalProperties": {
@@ -146,7 +258,7 @@
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$",
"type": "string"
},
"note": {
@@ -221,10 +333,9 @@
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
"type": "integer"
},
"risk_score_mapping": {
"items": {
@@ -409,9 +520,8 @@
},
"value": {
"description": "ThresholdValue",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
}
},
"required": [
@@ -434,9 +544,8 @@
},
"value": {
"description": "ThresholdValue",
"format": "integer",
"minimum": 1,
"type": "number"
"type": "integer"
}
},
"required": [
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -103,4 +103,9 @@
"8.14.0":
beats: "8.12.2"
ecs: "8.11.0"
endgame: "8.4.0"
"8.15.0":
beats: "8.13.4"
ecs: "8.11.0"
endgame: "8.4.0"
+6
@@ -280,6 +280,12 @@ def migrate_to_8_13(version: Version, api_contents: dict) -> dict:
return strip_additional_properties(version, api_contents)
@migrate("8.14")
def migrate_to_8_14(version: Version, api_contents: dict) -> dict:
"""Default migration for 8.14."""
return strip_additional_properties(version, api_contents)
def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict:
"""Downgrade a rule to a target stack version."""
from ..packaging import current_stack_version
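Review bot: The new `migrate_to_8_14` duplicates `migrate_to_8_13` line for line; only the version string differs, and each release adds another copy. If `migrate` is a plain registering decorator, the default `strip_additional_properties` migrations could be registered from a single loop over the versions in the stack schema map, removing the per-release edit; if explicit functions are preferred for discoverability, the docstring could at least say what the default migration strips rather than restating the version. The body of `downgrade` continues past the end of the hunk.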