diff --git a/detection_rules/etc/api_schemas/master/master.base.json b/detection_rules/etc/api_schemas/master/master.base.json index d8f0a4a62..b906ee326 100644 --- a/detection_rules/etc/api_schemas/master/master.base.json +++ b/detection_rules/etc/api_schemas/master/master.base.json @@ -83,15 +83,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -108,9 +108,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { @@ -147,22 +146,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -178,16 +166,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -203,6 +187,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { @@ -236,6 +222,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { @@ -323,13 +310,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -344,6 +331,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { 
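Review bot: The new `rule_id` pattern in the `@@ -236,6 +222,7 @@` hunk hard-codes a second alternative, `^7eb54028-ca72-4eb7-8185-b6864572347db$`, whose final group is 13 hex characters, so it is not a UUID and the alternation grandfathers one malformed id straight into the validator. The same literal is copied verbatim into all eight master.*.json schemas in this diff, so any later cleanup has to touch every file, and a JSON schema has no place to record why the exception exists. Consider fixing the id where it is used (or keeping the allow-list in the generator/validator code next to a comment) and emitting only `"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"`. Note the class is lowercase-only, so upper-case UUIDs would be rejected; presumably intended, but worth confirming against the existing rule files.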
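Review bot: In the `@@ -323,13 +310,13 @@` hunk the new tactic `reference` pattern leaves the dots in `attack.mitre.org` unescaped, so `.` matches any character and a URL whose host differs from attack.mitre.org by one character still validates; the technique and subtechnique patterns added in the following hunks have the same gap. Escaping them, e.g. `"pattern": "^https://attack\\.mitre\\.org/tactics/TA[0-9]+/$"`, makes the check as strict as it reads. The same hunk also drops `reference` from `required`, so the pattern now constrains only references that are present; if rules in this repo are expected to always carry one, that guarantee has moved elsewhere and should be confirmed.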
@@ -357,13 +345,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -374,8 +362,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -400,14 +387,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -434,17 +417,13 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", - "name", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.eql.json b/detection_rules/etc/api_schemas/master/master.eql.json index c02f1f221..c98b4fe61 100644 --- a/detection_rules/etc/api_schemas/master/master.eql.json +++ b/detection_rules/etc/api_schemas/master/master.eql.json @@ -35,29 +35,33 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" }, "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { @@ -143,15 +147,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -174,9 +178,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { 
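Review bot: The `@@ -434,17 +417,13 @@` hunk removes `name`, `risk_score` and `rule_id` from the top-level `required` list, so a rule object lacking all three now passes this schema; the same removal is made at the end of every other master.*.json in this diff (eql, esql, machine_learning, new_terms, query, threat_match, threshold). If these api_schemas gate rule content before upload, a rule with no `rule_id` would now only be caught downstream. If the relaxation mirrors an upstream API definition where those fields are optional on create, a sentence in the commit message or generator saying so would let the next reader tell an intended change from a regression.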
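Review bot: The `@@ -35,29 +35,33 @@` hunk of master.eql.json adds `"enumNames": []` beside the new `missing_fields_strategy` enum; `enumNames` is not a keyword in any JSON Schema draft (validators ignore it as an annotation) and an empty array carries no information, so it is noise that will be re-emitted into eql, esql, machine_learning, new_terms, query and threat_match on every regeneration. Either drop the key from the generator output or populate it with the two display names, e.g. `"enumNames": ["Suppress", "Do not suppress"]` (constructed example), so the field means something to its consumers.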
@@ -216,22 +219,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -247,16 +239,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -272,6 +260,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { @@ -305,6 +295,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { @@ -392,13 +383,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -413,6 +404,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -426,13 +418,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -443,8 +435,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -475,14 +466,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_field": { "min_compat": "8.0", @@ -507,19 +494,15 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "type" ], 
diff --git a/detection_rules/etc/api_schemas/master/master.esql.json b/detection_rules/etc/api_schemas/master/master.esql.json index 9b65120b1..1d1fb8294 100644 --- a/detection_rules/etc/api_schemas/master/master.esql.json +++ b/detection_rules/etc/api_schemas/master/master.esql.json @@ -35,29 +35,33 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" }, "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { @@ -137,15 +141,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -168,9 +172,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { @@ -210,22 +213,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -241,16 +233,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -266,6 +254,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { 
@@ -299,6 +289,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { @@ -386,13 +377,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -407,6 +398,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -420,13 +412,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -437,8 +429,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -463,14 +454,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -489,19 +476,15 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.machine_learning.json b/detection_rules/etc/api_schemas/master/master.machine_learning.json index 1c6f37186..aba2ac99c 100644 --- a/detection_rules/etc/api_schemas/master/master.machine_learning.json +++ b/detection_rules/etc/api_schemas/master/master.machine_learning.json 
@@ -35,29 +35,33 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" }, "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "anomaly_threshold": { @@ -127,15 +131,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -165,9 +169,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { @@ -204,22 +207,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -235,16 +227,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -260,6 +248,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { @@ -293,6 +283,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { @@ -380,13 +371,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, 
@@ -401,6 +392,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -414,13 +406,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -431,8 +423,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -457,14 +448,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -483,9 +470,8 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ @@ -493,9 +479,6 @@ "author", "description", "machine_learning_job_id", - "name", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.new_terms.json b/detection_rules/etc/api_schemas/master/master.new_terms.json index 52f0ef274..ea0c41fc8 100644 --- a/detection_rules/etc/api_schemas/master/master.new_terms.json +++ b/detection_rules/etc/api_schemas/master/master.new_terms.json @@ -35,29 +35,33 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" }, "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { 
@@ -137,15 +141,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -172,9 +176,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { @@ -197,6 +200,7 @@ "additionalProperties": false, "properties": { "field": { + "minLength": 1, "type": "string" }, "history_window_start": { @@ -204,31 +208,26 @@ "additionalProperties": false, "properties": { "field": { - "type": "string" - }, - "value": { + "minLength": 1, "type": "string" } }, - "required": [ - "field", - "value" - ], "type": "object" }, "type": "array" }, "value": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" } }, "required": [ - "field", - "history_window_start", - "value" + "history_window_start" ], "type": "object" }, @@ -253,22 +252,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -284,16 +272,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -309,6 +293,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { @@ -342,6 +328,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { 
@@ -429,13 +416,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -450,6 +437,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -463,13 +451,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -480,8 +468,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -506,14 +493,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -532,20 +515,16 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", "language", - "name", "new_terms", "query", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.query.json b/detection_rules/etc/api_schemas/master/master.query.json index acc0c13ff..d0c06e1d7 100644 --- a/detection_rules/etc/api_schemas/master/master.query.json +++ b/detection_rules/etc/api_schemas/master/master.query.json @@ -35,29 +35,33 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" }, "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { 
@@ -137,15 +141,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -172,9 +176,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { @@ -214,22 +217,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -245,16 +237,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -270,6 +258,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { @@ -303,6 +293,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { @@ -390,13 +381,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -411,6 +402,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -424,13 +416,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -441,8 +433,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, 
@@ -467,14 +458,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -493,19 +480,15 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.threat_match.json b/detection_rules/etc/api_schemas/master/master.threat_match.json index fa1b1435f..05f55aca7 100644 --- a/detection_rules/etc/api_schemas/master/master.threat_match.json +++ b/detection_rules/etc/api_schemas/master/master.threat_match.json @@ -35,29 +35,33 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" }, "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { @@ -74,11 +78,6 @@ "string" ] }, - "concurrent_searches": { - "type": [ - "integer" - ] - }, "data_view_id": { "type": [ "string" @@ -142,15 +141,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -161,11 +160,6 @@ ], "type": "object" }, - "items_per_search": { - "type": [ - "integer" - ] - }, "language": { "enum": [ "eql", @@ -182,9 +176,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { 
@@ -224,22 +217,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -255,16 +237,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -280,6 +258,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { @@ -313,6 +293,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { @@ -400,13 +381,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -421,6 +402,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -434,13 +416,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -451,8 +433,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -520,6 +501,7 @@ "additionalProperties": false, "properties": { "field": { + "minLength": 1, "type": "string" }, "negate": { @@ -533,15 +515,10 @@ "mapping" ], "type": "string" - }, - "value": { - "type": "string" } }, "required": [ - "field", - "type", - "value" + "type" ], "type": "object" }, 
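Review bot: In the `@@ -533,15 +515,10 @@` hunk the `value` property is deleted from the threat-mapping entry object while the object keeps `"additionalProperties": false` (visible at the top of the `@@ -520,6 +501,7 @@` hunk), so an entry that still carries `value` is now rejected outright rather than merely left unchecked. Unless every existing threat_match rule has already dropped `value` from its entries, this breaks validation of those rules; restoring `"value": { "minLength": 1, "type": "string" }` under `properties` (and in `required`, if it is still mandatory) keeps them valid. The enclosing `threat_mapping` definition starts before the hunk, so I cannot see whether an alternative branch accepts `value`.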
@@ -566,14 +543,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -592,19 +565,15 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "threat_index", "threat_mapping", diff --git a/detection_rules/etc/api_schemas/master/master.threshold.json b/detection_rules/etc/api_schemas/master/master.threshold.json index 9f1e14575..e953c2831 100644 --- a/detection_rules/etc/api_schemas/master/master.threshold.json +++ b/detection_rules/etc/api_schemas/master/master.threshold.json @@ -35,12 +35,12 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" } @@ -127,15 +127,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -162,9 +162,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { @@ -204,22 +203,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -235,16 +223,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -260,6 +244,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { 
@@ -293,6 +279,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { @@ -380,13 +367,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -401,6 +388,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -414,13 +402,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -431,8 +419,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -462,12 +449,12 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "field", - "value" + "field" ], "type": "object" }, @@ -477,18 +464,17 @@ }, "field": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 5, "type": "array" }, "value": { + "minimum": 1, "type": "integer" } }, - "required": [ - "field", - "value" - ], "type": "object" }, "throttle": { @@ -497,14 +483,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -523,19 +505,15 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "threshold", "type" diff --git a/detection_rules/etc/attack-technique-redirects.json b/detection_rules/etc/attack-technique-redirects.json index d90589b1a..b7945aff0 100644 --- a/detection_rules/etc/attack-technique-redirects.json 
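Review bot: The `@@ -477,18 +464,17 @@` hunk removes the `"required": ["field", "value"]` block from the threshold object, so an empty `threshold` now validates even though the same hunk adds `"minimum": 1` to `value`; a bound on a field that need not exist gives weaker assurance than it appears to. The cardinality hunk just above (`@@ -462,12 +449,12 @@`) makes the same change for its `value`. If `value` is genuinely optional upstream, consider documenting the default it falls back to; otherwise keep `"required": ["value"]` on both objects.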
+++ b/detection_rules/etc/attack-technique-redirects.json
@@ -133,5 +133,5 @@
 "T1547.011": "T1647",
 "T1574.002": "T1574.001"
 },
- "saved_date": "Fri Oct 17 17:21:42 2025"
+ "saved_date": "Tue Nov 11 12:54:18 2025"
 }
\ No newline at end of file
diff --git a/detection_rules/etc/attack-v17.1.0.json.gz b/detection_rules/etc/attack-v17.1.0.json.gz
deleted file mode 100644
index f6d940050..000000000
Binary files a/detection_rules/etc/attack-v17.1.0.json.gz and /dev/null differ
diff --git a/detection_rules/etc/attack-v18.0.0.json.gz b/detection_rules/etc/attack-v18.0.0.json.gz
new file mode 100644
index 000000000..47ebc3ef0
Binary files /dev/null and b/detection_rules/etc/attack-v18.0.0.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz
index 29d630db7..f26c3a668 100644
Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/v9.2.0.json.gz b/detection_rules/etc/beats_schemas/v9.2.0.json.gz
new file mode 100644
index 000000000..fb1fa16e7
Binary files /dev/null and b/detection_rules/etc/beats_schemas/v9.2.0.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz
index 92765d2f0..2c990bbd7 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz
index 4e25c4670..d42152e79 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz
index b50566923..dcd860b45 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz
index 781496f61..17a508d31 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz
index 8f806bd06..7008703ec 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz
index 4b276bd09..eb6954772 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
index 72d9c3a79..bb62b611a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
index 870d70280..74babad48 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
index fd37422e7..dcbcd943d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz
index 6f0e9f751..c190cf50b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz
index b30fce62e..f302b1dc7 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz
index 2c6592704..0e1df01ac 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz
index d54743259..a0adb062c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz
index 5e9c10911..61cb52a6b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz
index 4fdf5ee0a..46da5bc3f 100644
Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz
index 61e50209a..d522e62fd 100644
Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
index 1836050c8..aa36b12db 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
index 1a421f21a..4df627c0a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
index 6ed00e2c9..405636961 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
index 99ed8301a..01b183143 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
index a51ac507a..7f07a8753 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
index afc888a18..bf76820eb 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
index a397f2c46..d985ab402 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
index 942970341..1dfd07877 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz
index 3b0410559..64f174f2f 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz
index 268c199e4..d959ec8c0 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz
index 3ad6a884e..2b557e05c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz
index 5402a828a..b29aaec22 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz
index dc2b4bac1..d24e7d4b0 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz
index 14fb13413..6bed5da35 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz
index e65034a10..9c33f1a8d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
index cd8793d25..bca999598 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz index c5f830cda..edc8672a7 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz index ad968e8be..3e4d8453b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz index 15479f927..a2451de57 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz index 0df5a1336..32f3e1673 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz index 6abbd1089..c0dacff01 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz index f99863918..68b04c073 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz index 08b2cbf9c..15607ae60 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz index f03fc15a7..ffab6c59b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz index 0be1ec60a..1daff702a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz index bc5155ab9..c115b2cf6 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz index 97c62e940..118219331 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz index 5b5bb4792..87d34ca70 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz index 5419c6b27..48080d9ee 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz index 562eeba5b..ef4a82a69 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz index 3cf283715..980275eae 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz index ccadcd464..cc577f135 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz index 90a4ed250..192ddb350 100644 Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz index 748ca0a65..7ecd11e79 100644 Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz index 5f7be7369..c28b653d2 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz index d4267ff8b..9d421e920 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz index 7b0b15d01..a78b18786 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz index a024a6fa5..0f6855f55 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz index 0cc734483..49ddfdfd5 100644 Binary files a/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz index af638fbc7..46674f519 100644 Binary files a/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz index 6afb585f4..5888bc7b5 100644 Binary files a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz index a5e4b1c3d..343d5777b 100644 Binary files a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz new file mode 100644 index 000000000..76ba01818 Binary files /dev/null and b/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz new file mode 100644 index 000000000..d4db229bb Binary files /dev/null and b/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/master_9.3.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_9.3.0-dev/ecs_flat.json.gz index 06d9ab77a..bce4528f5 100644 Binary files a/detection_rules/etc/ecs_schemas/master_9.3.0-dev/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/master_9.3.0-dev/ecs_flat.json.gz differ diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index 7d17cdc28..e1291d251 100644 Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ 
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index ee747fb53..d07a7ef8f 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml
index 6513c9319..d61ae9fd0 100644
--- a/detection_rules/etc/stack-schema-map.yaml
+++ b/detection_rules/etc/stack-schema-map.yaml
@@ -140,11 +140,11 @@ endgame: "8.4.0"
 "9.2.0":
- beats: "9.1.5"
- ecs: "9.2.0-rc1"
+ beats: "9.2.0"
+ ecs: "9.2.0"
 endgame: "8.4.0"
 "9.3.0":
- beats: "9.1.5"
- ecs: "9.2.0-rc1"
+ beats: "9.2.0"
+ ecs: "9.2.0"
 endgame: "8.4.0"
\ No newline at end of file
diff --git a/pyproject.toml b/pyproject.toml
index c2808a4c7..79d3df012 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.5"
+version = "1.5.6"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml
index 56b37d8eb..dceb1356b 100644
--- a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml
+++ b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/10/30"
+updated_date = "2025/11/11"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +17,37 @@ index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via SUID/SGID Proxy Execution"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Privilege Escalation via SUID/SGID Proxy Execution
+
+This rule surfaces executions of well-known SUID/SGID helpers on Linux that run with root privileges while the launching user remains non‑root, signaling an attempt to proxy elevated rights. It matters because a non‑privileged process invoking pkexec can spawn /bin/sh as root via environment manipulation, turning a low-privilege foothold into full system control.
+
+### Possible investigation steps
+
+- Determine if the invocation is interactive and expected (e.g., admin using su/sudo) by correlating with a TTY/SSH session, recent successful authentication logs, and sudo/polkit policy outcomes in journald.
+- For pkexec events, inspect the environment for exploit indicators (e.g., unset argv or suspicious GCONV_PATH, PATH, LD_PRELOAD, LC_* values) and look for attacker-created files in /tmp or the user's home that match gconv or loader artifacts.
+- Review the child/descendant process tree of the SUID/SGID helper to see if it spawned a root shell or arbitrary interpreter, and pivot to concurrent network connections or file writes by those children.
+- Validate whether the executable’s SUID/SGID file on disk has been tampered with by checking its hash, permissions, ownership, and recent mtime against package manager metadata and known-good baselines.
+- If the binary is mount/umount/fusermount or newuidmap/newgidmap, correlate with container or FUSE activity to confirm a legitimate workflow and inspect mounts or namespace changes for risky options (e.g., suid, exec) or unusual target directories.
+
+### False positive analysis
+
+- An authorized pkexec or polkit-agent-helper invocation by a user to perform a permitted administrative task may run as root while the real user is non‑root, often with a single‑argument parent, and should align with an interactive prompt and expected policy.
+- Normal unprivileged workflows using fusermount3 or newuidmap/newgidmap legitimately leverage SUID/SGID helpers, typically launched by a simple shell with one argument, and should correlate with expected mount or user‑namespace activity.
+
+### Response and remediation
+
+- Immediately isolate the host, kill the offending SUID/SGID child processes (e.g., pkexec spawning /bin/sh), and temporarily remove the setuid/setgid bit from the abused binary (chmod u-s /usr/bin/pkexec or chmod g-s /usr/bin/newgrp) to halt further elevation.
+- Reinstall and verify integrity of abused packages and SUID helpers (e.g., polkit to replace /usr/bin/pkexec, dbus-daemon-launch-helper, fusermount3) and delete attacker artifacts such as gconv modules or LD_PRELOAD payloads from /tmp, /var/tmp, and user homes.
+- Undo attacker changes by restoring /etc/sudoers, /etc/passwd and /etc/shadow, and polkit rules under /usr/share/polkit-1 or /etc/polkit-1, unmount suspicious FUSE or bind mounts created by fusermount3/mount, and rotate credentials and keys.
+- Escalate to incident command if you observe a SUID helper launching an interactive root shell (/bin/sh -p or bash -p), root-owned droppers in /tmp or /usr/local/bin, or similar events on more than one host or account.
+- Permanently reduce the SUID/SGID attack surface by auditing and removing setuid bits from rarely used binaries (e.g., chfn, chsh, newgrp, ssh-keysign), restricting pkexec via polkit rules to specific callers, and mounting /tmp, /var/tmp, and home directories with nosuid,nodev,noexec.
+- Strengthen monitoring and policy by enabling AppArmor/SELinux confinement for pkexec and mount helpers, adding auditd rules for exec of setuid binaries and writes to /tmp by root, and enforcing least-privilege sudoers by removing broad NOPASSWD entries and requiring MFA for privileged tasks.
+"""
 references = [
 "https://dfir.ch/posts/today_i_learned_binfmt_misc/",
 "https://gtfobins.github.io/#+suid",
@@ -58,6 +89,7 @@ tags = [
 "Tactic: Persistence",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
index 906e6cd15..c728a7ba0 100644
--- a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
+++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/11"
 
 [rule]
 author = ["Elastic"]
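Review bot: The remediation bullet in the added note, `chmod u-s /usr/bin/pkexec or chmod g-s /usr/bin/newgrp`, gives a command that would not stop the newgrp abuse it describes: on common distributions newgrp is setuid root rather than setgid, so `chmod g-s` leaves the setuid bit in place. Suggest `chmod u-s /usr/bin/newgrp`, or wording such as "remove whichever setuid/setgid bit the binary carries (confirm with ls -l first)" so responders verify before acting. Separately, the guide mixes non-breaking hyphens (U+2011, as in `non‑root`, `single‑argument`, `user‑namespace`) with ASCII hyphens (`low-privilege`, `known-good`); normalizing to ASCII keeps the note consistent with the Windows guide in this same diff and avoids missed matches when analysts search the text.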
@@ -15,6 +15,41 @@ index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Delayed Execution via Ping"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Delayed Execution via Ping
+
+Ping, a network utility, can be misused by attackers to delay execution of malicious commands, aiding in evasion. Adversaries may use ping to introduce pauses, allowing them to execute harmful scripts or binaries stealthily. The detection rule identifies suspicious ping usage followed by execution of known malicious utilities, flagging potential threats by monitoring specific command patterns and excluding benign processes.
+
+### Possible investigation steps
+
+- Review the process tree to understand the sequence of events, focusing on the parent-child relationship between cmd.exe, ping.exe, and any subsequent suspicious processes like rundll32.exe or powershell.exe.
+- Examine the command line arguments used with ping.exe to determine the delay introduced and assess if it aligns with typical malicious behavior.
+- Investigate the user account associated with the process execution, especially if the user.id is not S-1-5-18, to determine if the account has been compromised or is being misused.
+- Check the file path and code signature of any executables launched from the user's AppData directory to verify if they are trusted or potentially malicious.
+- Analyze the command line arguments and working directory of any suspicious processes to identify any known malicious patterns or scripts being executed.
+- Correlate the alert with any other recent alerts or logs from the same host or user to identify potential patterns or ongoing malicious activity.
+
+### False positive analysis
+
+- Legitimate administrative scripts or maintenance tasks may use ping to introduce delays, especially in batch files executed by system administrators. To handle this, identify and exclude specific scripts or command lines that are known to be safe.
+- Software installations or updates might use ping for timing purposes. Review the command lines and parent processes involved, and create exceptions for trusted software paths or signatures.
+- Automated testing environments may use ping to simulate network latency or wait for services to start. Exclude these processes by identifying the testing framework or environment and adding it to the exception list.
+- Some legitimate applications might use ping as part of their normal operation. Monitor these applications and, if verified as safe, exclude their specific command patterns or executable paths.
+- Regularly review and update the exception list to ensure it reflects the current environment and any new legitimate use cases that arise.
+
+### Response and remediation
+
+- Isolate the affected system from the network immediately to prevent further malicious activity and lateral movement.
+- Terminate any suspicious processes identified in the alert, such as those involving ping.exe followed by the execution of known malicious utilities.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware or unauthorized software.
+- Review and analyze the command history and logs of the affected system to understand the scope of the attack and identify any additional compromised systems.
+- Restore the system from a known good backup if malware removal is not feasible or if the system's integrity is in question.
+- Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the alert.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 risk_score = 21
 rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
 severity = "low"
@@ -64,41 +99,6 @@ sequence by process.parent.entity_id with maxspan=1m
 "?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\"))
 ]
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Delayed Execution via Ping
-
-Ping, a network utility, can be misused by attackers to delay execution of malicious commands, aiding in evasion. Adversaries may use ping to introduce pauses, allowing them to execute harmful scripts or binaries stealthily. The detection rule identifies suspicious ping usage followed by execution of known malicious utilities, flagging potential threats by monitoring specific command patterns and excluding benign processes.
-
-### Possible investigation steps
-
-- Review the process tree to understand the sequence of events, focusing on the parent-child relationship between cmd.exe, ping.exe, and any subsequent suspicious processes like rundll32.exe or powershell.exe.
-- Examine the command line arguments used with ping.exe to determine the delay introduced and assess if it aligns with typical malicious behavior.
-- Investigate the user account associated with the process execution, especially if the user.id is not S-1-5-18, to determine if the account has been compromised or is being misused.
-- Check the file path and code signature of any executables launched from the user's AppData directory to verify if they are trusted or potentially malicious.
-- Analyze the command line arguments and working directory of any suspicious processes to identify any known malicious patterns or scripts being executed.
-- Correlate the alert with any other recent alerts or logs from the same host or user to identify potential patterns or ongoing malicious activity.
-
-### False positive analysis
-
-- Legitimate administrative scripts or maintenance tasks may use ping to introduce delays, especially in batch files executed by system administrators. To handle this, identify and exclude specific scripts or command lines that are known to be safe.
-- Software installations or updates might use ping for timing purposes. Review the command lines and parent processes involved, and create exceptions for trusted software paths or signatures.
-- Automated testing environments may use ping to simulate network latency or wait for services to start. Exclude these processes by identifying the testing framework or environment and adding it to the exception list.
-- Some legitimate applications might use ping as part of their normal operation. Monitor these applications and, if verified as safe, exclude their specific command patterns or executable paths.
-- Regularly review and update the exception list to ensure it reflects the current environment and any new legitimate use cases that arise.
-
-### Response and remediation
-
-- Isolate the affected system from the network immediately to prevent further malicious activity and lateral movement.
-- Terminate any suspicious processes identified in the alert, such as those involving ping.exe followed by the execution of known malicious utilities.
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware or unauthorized software.
-- Review and analyze the command history and logs of the affected system to understand the scope of the attack and identify any additional compromised systems.
-- Restore the system from a known good backup if malware removal is not feasible or if the system's integrity is in question.
-- Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the alert.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 
 
 [[rule.threat]]
@@ -176,7 +176,7 @@ name = "Virtualization/Sandbox Evasion"
 reference = "https://attack.mitre.org/techniques/T1497/"
 [[rule.threat.technique.subtechnique]]
 id = "T1497.003"
-name = "Time Based Evasion"
+name = "Time Based Checks"
 reference = "https://attack.mitre.org/techniques/T1497/003/"