From eb40c52c7c9cf7e4354fe975f10f4b4e917cd077 Mon Sep 17 00:00:00 2001 
From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Thu, 13 May 2021 14:27:32 -0600 Subject: [PATCH] Port historical schemas to jsonschema (#1084) * Port historical schemas to jsonschema * Add marshmallow-json dependency * Mark etc/api_schemas as binary * Remove gitattributes attempt * Lint fix * Apply PR feedback * Additional PR feedback * Extract stack version from packages.yml * Fix the backport schemas * Cache the schema reads * Add migration for #1167 * Make a separate 'migration not found' error --- detection_rules/cli_utils.py | 8 +- detection_rules/devtools.py | 10 + detection_rules/main.py | 9 +- detection_rules/mixins.py | 51 + detection_rules/packaging.py | 9 +- detection_rules/rule.py | 41 +- detection_rules/rule_formatter.py | 20 +- detection_rules/schemas/__init__.py | 196 +++- detection_rules/schemas/base.py | 133 --- detection_rules/schemas/definitions.py | 3 +- detection_rules/schemas/v7_10.py | 37 - detection_rules/schemas/v7_11.py | 69 -- detection_rules/schemas/v7_12.py | 61 -- detection_rules/schemas/v7_8.py | 127 --- detection_rules/schemas/v7_9.py | 74 -- etc/api_schemas/7.10/7.10.base.json | 633 +++++++++++ etc/api_schemas/7.10/7.10.eql.json | 658 ++++++++++++ .../7.10/7.10.machine_learning.json | 650 ++++++++++++ etc/api_schemas/7.10/7.10.query.json | 660 ++++++++++++ etc/api_schemas/7.10/7.10.saved_query.json | 651 ++++++++++++ etc/api_schemas/7.10/7.10.threshold.json | 679 ++++++++++++ etc/api_schemas/7.11/7.11.base.json | 928 ++++++++++++++++ etc/api_schemas/7.11/7.11.eql.json | 953 +++++++++++++++++ .../7.11/7.11.machine_learning.json | 945 +++++++++++++++++ etc/api_schemas/7.11/7.11.query.json | 955 +++++++++++++++++ etc/api_schemas/7.11/7.11.saved_query.json | 946 +++++++++++++++++ etc/api_schemas/7.11/7.11.threshold.json | 974 +++++++++++++++++ etc/api_schemas/7.12/7.12.base.json | 928 ++++++++++++++++ etc/api_schemas/7.12/7.12.eql.json | 953 +++++++++++++++++ .../7.12/7.12.machine_learning.json | 945 
+++++++++++++++++ etc/api_schemas/7.12/7.12.query.json | 955 +++++++++++++++++ etc/api_schemas/7.12/7.12.saved_query.json | 946 +++++++++++++++++ etc/api_schemas/7.12/7.12.threshold.json | 993 ++++++++++++++++++ etc/api_schemas/7.13/7.13.base.json | 301 ++++++ etc/api_schemas/7.13/7.13.eql.json | 306 ++++++ .../7.13/7.13.machine_learning.json | 301 ++++++ etc/api_schemas/7.13/7.13.query.json | 311 ++++++ etc/api_schemas/7.13/7.13.threat_match.json | 393 +++++++ etc/api_schemas/7.13/7.13.threshold.json | 355 +++++++ etc/api_schemas/7.8/7.8.base.json | 554 ++++++++++ etc/api_schemas/7.8/7.8.machine_learning.json | 571 ++++++++++ etc/api_schemas/7.8/7.8.query.json | 581 ++++++++++ etc/api_schemas/7.8/7.8.saved_query.json | 572 ++++++++++ etc/api_schemas/7.9/7.9.base.json | 633 +++++++++++ etc/api_schemas/7.9/7.9.machine_learning.json | 650 ++++++++++++ etc/api_schemas/7.9/7.9.query.json | 660 ++++++++++++ etc/api_schemas/7.9/7.9.saved_query.json | 651 ++++++++++++ etc/api_schemas/7.9/7.9.threshold.json | 679 ++++++++++++ etc/api_schemas/master/master.base.json | 301 ++++++ etc/api_schemas/master/master.eql.json | 306 ++++++ .../master/master.machine_learning.json | 301 ++++++ etc/api_schemas/master/master.query.json | 311 ++++++ .../master/master.threat_match.json | 393 +++++++ etc/api_schemas/master/master.threshold.json | 355 +++++++ requirements.txt | 1 + tests/test_schemas.py | 8 +- 56 files changed, 25134 insertions(+), 560 deletions(-) delete mode 100644 detection_rules/schemas/base.py delete mode 100644 detection_rules/schemas/v7_10.py delete mode 100644 detection_rules/schemas/v7_11.py delete mode 100644 detection_rules/schemas/v7_12.py delete mode 100644 detection_rules/schemas/v7_8.py delete mode 100644 detection_rules/schemas/v7_9.py create mode 100644 etc/api_schemas/7.10/7.10.base.json create mode 100644 etc/api_schemas/7.10/7.10.eql.json create mode 100644 etc/api_schemas/7.10/7.10.machine_learning.json create mode 100644 
etc/api_schemas/7.10/7.10.query.json create mode 100644 etc/api_schemas/7.10/7.10.saved_query.json create mode 100644 etc/api_schemas/7.10/7.10.threshold.json create mode 100644 etc/api_schemas/7.11/7.11.base.json create mode 100644 etc/api_schemas/7.11/7.11.eql.json create mode 100644 etc/api_schemas/7.11/7.11.machine_learning.json create mode 100644 etc/api_schemas/7.11/7.11.query.json create mode 100644 etc/api_schemas/7.11/7.11.saved_query.json create mode 100644 etc/api_schemas/7.11/7.11.threshold.json create mode 100644 etc/api_schemas/7.12/7.12.base.json create mode 100644 etc/api_schemas/7.12/7.12.eql.json create mode 100644 etc/api_schemas/7.12/7.12.machine_learning.json create mode 100644 etc/api_schemas/7.12/7.12.query.json create mode 100644 etc/api_schemas/7.12/7.12.saved_query.json create mode 100644 etc/api_schemas/7.12/7.12.threshold.json create mode 100644 etc/api_schemas/7.13/7.13.base.json create mode 100644 etc/api_schemas/7.13/7.13.eql.json create mode 100644 etc/api_schemas/7.13/7.13.machine_learning.json create mode 100644 etc/api_schemas/7.13/7.13.query.json create mode 100644 etc/api_schemas/7.13/7.13.threat_match.json create mode 100644 etc/api_schemas/7.13/7.13.threshold.json create mode 100644 etc/api_schemas/7.8/7.8.base.json create mode 100644 etc/api_schemas/7.8/7.8.machine_learning.json create mode 100644 etc/api_schemas/7.8/7.8.query.json create mode 100644 etc/api_schemas/7.8/7.8.saved_query.json create mode 100644 etc/api_schemas/7.9/7.9.base.json create mode 100644 etc/api_schemas/7.9/7.9.machine_learning.json create mode 100644 etc/api_schemas/7.9/7.9.query.json create mode 100644 etc/api_schemas/7.9/7.9.saved_query.json create mode 100644 etc/api_schemas/7.9/7.9.threshold.json create mode 100644 etc/api_schemas/master/master.base.json create mode 100644 etc/api_schemas/master/master.eql.json create mode 100644 etc/api_schemas/master/master.machine_learning.json create mode 100644 etc/api_schemas/master/master.query.json create 
mode 100644 etc/api_schemas/master/master.threat_match.json create mode 100644 etc/api_schemas/master/master.threshold.json diff --git a/detection_rules/cli_utils.py b/detection_rules/cli_utils.py index 4b7fd610c..7665a0a17 100644 --- a/detection_rules/cli_utils.py +++ b/detection_rules/cli_utils.py @@ -6,6 +6,7 @@ import copy import datetime import os +import typing from pathlib import Path from typing import List @@ -17,7 +18,7 @@ from . import ecs from .attack import matrix, tactics, build_threat_map_entry from .rule import TOMLRule, TOMLRuleContents from .rule_loader import RuleCollection, DEFAULT_RULES_DIR, dict_filter -from .schemas import CurrentSchema +from .schemas import definitions from .utils import clear_caches, get_path RULES_DIR = get_path("rules") @@ -111,9 +112,10 @@ def rule_prompt(path=None, rule_type=None, required_only=True, save=True, verbos kwargs.update(kwargs.pop('rule')) rule_type = rule_type or kwargs.get('type') or \ - click.prompt('Rule type', type=click.Choice(CurrentSchema.RULE_TYPES)) + click.prompt('Rule type', type=click.Choice(typing.get_args(definitions.RuleType))) - schema = CurrentSchema.get_schema(role=rule_type) + target_data_subclass = TOMLRuleContents.get_data_subclass(rule_type) + schema = target_data_subclass.jsonschema() props = schema['properties'] opt_reqs = schema.get('required', []) contents = {} diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py index 027aa1f7d..2f2e181fa 100644 --- a/detection_rules/devtools.py +++ b/detection_rules/devtools.py @@ -15,6 +15,7 @@ import time from pathlib import Path import click +import typing from elasticsearch import Elasticsearch from eql import load_dump 
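Review bot: `TOMLRuleContents.get_data_subclass(rule_type)` raises a plain `ValueError` for an unknown type, and at this point `rule_type` may have come from `kwargs.get('type')` (the config file) rather than the `click.Choice`-validated prompt, so a typo in a config surfaces as a traceback instead of a CLI error. Wrap the lookup, e.g. `try: target_data_subclass = TOMLRuleContents.get_data_subclass(rule_type)` / `except ValueError as e: raise click.BadParameter(str(e), param_hint='rule_type')`. The rest of `rule_prompt` lies outside the hunk.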
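Review bot: `import typing` is inserted between `import click` and `from elasticsearch import Elasticsearch`, which puts a standard-library import inside the third-party group. Move it up to the stdlib block (next to `import time`, above `from pathlib import Path`), matching how rule.py and rule_formatter.py in this same commit add `import typing` among the stdlib imports.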
@@ -703,3 +704,12 @@ def validate_ml_detections_asset(directory): click.echo(f'description to paste with release:\n\n{description_str}\n') return zip_name, description_str + + +@dev_group.command("update-schemas") +def update_schemas(): + from . rule import BaseRuleData, AnyRuleData + classes = [BaseRuleData] + list(typing.get_args(AnyRuleData)) + + for cls in classes: + cls.save_schema() diff --git a/detection_rules/main.py b/detection_rules/main.py index dd9afdac0..8e0a75fb9 100644 --- a/detection_rules/main.py +++ b/detection_rules/main.py @@ -19,10 +19,10 @@ import click from . import rule_loader from .cli_utils import rule_prompt, multi_collection from .misc import nested_set, parse_config -from .rule import TOMLRule +from .rule import TOMLRule, TOMLRuleContents from .rule_formatter import toml_write from .rule_loader import RuleCollection -from .schemas import CurrentSchema, available_versions +from .schemas import all_versions from .utils import get_path, clear_caches, load_rule_contents RULES_DIR = get_path('rules') @@ -44,7 +44,8 @@ def root(ctx, debug): @click.argument('path', type=click.Path(dir_okay=False)) @click.option('--config', '-c', type=click.Path(exists=True, dir_okay=False), help='Rule or config file') @click.option('--required-only', is_flag=True, help='Only prompt for required fields') -@click.option('--rule-type', '-t', type=click.Choice(CurrentSchema.RULE_TYPES), help='Type of rule to create') +@click.option('--rule-type', '-t', type=click.Choice(sorted(TOMLRuleContents.all_rule_types())), + help='Type of rule to create') def create_rule(path, config, required_only, rule_type): """Create a detection rule.""" contents = load_rule_contents(config, single_only=True)[0] if config else {} 
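Review bot: `update_schemas` has no docstring, and click uses the docstring as the command's `--help` text, so the new `update-schemas` command will be listed with no description; add `"""Regenerate the jsonschema files under etc/api_schemas/master from the rule dataclasses."""` (that is where `save_schema` writes, via `SCHEMA_DIR / "master"`). The import line reads `from . rule import ...` with a stray space after the dot — it parses, but `from .rule import BaseRuleData, AnyRuleData` is the conventional spelling. The local import is presumably there to avoid an import cycle with rule.py; a one-line comment saying so would spare the next reader the question.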
@@ -176,7 +177,7 @@ def view_rule(ctx, rule_file, api_format): @click.option('--outfile', '-o', default=get_path('exports', f'{time.strftime("%Y%m%dT%H%M%SL")}.ndjson'), type=click.Path(dir_okay=False), help='Name of file for exported rules') @click.option('--replace-id', '-r', is_flag=True, help='Replace rule IDs with new IDs before export') -@click.option('--stack-version', type=click.Choice(available_versions), +@click.option('--stack-version', type=click.Choice(all_versions()), help='Downgrade a rule version to be compatible with older instances of Kibana') @click.option('--skip-unsupported', '-s', is_flag=True, help='If `--stack-version` is passed, skip rule types which are unsupported ' diff --git a/detection_rules/mixins.py b/detection_rules/mixins.py index 2ef9d2ec1..fc785e633 100644 --- a/detection_rules/mixins.py +++ b/detection_rules/mixins.py @@ -7,6 +7,7 @@ from typing import TypeVar, Type import marshmallow_dataclass +import marshmallow_jsonschema from marshmallow import Schema from .utils import cached 
@@ -26,6 +27,48 @@ def _strip_none_from_dict(obj: T) -> T: return obj +def patch_jsonschema(obj: dict) -> dict: + """Patch marshmallow-jsonschema output to look more like JSL.""" + + def dive(child: dict) -> dict: + if "$ref" in child: + name = child["$ref"].split("/")[-1] + definition = obj["definitions"][name] + return dive(definition) + + child = child.copy() + if "default" in child and child["default"] is None: + child.pop("default") + + child.pop("title", None) + + if isinstance(child["type"], list): + if 'null' in child["type"]: + child["type"] = [t for t in child["type"] if t != 'null'] + + if len(child["type"]) == 1: + child["type"] = child["type"][0] + + if "items" in child: + child["items"] = dive(child["items"]) + + if "properties" in child: + # .rstrip("_") is workaround for `from_` -> from + # https://github.com/fuhrysteve/marshmallow-jsonschema/issues/107 + child["properties"] = {k.rstrip("_"): dive(v) for k, v in child["properties"].items()} + + if isinstance(child.get("additionalProperties"), dict): + # .rstrip("_") is workaround for `from_` -> from + # https://github.com/fuhrysteve/marshmallow-jsonschema/issues/107 + child["additionalProperties"] = dive(child["additionalProperties"]) + + return child + + patched = {"$schema": "http://json-schema.org/draft-04/schema#"} + patched.update(dive(obj)) + return patched + + class MarshmallowDataclassMixin: """Mixin class for marshmallow serialization.""" @@ -39,6 +82,14 @@ class MarshmallowDataclassMixin: """Get a key from the query data without raising attribute errors.""" return getattr(self, key, None) + @classmethod + @cached + def jsonschema(cls): + """Get the jsonschema representation for this class.""" + jsonschema = marshmallow_jsonschema.JSONSchema().dump(cls.__schema()) + jsonschema = patch_jsonschema(jsonschema) + return jsonschema + @classmethod def from_dict(cls: Type[ClassT], obj: dict) -> ClassT: """Deserialize and validate a dataclass from a dict using marshmallow.""" 
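Review bot: `dive` indexes `child["type"]` unconditionally, so any schema node without a `type` key (a `$ref`-free node carrying only `enum`, `anyOf` or `oneOf`, for instance) raises `KeyError` instead of being passed through; guard it with `node_type = child.get("type")` / `if isinstance(node_type, list):` and operate on that. `$ref` resolution is unbounded recursion with no visited set, so a self-referential definition would end in `RecursionError` — whether marshmallow-jsonschema ever emits one for these dataclasses I can't tell from the hunk, so either state that assumption in a comment or add a guard. The `.rstrip("_")` comment above the `additionalProperties` branch is copied from the `properties` branch and does not apply there, since no key is renamed in that branch. The docstring could also say what "look more like JSL" means concretely: refs inlined, `title` and `None` defaults dropped, `null` removed from type lists.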
diff --git a/detection_rules/packaging.py b/detection_rules/packaging.py index 3cc66c95c..91770a2a6 100644 --- a/detection_rules/packaging.py +++ b/detection_rules/packaging.py @@ -21,7 +21,7 @@ from .misc import JS_LICENSE, cached from .rule import TOMLRule, QueryRuleData, ThreatMapping from .rule import downgrade_contents_from_rule from .rule_loader import RuleCollection, DEFAULT_RULES_DIR -from .schemas import CurrentSchema, definitions +from .schemas import definitions from .utils import Ndjson, get_path, get_etc_path, load_etc_dump, save_etc_dump RELEASE_DIR = get_path("releases") @@ -100,7 +100,7 @@ def manage_versions(rules: List[TOMLRule], deprecated_rules: list = None, curren rule_deprecations[rule.id] = { 'rule_name': rule.name, 'deprecation_date': rule.contents.metadata.deprecation_date, - 'stack_version': CurrentSchema.STACK_VERSION + 'stack_version': current_stack_version() + ".0" } newly_deprecated.append(rule.id) @@ -549,3 +549,8 @@ class Package(object): importable_rules_docs.append(rule_doc) return bulk_upload_docs, importable_rules_docs + + +@cached +def current_stack_version() -> str: + return Package.load_configs()['name'] diff --git a/detection_rules/rule.py b/detection_rules/rule.py index 524dd295d..f7a43bec3 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py @@ -3,7 +3,9 @@ # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. """Rule object.""" +import dataclasses import json +import typing from dataclasses import dataclass, field from functools import cached_property from pathlib import Path @@ -15,7 +17,7 @@ from marshmallow import ValidationError, validates_schema from . import utils from .mixins import MarshmallowDataclassMixin from .rule_formatter import toml_write, nested_normalize -from .schemas import definitions +from .schemas import definitions, SCHEMA_DIR from .schemas import downgrade from .utils import cached 
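Review bot: `current_stack_version` has no docstring, and its contract matters because the caller in `manage_versions` appends `".0"` to it, which only yields a sensible version string if `Package.load_configs()['name']` is a bare `major.minor`; add `"""Return the current stack version (major.minor) from the package config's name."""`, with the `major.minor` form confirmed against packages.yml since the hunk does not show it. A missing `name` key surfaces as a bare `KeyError` from inside a `@cached` call; if that config is hand-edited it may be worth raising a `ValueError` that names the file.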
@@ -135,7 +137,7 @@ class BaseRuleData(MarshmallowDataclassMixin): actions: Optional[list] author: List[str] building_block_type: Optional[str] - description: Optional[str] + description: str enabled: Optional[bool] exceptions_list: Optional[list] license: Optional[str] @@ -165,9 +167,23 @@ class BaseRuleData(MarshmallowDataclassMixin): timeline_title: Optional[definitions.TimelineTemplateTitle] timestamp_override: Optional[str] to: Optional[str] - type: Literal[definitions.RuleType] + type: definitions.RuleType threat: Optional[List[ThreatMapping]] + @classmethod + def save_schema(cls): + """Save the schema as a jsonschema.""" + fields: List[dataclasses.Field] = dataclasses.fields(cls) + type_field = next(field for field in fields if field.name == "type") + rule_type = typing.get_args(type_field.type)[0] if cls != BaseRuleData else "base" + schema = cls.jsonschema() + version_dir = SCHEMA_DIR / "master" + version_dir.mkdir(exist_ok=True, parents=True) + + # expand out the jsonschema definitions + with (version_dir / f"master.{rule_type}.json").open("w") as f: + json.dump(schema, f, indent=2, sort_keys=True) + def validate_query(self, meta: RuleMeta) -> None: pass 
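Review bot: the schema file is opened with `.open("w")` and no encoding, while `get_schema_file` in schemas/__init__.py reads the same files back with `encoding="utf8"`; on a platform whose default encoding is not UTF-8 the round trip can differ, so write with `.open("w", encoding="utf8")`. The comment `# expand out the jsonschema definitions` above the `with` is stale — the `$ref` expansion happens inside `cls.jsonschema()` via `patch_jsonschema`, not here; replace it with `# write the patched, ref-expanded jsonschema for this rule type`. `rule_type = typing.get_args(type_field.type)[0]` assumes every subclass narrows `type` to a single-value Literal; a subclass whose `type` is a plain `str` would get `IndexError` here, so a one-line comment on that assumption would help.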
@@ -300,6 +316,25 @@ class TOMLRuleContents(MarshmallowDataclassMixin): metadata: RuleMeta data: AnyRuleData = field(metadata=dict(data_key="rule")) + @classmethod + def all_rule_types(cls) -> set: + types = set() + for subclass in typing.get_args(AnyRuleData): + field = next(field for field in dataclasses.fields(subclass) if field.name == "type") + types.update(typing.get_args(field.type)) + + return types + + @classmethod + def get_data_subclass(cls, rule_type: str) -> typing.Type[BaseRuleData]: + """Get the proper subclass depending on the rule type""" + for subclass in typing.get_args(AnyRuleData): + field = next(field for field in dataclasses.fields(subclass) if field.name == "type") + if (rule_type, ) == typing.get_args(field.type): + return subclass + + raise ValueError(f"Unknown rule type {rule_type}") + @property def id(self) -> definitions.UUIDString: return self.data.rule_id diff --git a/detection_rules/rule_formatter.py b/detection_rules/rule_formatter.py index 859178842..e3e8a2923 100644 --- a/detection_rules/rule_formatter.py +++ b/detection_rules/rule_formatter.py @@ -5,13 +5,16 @@ """Helper functions for managing rules in the repository.""" import copy +import dataclasses import io import textwrap +import typing from collections import OrderedDict import toml -from .schemas import CurrentSchema +from .schemas import definitions +from .utils import cached SQ = "'" DQ = '"' @@ -19,6 +22,17 @@ TRIPLE_SQ = SQ * 3 TRIPLE_DQ = DQ * 3 +@cached +def get_preserved_fmt_fields(): + from .rule import BaseRuleData + preserved_keys = set() + + for field in dataclasses.fields(BaseRuleData): # type: dataclasses.Field + if field.type in (definitions.Markdown, typing.Optional[definitions.Markdown]): + preserved_keys.add(field.metadata.get("data_key", field.name)) + return preserved_keys + + def cleanup_whitespace(val): if isinstance(val, str): return " ".join(line.strip() for line in val.strip().splitlines()) 
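Review bot: both `all_rule_types` and `get_data_subclass` rebind `field` as the loop variable of their `next(...)` generator, shadowing the `field` imported from `dataclasses` at the top of rule.py and used in the class body two lines above (`data: AnyRuleData = field(...)`); rename it, e.g. `type_field = next(f for f in dataclasses.fields(subclass) if f.name == "type")`. The two methods also walk `AnyRuleData` with the same lookup, and `next(...)` raises a bare `StopIteration` if a subclass has no `type` field; one cached helper mapping each type literal to its subclass would remove the duplication and turn `get_data_subclass` into a dict lookup with a clear error. `all_rule_types` has no docstring; `"""Return the set of rule type literals declared by the AnyRuleData subclasses."""` would do.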
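Review bot: the function-level `from .rule import BaseRuleData` is presumably there because rule.py imports `toml_write` and `nested_normalize` from this module (visible in the rule.py hunk above), so a top-level import would be circular; a comment such as `# imported here to avoid a circular import with .rule` would make that explicit. The set is built from `dataclasses.fields(BaseRuleData)` only, so a `Markdown` field declared on a subclass rather than the base would not be preserved — whether such fields exist I can't tell from here, but the missing docstring should state the scope: `"""Return the data keys of BaseRuleData's Markdown fields, whose whitespace is preserved on write."""`. The `# type: dataclasses.Field` comment on the loop is redundant with the `fields()` call and can go.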
@@ -39,7 +53,7 @@ def nested_normalize(d, skip_cleanup=False, eql_rule=False): d.update({k: v}) else: d.update({k: nested_normalize(v)}) - elif k in CurrentSchema.markdown_fields(): + elif k in get_preserved_fmt_fields(): # let these maintain newlines and whitespace for markdown support d.update({k: nested_normalize(v, skip_cleanup=True, eql_rule=eql_rule)}) else: @@ -166,7 +180,7 @@ def toml_write(rule_contents, outfile=None): bottom[k] = v else: top[k] = v - elif k in CurrentSchema.markdown_fields(): + elif k in get_preserved_fmt_fields(): top[k] = NonformattedField(v) else: top[k] = v diff --git a/detection_rules/schemas/__init__.py b/detection_rules/schemas/__init__.py index 8528561b6..7f0ecdf6e 100644 --- a/detection_rules/schemas/__init__.py +++ b/detection_rules/schemas/__init__.py 
@@ -2,64 +2,182 @@ # or more contributor license agreements. Licensed under the Elastic License # 2.0; you may not use this file except in compliance with the Elastic License # 2.0. +import json +from typing import List, Optional + +import jsonschema -from .base import TomlMetadata from .rta_schema import validate_rta_mapping from ..semver import Version +from ..utils import cached, get_etc_path from . import definitions +from pathlib import Path -# import all of the schema versions -from .v7_8 import ApiSchema78 -from .v7_9 import ApiSchema79 -from .v7_10 import ApiSchema710 -from .v7_11 import ApiSchema711 -from .v7_12 import ApiSchema712 __all__ = ( - "all_schemas", - "available_versions", + "SCHEMA_DIR", "definitions", "downgrade", - "CurrentSchema", "validate_rta_mapping", - "TomlMetadata", + "all_versions", ) -all_schemas = [ - ApiSchema78, - ApiSchema79, - ApiSchema710, - ApiSchema711, - ApiSchema712, -] -CurrentSchema = all_schemas[-1] -available_versions = [cls.STACK_VERSION for cls in all_schemas] +SCHEMA_DIR = Path(get_etc_path("api_schemas")) +migrations = {} -def downgrade(api_contents: dict, target_version: str): +def all_versions() -> List[str]: + """Get all known stack versions.""" + return [str(v) for v in sorted(migrations)] + + +def migrate(version: str): + """Decorator to set a migration.""" + version = Version(version) + + def wrapper(f): + assert version not in migrations + migrations[version] = f + return f + + return wrapper + + +@cached +def get_schema_file(version: Version, rule_type: str) -> dict: + path = Path(SCHEMA_DIR) / str(version) / f"{version}.{rule_type}.json" + + if not path.exists(): + raise ValueError(f"Unsupported rule type {rule_type}. 
Unable to downgrade to {version}") + + return json.loads(path.read_text(encoding="utf8")) + + +def strip_additional_properties(version: Version, api_contents: dict) -> dict: + """Remove all fields that the target schema doesn't recognize.""" + stripped = {} + target_schema = get_schema_file(version, api_contents["type"]) + + for field, field_schema in target_schema["properties"].items(): + if field in api_contents: + stripped[field] = api_contents[field] + + # finally, validate against the json schema + jsonschema.validate(stripped, target_schema) + return stripped + + +@migrate("7.8") +def migrate_to_7_8(version: Version, api_contents: dict) -> dict: + """Default migration for 7.8.""" + return strip_additional_properties(version, api_contents) + + +@migrate("7.9") +def migrate_to_7_9(version: Version, api_contents: dict) -> dict: + """Default migration for 7.9.""" + return strip_additional_properties(version, api_contents) + + +@migrate("7.10") +def downgrade_threat_to_7_10(version: Version, api_contents: dict) -> dict: + """Downgrade the threat mapping changes from 7.11 to 7.10.""" + if "threat" in api_contents: + v711_threats = api_contents.get("threat", []) + v710_threats = [] + + for threat in v711_threats: + # drop tactic without threat + if "technique" not in threat: + continue + + threat = threat.copy() + threat["technique"] = [t.copy() for t in threat["technique"]] + + # drop subtechniques + for technique in threat["technique"]: + technique.pop("subtechnique", None) + + v710_threats.append(threat) + + api_contents = api_contents.copy() + api_contents.pop("threat") + + # only add if the array is not empty + if len(v710_threats) > 0: + api_contents["threat"] = v710_threats + + # finally, downgrade any additional properties that were added + return strip_additional_properties(version, api_contents) + + +@migrate("7.11") +def downgrade_threshold_to_7_11(version: Version, api_contents: dict) -> dict: + """Remove 7.12 threshold changes that don't impact the 
rule.""" + if "threshold" in api_contents: + threshold = api_contents['threshold'] + threshold_field = threshold['field'] + + # attempt to convert threshold field to a string + if len(threshold_field) > 1: + raise ValueError('Cannot downgrade a threshold rule that has multiple threshold fields defined') + + if threshold.get('cardinality', {}).get('field') or threshold.get('cardinality', {}).get('value'): + raise ValueError('Cannot downgrade a threshold rule that has a defined cardinality') + + api_contents = api_contents.copy() + api_contents["threshold"] = api_contents["threshold"].copy() + + # if cardinality was defined with no field or value + api_contents['threshold'].pop('cardinality', None) + api_contents["threshold"]["field"] = api_contents["threshold"]["field"][0] + + # finally, downgrade any additional properties that were added + return strip_additional_properties(version, api_contents) + + +@migrate("7.12") +def migrate_to_7_12(version: Version, api_contents: dict) -> dict: + """Default migration for 7.9.""" + return strip_additional_properties(version, api_contents) + + +@migrate("7.13") +def downgrade_ml_multijob_713(version: Version, api_contents: dict) -> dict: + """Convert `machine_learning_job_id` as an array to a string for < 7.13.""" + if "machine_learning_job_id" in api_contents: + job_id = api_contents["machine_learning_job_id"] + + if isinstance(job_id, list): + if len(job_id) > 1: + raise ValueError('Cannot downgrade an ML rule with multiple jobs defined') + + api_contents = api_contents.copy() + api_contents["machine_learning_job_id"] = job_id[0] + + # finally, downgrade any additional properties that were added + return strip_additional_properties(version, api_contents) + + +def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict: """Downgrade a rule to a target stack version.""" - # truncate to (major, minor) - target_version_str = target_version - target_version = Version(target_version)[:2] - 
versions = set(Version(schema_cls.STACK_VERSION) for schema_cls in all_schemas) - role = api_contents.get("type") + from ..packaging import current_stack_version - check_versioned = "version" in api_contents + if current_version is None: + current_version = current_stack_version() - if target_version not in versions: - raise ValueError(f"Unable to downgrade from {CurrentSchema.STACK_VERSION} to {target_version_str}") + current_major, current_minor = Version(current_version)[:2] + target_major, target_minor = Version(target_version)[:2] - current_schema = None + # get all the versions between current_semver and target_semver + if target_major != current_major: + raise ValueError(f"Cannot backport to major version {target_major}") - for target_schema in reversed(all_schemas): - if check_versioned: - target_schema = target_schema.versioned() + for minor in reversed(range(target_minor, current_minor)): + version = Version([target_major, minor]) + if version not in migrations: + raise ValueError(f"Missing migration for {target_version}") - if current_schema is not None: - api_contents = current_schema.downgrade(target_schema, api_contents, role) - - current_schema = target_schema - if Version(current_schema.STACK_VERSION) == target_version: - break + api_contents = migrations[version](version, api_contents) return api_contents diff --git a/detection_rules/schemas/base.py b/detection_rules/schemas/base.py deleted file mode 100644 index 64ea45b0f..000000000 --- a/detection_rules/schemas/base.py +++ /dev/null 
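Review bot: in `downgrade`, the error raised when an intermediate version has no migration reports `{target_version}`, but the version actually missing is the loop's `version`, so a 7.13→7.10 request lacking a 7.11 entry would say "Missing migration for 7.10"; change it to `raise ValueError(f"Missing migration for {version}")`. The loop `reversed(range(target_minor, current_minor))` is empty when `target_minor > current_minor`, so asking to "downgrade" to a newer minor returns `api_contents` unchanged and unvalidated instead of erroring — add `if target_minor > current_minor: raise ValueError(f"Cannot downgrade to {target_version}, which is newer than {current_version}")` before the loop. In `migrate`, `assert version not in migrations` is stripped under `python -O`; a duplicate registration should be a real `raise ValueError(f"Duplicate migration for {version}")`. `migrate_to_7_12`'s docstring reads "Default migration for 7.9." — copy-paste; it should say 7.12.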
@@ -1,133 +0,0 @@ -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. - -"""Definitions for rule metadata and schemas.""" - -import time - -import jsl -import jsonschema - -from .definitions import ( - DATE_PATTERN, MATURITY_LEVELS, OS_OPTIONS, UUID_PATTERN, VERSION_PATTERN, BRANCH_PATTERN -) -from ..utils import cached - - -class MarkdownField(jsl.StringField): - """Helper class for noting which fields are markdown.""" - - def __init__(self, *args, **kwargs): - kwargs["format"] = "markdown" - jsl.StringField.__init__(self, *args, **kwargs) - - -class GenericSchema(jsl.Document): - """Generic schema with helper methods.""" - - @classmethod - @cached - def get_schema(cls, role=jsl.DEFAULT_ROLE, ordered=False): - """Wrap jsl.Document.get_schema to add caching.""" - return super(GenericSchema, cls).get_schema(role=role, ordered=ordered) - - @classmethod - @cached - def validate(cls, document, role=None): - """Validate a document against this schema.""" - schema = cls.get_schema(role=role) - return jsonschema.validate(document, schema) - - @classmethod - def strip_additional_properties(cls, document, role=None): - """Strip properties that aren't defined in the schema.""" - if role is None: - role = document.get("type", jsl.DEFAULT_ROLE) - - if role not in cls.RULE_TYPES: - raise ValueError(f"Unsupported rule type {role}") - - target_schema = cls.get_schema(role)["properties"] - stripped = {} - - # simple version, can customize or walk structures deeper when we have a need and use case - for field in target_schema: - if field in document: - stripped[field] = document[field] - elif target_schema[field].get("required") and "default" in target_schema: - stripped[field] = target_schema[field]["required"] - - # finally, validate against the json schema - cls.validate(stripped, role) - 
return stripped - - -class TomlMetadata(GenericSchema): - """Schema for rule toml metadata.""" - - creation_date = jsl.StringField(required=True, pattern=DATE_PATTERN, default=time.strftime('%Y/%m/%d')) - - # rule validated against each ecs schema contained - beats_version = jsl.StringField(pattern=VERSION_PATTERN, required=False) - comments = jsl.StringField(required=False) - deprecation_date = jsl.StringField(required=False, pattern=DATE_PATTERN, default=time.strftime('%Y/%m/%d')) - ecs_versions = jsl.ArrayField(jsl.StringField(pattern=BRANCH_PATTERN, required=True), required=False) - maturity = jsl.StringField(enum=MATURITY_LEVELS, default='development', required=True) - - os_type_list = jsl.ArrayField(jsl.StringField(enum=OS_OPTIONS), required=False) - query_schema_validation = jsl.BooleanField(required=False) - related_endpoint_rules = jsl.ArrayField(jsl.ArrayField(jsl.StringField(), min_items=2, max_items=2), - required=False) - updated_date = jsl.StringField(required=True, pattern=DATE_PATTERN, default=time.strftime('%Y/%m/%d')) - - -class BaseApiSchema(GenericSchema): - """Base API schema with generic methods.""" - - STACK_VERSION = str() - - rule_id = jsl.StringField(pattern=UUID_PATTERN, required=True) - type = jsl.StringField(required=True) - - @classmethod - @cached - def versioned(cls): - """Get a subclass that is version aware.""" - attrs = {"version": jsl.IntField(minimum=1, default=1, required=True)} - return type("Versioned" + cls.__name__, (cls, ), attrs) - - @classmethod - def validate(cls, document, role=None, toml=False): - """Validate a document against this API schema.""" - if toml: - role = role or document.get("rule", {}).get("type") - return cls.toml_schema().validate(document, role=role) - - role = role or document.get("type") - return super(BaseApiSchema, cls).validate(document, role=role) - - @classmethod - @cached - def markdown_fields(cls, role=None): - properties = cls.get_schema(role)["properties"] - return {p for p in properties if 
properties[p].get("format") == "markdown"} - - @classmethod - @cached - def toml_schema(cls): - """Create a custom TOML schema class that includes this API schema.""" - attrs = { - "metadata": jsl.DocumentField(TomlMetadata, required=True), - "rule": jsl.DocumentField(cls, required=True) - } - return type("Versioned" + cls.__name__, (GenericSchema, ), attrs) - - @classmethod - def downgrade(cls, target_cls, document, role=None): - """Downgrade from one schema to its predecessor.""" - # by default, we'll just strip extra properties - # different schemas can override this to provide a more advanced migration path - # and deeper evaluation of the schema. - return target_cls.strip_additional_properties(document, role=role) diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py index 51643f2dd..88cb9ae55 100644 --- a/detection_rules/schemas/definitions.py +++ b/detection_rules/schemas/definitions.py @@ -33,6 +33,7 @@ MACHINE_LEARNING = 'machine_learning' SAVED_QUERY = 'saved_query' QUERY = 'query' + OPERATORS = ['equals'] TIMELINE_TEMPLATES: Final[dict] = { @@ -57,7 +58,7 @@ NonEmptyStr = NewType('NonEmptyStr', str, validate=validate.Length(min=1)) Operator = Literal['equals'] OSType = Literal['windows', 'linux', 'macos'] RiskScore = NewType("MaxSignals", int, validate=validate.Range(min=1, max=100)) -RuleType = Literal['query', 'saved_query', 'machine_learning', 'eql'] +RuleType = Literal['query', 'saved_query', 'machine_learning', 'eql', 'threshold', 'threat_match'] SemVer = NewType('SemVer', str, validate=validate.Regexp(VERSION_PATTERN)) Severity = Literal['low', 'medium', 'high', 'critical'] Sha256 = NewType('Sha256', str, validate=validate.Regexp(SHA256_PATTERN)) diff --git a/detection_rules/schemas/v7_10.py b/detection_rules/schemas/v7_10.py deleted file mode 100644 index 3d99ba64b..000000000 --- a/detection_rules/schemas/v7_10.py +++ /dev/null 
@@ -1,37 +0,0 @@ -# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -# or more contributor license agreements. Licensed under the Elastic License -# 2.0; you may not use this file except in compliance with the Elastic License -# 2.0. - -"""Definitions for rule metadata and schemas.""" - -import jsl -from .v7_9 import ApiSchema79 - - -# rule types -EQL = "eql" - - -class ApiSchema710(ApiSchema79): - """Schema for siem rule in API format.""" - - STACK_VERSION = "7.10" - RULE_TYPES = ApiSchema79.RULE_TYPES + [EQL] - - type = jsl.StringField(enum=RULE_TYPES, required=True) - - # there might be a bug in jsl that requires us to redefine these here - query_scope = ApiSchema79.query_scope - saved_id_scope = ApiSchema79.saved_id_scope - ml_scope = ApiSchema79.ml_scope - threshold_scope = ApiSchema79.threshold_scope - - with jsl.Scope(EQL) as eql_scope: - eql_scope.index = jsl.ArrayField(jsl.StringField(), required=False) - eql_scope.query = jsl.StringField(required=True) - eql_scope.language = jsl.StringField(enum=[EQL], required=True, default=EQL) - eql_scope.type = jsl.StringField(enum=[EQL], required=True) - - with jsl.Scope(jsl.DEFAULT_ROLE) as default_scope: - default_scope.type = type diff --git a/detection_rules/schemas/v7_11.py b/detection_rules/schemas/v7_11.py deleted file mode 100644 index f6987cffd..000000000 --- a/detection_rules/schemas/v7_11.py +++ /dev/null 
@@ -1,69 +0,0 @@
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-
-"""Definitions for rule metadata and schemas."""
-
-import jsl
-from .v7_8 import Threat as Threat78
-from .definitions import SUBTECHNIQUE_URL
-from .v7_10 import ApiSchema710
-from ..attack import sub_technique_id_list
-
-
-class Threat711(Threat78):
- """Threat framework mapping such as MITRE ATT&CK."""
-
- class ThreatTechnique(Threat78.ThreatTechnique):
- """Patched threat.technique to add threat.technique.subtechnique."""
-
- class ThreatSubTechnique(jsl.Document):
- id = jsl.StringField(enum=sub_technique_id_list, required=True)
- name = jsl.StringField(required=True)
- reference = jsl.StringField(pattern=SUBTECHNIQUE_URL)
-
- subtechnique = jsl.ArrayField(jsl.DocumentField(ThreatSubTechnique), required=False)
-
- # override the `technique` field definition
- technique = jsl.ArrayField(jsl.DocumentField(ThreatTechnique), required=False)
-
-
-class ApiSchema711(ApiSchema710):
- """Schema for siem rule in API format."""
-
- STACK_VERSION = "7.11"
-
- threat = jsl.ArrayField(jsl.DocumentField(Threat711))
-
- @classmethod
- def downgrade(cls, target_cls, document, role=None):
- """Remove 7.11 additions from the rule."""
- # ignore when this method is inherited by subclasses
- if cls in (ApiSchema711, ApiSchema711.versioned()) and "threat" in document:
- v711_threats = document.get("threat", [])
- v710_threats = []
-
- for threat in v711_threats:
- # drop tactic without threat
- if "technique" not in threat:
- continue
-
- threat = threat.copy()
- threat["technique"] = [t.copy() for t in threat["technique"]]
-
- # drop subtechniques
- for technique in threat["technique"]:
- technique.pop("subtechnique", None)
-
- v710_threats.append(threat)
-
- document = document.copy()
- document.pop("threat")
-
- #
only add if the array is not empty
- if len(v710_threats) > 0:
- document["threat"] = v710_threats
-
- # now strip any any unrecognized properties
- return target_cls.strip_additional_properties(document, role)
diff --git a/detection_rules/schemas/v7_12.py b/detection_rules/schemas/v7_12.py
deleted file mode 100644
index 861b89179..000000000
--- a/detection_rules/schemas/v7_12.py
+++ /dev/null
@@ -1,61 +0,0 @@
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-
-"""Definitions for rule metadata and schemas."""
-
-import jsl
-
-from .v7_9 import ThresholdMapping
-from .v7_11 import ApiSchema711
-
-
-class ApiSchema712(ApiSchema711):
- """Schema for siem rule in API format."""
-
- STACK_VERSION = "7.12"
-
- # there might be a bug in jsl that requires us to redefine these here
- query_scope = ApiSchema711.query_scope
- saved_id_scope = ApiSchema711.saved_id_scope
- ml_scope = ApiSchema711.ml_scope
- eql_scope = ApiSchema711.eql_scope
-
- class ThresholdMappingV12(ThresholdMapping):
- """7.12 schema for threshold mapping."""
-
- class ThresholdCardinality(jsl.Document):
- """Threshold cardinality field."""
-
- field = jsl.StringField(required=True)
- value = jsl.IntField(minimum=1, required=True)
-
- field = jsl.ArrayField(jsl.StringField(min_length=1), required=True)
- cardinality = jsl.DocumentField(ThresholdCardinality, required=False)
-
- threshold_scope = ApiSchema711.threshold_scope
- threshold_scope.threshold = jsl.DocumentField(ThresholdMappingV12, required=True)
-
- @classmethod
- def downgrade(cls, target_cls, document, role=None):
- """Remove 7.12 additions from the rule."""
- # ignore when this method is inherited by subclasses
- if cls in (ApiSchema712, ApiSchema712.versioned()) and 'threshold' in document:
- threshold = document['threshold']
- threshold_field = threshold['field']
-
- # attempt to convert threshold field to a string
- if len(threshold_field) > 1:
- raise ValueError('Cannot downgrade a threshold rule that has multiple threshold fields defined')
- if threshold.get('cardinality', {}).get('field') or threshold.get('cardinality', {}).get('value'):
- raise ValueError('Cannot downgrade a threshold rule that has a defined cardinality')
-
-
document = document.copy()
- document["threshold"] = document["threshold"].copy()
- # if cardinality was defined with no field or value
- document['threshold'].pop('cardinality', None)
- document["threshold"]["field"] = document["threshold"]["field"][0]
-
- # now strip any any unrecognized properties
- return target_cls.strip_additional_properties(document, role)
diff --git a/detection_rules/schemas/v7_8.py b/detection_rules/schemas/v7_8.py
deleted file mode 100644
index 37c5a94c8..000000000
--- a/detection_rules/schemas/v7_8.py
+++ /dev/null
@@ -1,127 +0,0 @@
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-
-"""Definitions for rule metadata and schemas."""
-
-import jsl
-
-from .base import BaseApiSchema, MarkdownField
-from .definitions import INTERVAL_PATTERN, TACTIC_URL, TECHNIQUE_URL, MACHINE_LEARNING, SAVED_QUERY, QUERY
-from ..attack import tactics, tactics_map, technique_id_list
-
-
-# kibana/.../siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts
-# /detection_engine/routes/schemas/schemas.ts
-# rule_id is required here
-# output_index is not allowed (and instead the space index must be used)
-# immutable defaults to true instead of to false and if it is there can only be true
-# enabled defaults to false instead of true
-# version is a required field that must exist
-
-# rule types
-
-
-class Filters(jsl.Document):
- """Intermediate schema for handling DSL-like filters."""
-
- class FilterMetadata(jsl.Document):
- negate = jsl.BooleanField()
- type = jsl.StringField()
- key = jsl.StringField()
- value = jsl.StringField()
- disabled = jsl.BooleanField()
- indexRefName = jsl.StringField()
- alias = jsl.StringField() # null acceptable
- params = jsl.DictField(properties={'query': jsl.StringField()})
-
- class FilterQuery(jsl.Document):
- match = jsl.DictField({
- 'event.action': jsl.DictField(properties={
- 'query': jsl.StringField(),
- 'type': jsl.StringField()
- })
- })
-
- class FilterState(jsl.Document):
- store = jsl.StringField()
-
- class FilterExists(jsl.Document):
- field = jsl.StringField()
-
- exists = jsl.DocumentField(FilterExists)
- meta = jsl.DocumentField(FilterMetadata)
- state = jsl.DocumentField(FilterState, name='$state')
- query = jsl.DictField()
-
-
-class Threat(jsl.Document):
- """Threat framework mapping such as MITRE ATT&CK."""
-
- class
ThreatTactic(jsl.Document):
- id = jsl.StringField(enum=tactics_map.values(), required=True)
- name = jsl.StringField(enum=tactics, required=True)
- reference = jsl.StringField(pattern=TACTIC_URL, required=True)
-
- class ThreatTechnique(jsl.Document):
- id = jsl.StringField(enum=technique_id_list, required=True)
- name = jsl.StringField(required=True)
- reference = jsl.StringField(pattern=TECHNIQUE_URL, required=True)
-
- framework = jsl.StringField(default='MITRE ATT&CK', required=True)
- tactic = jsl.DocumentField(ThreatTactic, required=True)
- technique = jsl.ArrayField(jsl.DocumentField(ThreatTechnique), required=True)
-
-
-class ApiSchema78(BaseApiSchema):
- """Schema for siem rule in API format."""
-
- STACK_VERSION = "7.8"
- RULE_TYPES = [MACHINE_LEARNING, SAVED_QUERY, QUERY]
-
- actions = jsl.ArrayField(required=False)
- description = jsl.StringField(required=True)
- # api defaults to false if blank
- enabled = jsl.BooleanField(default=False, required=False)
- # _ required since `from` is a reserved word in python
- from_ = jsl.StringField(required=False, default='now-6m', name='from')
- false_positives = jsl.ArrayField(jsl.StringField(), required=False)
- filters = jsl.ArrayField(jsl.DocumentField(Filters))
- interval = jsl.StringField(pattern=INTERVAL_PATTERN, default='5m', required=False)
- max_signals = jsl.IntField(minimum=1, required=False, default=100) # cap a max?
- meta = jsl.DictField(required=False)
- name = jsl.StringField(required=True)
- note = MarkdownField(required=False)
- # output_index =jsl.StringField(required=False) # this is NOT allowed!
- references = jsl.ArrayField(jsl.StringField(), required=False)
- risk_score = jsl.IntField(minimum=0, maximum=100, required=True, default=21)
- severity = jsl.StringField(enum=['low', 'medium', 'high', 'critical'], default='low', required=True)
- tags = jsl.ArrayField(jsl.StringField(), required=False)
- throttle = jsl.StringField(required=False)
- timeline_id = jsl.StringField(required=False)
- timeline_title = jsl.StringField(required=False)
- to = jsl.StringField(required=False, default='now')
-
- type = jsl.StringField(enum=[MACHINE_LEARNING, QUERY, SAVED_QUERY], required=True)
- threat = jsl.ArrayField(jsl.DocumentField(Threat), required=False, min_items=1)
-
- with jsl.Scope(MACHINE_LEARNING) as ml_scope:
- ml_scope.anomaly_threshold = jsl.IntField(required=True, minimum=0)
- ml_scope.machine_learning_job_id = jsl.StringField(required=True)
- ml_scope.type = jsl.StringField(enum=[MACHINE_LEARNING], required=True, default=MACHINE_LEARNING)
-
- with jsl.Scope(SAVED_QUERY) as saved_id_scope:
- saved_id_scope.index = jsl.ArrayField(jsl.StringField(), required=False)
- saved_id_scope.saved_id = jsl.StringField(required=True)
- saved_id_scope.type = jsl.StringField(enum=[SAVED_QUERY], required=True, default=SAVED_QUERY)
-
- with jsl.Scope(QUERY) as query_scope:
- query_scope.index = jsl.ArrayField(jsl.StringField(), required=False)
- # this is not required per the API but we will enforce it here
- query_scope.language = jsl.StringField(enum=['kuery', 'lucene'], required=True, default='kuery')
- query_scope.query = jsl.StringField(required=True)
- query_scope.type = jsl.StringField(enum=[QUERY], required=True, default=QUERY)
-
- with jsl.Scope(jsl.DEFAULT_ROLE) as default_scope:
- default_scope.type = type
diff --git a/detection_rules/schemas/v7_9.py b/detection_rules/schemas/v7_9.py
deleted file mode 100644
index 48656bb65..000000000
--- a/detection_rules/schemas/v7_9.py
+++ /dev/null
@@ -1,74 +0,0 @@
-# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-# or more contributor license agreements. Licensed under the Elastic License
-# 2.0; you may not use this file except in compliance with the Elastic License
-# 2.0.
-
-"""Definitions for rule metadata and schemas."""
-
-import jsl
-
-from .definitions import OPERATORS
-from .v7_8 import ApiSchema78
-
-# kibana/.../siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts
-# /detection_engine/routes/schemas/schemas.ts
-# rule_id is required here
-# output_index is not allowed (and instead the space index must be used)
-# immutable defaults to true instead of to false and if it is there can only be true
-# enabled defaults to false instead of true
-# version is a required field that must exist
-
-# rule types
-THRESHOLD = "threshold"
-
-
-class RiskScoreMapping(jsl.Document):
- field = jsl.StringField(required=True)
- operator = jsl.StringField(required=False, enum=OPERATORS)
- value = jsl.StringField(required=False)
-
-
-class SeverityMapping(jsl.Document):
- field = jsl.StringField(required=True)
- operator = jsl.StringField(required=False, enum=OPERATORS)
- value = jsl.StringField(required=False)
- severity = jsl.StringField(required=False)
-
-
-class ThresholdMapping(jsl.Document):
- field = jsl.StringField(required=True, default="")
- value = jsl.IntField(minimum=1, required=True)
-
-
-class ApiSchema79(ApiSchema78):
- """Schema for siem rule in API format."""
-
- STACK_VERSION = "7.9"
- RULE_TYPES = ApiSchema78.RULE_TYPES + [THRESHOLD]
-
- author = jsl.ArrayField(jsl.StringField(default="Elastic"), required=True, min_items=1)
- building_block_type = jsl.StringField(required=False)
- exceptions_list = jsl.ArrayField(required=False)
- license = jsl.StringField(required=True, default="Elastic License v2")
- risk_score_mapping = jsl.ArrayField(jsl.DocumentField(RiskScoreMapping), required=False, min_items=1)
- rule_name_override =
jsl.StringField(required=False)
- severity_mapping = jsl.ArrayField(jsl.DocumentField(SeverityMapping), required=False, min_items=1)
- timestamp_override = jsl.StringField(required=False)
-
- type = jsl.StringField(enum=RULE_TYPES, required=True)
-
- # there might be a bug in jsl that requires us to redefine these here
- query_scope = ApiSchema78.query_scope
- saved_id_scope = ApiSchema78.saved_id_scope
- ml_scope = ApiSchema78.ml_scope
-
- with jsl.Scope(THRESHOLD) as threshold_scope:
- threshold_scope.index = jsl.ArrayField(jsl.StringField(), required=False)
- # this is not required per the API but we will enforce it here
- threshold_scope.language = jsl.StringField(enum=['kuery', 'lucene'], required=True, default='kuery')
- threshold_scope.query = jsl.StringField(required=True)
- threshold_scope.type = jsl.StringField(enum=[THRESHOLD], required=True, default=THRESHOLD)
- threshold_scope.threshold = jsl.DocumentField(ThresholdMapping, required=True)
-
- with jsl.Scope(jsl.DEFAULT_ROLE) as default_scope:
- default_scope.type = type
diff --git a/etc/api_schemas/7.10/7.10.base.json b/etc/api_schemas/7.10/7.10.base.json
new file mode 100644
index 000000000..1cf3e934c
--- /dev/null
+++ b/etc/api_schemas/7.10/7.10.base.json
@@ -0,0 +1,633 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + 
"maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + 
"technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + 
"T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + } + }, 
+ "required": [ + "rule_id", + "description", + "name", + "risk_score", + "severity", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.10/7.10.eql.json b/etc/api_schemas/7.10/7.10.eql.json new file mode 100644 index 000000000..7d7792503 --- /dev/null +++ b/etc/api_schemas/7.10/7.10.eql.json 
@@ -0,0 +1,658 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "default": "eql", + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": 
"markdown", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + 
"reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + 
"T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + 
"type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "language", + "query", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.10/7.10.machine_learning.json b/etc/api_schemas/7.10/7.10.machine_learning.json new file mode 100644 index 000000000..e7b7c8d43 --- /dev/null +++ b/etc/api_schemas/7.10/7.10.machine_learning.json 
@@ -0,0 +1,650 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "anomaly_threshold": { + "minimum": 0, + "type": "integer" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "machine_learning_job_id": { + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + 
"references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + 
"type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", 
+ "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + 
"timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "machine_learning", + "enum": [ + "machine_learning" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "anomaly_threshold", + "machine_learning_job_id", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.10/7.10.query.json b/etc/api_schemas/7.10/7.10.query.json new file mode 100644 index 000000000..0cbf8532a --- /dev/null +++ b/etc/api_schemas/7.10/7.10.query.json 
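Review bot: The `pattern` constraints in this schema are unanchored — `rule_id` uses `[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}` and `interval` uses `\\d+[mshd]` — and JSON Schema `pattern` is a substring search, not a full match, so any string that merely contains a UUID-shaped run or a digit-plus-unit pair (e.g. `"5m; extra"`) passes validation and reaches the rule loader unchecked. Anchoring them, `"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"` and `"pattern": "^\\d+[mshd]$"`, makes the schema reject malformed ids and intervals instead of silently accepting them; the `reference` patterns under `threat.tactic` and `threat.technique` have the same gap and also leave the `.` in the hostname unescaped. The identical patterns appear in the 7.10 query, saved_query and threshold schemas added in this change (and presumably the 7.11/7.12 ones), so the fix should be applied across all of them. If these files are emitted from the marshmallow definitions rather than hand-edited, the anchors belong on the source validators so a regeneration does not drop them.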
@@ -0,0 +1,660 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "default": "kuery", + "enum": [ + "kuery", + "lucene" + ], + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + 
"note": { + "format": "markdown", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + 
"type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", 
+ "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "throttle": { + "type": "string" + 
}, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "query", + "enum": [ + "query" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "language", + "query", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.10/7.10.saved_query.json b/etc/api_schemas/7.10/7.10.saved_query.json new file mode 100644 index 000000000..532d4a68d --- /dev/null +++ b/etc/api_schemas/7.10/7.10.saved_query.json 
@@ -0,0 +1,651 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + "references": { + "items": { + "type": "string" 
+ }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "saved_id": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": 
"string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + 
"T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + 
"timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "saved_query", + "enum": [ + "saved_query" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "saved_id", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.10/7.10.threshold.json b/etc/api_schemas/7.10/7.10.threshold.json new file mode 100644 index 000000000..44001ca89 --- /dev/null +++ b/etc/api_schemas/7.10/7.10.threshold.json 
@@ -0,0 +1,679 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "default": "kuery", + "enum": [ + "kuery", + "lucene" + ], + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + 
"note": { + "format": "markdown", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + 
"type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", 
+ "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "threshold": { + 
"additionalProperties": false, + "properties": { + "field": { + "default": "", + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "threshold", + "enum": [ + "threshold" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "language", + "query", + "author", + "license", + "threshold" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.11/7.11.base.json b/etc/api_schemas/7.11/7.11.base.json new file mode 100644 index 000000000..55a0cac5d --- /dev/null +++ b/etc/api_schemas/7.11/7.11.base.json 
@@ -0,0 +1,928 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + 
"maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + 
"technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + 
"T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001.001", + "T1001.002", + "T1001.003", + "T1003.001", + "T1003.002", + "T1003.003", + "T1003.004", + "T1003.005", + "T1003.006", + "T1003.007", + "T1003.008", + "T1011.001", + "T1021.001", + "T1021.002", + "T1021.003", + "T1021.004", + "T1021.005", + "T1021.006", + "T1027.001", + "T1027.002", + "T1027.003", + "T1027.004", + "T1027.005", + "T1036.001", + 
"T1036.002", + "T1036.003", + "T1036.004", + "T1036.005", + "T1036.006", + "T1037.001", + "T1037.002", + "T1037.003", + "T1037.004", + "T1037.005", + "T1048.001", + "T1048.002", + "T1048.003", + "T1052.001", + "T1053.001", + "T1053.002", + "T1053.003", + "T1053.004", + "T1053.005", + "T1055.001", + "T1055.002", + "T1055.003", + "T1055.004", + "T1055.005", + "T1055.008", + "T1055.009", + "T1055.011", + "T1055.012", + "T1055.013", + "T1055.014", + "T1056.001", + "T1056.002", + "T1056.003", + "T1056.004", + "T1059.001", + "T1059.002", + "T1059.003", + "T1059.004", + "T1059.005", + "T1059.006", + "T1059.007", + "T1069.001", + "T1069.002", + "T1069.003", + "T1070.001", + "T1070.002", + "T1070.003", + "T1070.004", + "T1070.005", + "T1070.006", + "T1071.001", + "T1071.002", + "T1071.003", + "T1071.004", + "T1074.001", + "T1074.002", + "T1078.001", + "T1078.002", + "T1078.003", + "T1078.004", + "T1087.001", + "T1087.002", + "T1087.003", + "T1087.004", + "T1090.001", + "T1090.002", + "T1090.003", + "T1090.004", + "T1098.001", + "T1098.002", + "T1098.003", + "T1098.004", + "T1102.001", + "T1102.002", + "T1102.003", + "T1110.001", + "T1110.002", + "T1110.003", + "T1110.004", + "T1114.001", + "T1114.002", + "T1114.003", + "T1127.001", + "T1132.001", + "T1132.002", + "T1134.001", + "T1134.002", + "T1134.003", + "T1134.004", + "T1134.005", + "T1136.001", + "T1136.002", + "T1136.003", + "T1137.001", + "T1137.002", + "T1137.003", + "T1137.004", + "T1137.005", + "T1137.006", + "T1195.001", + "T1195.002", + "T1195.003", + "T1204.001", + "T1204.002", + "T1205.001", + "T1213.001", + "T1213.002", + "T1216.001", + "T1218.001", + "T1218.002", + "T1218.003", + "T1218.004", + "T1218.005", + "T1218.007", + "T1218.008", + "T1218.009", + "T1218.010", + "T1218.011", + "T1222.001", + "T1222.002", + "T1480.001", + "T1491.001", + "T1491.002", + "T1497.001", + "T1497.002", + "T1497.003", + "T1498.001", + "T1498.002", + "T1499.001", + "T1499.002", + "T1499.003", + "T1499.004", + "T1505.001", + 
"T1505.002", + "T1505.003", + "T1518.001", + "T1542.001", + "T1542.002", + "T1542.003", + "T1543.001", + "T1543.002", + "T1543.003", + "T1543.004", + "T1546.001", + "T1546.002", + "T1546.003", + "T1546.004", + "T1546.005", + "T1546.006", + "T1546.007", + "T1546.008", + "T1546.009", + "T1546.010", + "T1546.011", + "T1546.012", + "T1546.013", + "T1546.014", + "T1546.015", + "T1547.001", + "T1547.002", + "T1547.003", + "T1547.004", + "T1547.005", + "T1547.006", + "T1547.007", + "T1547.008", + "T1547.009", + "T1547.010", + "T1547.011", + "T1548.001", + "T1548.002", + "T1548.003", + "T1548.004", + "T1550.001", + "T1550.002", + "T1550.003", + "T1550.004", + "T1552.001", + "T1552.002", + "T1552.003", + "T1552.004", + "T1552.005", + "T1552.006", + "T1553.001", + "T1553.002", + "T1553.003", + "T1553.004", + "T1555.001", + "T1555.002", + "T1555.003", + "T1556.001", + "T1556.002", + "T1556.003", + "T1557.001", + "T1558.001", + "T1558.002", + "T1558.003", + "T1559.001", + "T1559.002", + "T1560.001", + "T1560.002", + "T1560.003", + "T1561.001", + "T1561.002", + "T1562.001", + "T1562.002", + "T1562.003", + "T1562.004", + "T1562.006", + "T1562.007", + "T1563.001", + "T1563.002", + "T1564.001", + "T1564.002", + "T1564.003", + "T1564.004", + "T1564.005", + "T1564.006", + "T1565.001", + "T1565.002", + "T1565.003", + "T1566.001", + "T1566.002", + "T1566.003", + "T1567.001", + "T1567.002", + "T1568.001", + "T1568.002", + "T1568.003", + "T1569.001", + "T1569.002", + "T1573.001", + "T1573.002", + "T1574.001", + "T1574.002", + "T1574.004", + "T1574.005", + "T1574.006", + "T1574.007", + "T1574.008", + "T1574.009", + "T1574.010", + "T1574.011", + "T1574.012", + "T1578.001", + "T1578.002", + "T1578.003", + "T1578.004" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + 
"required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + } + }, + "required": [ + "rule_id", + "description", + "name", + "risk_score", + "severity", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.11/7.11.eql.json b/etc/api_schemas/7.11/7.11.eql.json new file mode 100644 index 000000000..ef4282932 --- /dev/null +++ b/etc/api_schemas/7.11/7.11.eql.json 
@@ -0,0 +1,953 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "default": "eql", + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": 
"markdown", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + 
"reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + 
"T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001.001", + "T1001.002", + "T1001.003", + "T1003.001", + "T1003.002", + "T1003.003", + "T1003.004", + "T1003.005", + "T1003.006", + "T1003.007", + "T1003.008", + "T1011.001", + 
"T1021.001", + "T1021.002", + "T1021.003", + "T1021.004", + "T1021.005", + "T1021.006", + "T1027.001", + "T1027.002", + "T1027.003", + "T1027.004", + "T1027.005", + "T1036.001", + "T1036.002", + "T1036.003", + "T1036.004", + "T1036.005", + "T1036.006", + "T1037.001", + "T1037.002", + "T1037.003", + "T1037.004", + "T1037.005", + "T1048.001", + "T1048.002", + "T1048.003", + "T1052.001", + "T1053.001", + "T1053.002", + "T1053.003", + "T1053.004", + "T1053.005", + "T1055.001", + "T1055.002", + "T1055.003", + "T1055.004", + "T1055.005", + "T1055.008", + "T1055.009", + "T1055.011", + "T1055.012", + "T1055.013", + "T1055.014", + "T1056.001", + "T1056.002", + "T1056.003", + "T1056.004", + "T1059.001", + "T1059.002", + "T1059.003", + "T1059.004", + "T1059.005", + "T1059.006", + "T1059.007", + "T1069.001", + "T1069.002", + "T1069.003", + "T1070.001", + "T1070.002", + "T1070.003", + "T1070.004", + "T1070.005", + "T1070.006", + "T1071.001", + "T1071.002", + "T1071.003", + "T1071.004", + "T1074.001", + "T1074.002", + "T1078.001", + "T1078.002", + "T1078.003", + "T1078.004", + "T1087.001", + "T1087.002", + "T1087.003", + "T1087.004", + "T1090.001", + "T1090.002", + "T1090.003", + "T1090.004", + "T1098.001", + "T1098.002", + "T1098.003", + "T1098.004", + "T1102.001", + "T1102.002", + "T1102.003", + "T1110.001", + "T1110.002", + "T1110.003", + "T1110.004", + "T1114.001", + "T1114.002", + "T1114.003", + "T1127.001", + "T1132.001", + "T1132.002", + "T1134.001", + "T1134.002", + "T1134.003", + "T1134.004", + "T1134.005", + "T1136.001", + "T1136.002", + "T1136.003", + "T1137.001", + "T1137.002", + "T1137.003", + "T1137.004", + "T1137.005", + "T1137.006", + "T1195.001", + "T1195.002", + "T1195.003", + "T1204.001", + "T1204.002", + "T1205.001", + "T1213.001", + "T1213.002", + "T1216.001", + "T1218.001", + "T1218.002", + "T1218.003", + "T1218.004", + "T1218.005", + "T1218.007", + "T1218.008", + "T1218.009", + "T1218.010", + "T1218.011", + "T1222.001", + "T1222.002", + "T1480.001", + 
"T1491.001", + "T1491.002", + "T1497.001", + "T1497.002", + "T1497.003", + "T1498.001", + "T1498.002", + "T1499.001", + "T1499.002", + "T1499.003", + "T1499.004", + "T1505.001", + "T1505.002", + "T1505.003", + "T1518.001", + "T1542.001", + "T1542.002", + "T1542.003", + "T1543.001", + "T1543.002", + "T1543.003", + "T1543.004", + "T1546.001", + "T1546.002", + "T1546.003", + "T1546.004", + "T1546.005", + "T1546.006", + "T1546.007", + "T1546.008", + "T1546.009", + "T1546.010", + "T1546.011", + "T1546.012", + "T1546.013", + "T1546.014", + "T1546.015", + "T1547.001", + "T1547.002", + "T1547.003", + "T1547.004", + "T1547.005", + "T1547.006", + "T1547.007", + "T1547.008", + "T1547.009", + "T1547.010", + "T1547.011", + "T1548.001", + "T1548.002", + "T1548.003", + "T1548.004", + "T1550.001", + "T1550.002", + "T1550.003", + "T1550.004", + "T1552.001", + "T1552.002", + "T1552.003", + "T1552.004", + "T1552.005", + "T1552.006", + "T1553.001", + "T1553.002", + "T1553.003", + "T1553.004", + "T1555.001", + "T1555.002", + "T1555.003", + "T1556.001", + "T1556.002", + "T1556.003", + "T1557.001", + "T1558.001", + "T1558.002", + "T1558.003", + "T1559.001", + "T1559.002", + "T1560.001", + "T1560.002", + "T1560.003", + "T1561.001", + "T1561.002", + "T1562.001", + "T1562.002", + "T1562.003", + "T1562.004", + "T1562.006", + "T1562.007", + "T1563.001", + "T1563.002", + "T1564.001", + "T1564.002", + "T1564.003", + "T1564.004", + "T1564.005", + "T1564.006", + "T1565.001", + "T1565.002", + "T1565.003", + "T1566.001", + "T1566.002", + "T1566.003", + "T1567.001", + "T1567.002", + "T1568.001", + "T1568.002", + "T1568.003", + "T1569.001", + "T1569.002", + "T1573.001", + "T1573.002", + "T1574.001", + "T1574.002", + "T1574.004", + "T1574.005", + "T1574.006", + "T1574.007", + "T1574.008", + "T1574.009", + "T1574.010", + "T1574.011", + "T1574.012", + "T1578.001", + "T1578.002", + "T1578.003", + "T1578.004" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": 
"https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "language", + "query", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.11/7.11.machine_learning.json b/etc/api_schemas/7.11/7.11.machine_learning.json new file mode 100644 index 000000000..e9ef79ca7 --- /dev/null +++ b/etc/api_schemas/7.11/7.11.machine_learning.json 
@@ -0,0 +1,945 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "anomaly_threshold": { + "minimum": 0, + "type": "integer" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "machine_learning_job_id": { + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + 
"references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + 
"type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", 
+ "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001.001", + "T1001.002", + "T1001.003", + "T1003.001", + "T1003.002", + "T1003.003", + "T1003.004", + "T1003.005", + "T1003.006", + "T1003.007", + "T1003.008", + "T1011.001", + "T1021.001", + "T1021.002", + "T1021.003", + "T1021.004", + "T1021.005", + 
"T1021.006", + "T1027.001", + "T1027.002", + "T1027.003", + "T1027.004", + "T1027.005", + "T1036.001", + "T1036.002", + "T1036.003", + "T1036.004", + "T1036.005", + "T1036.006", + "T1037.001", + "T1037.002", + "T1037.003", + "T1037.004", + "T1037.005", + "T1048.001", + "T1048.002", + "T1048.003", + "T1052.001", + "T1053.001", + "T1053.002", + "T1053.003", + "T1053.004", + "T1053.005", + "T1055.001", + "T1055.002", + "T1055.003", + "T1055.004", + "T1055.005", + "T1055.008", + "T1055.009", + "T1055.011", + "T1055.012", + "T1055.013", + "T1055.014", + "T1056.001", + "T1056.002", + "T1056.003", + "T1056.004", + "T1059.001", + "T1059.002", + "T1059.003", + "T1059.004", + "T1059.005", + "T1059.006", + "T1059.007", + "T1069.001", + "T1069.002", + "T1069.003", + "T1070.001", + "T1070.002", + "T1070.003", + "T1070.004", + "T1070.005", + "T1070.006", + "T1071.001", + "T1071.002", + "T1071.003", + "T1071.004", + "T1074.001", + "T1074.002", + "T1078.001", + "T1078.002", + "T1078.003", + "T1078.004", + "T1087.001", + "T1087.002", + "T1087.003", + "T1087.004", + "T1090.001", + "T1090.002", + "T1090.003", + "T1090.004", + "T1098.001", + "T1098.002", + "T1098.003", + "T1098.004", + "T1102.001", + "T1102.002", + "T1102.003", + "T1110.001", + "T1110.002", + "T1110.003", + "T1110.004", + "T1114.001", + "T1114.002", + "T1114.003", + "T1127.001", + "T1132.001", + "T1132.002", + "T1134.001", + "T1134.002", + "T1134.003", + "T1134.004", + "T1134.005", + "T1136.001", + "T1136.002", + "T1136.003", + "T1137.001", + "T1137.002", + "T1137.003", + "T1137.004", + "T1137.005", + "T1137.006", + "T1195.001", + "T1195.002", + "T1195.003", + "T1204.001", + "T1204.002", + "T1205.001", + "T1213.001", + "T1213.002", + "T1216.001", + "T1218.001", + "T1218.002", + "T1218.003", + "T1218.004", + "T1218.005", + "T1218.007", + "T1218.008", + "T1218.009", + "T1218.010", + "T1218.011", + "T1222.001", + "T1222.002", + "T1480.001", + "T1491.001", + "T1491.002", + "T1497.001", + "T1497.002", + "T1497.003", + 
"T1498.001", + "T1498.002", + "T1499.001", + "T1499.002", + "T1499.003", + "T1499.004", + "T1505.001", + "T1505.002", + "T1505.003", + "T1518.001", + "T1542.001", + "T1542.002", + "T1542.003", + "T1543.001", + "T1543.002", + "T1543.003", + "T1543.004", + "T1546.001", + "T1546.002", + "T1546.003", + "T1546.004", + "T1546.005", + "T1546.006", + "T1546.007", + "T1546.008", + "T1546.009", + "T1546.010", + "T1546.011", + "T1546.012", + "T1546.013", + "T1546.014", + "T1546.015", + "T1547.001", + "T1547.002", + "T1547.003", + "T1547.004", + "T1547.005", + "T1547.006", + "T1547.007", + "T1547.008", + "T1547.009", + "T1547.010", + "T1547.011", + "T1548.001", + "T1548.002", + "T1548.003", + "T1548.004", + "T1550.001", + "T1550.002", + "T1550.003", + "T1550.004", + "T1552.001", + "T1552.002", + "T1552.003", + "T1552.004", + "T1552.005", + "T1552.006", + "T1553.001", + "T1553.002", + "T1553.003", + "T1553.004", + "T1555.001", + "T1555.002", + "T1555.003", + "T1556.001", + "T1556.002", + "T1556.003", + "T1557.001", + "T1558.001", + "T1558.002", + "T1558.003", + "T1559.001", + "T1559.002", + "T1560.001", + "T1560.002", + "T1560.003", + "T1561.001", + "T1561.002", + "T1562.001", + "T1562.002", + "T1562.003", + "T1562.004", + "T1562.006", + "T1562.007", + "T1563.001", + "T1563.002", + "T1564.001", + "T1564.002", + "T1564.003", + "T1564.004", + "T1564.005", + "T1564.006", + "T1565.001", + "T1565.002", + "T1565.003", + "T1566.001", + "T1566.002", + "T1566.003", + "T1567.001", + "T1567.002", + "T1568.001", + "T1568.002", + "T1568.003", + "T1569.001", + "T1569.002", + "T1573.001", + "T1573.002", + "T1574.001", + "T1574.002", + "T1574.004", + "T1574.005", + "T1574.006", + "T1574.007", + "T1574.008", + "T1574.009", + "T1574.010", + "T1574.011", + "T1574.012", + "T1578.001", + "T1578.002", + "T1578.003", + "T1578.004" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } 
+ }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "machine_learning", + "enum": [ + "machine_learning" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "anomaly_threshold", + "machine_learning_job_id", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.11/7.11.query.json b/etc/api_schemas/7.11/7.11.query.json new file mode 100644 index 000000000..0d1fc7179 --- /dev/null +++ b/etc/api_schemas/7.11/7.11.query.json 
@@ -0,0 +1,955 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "default": "kuery", + "enum": [ + "kuery", + "lucene" + ], + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + 
"note": { + "format": "markdown", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + 
"type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", 
+ "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001.001", + "T1001.002", + "T1001.003", + "T1003.001", + "T1003.002", + "T1003.003", + "T1003.004", + "T1003.005", + "T1003.006", + "T1003.007", + "T1003.008", 
+ "T1011.001", + "T1021.001", + "T1021.002", + "T1021.003", + "T1021.004", + "T1021.005", + "T1021.006", + "T1027.001", + "T1027.002", + "T1027.003", + "T1027.004", + "T1027.005", + "T1036.001", + "T1036.002", + "T1036.003", + "T1036.004", + "T1036.005", + "T1036.006", + "T1037.001", + "T1037.002", + "T1037.003", + "T1037.004", + "T1037.005", + "T1048.001", + "T1048.002", + "T1048.003", + "T1052.001", + "T1053.001", + "T1053.002", + "T1053.003", + "T1053.004", + "T1053.005", + "T1055.001", + "T1055.002", + "T1055.003", + "T1055.004", + "T1055.005", + "T1055.008", + "T1055.009", + "T1055.011", + "T1055.012", + "T1055.013", + "T1055.014", + "T1056.001", + "T1056.002", + "T1056.003", + "T1056.004", + "T1059.001", + "T1059.002", + "T1059.003", + "T1059.004", + "T1059.005", + "T1059.006", + "T1059.007", + "T1069.001", + "T1069.002", + "T1069.003", + "T1070.001", + "T1070.002", + "T1070.003", + "T1070.004", + "T1070.005", + "T1070.006", + "T1071.001", + "T1071.002", + "T1071.003", + "T1071.004", + "T1074.001", + "T1074.002", + "T1078.001", + "T1078.002", + "T1078.003", + "T1078.004", + "T1087.001", + "T1087.002", + "T1087.003", + "T1087.004", + "T1090.001", + "T1090.002", + "T1090.003", + "T1090.004", + "T1098.001", + "T1098.002", + "T1098.003", + "T1098.004", + "T1102.001", + "T1102.002", + "T1102.003", + "T1110.001", + "T1110.002", + "T1110.003", + "T1110.004", + "T1114.001", + "T1114.002", + "T1114.003", + "T1127.001", + "T1132.001", + "T1132.002", + "T1134.001", + "T1134.002", + "T1134.003", + "T1134.004", + "T1134.005", + "T1136.001", + "T1136.002", + "T1136.003", + "T1137.001", + "T1137.002", + "T1137.003", + "T1137.004", + "T1137.005", + "T1137.006", + "T1195.001", + "T1195.002", + "T1195.003", + "T1204.001", + "T1204.002", + "T1205.001", + "T1213.001", + "T1213.002", + "T1216.001", + "T1218.001", + "T1218.002", + "T1218.003", + "T1218.004", + "T1218.005", + "T1218.007", + "T1218.008", + "T1218.009", + "T1218.010", + "T1218.011", + "T1222.001", + "T1222.002", + 
"T1480.001", + "T1491.001", + "T1491.002", + "T1497.001", + "T1497.002", + "T1497.003", + "T1498.001", + "T1498.002", + "T1499.001", + "T1499.002", + "T1499.003", + "T1499.004", + "T1505.001", + "T1505.002", + "T1505.003", + "T1518.001", + "T1542.001", + "T1542.002", + "T1542.003", + "T1543.001", + "T1543.002", + "T1543.003", + "T1543.004", + "T1546.001", + "T1546.002", + "T1546.003", + "T1546.004", + "T1546.005", + "T1546.006", + "T1546.007", + "T1546.008", + "T1546.009", + "T1546.010", + "T1546.011", + "T1546.012", + "T1546.013", + "T1546.014", + "T1546.015", + "T1547.001", + "T1547.002", + "T1547.003", + "T1547.004", + "T1547.005", + "T1547.006", + "T1547.007", + "T1547.008", + "T1547.009", + "T1547.010", + "T1547.011", + "T1548.001", + "T1548.002", + "T1548.003", + "T1548.004", + "T1550.001", + "T1550.002", + "T1550.003", + "T1550.004", + "T1552.001", + "T1552.002", + "T1552.003", + "T1552.004", + "T1552.005", + "T1552.006", + "T1553.001", + "T1553.002", + "T1553.003", + "T1553.004", + "T1555.001", + "T1555.002", + "T1555.003", + "T1556.001", + "T1556.002", + "T1556.003", + "T1557.001", + "T1558.001", + "T1558.002", + "T1558.003", + "T1559.001", + "T1559.002", + "T1560.001", + "T1560.002", + "T1560.003", + "T1561.001", + "T1561.002", + "T1562.001", + "T1562.002", + "T1562.003", + "T1562.004", + "T1562.006", + "T1562.007", + "T1563.001", + "T1563.002", + "T1564.001", + "T1564.002", + "T1564.003", + "T1564.004", + "T1564.005", + "T1564.006", + "T1565.001", + "T1565.002", + "T1565.003", + "T1566.001", + "T1566.002", + "T1566.003", + "T1567.001", + "T1567.002", + "T1568.001", + "T1568.002", + "T1568.003", + "T1569.001", + "T1569.002", + "T1573.001", + "T1573.002", + "T1574.001", + "T1574.002", + "T1574.004", + "T1574.005", + "T1574.006", + "T1574.007", + "T1574.008", + "T1574.009", + "T1574.010", + "T1574.011", + "T1574.012", + "T1578.001", + "T1578.002", + "T1578.003", + "T1578.004" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { 
+ "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "query", + "enum": [ + "query" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "language", + "query", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.11/7.11.saved_query.json b/etc/api_schemas/7.11/7.11.saved_query.json new file mode 100644 index 000000000..d085ba476 --- /dev/null +++ b/etc/api_schemas/7.11/7.11.saved_query.json 
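Review bot: The `rule_id` pattern `[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}` in this hunk is unanchored, and JSON Schema `pattern` is a search rather than a full match, so any string that merely contains a UUID-shaped substring validates; the same holds for `interval` (`\\d+[mshd]`) and the `tactic`/`technique`/`subtechnique` `reference` patterns, which accept extra path segments or surrounding text. Anchoring them, e.g. `"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"` and `"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$"`, makes the validator actually enforce the intended formats. The identical patterns recur in the 7.11.saved_query.json and 7.11.threshold.json hunks that follow and presumably in the other etc/api_schemas files; if these JSON files are dumped from the marshmallow definitions, the anchors belong in those source definitions so a regeneration keeps them.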
@@ -0,0 +1,946 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + "references": { + "items": { + "type": "string" 
+ }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "saved_id": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": 
"string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + 
"T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001.001", + "T1001.002", + "T1001.003", + "T1003.001", + "T1003.002", + "T1003.003", + "T1003.004", + "T1003.005", + "T1003.006", + "T1003.007", + "T1003.008", + "T1011.001", + "T1021.001", + "T1021.002", + "T1021.003", + "T1021.004", + "T1021.005", + 
"T1021.006", + "T1027.001", + "T1027.002", + "T1027.003", + "T1027.004", + "T1027.005", + "T1036.001", + "T1036.002", + "T1036.003", + "T1036.004", + "T1036.005", + "T1036.006", + "T1037.001", + "T1037.002", + "T1037.003", + "T1037.004", + "T1037.005", + "T1048.001", + "T1048.002", + "T1048.003", + "T1052.001", + "T1053.001", + "T1053.002", + "T1053.003", + "T1053.004", + "T1053.005", + "T1055.001", + "T1055.002", + "T1055.003", + "T1055.004", + "T1055.005", + "T1055.008", + "T1055.009", + "T1055.011", + "T1055.012", + "T1055.013", + "T1055.014", + "T1056.001", + "T1056.002", + "T1056.003", + "T1056.004", + "T1059.001", + "T1059.002", + "T1059.003", + "T1059.004", + "T1059.005", + "T1059.006", + "T1059.007", + "T1069.001", + "T1069.002", + "T1069.003", + "T1070.001", + "T1070.002", + "T1070.003", + "T1070.004", + "T1070.005", + "T1070.006", + "T1071.001", + "T1071.002", + "T1071.003", + "T1071.004", + "T1074.001", + "T1074.002", + "T1078.001", + "T1078.002", + "T1078.003", + "T1078.004", + "T1087.001", + "T1087.002", + "T1087.003", + "T1087.004", + "T1090.001", + "T1090.002", + "T1090.003", + "T1090.004", + "T1098.001", + "T1098.002", + "T1098.003", + "T1098.004", + "T1102.001", + "T1102.002", + "T1102.003", + "T1110.001", + "T1110.002", + "T1110.003", + "T1110.004", + "T1114.001", + "T1114.002", + "T1114.003", + "T1127.001", + "T1132.001", + "T1132.002", + "T1134.001", + "T1134.002", + "T1134.003", + "T1134.004", + "T1134.005", + "T1136.001", + "T1136.002", + "T1136.003", + "T1137.001", + "T1137.002", + "T1137.003", + "T1137.004", + "T1137.005", + "T1137.006", + "T1195.001", + "T1195.002", + "T1195.003", + "T1204.001", + "T1204.002", + "T1205.001", + "T1213.001", + "T1213.002", + "T1216.001", + "T1218.001", + "T1218.002", + "T1218.003", + "T1218.004", + "T1218.005", + "T1218.007", + "T1218.008", + "T1218.009", + "T1218.010", + "T1218.011", + "T1222.001", + "T1222.002", + "T1480.001", + "T1491.001", + "T1491.002", + "T1497.001", + "T1497.002", + "T1497.003", + 
"T1498.001", + "T1498.002", + "T1499.001", + "T1499.002", + "T1499.003", + "T1499.004", + "T1505.001", + "T1505.002", + "T1505.003", + "T1518.001", + "T1542.001", + "T1542.002", + "T1542.003", + "T1543.001", + "T1543.002", + "T1543.003", + "T1543.004", + "T1546.001", + "T1546.002", + "T1546.003", + "T1546.004", + "T1546.005", + "T1546.006", + "T1546.007", + "T1546.008", + "T1546.009", + "T1546.010", + "T1546.011", + "T1546.012", + "T1546.013", + "T1546.014", + "T1546.015", + "T1547.001", + "T1547.002", + "T1547.003", + "T1547.004", + "T1547.005", + "T1547.006", + "T1547.007", + "T1547.008", + "T1547.009", + "T1547.010", + "T1547.011", + "T1548.001", + "T1548.002", + "T1548.003", + "T1548.004", + "T1550.001", + "T1550.002", + "T1550.003", + "T1550.004", + "T1552.001", + "T1552.002", + "T1552.003", + "T1552.004", + "T1552.005", + "T1552.006", + "T1553.001", + "T1553.002", + "T1553.003", + "T1553.004", + "T1555.001", + "T1555.002", + "T1555.003", + "T1556.001", + "T1556.002", + "T1556.003", + "T1557.001", + "T1558.001", + "T1558.002", + "T1558.003", + "T1559.001", + "T1559.002", + "T1560.001", + "T1560.002", + "T1560.003", + "T1561.001", + "T1561.002", + "T1562.001", + "T1562.002", + "T1562.003", + "T1562.004", + "T1562.006", + "T1562.007", + "T1563.001", + "T1563.002", + "T1564.001", + "T1564.002", + "T1564.003", + "T1564.004", + "T1564.005", + "T1564.006", + "T1565.001", + "T1565.002", + "T1565.003", + "T1566.001", + "T1566.002", + "T1566.003", + "T1567.001", + "T1567.002", + "T1568.001", + "T1568.002", + "T1568.003", + "T1569.001", + "T1569.002", + "T1573.001", + "T1573.002", + "T1574.001", + "T1574.002", + "T1574.004", + "T1574.005", + "T1574.006", + "T1574.007", + "T1574.008", + "T1574.009", + "T1574.010", + "T1574.011", + "T1574.012", + "T1578.001", + "T1578.002", + "T1578.003", + "T1578.004" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } 
+ }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "saved_query", + "enum": [ + "saved_query" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "saved_id", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.11/7.11.threshold.json b/etc/api_schemas/7.11/7.11.threshold.json new file mode 100644 index 000000000..68c2a8b05 --- /dev/null +++ b/etc/api_schemas/7.11/7.11.threshold.json 
@@ -0,0 +1,974 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "default": "kuery", + "enum": [ + "kuery", + "lucene" + ], + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + 
"note": { + "format": "markdown", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + 
"type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", 
+ "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001.001", + "T1001.002", + "T1001.003", + "T1003.001", + "T1003.002", + "T1003.003", + "T1003.004", + "T1003.005", + "T1003.006", + "T1003.007", + "T1003.008", 
+ "T1011.001", + "T1021.001", + "T1021.002", + "T1021.003", + "T1021.004", + "T1021.005", + "T1021.006", + "T1027.001", + "T1027.002", + "T1027.003", + "T1027.004", + "T1027.005", + "T1036.001", + "T1036.002", + "T1036.003", + "T1036.004", + "T1036.005", + "T1036.006", + "T1037.001", + "T1037.002", + "T1037.003", + "T1037.004", + "T1037.005", + "T1048.001", + "T1048.002", + "T1048.003", + "T1052.001", + "T1053.001", + "T1053.002", + "T1053.003", + "T1053.004", + "T1053.005", + "T1055.001", + "T1055.002", + "T1055.003", + "T1055.004", + "T1055.005", + "T1055.008", + "T1055.009", + "T1055.011", + "T1055.012", + "T1055.013", + "T1055.014", + "T1056.001", + "T1056.002", + "T1056.003", + "T1056.004", + "T1059.001", + "T1059.002", + "T1059.003", + "T1059.004", + "T1059.005", + "T1059.006", + "T1059.007", + "T1069.001", + "T1069.002", + "T1069.003", + "T1070.001", + "T1070.002", + "T1070.003", + "T1070.004", + "T1070.005", + "T1070.006", + "T1071.001", + "T1071.002", + "T1071.003", + "T1071.004", + "T1074.001", + "T1074.002", + "T1078.001", + "T1078.002", + "T1078.003", + "T1078.004", + "T1087.001", + "T1087.002", + "T1087.003", + "T1087.004", + "T1090.001", + "T1090.002", + "T1090.003", + "T1090.004", + "T1098.001", + "T1098.002", + "T1098.003", + "T1098.004", + "T1102.001", + "T1102.002", + "T1102.003", + "T1110.001", + "T1110.002", + "T1110.003", + "T1110.004", + "T1114.001", + "T1114.002", + "T1114.003", + "T1127.001", + "T1132.001", + "T1132.002", + "T1134.001", + "T1134.002", + "T1134.003", + "T1134.004", + "T1134.005", + "T1136.001", + "T1136.002", + "T1136.003", + "T1137.001", + "T1137.002", + "T1137.003", + "T1137.004", + "T1137.005", + "T1137.006", + "T1195.001", + "T1195.002", + "T1195.003", + "T1204.001", + "T1204.002", + "T1205.001", + "T1213.001", + "T1213.002", + "T1216.001", + "T1218.001", + "T1218.002", + "T1218.003", + "T1218.004", + "T1218.005", + "T1218.007", + "T1218.008", + "T1218.009", + "T1218.010", + "T1218.011", + "T1222.001", + "T1222.002", + 
"T1480.001", + "T1491.001", + "T1491.002", + "T1497.001", + "T1497.002", + "T1497.003", + "T1498.001", + "T1498.002", + "T1499.001", + "T1499.002", + "T1499.003", + "T1499.004", + "T1505.001", + "T1505.002", + "T1505.003", + "T1518.001", + "T1542.001", + "T1542.002", + "T1542.003", + "T1543.001", + "T1543.002", + "T1543.003", + "T1543.004", + "T1546.001", + "T1546.002", + "T1546.003", + "T1546.004", + "T1546.005", + "T1546.006", + "T1546.007", + "T1546.008", + "T1546.009", + "T1546.010", + "T1546.011", + "T1546.012", + "T1546.013", + "T1546.014", + "T1546.015", + "T1547.001", + "T1547.002", + "T1547.003", + "T1547.004", + "T1547.005", + "T1547.006", + "T1547.007", + "T1547.008", + "T1547.009", + "T1547.010", + "T1547.011", + "T1548.001", + "T1548.002", + "T1548.003", + "T1548.004", + "T1550.001", + "T1550.002", + "T1550.003", + "T1550.004", + "T1552.001", + "T1552.002", + "T1552.003", + "T1552.004", + "T1552.005", + "T1552.006", + "T1553.001", + "T1553.002", + "T1553.003", + "T1553.004", + "T1555.001", + "T1555.002", + "T1555.003", + "T1556.001", + "T1556.002", + "T1556.003", + "T1557.001", + "T1558.001", + "T1558.002", + "T1558.003", + "T1559.001", + "T1559.002", + "T1560.001", + "T1560.002", + "T1560.003", + "T1561.001", + "T1561.002", + "T1562.001", + "T1562.002", + "T1562.003", + "T1562.004", + "T1562.006", + "T1562.007", + "T1563.001", + "T1563.002", + "T1564.001", + "T1564.002", + "T1564.003", + "T1564.004", + "T1564.005", + "T1564.006", + "T1565.001", + "T1565.002", + "T1565.003", + "T1566.001", + "T1566.002", + "T1566.003", + "T1567.001", + "T1567.002", + "T1568.001", + "T1568.002", + "T1568.003", + "T1569.001", + "T1569.002", + "T1573.001", + "T1573.002", + "T1574.001", + "T1574.002", + "T1574.004", + "T1574.005", + "T1574.006", + "T1574.007", + "T1574.008", + "T1574.009", + "T1574.010", + "T1574.011", + "T1574.012", + "T1578.001", + "T1578.002", + "T1578.003", + "T1578.004" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { 
+ "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threshold": { + "additionalProperties": false, + "properties": { + "field": { + "default": "", + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "threshold", + "enum": [ + "threshold" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "language", + "query", + "author", + "license", + "threshold" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.12/7.12.base.json b/etc/api_schemas/7.12/7.12.base.json new file mode 100644 index 000000000..55a0cac5d --- /dev/null +++ b/etc/api_schemas/7.12/7.12.base.json 
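Review bot: The `rule_id`, `interval` and MITRE `reference` patterns in this schema are unanchored, and a JSON Schema `pattern` (draft-04 included) is a substring search, so a value such as `"5m; whatever"` passes the `interval` check and any string merely containing a UUID-like run passes `rule_id`. The same unanchored patterns appear in the `7.12.base.json` hunk below, and presumably in the sibling per-type schemas that follow it. Anchoring closes the gap without changing any currently valid rule: `"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"` and `"pattern": "^\\d+[mshd]$"`, with `^`/`$` likewise added to the two `https://attack.mitre.org/...` patterns. If these files are emitted from a generator rather than edited by hand, the anchors belong in the regex constants the generator reads so that every version's output picks them up.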
@@ -0,0 +1,928 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + 
"maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + 
"technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + 
"T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001.001", + "T1001.002", + "T1001.003", + "T1003.001", + "T1003.002", + "T1003.003", + "T1003.004", + "T1003.005", + "T1003.006", + "T1003.007", + "T1003.008", + "T1011.001", + "T1021.001", + "T1021.002", + "T1021.003", + "T1021.004", + "T1021.005", + "T1021.006", + "T1027.001", + "T1027.002", + "T1027.003", + "T1027.004", + "T1027.005", + "T1036.001", + 
"T1036.002", + "T1036.003", + "T1036.004", + "T1036.005", + "T1036.006", + "T1037.001", + "T1037.002", + "T1037.003", + "T1037.004", + "T1037.005", + "T1048.001", + "T1048.002", + "T1048.003", + "T1052.001", + "T1053.001", + "T1053.002", + "T1053.003", + "T1053.004", + "T1053.005", + "T1055.001", + "T1055.002", + "T1055.003", + "T1055.004", + "T1055.005", + "T1055.008", + "T1055.009", + "T1055.011", + "T1055.012", + "T1055.013", + "T1055.014", + "T1056.001", + "T1056.002", + "T1056.003", + "T1056.004", + "T1059.001", + "T1059.002", + "T1059.003", + "T1059.004", + "T1059.005", + "T1059.006", + "T1059.007", + "T1069.001", + "T1069.002", + "T1069.003", + "T1070.001", + "T1070.002", + "T1070.003", + "T1070.004", + "T1070.005", + "T1070.006", + "T1071.001", + "T1071.002", + "T1071.003", + "T1071.004", + "T1074.001", + "T1074.002", + "T1078.001", + "T1078.002", + "T1078.003", + "T1078.004", + "T1087.001", + "T1087.002", + "T1087.003", + "T1087.004", + "T1090.001", + "T1090.002", + "T1090.003", + "T1090.004", + "T1098.001", + "T1098.002", + "T1098.003", + "T1098.004", + "T1102.001", + "T1102.002", + "T1102.003", + "T1110.001", + "T1110.002", + "T1110.003", + "T1110.004", + "T1114.001", + "T1114.002", + "T1114.003", + "T1127.001", + "T1132.001", + "T1132.002", + "T1134.001", + "T1134.002", + "T1134.003", + "T1134.004", + "T1134.005", + "T1136.001", + "T1136.002", + "T1136.003", + "T1137.001", + "T1137.002", + "T1137.003", + "T1137.004", + "T1137.005", + "T1137.006", + "T1195.001", + "T1195.002", + "T1195.003", + "T1204.001", + "T1204.002", + "T1205.001", + "T1213.001", + "T1213.002", + "T1216.001", + "T1218.001", + "T1218.002", + "T1218.003", + "T1218.004", + "T1218.005", + "T1218.007", + "T1218.008", + "T1218.009", + "T1218.010", + "T1218.011", + "T1222.001", + "T1222.002", + "T1480.001", + "T1491.001", + "T1491.002", + "T1497.001", + "T1497.002", + "T1497.003", + "T1498.001", + "T1498.002", + "T1499.001", + "T1499.002", + "T1499.003", + "T1499.004", + "T1505.001", + 
"T1505.002", + "T1505.003", + "T1518.001", + "T1542.001", + "T1542.002", + "T1542.003", + "T1543.001", + "T1543.002", + "T1543.003", + "T1543.004", + "T1546.001", + "T1546.002", + "T1546.003", + "T1546.004", + "T1546.005", + "T1546.006", + "T1546.007", + "T1546.008", + "T1546.009", + "T1546.010", + "T1546.011", + "T1546.012", + "T1546.013", + "T1546.014", + "T1546.015", + "T1547.001", + "T1547.002", + "T1547.003", + "T1547.004", + "T1547.005", + "T1547.006", + "T1547.007", + "T1547.008", + "T1547.009", + "T1547.010", + "T1547.011", + "T1548.001", + "T1548.002", + "T1548.003", + "T1548.004", + "T1550.001", + "T1550.002", + "T1550.003", + "T1550.004", + "T1552.001", + "T1552.002", + "T1552.003", + "T1552.004", + "T1552.005", + "T1552.006", + "T1553.001", + "T1553.002", + "T1553.003", + "T1553.004", + "T1555.001", + "T1555.002", + "T1555.003", + "T1556.001", + "T1556.002", + "T1556.003", + "T1557.001", + "T1558.001", + "T1558.002", + "T1558.003", + "T1559.001", + "T1559.002", + "T1560.001", + "T1560.002", + "T1560.003", + "T1561.001", + "T1561.002", + "T1562.001", + "T1562.002", + "T1562.003", + "T1562.004", + "T1562.006", + "T1562.007", + "T1563.001", + "T1563.002", + "T1564.001", + "T1564.002", + "T1564.003", + "T1564.004", + "T1564.005", + "T1564.006", + "T1565.001", + "T1565.002", + "T1565.003", + "T1566.001", + "T1566.002", + "T1566.003", + "T1567.001", + "T1567.002", + "T1568.001", + "T1568.002", + "T1568.003", + "T1569.001", + "T1569.002", + "T1573.001", + "T1573.002", + "T1574.001", + "T1574.002", + "T1574.004", + "T1574.005", + "T1574.006", + "T1574.007", + "T1574.008", + "T1574.009", + "T1574.010", + "T1574.011", + "T1574.012", + "T1578.001", + "T1578.002", + "T1578.003", + "T1578.004" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + 
"required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + } + }, + "required": [ + "rule_id", + "description", + "name", + "risk_score", + "severity", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.12/7.12.eql.json b/etc/api_schemas/7.12/7.12.eql.json new file mode 100644 index 000000000..ef4282932 --- /dev/null +++ b/etc/api_schemas/7.12/7.12.eql.json 
@@ -0,0 +1,953 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "default": "eql", + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": 
"markdown", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + 
"reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + 
"T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001.001", + "T1001.002", + "T1001.003", + "T1003.001", + "T1003.002", + "T1003.003", + "T1003.004", + "T1003.005", + "T1003.006", + "T1003.007", + "T1003.008", + "T1011.001", + 
"T1021.001", + "T1021.002", + "T1021.003", + "T1021.004", + "T1021.005", + "T1021.006", + "T1027.001", + "T1027.002", + "T1027.003", + "T1027.004", + "T1027.005", + "T1036.001", + "T1036.002", + "T1036.003", + "T1036.004", + "T1036.005", + "T1036.006", + "T1037.001", + "T1037.002", + "T1037.003", + "T1037.004", + "T1037.005", + "T1048.001", + "T1048.002", + "T1048.003", + "T1052.001", + "T1053.001", + "T1053.002", + "T1053.003", + "T1053.004", + "T1053.005", + "T1055.001", + "T1055.002", + "T1055.003", + "T1055.004", + "T1055.005", + "T1055.008", + "T1055.009", + "T1055.011", + "T1055.012", + "T1055.013", + "T1055.014", + "T1056.001", + "T1056.002", + "T1056.003", + "T1056.004", + "T1059.001", + "T1059.002", + "T1059.003", + "T1059.004", + "T1059.005", + "T1059.006", + "T1059.007", + "T1069.001", + "T1069.002", + "T1069.003", + "T1070.001", + "T1070.002", + "T1070.003", + "T1070.004", + "T1070.005", + "T1070.006", + "T1071.001", + "T1071.002", + "T1071.003", + "T1071.004", + "T1074.001", + "T1074.002", + "T1078.001", + "T1078.002", + "T1078.003", + "T1078.004", + "T1087.001", + "T1087.002", + "T1087.003", + "T1087.004", + "T1090.001", + "T1090.002", + "T1090.003", + "T1090.004", + "T1098.001", + "T1098.002", + "T1098.003", + "T1098.004", + "T1102.001", + "T1102.002", + "T1102.003", + "T1110.001", + "T1110.002", + "T1110.003", + "T1110.004", + "T1114.001", + "T1114.002", + "T1114.003", + "T1127.001", + "T1132.001", + "T1132.002", + "T1134.001", + "T1134.002", + "T1134.003", + "T1134.004", + "T1134.005", + "T1136.001", + "T1136.002", + "T1136.003", + "T1137.001", + "T1137.002", + "T1137.003", + "T1137.004", + "T1137.005", + "T1137.006", + "T1195.001", + "T1195.002", + "T1195.003", + "T1204.001", + "T1204.002", + "T1205.001", + "T1213.001", + "T1213.002", + "T1216.001", + "T1218.001", + "T1218.002", + "T1218.003", + "T1218.004", + "T1218.005", + "T1218.007", + "T1218.008", + "T1218.009", + "T1218.010", + "T1218.011", + "T1222.001", + "T1222.002", + "T1480.001", + 
"T1491.001", + "T1491.002", + "T1497.001", + "T1497.002", + "T1497.003", + "T1498.001", + "T1498.002", + "T1499.001", + "T1499.002", + "T1499.003", + "T1499.004", + "T1505.001", + "T1505.002", + "T1505.003", + "T1518.001", + "T1542.001", + "T1542.002", + "T1542.003", + "T1543.001", + "T1543.002", + "T1543.003", + "T1543.004", + "T1546.001", + "T1546.002", + "T1546.003", + "T1546.004", + "T1546.005", + "T1546.006", + "T1546.007", + "T1546.008", + "T1546.009", + "T1546.010", + "T1546.011", + "T1546.012", + "T1546.013", + "T1546.014", + "T1546.015", + "T1547.001", + "T1547.002", + "T1547.003", + "T1547.004", + "T1547.005", + "T1547.006", + "T1547.007", + "T1547.008", + "T1547.009", + "T1547.010", + "T1547.011", + "T1548.001", + "T1548.002", + "T1548.003", + "T1548.004", + "T1550.001", + "T1550.002", + "T1550.003", + "T1550.004", + "T1552.001", + "T1552.002", + "T1552.003", + "T1552.004", + "T1552.005", + "T1552.006", + "T1553.001", + "T1553.002", + "T1553.003", + "T1553.004", + "T1555.001", + "T1555.002", + "T1555.003", + "T1556.001", + "T1556.002", + "T1556.003", + "T1557.001", + "T1558.001", + "T1558.002", + "T1558.003", + "T1559.001", + "T1559.002", + "T1560.001", + "T1560.002", + "T1560.003", + "T1561.001", + "T1561.002", + "T1562.001", + "T1562.002", + "T1562.003", + "T1562.004", + "T1562.006", + "T1562.007", + "T1563.001", + "T1563.002", + "T1564.001", + "T1564.002", + "T1564.003", + "T1564.004", + "T1564.005", + "T1564.006", + "T1565.001", + "T1565.002", + "T1565.003", + "T1566.001", + "T1566.002", + "T1566.003", + "T1567.001", + "T1567.002", + "T1568.001", + "T1568.002", + "T1568.003", + "T1569.001", + "T1569.002", + "T1573.001", + "T1573.002", + "T1574.001", + "T1574.002", + "T1574.004", + "T1574.005", + "T1574.006", + "T1574.007", + "T1574.008", + "T1574.009", + "T1574.010", + "T1574.011", + "T1574.012", + "T1578.001", + "T1578.002", + "T1578.003", + "T1578.004" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": 
"https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "language", + "query", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.12/7.12.machine_learning.json b/etc/api_schemas/7.12/7.12.machine_learning.json new file mode 100644 index 000000000..e9ef79ca7 --- /dev/null +++ b/etc/api_schemas/7.12/7.12.machine_learning.json 
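Review bot: The `rule_id` pattern `[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}` in this hunk is unanchored, and JSON Schema `pattern` uses search semantics, so any string that merely contains a UUID (with arbitrary prefix or suffix characters) validates; the same applies to `interval` (`\\d+[mshd]`) and the three `attack.mitre.org` reference patterns under `threat`. If these were ported from marshmallow `Regexp` validators, note that marshmallow matches via `re.match` and so anchors at least the start, meaning the port silently loosens what the schema accepts. Anchor each pattern explicitly, e.g. `"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"` and `"pattern": "^\\d+[mshd]$"`. The sorted keys suggest this file is emitted by a generator; if so, the anchoring belongs in the generator's regex translation rather than in the checked-in JSON. Separately, `filters[].meta.params` is the one nested object in this schema without `additionalProperties: false`, unlike its siblings `$state`, `exists` and `meta` — confirm that is intentional.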
@@ -0,0 +1,945 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "anomaly_threshold": { + "minimum": 0, + "type": "integer" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "machine_learning_job_id": { + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + 
"references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + 
"type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", 
+ "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001.001", + "T1001.002", + "T1001.003", + "T1003.001", + "T1003.002", + "T1003.003", + "T1003.004", + "T1003.005", + "T1003.006", + "T1003.007", + "T1003.008", + "T1011.001", + "T1021.001", + "T1021.002", + "T1021.003", + "T1021.004", + "T1021.005", + 
"T1021.006", + "T1027.001", + "T1027.002", + "T1027.003", + "T1027.004", + "T1027.005", + "T1036.001", + "T1036.002", + "T1036.003", + "T1036.004", + "T1036.005", + "T1036.006", + "T1037.001", + "T1037.002", + "T1037.003", + "T1037.004", + "T1037.005", + "T1048.001", + "T1048.002", + "T1048.003", + "T1052.001", + "T1053.001", + "T1053.002", + "T1053.003", + "T1053.004", + "T1053.005", + "T1055.001", + "T1055.002", + "T1055.003", + "T1055.004", + "T1055.005", + "T1055.008", + "T1055.009", + "T1055.011", + "T1055.012", + "T1055.013", + "T1055.014", + "T1056.001", + "T1056.002", + "T1056.003", + "T1056.004", + "T1059.001", + "T1059.002", + "T1059.003", + "T1059.004", + "T1059.005", + "T1059.006", + "T1059.007", + "T1069.001", + "T1069.002", + "T1069.003", + "T1070.001", + "T1070.002", + "T1070.003", + "T1070.004", + "T1070.005", + "T1070.006", + "T1071.001", + "T1071.002", + "T1071.003", + "T1071.004", + "T1074.001", + "T1074.002", + "T1078.001", + "T1078.002", + "T1078.003", + "T1078.004", + "T1087.001", + "T1087.002", + "T1087.003", + "T1087.004", + "T1090.001", + "T1090.002", + "T1090.003", + "T1090.004", + "T1098.001", + "T1098.002", + "T1098.003", + "T1098.004", + "T1102.001", + "T1102.002", + "T1102.003", + "T1110.001", + "T1110.002", + "T1110.003", + "T1110.004", + "T1114.001", + "T1114.002", + "T1114.003", + "T1127.001", + "T1132.001", + "T1132.002", + "T1134.001", + "T1134.002", + "T1134.003", + "T1134.004", + "T1134.005", + "T1136.001", + "T1136.002", + "T1136.003", + "T1137.001", + "T1137.002", + "T1137.003", + "T1137.004", + "T1137.005", + "T1137.006", + "T1195.001", + "T1195.002", + "T1195.003", + "T1204.001", + "T1204.002", + "T1205.001", + "T1213.001", + "T1213.002", + "T1216.001", + "T1218.001", + "T1218.002", + "T1218.003", + "T1218.004", + "T1218.005", + "T1218.007", + "T1218.008", + "T1218.009", + "T1218.010", + "T1218.011", + "T1222.001", + "T1222.002", + "T1480.001", + "T1491.001", + "T1491.002", + "T1497.001", + "T1497.002", + "T1497.003", + 
"T1498.001", + "T1498.002", + "T1499.001", + "T1499.002", + "T1499.003", + "T1499.004", + "T1505.001", + "T1505.002", + "T1505.003", + "T1518.001", + "T1542.001", + "T1542.002", + "T1542.003", + "T1543.001", + "T1543.002", + "T1543.003", + "T1543.004", + "T1546.001", + "T1546.002", + "T1546.003", + "T1546.004", + "T1546.005", + "T1546.006", + "T1546.007", + "T1546.008", + "T1546.009", + "T1546.010", + "T1546.011", + "T1546.012", + "T1546.013", + "T1546.014", + "T1546.015", + "T1547.001", + "T1547.002", + "T1547.003", + "T1547.004", + "T1547.005", + "T1547.006", + "T1547.007", + "T1547.008", + "T1547.009", + "T1547.010", + "T1547.011", + "T1548.001", + "T1548.002", + "T1548.003", + "T1548.004", + "T1550.001", + "T1550.002", + "T1550.003", + "T1550.004", + "T1552.001", + "T1552.002", + "T1552.003", + "T1552.004", + "T1552.005", + "T1552.006", + "T1553.001", + "T1553.002", + "T1553.003", + "T1553.004", + "T1555.001", + "T1555.002", + "T1555.003", + "T1556.001", + "T1556.002", + "T1556.003", + "T1557.001", + "T1558.001", + "T1558.002", + "T1558.003", + "T1559.001", + "T1559.002", + "T1560.001", + "T1560.002", + "T1560.003", + "T1561.001", + "T1561.002", + "T1562.001", + "T1562.002", + "T1562.003", + "T1562.004", + "T1562.006", + "T1562.007", + "T1563.001", + "T1563.002", + "T1564.001", + "T1564.002", + "T1564.003", + "T1564.004", + "T1564.005", + "T1564.006", + "T1565.001", + "T1565.002", + "T1565.003", + "T1566.001", + "T1566.002", + "T1566.003", + "T1567.001", + "T1567.002", + "T1568.001", + "T1568.002", + "T1568.003", + "T1569.001", + "T1569.002", + "T1573.001", + "T1573.002", + "T1574.001", + "T1574.002", + "T1574.004", + "T1574.005", + "T1574.006", + "T1574.007", + "T1574.008", + "T1574.009", + "T1574.010", + "T1574.011", + "T1574.012", + "T1578.001", + "T1578.002", + "T1578.003", + "T1578.004" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } 
+ }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "machine_learning", + "enum": [ + "machine_learning" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "anomaly_threshold", + "machine_learning_job_id", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.12/7.12.query.json b/etc/api_schemas/7.12/7.12.query.json new file mode 100644 index 000000000..0d1fc7179 --- /dev/null +++ b/etc/api_schemas/7.12/7.12.query.json 
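Review bot: `anomaly_threshold` in this hunk has `minimum: 0` but no `maximum`, while the parallel `risk_score` property in the same schema is bounded with `maximum: 100`. If `anomaly_threshold` is an ML anomaly score on the 0–100 scale (it appears to be, but confirm against the detection-engine API), add `"maximum": 100` so an out-of-range threshold is rejected at validation time rather than presumably producing a rule that can never fire. The `rule_id` and `interval` `pattern` values are unanchored here as in the other per-type schemas, so the same `^…$` anchoring applies to this file.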
@@ -0,0 +1,955 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "default": "kuery", + "enum": [ + "kuery", + "lucene" + ], + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + 
"note": { + "format": "markdown", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + 
"type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", 
+ "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001.001", + "T1001.002", + "T1001.003", + "T1003.001", + "T1003.002", + "T1003.003", + "T1003.004", + "T1003.005", + "T1003.006", + "T1003.007", + "T1003.008", 
+ "T1011.001", + "T1021.001", + "T1021.002", + "T1021.003", + "T1021.004", + "T1021.005", + "T1021.006", + "T1027.001", + "T1027.002", + "T1027.003", + "T1027.004", + "T1027.005", + "T1036.001", + "T1036.002", + "T1036.003", + "T1036.004", + "T1036.005", + "T1036.006", + "T1037.001", + "T1037.002", + "T1037.003", + "T1037.004", + "T1037.005", + "T1048.001", + "T1048.002", + "T1048.003", + "T1052.001", + "T1053.001", + "T1053.002", + "T1053.003", + "T1053.004", + "T1053.005", + "T1055.001", + "T1055.002", + "T1055.003", + "T1055.004", + "T1055.005", + "T1055.008", + "T1055.009", + "T1055.011", + "T1055.012", + "T1055.013", + "T1055.014", + "T1056.001", + "T1056.002", + "T1056.003", + "T1056.004", + "T1059.001", + "T1059.002", + "T1059.003", + "T1059.004", + "T1059.005", + "T1059.006", + "T1059.007", + "T1069.001", + "T1069.002", + "T1069.003", + "T1070.001", + "T1070.002", + "T1070.003", + "T1070.004", + "T1070.005", + "T1070.006", + "T1071.001", + "T1071.002", + "T1071.003", + "T1071.004", + "T1074.001", + "T1074.002", + "T1078.001", + "T1078.002", + "T1078.003", + "T1078.004", + "T1087.001", + "T1087.002", + "T1087.003", + "T1087.004", + "T1090.001", + "T1090.002", + "T1090.003", + "T1090.004", + "T1098.001", + "T1098.002", + "T1098.003", + "T1098.004", + "T1102.001", + "T1102.002", + "T1102.003", + "T1110.001", + "T1110.002", + "T1110.003", + "T1110.004", + "T1114.001", + "T1114.002", + "T1114.003", + "T1127.001", + "T1132.001", + "T1132.002", + "T1134.001", + "T1134.002", + "T1134.003", + "T1134.004", + "T1134.005", + "T1136.001", + "T1136.002", + "T1136.003", + "T1137.001", + "T1137.002", + "T1137.003", + "T1137.004", + "T1137.005", + "T1137.006", + "T1195.001", + "T1195.002", + "T1195.003", + "T1204.001", + "T1204.002", + "T1205.001", + "T1213.001", + "T1213.002", + "T1216.001", + "T1218.001", + "T1218.002", + "T1218.003", + "T1218.004", + "T1218.005", + "T1218.007", + "T1218.008", + "T1218.009", + "T1218.010", + "T1218.011", + "T1222.001", + "T1222.002", + 
"T1480.001", + "T1491.001", + "T1491.002", + "T1497.001", + "T1497.002", + "T1497.003", + "T1498.001", + "T1498.002", + "T1499.001", + "T1499.002", + "T1499.003", + "T1499.004", + "T1505.001", + "T1505.002", + "T1505.003", + "T1518.001", + "T1542.001", + "T1542.002", + "T1542.003", + "T1543.001", + "T1543.002", + "T1543.003", + "T1543.004", + "T1546.001", + "T1546.002", + "T1546.003", + "T1546.004", + "T1546.005", + "T1546.006", + "T1546.007", + "T1546.008", + "T1546.009", + "T1546.010", + "T1546.011", + "T1546.012", + "T1546.013", + "T1546.014", + "T1546.015", + "T1547.001", + "T1547.002", + "T1547.003", + "T1547.004", + "T1547.005", + "T1547.006", + "T1547.007", + "T1547.008", + "T1547.009", + "T1547.010", + "T1547.011", + "T1548.001", + "T1548.002", + "T1548.003", + "T1548.004", + "T1550.001", + "T1550.002", + "T1550.003", + "T1550.004", + "T1552.001", + "T1552.002", + "T1552.003", + "T1552.004", + "T1552.005", + "T1552.006", + "T1553.001", + "T1553.002", + "T1553.003", + "T1553.004", + "T1555.001", + "T1555.002", + "T1555.003", + "T1556.001", + "T1556.002", + "T1556.003", + "T1557.001", + "T1558.001", + "T1558.002", + "T1558.003", + "T1559.001", + "T1559.002", + "T1560.001", + "T1560.002", + "T1560.003", + "T1561.001", + "T1561.002", + "T1562.001", + "T1562.002", + "T1562.003", + "T1562.004", + "T1562.006", + "T1562.007", + "T1563.001", + "T1563.002", + "T1564.001", + "T1564.002", + "T1564.003", + "T1564.004", + "T1564.005", + "T1564.006", + "T1565.001", + "T1565.002", + "T1565.003", + "T1566.001", + "T1566.002", + "T1566.003", + "T1567.001", + "T1567.002", + "T1568.001", + "T1568.002", + "T1568.003", + "T1569.001", + "T1569.002", + "T1573.001", + "T1573.002", + "T1574.001", + "T1574.002", + "T1574.004", + "T1574.005", + "T1574.006", + "T1574.007", + "T1574.008", + "T1574.009", + "T1574.010", + "T1574.011", + "T1574.012", + "T1578.001", + "T1578.002", + "T1578.003", + "T1578.004" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { 
+ "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "query", + "enum": [ + "query" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "language", + "query", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.12/7.12.saved_query.json b/etc/api_schemas/7.12/7.12.saved_query.json new file mode 100644 index 000000000..d085ba476 --- /dev/null +++ b/etc/api_schemas/7.12/7.12.saved_query.json 
@@ -0,0 +1,946 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + "references": { + "items": { + "type": "string" 
+ }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "saved_id": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": 
"string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + 
"T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001.001", + "T1001.002", + "T1001.003", + "T1003.001", + "T1003.002", + "T1003.003", + "T1003.004", + "T1003.005", + "T1003.006", + "T1003.007", + "T1003.008", + "T1011.001", + "T1021.001", + "T1021.002", + "T1021.003", + "T1021.004", + "T1021.005", + 
"T1021.006", + "T1027.001", + "T1027.002", + "T1027.003", + "T1027.004", + "T1027.005", + "T1036.001", + "T1036.002", + "T1036.003", + "T1036.004", + "T1036.005", + "T1036.006", + "T1037.001", + "T1037.002", + "T1037.003", + "T1037.004", + "T1037.005", + "T1048.001", + "T1048.002", + "T1048.003", + "T1052.001", + "T1053.001", + "T1053.002", + "T1053.003", + "T1053.004", + "T1053.005", + "T1055.001", + "T1055.002", + "T1055.003", + "T1055.004", + "T1055.005", + "T1055.008", + "T1055.009", + "T1055.011", + "T1055.012", + "T1055.013", + "T1055.014", + "T1056.001", + "T1056.002", + "T1056.003", + "T1056.004", + "T1059.001", + "T1059.002", + "T1059.003", + "T1059.004", + "T1059.005", + "T1059.006", + "T1059.007", + "T1069.001", + "T1069.002", + "T1069.003", + "T1070.001", + "T1070.002", + "T1070.003", + "T1070.004", + "T1070.005", + "T1070.006", + "T1071.001", + "T1071.002", + "T1071.003", + "T1071.004", + "T1074.001", + "T1074.002", + "T1078.001", + "T1078.002", + "T1078.003", + "T1078.004", + "T1087.001", + "T1087.002", + "T1087.003", + "T1087.004", + "T1090.001", + "T1090.002", + "T1090.003", + "T1090.004", + "T1098.001", + "T1098.002", + "T1098.003", + "T1098.004", + "T1102.001", + "T1102.002", + "T1102.003", + "T1110.001", + "T1110.002", + "T1110.003", + "T1110.004", + "T1114.001", + "T1114.002", + "T1114.003", + "T1127.001", + "T1132.001", + "T1132.002", + "T1134.001", + "T1134.002", + "T1134.003", + "T1134.004", + "T1134.005", + "T1136.001", + "T1136.002", + "T1136.003", + "T1137.001", + "T1137.002", + "T1137.003", + "T1137.004", + "T1137.005", + "T1137.006", + "T1195.001", + "T1195.002", + "T1195.003", + "T1204.001", + "T1204.002", + "T1205.001", + "T1213.001", + "T1213.002", + "T1216.001", + "T1218.001", + "T1218.002", + "T1218.003", + "T1218.004", + "T1218.005", + "T1218.007", + "T1218.008", + "T1218.009", + "T1218.010", + "T1218.011", + "T1222.001", + "T1222.002", + "T1480.001", + "T1491.001", + "T1491.002", + "T1497.001", + "T1497.002", + "T1497.003", + 
"T1498.001", + "T1498.002", + "T1499.001", + "T1499.002", + "T1499.003", + "T1499.004", + "T1505.001", + "T1505.002", + "T1505.003", + "T1518.001", + "T1542.001", + "T1542.002", + "T1542.003", + "T1543.001", + "T1543.002", + "T1543.003", + "T1543.004", + "T1546.001", + "T1546.002", + "T1546.003", + "T1546.004", + "T1546.005", + "T1546.006", + "T1546.007", + "T1546.008", + "T1546.009", + "T1546.010", + "T1546.011", + "T1546.012", + "T1546.013", + "T1546.014", + "T1546.015", + "T1547.001", + "T1547.002", + "T1547.003", + "T1547.004", + "T1547.005", + "T1547.006", + "T1547.007", + "T1547.008", + "T1547.009", + "T1547.010", + "T1547.011", + "T1548.001", + "T1548.002", + "T1548.003", + "T1548.004", + "T1550.001", + "T1550.002", + "T1550.003", + "T1550.004", + "T1552.001", + "T1552.002", + "T1552.003", + "T1552.004", + "T1552.005", + "T1552.006", + "T1553.001", + "T1553.002", + "T1553.003", + "T1553.004", + "T1555.001", + "T1555.002", + "T1555.003", + "T1556.001", + "T1556.002", + "T1556.003", + "T1557.001", + "T1558.001", + "T1558.002", + "T1558.003", + "T1559.001", + "T1559.002", + "T1560.001", + "T1560.002", + "T1560.003", + "T1561.001", + "T1561.002", + "T1562.001", + "T1562.002", + "T1562.003", + "T1562.004", + "T1562.006", + "T1562.007", + "T1563.001", + "T1563.002", + "T1564.001", + "T1564.002", + "T1564.003", + "T1564.004", + "T1564.005", + "T1564.006", + "T1565.001", + "T1565.002", + "T1565.003", + "T1566.001", + "T1566.002", + "T1566.003", + "T1567.001", + "T1567.002", + "T1568.001", + "T1568.002", + "T1568.003", + "T1569.001", + "T1569.002", + "T1573.001", + "T1573.002", + "T1574.001", + "T1574.002", + "T1574.004", + "T1574.005", + "T1574.006", + "T1574.007", + "T1574.008", + "T1574.009", + "T1574.010", + "T1574.011", + "T1574.012", + "T1578.001", + "T1578.002", + "T1578.003", + "T1578.004" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } 
+ }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "saved_query", + "enum": [ + "saved_query" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "saved_id", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.12/7.12.threshold.json b/etc/api_schemas/7.12/7.12.threshold.json new file mode 100644 index 000000000..d426ff868 --- /dev/null +++ b/etc/api_schemas/7.12/7.12.threshold.json 
@@ -0,0 +1,993 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "default": "kuery", + "enum": [ + "kuery", + "lucene" + ], + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + 
"note": { + "format": "markdown", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + 
"type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", 
+ "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001.001", + "T1001.002", + "T1001.003", + "T1003.001", + "T1003.002", + "T1003.003", + "T1003.004", + "T1003.005", + "T1003.006", + "T1003.007", + "T1003.008", 
+ "T1011.001", + "T1021.001", + "T1021.002", + "T1021.003", + "T1021.004", + "T1021.005", + "T1021.006", + "T1027.001", + "T1027.002", + "T1027.003", + "T1027.004", + "T1027.005", + "T1036.001", + "T1036.002", + "T1036.003", + "T1036.004", + "T1036.005", + "T1036.006", + "T1037.001", + "T1037.002", + "T1037.003", + "T1037.004", + "T1037.005", + "T1048.001", + "T1048.002", + "T1048.003", + "T1052.001", + "T1053.001", + "T1053.002", + "T1053.003", + "T1053.004", + "T1053.005", + "T1055.001", + "T1055.002", + "T1055.003", + "T1055.004", + "T1055.005", + "T1055.008", + "T1055.009", + "T1055.011", + "T1055.012", + "T1055.013", + "T1055.014", + "T1056.001", + "T1056.002", + "T1056.003", + "T1056.004", + "T1059.001", + "T1059.002", + "T1059.003", + "T1059.004", + "T1059.005", + "T1059.006", + "T1059.007", + "T1069.001", + "T1069.002", + "T1069.003", + "T1070.001", + "T1070.002", + "T1070.003", + "T1070.004", + "T1070.005", + "T1070.006", + "T1071.001", + "T1071.002", + "T1071.003", + "T1071.004", + "T1074.001", + "T1074.002", + "T1078.001", + "T1078.002", + "T1078.003", + "T1078.004", + "T1087.001", + "T1087.002", + "T1087.003", + "T1087.004", + "T1090.001", + "T1090.002", + "T1090.003", + "T1090.004", + "T1098.001", + "T1098.002", + "T1098.003", + "T1098.004", + "T1102.001", + "T1102.002", + "T1102.003", + "T1110.001", + "T1110.002", + "T1110.003", + "T1110.004", + "T1114.001", + "T1114.002", + "T1114.003", + "T1127.001", + "T1132.001", + "T1132.002", + "T1134.001", + "T1134.002", + "T1134.003", + "T1134.004", + "T1134.005", + "T1136.001", + "T1136.002", + "T1136.003", + "T1137.001", + "T1137.002", + "T1137.003", + "T1137.004", + "T1137.005", + "T1137.006", + "T1195.001", + "T1195.002", + "T1195.003", + "T1204.001", + "T1204.002", + "T1205.001", + "T1213.001", + "T1213.002", + "T1216.001", + "T1218.001", + "T1218.002", + "T1218.003", + "T1218.004", + "T1218.005", + "T1218.007", + "T1218.008", + "T1218.009", + "T1218.010", + "T1218.011", + "T1222.001", + "T1222.002", + 
"T1480.001", + "T1491.001", + "T1491.002", + "T1497.001", + "T1497.002", + "T1497.003", + "T1498.001", + "T1498.002", + "T1499.001", + "T1499.002", + "T1499.003", + "T1499.004", + "T1505.001", + "T1505.002", + "T1505.003", + "T1518.001", + "T1542.001", + "T1542.002", + "T1542.003", + "T1543.001", + "T1543.002", + "T1543.003", + "T1543.004", + "T1546.001", + "T1546.002", + "T1546.003", + "T1546.004", + "T1546.005", + "T1546.006", + "T1546.007", + "T1546.008", + "T1546.009", + "T1546.010", + "T1546.011", + "T1546.012", + "T1546.013", + "T1546.014", + "T1546.015", + "T1547.001", + "T1547.002", + "T1547.003", + "T1547.004", + "T1547.005", + "T1547.006", + "T1547.007", + "T1547.008", + "T1547.009", + "T1547.010", + "T1547.011", + "T1548.001", + "T1548.002", + "T1548.003", + "T1548.004", + "T1550.001", + "T1550.002", + "T1550.003", + "T1550.004", + "T1552.001", + "T1552.002", + "T1552.003", + "T1552.004", + "T1552.005", + "T1552.006", + "T1553.001", + "T1553.002", + "T1553.003", + "T1553.004", + "T1555.001", + "T1555.002", + "T1555.003", + "T1556.001", + "T1556.002", + "T1556.003", + "T1557.001", + "T1558.001", + "T1558.002", + "T1558.003", + "T1559.001", + "T1559.002", + "T1560.001", + "T1560.002", + "T1560.003", + "T1561.001", + "T1561.002", + "T1562.001", + "T1562.002", + "T1562.003", + "T1562.004", + "T1562.006", + "T1562.007", + "T1563.001", + "T1563.002", + "T1564.001", + "T1564.002", + "T1564.003", + "T1564.004", + "T1564.005", + "T1564.006", + "T1565.001", + "T1565.002", + "T1565.003", + "T1566.001", + "T1566.002", + "T1566.003", + "T1567.001", + "T1567.002", + "T1568.001", + "T1568.002", + "T1568.003", + "T1569.001", + "T1569.002", + "T1573.001", + "T1573.002", + "T1574.001", + "T1574.002", + "T1574.004", + "T1574.005", + "T1574.006", + "T1574.007", + "T1574.008", + "T1574.009", + "T1574.010", + "T1574.011", + "T1574.012", + "T1578.001", + "T1578.002", + "T1578.003", + "T1578.004" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { 
+ "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "field": { + "items": { + "default": "", + "type": "string" + }, + "type": "array" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "threshold", + "enum": [ + "threshold" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "language", + "query", + "author", + "license", + "threshold" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.13/7.13.base.json b/etc/api_schemas/7.13/7.13.base.json new file mode 100644 index 000000000..7750cc1ac --- /dev/null +++ b/etc/api_schemas/7.13/7.13.base.json 
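Review bot: Every `pattern` in this schema is unanchored, and JSON Schema `pattern` is a substring search, so `rule_id`, `interval` and the three `reference` patterns accept any string that merely contains the expected form: a `rule_id` of `"zz<uuid>zz"`, an `interval` of `"5mx"` and a reference such as `https://evil.example/?u=https://attack.mitre.org/tactics/TA0001/` all validate. The reference URLs presumably end up as links wherever the rule is rendered, so the anchoring matters beyond tidiness. Anchor them, e.g. `"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"`, `"pattern": "^\\d+[mshd]$"` and `"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$"` (and the matching `^…$` on the technique and subtechnique URLs). The 7.13 files added below carry the same unanchored patterns, so the fix applies to the whole directory.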
@@ -0,0 +1,301 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": "string" + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + 
"severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + 
"495ad7a7-316e-4544-8a0f-9c098daee76e"
+ ],
+ "enumNames": [],
+ "type": "string"
+ },
+ "timeline_title": {
+ "description": "TimelineTemplateTitle",
+ "enum": [
+ "Generic Endpoint Timeline",
+ "Generic Network Timeline",
+ "Generic Process Timeline",
+ "Generic Threat Match Timeline"
+ ],
+ "enumNames": [],
+ "type": "string"
+ },
+ "timestamp_override": {
+ "type": "string"
+ },
+ "to": {
+ "type": "string"
+ },
+ "type": {
+ "enum": [
+ "query",
+ "saved_query",
+ "machine_learning",
+ "eql",
+ "threshold",
+ "threat_match"
+ ],
+ "enumNames": [],
+ "type": "string"
+ }
+ },
+ "required": [
+ "author",
+ "description",
+ "name",
+ "risk_score",
+ "rule_id",
+ "severity",
+ "type"
+ ],
+ "type": "object"
+}
\ No newline at end of file
diff --git a/etc/api_schemas/7.13/7.13.eql.json b/etc/api_schemas/7.13/7.13.eql.json
new file mode 100644
index 000000000..381659f5e
--- /dev/null
+++ b/etc/api_schemas/7.13/7.13.eql.json
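Review bot: `risk_score` in this file has `"minimum": 1` and the description `"MaxSignals"`, which looks copy-pasted from the `max_signals` entry above it; the 7.12 schemas in this same commit allow `"minimum": 0`, so a rule with `risk_score: 0` that validates under 7.12 is rejected under 7.13. `"type": "number"` with `"format": "integer"` also does not reject `21.5` — `format` is only checked when a format checker is supplied and `integer` is not a standard format — so `"type": "integer"`, as the 7.12 files already use, is the safer spelling. `filters` items are declared as objects whose values must all be strings, while the 7.12 schema above gives `filters` nested `meta` and `query` objects, so any filter valid there fails here; if that is not intentional the item should be `"type": "object"` without the string-only `additionalProperties`. The `enumNames: []` and `format` keys suggest this file is emitted by marshmallow-jsonschema, in which case the fix belongs in the marshmallow source rather than in the JSON.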
@@ -0,0 +1,306 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": "string" + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { 
+ "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + 
"enum": [
+ "db366523-f1c6-4c1f-8731-6ce5ed9e5717",
+ "91832785-286d-4ebe-b884-1a208d111a70",
+ "76e52245-7519-4251-91ab-262fb1a1728c",
+ "495ad7a7-316e-4544-8a0f-9c098daee76e"
+ ],
+ "enumNames": [],
+ "type": "string"
+ },
+ "timeline_title": {
+ "description": "TimelineTemplateTitle",
+ "enum": [
+ "Generic Endpoint Timeline",
+ "Generic Network Timeline",
+ "Generic Process Timeline",
+ "Generic Threat Match Timeline"
+ ],
+ "enumNames": [],
+ "type": "string"
+ },
+ "timestamp_override": {
+ "type": "string"
+ },
+ "to": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "author",
+ "description",
+ "language",
+ "name",
+ "query",
+ "risk_score",
+ "rule_id",
+ "severity",
+ "type"
+ ],
+ "type": "object"
+}
\ No newline at end of file
diff --git a/etc/api_schemas/7.13/7.13.machine_learning.json b/etc/api_schemas/7.13/7.13.machine_learning.json
new file mode 100644
index 000000000..181f305aa
--- /dev/null
+++ b/etc/api_schemas/7.13/7.13.machine_learning.json
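Review bot: `type` and `language` are plain unrestricted strings in this schema, whereas the 7.12 threshold file above pins `"type": {"enum": ["threshold"]}`, and nothing pulls in the base schema's `type` enum (each file is a standalone draft-04 document with no `$ref`), so a document with `"type": "query"` or a typo validates as an EQL rule. Pin both, e.g. `"type": {"enum": ["eql"], "type": "string"}` and, assuming EQL rules carry `"language": "eql"` — worth confirming against the loader — `"language": {"enum": ["eql"], "type": "string"}`. The same unpinned `type` appears in the machine_learning and query files that follow.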
@@ -0,0 +1,301 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": "string" + }, + "type": "array" + }, + "anomaly_threshold": { + "format": "integer", + "type": "number" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "type": "string" + }, + "machine_learning_job_id": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, 
+ "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + 
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
+ "91832785-286d-4ebe-b884-1a208d111a70",
+ "76e52245-7519-4251-91ab-262fb1a1728c",
+ "495ad7a7-316e-4544-8a0f-9c098daee76e"
+ ],
+ "enumNames": [],
+ "type": "string"
+ },
+ "timeline_title": {
+ "description": "TimelineTemplateTitle",
+ "enum": [
+ "Generic Endpoint Timeline",
+ "Generic Network Timeline",
+ "Generic Process Timeline",
+ "Generic Threat Match Timeline"
+ ],
+ "enumNames": [],
+ "type": "string"
+ },
+ "timestamp_override": {
+ "type": "string"
+ },
+ "to": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "anomaly_threshold",
+ "author",
+ "description",
+ "machine_learning_job_id",
+ "name",
+ "risk_score",
+ "rule_id",
+ "severity",
+ "type"
+ ],
+ "type": "object"
+}
\ No newline at end of file
diff --git a/etc/api_schemas/7.13/7.13.query.json b/etc/api_schemas/7.13/7.13.query.json
new file mode 100644
index 000000000..9e47b2969
--- /dev/null
+++ b/etc/api_schemas/7.13/7.13.query.json
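Review bot: `anomaly_threshold` is required but carries no bounds, so `0`, `-5`, `250` or `75.5` all validate — `"format": "integer"` on a `"type": "number"` is not enforced without a format checker — unlike `max_signals` a few keys below, which at least has `"minimum": 1`. If anomaly scores are the usual 0–100 range, declare `"anomaly_threshold": {"type": "integer", "minimum": 0, "maximum": 100}`; confirm the range against the ML job definitions before pinning it. `machine_learning_job_id` is likewise a bare string with no `minLength`, so an empty id passes the schema and is only caught later, if at all.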
@@ -0,0 +1,311 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": "string" + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": 
"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": 
"array"
+ },
+ "throttle": {
+ "type": "string"
+ },
+ "timeline_id": {
+ "description": "TimelineTemplateId",
+ "enum": [
+ "db366523-f1c6-4c1f-8731-6ce5ed9e5717",
+ "91832785-286d-4ebe-b884-1a208d111a70",
+ "76e52245-7519-4251-91ab-262fb1a1728c",
+ "495ad7a7-316e-4544-8a0f-9c098daee76e"
+ ],
+ "enumNames": [],
+ "type": "string"
+ },
+ "timeline_title": {
+ "description": "TimelineTemplateTitle",
+ "enum": [
+ "Generic Endpoint Timeline",
+ "Generic Network Timeline",
+ "Generic Process Timeline",
+ "Generic Threat Match Timeline"
+ ],
+ "enumNames": [],
+ "type": "string"
+ },
+ "timestamp_override": {
+ "type": "string"
+ },
+ "to": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "author",
+ "description",
+ "language",
+ "name",
+ "query",
+ "risk_score",
+ "rule_id",
+ "severity",
+ "type"
+ ],
+ "type": "object"
+}
\ No newline at end of file
diff --git a/etc/api_schemas/7.13/7.13.threat_match.json b/etc/api_schemas/7.13/7.13.threat_match.json
new file mode 100644
index 000000000..84a603c3d
--- /dev/null
+++ b/etc/api_schemas/7.13/7.13.threat_match.json
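Review bot: This schema relaxes constraints the 7.12 files in this commit enforce, and it is not clear that is intended: `author` has no `"minItems": 1`, so `"author": []` passes; `license` is no longer in `required`; and `type` is an unrestricted string rather than `{"enum": ["query"]}`. Restoring `"minItems": 1` on `author`, adding `"license"` to `required`, and pinning `"type": {"enum": ["query"], "type": "string"}` would keep 7.13 at least as strict as 7.12 for rules that pass both. `risk_score` also repeats the `"description": "MaxSignals"` / `"minimum": 1` copy-paste from the base file, which rejects the `0` that 7.12 allows.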
@@ -0,0 +1,393 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": "string" + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "concurrent_searches": { + "description": "PositiveInteger", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "items_per_search": { + "description": "PositiveInteger", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": 
"string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } 
+ }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": "string" + }, + "threat_language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "type", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": "string" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + 
"severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.13/7.13.threshold.json b/etc/api_schemas/7.13/7.13.threshold.json new file mode 100644 index 000000000..724d46cce --- /dev/null +++ b/etc/api_schemas/7.13/7.13.threshold.json 
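Review bot: The `pattern` constraints in this schema are unanchored, and JSON Schema `pattern` matches anywhere in the string, so `rule_id`, `interval` and the three ATT&CK `reference` fields accept any value that merely contains a matching substring — a `rule_id` of `junk 01234567-89ab-cdef-0123-456789abcdef`, an `interval` of `5m; whatever`, or a reference URL on a foreign host that only embeds `https://attack.mitre.org/tactics/TA0001/` later in the string all validate. Anchoring fixes this, e.g. `"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"` and `"pattern": "^\\d+[mshd]$"`. The empty `"enumNames": []` arrays suggest these files are exported from the marshmallow definitions rather than hand-written, so the anchors presumably belong in `definitions.py` as well, otherwise the next export regresses them. Separately, `risk_score` carries the description `MaxSignals`, which looks like a copy-pasted type name at the source.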
@@ -0,0 +1,355 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": "string" + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": 
"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": 
"array" + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "format": "integer", + "minimum": 1, + "type": "number" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "field": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + }, + "value": { + "description": "ThresholdValue", + "format": "integer", + "minimum": 1, + "type": "number" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threshold", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.8/7.8.base.json b/etc/api_schemas/7.8/7.8.base.json new file mode 100644 index 000000000..099551624 --- /dev/null +++ b/etc/api_schemas/7.8/7.8.base.json 
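Review bot: `threshold.value`, `threshold.cardinality.value` and `max_signals` are declared as `"type": "number"` with `"format": "integer"`, but `integer` is not a draft-04 format and validators ignore formats they do not recognise, so a fractional value such as `1.5` validates; `"type": "integer"` (which the 7.8 schemas in this same patch use) enforces the intent, e.g. `"value": {"description": "ThresholdValue", "minimum": 1, "type": "integer"}`. The top-level `type` is also a free `{"type": "string"}` here, unlike the 7.8 schemas that pin it with an `enum`, so a rule of any other type that happens to carry a `threshold` object passes this threshold-specific schema. Since the file appears to be exported from marshmallow definitions (the empty `enumNames` arrays), both changes presumably need to land at the source rather than in the JSON.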
@@ -0,0 +1,554 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, 
+ "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + 
"T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", 
+ "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + } + }, + "required": [ + "rule_id", + "description", + "name", + "risk_score", + "severity" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.8/7.8.machine_learning.json b/etc/api_schemas/7.8/7.8.machine_learning.json new file mode 100644 index 000000000..0b65815e3 --- /dev/null +++ b/etc/api_schemas/7.8/7.8.machine_learning.json 
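Review bot: `threat[].tactic.id` and `threat[].tactic.name` are validated as two independent enums, so a mismatched pair such as `"id": "TA0001"` with `"name": "Collection"` validates although the schema clearly intends them to correspond; in draft-04 the coupling can only be expressed as a `oneOf` over the twelve id/name pairs, and if that is too heavy for a backport schema the generator should at least note that the pairing is checked elsewhere. `actions` is a bare `{"type": "array"}` with no `items` schema, so arbitrary content nests under it unchecked while every other collection in the file constrains its items. The `rule_id`, `interval` and `reference` patterns are unanchored (`pattern` is a substring match), so `"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$"` is what actually rejects a URL that merely embeds the MITRE path.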
@@ -0,0 +1,571 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "anomaly_threshold": { + "minimum": 0, + "type": "integer" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "machine_learning_job_id": { + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, 
+ "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + 
"T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", 
+ "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "machine_learning", + "enum": [ + "machine_learning" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "anomaly_threshold", + "machine_learning_job_id" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.8/7.8.query.json b/etc/api_schemas/7.8/7.8.query.json new file mode 100644 index 000000000..40b92fa39 --- /dev/null +++ b/etc/api_schemas/7.8/7.8.query.json 
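Review bot: `anomaly_threshold` has `"minimum": 0` but no `maximum`, so a value like `500` validates; the ML anomaly score this threshold is compared against is, as far as I can tell, on a 0–100 scale, so `"maximum": 100` would catch a rule that can never fire. `machine_learning_job_id` is required yet accepts the empty string; `"minLength": 1` closes that gap. The rest of the file mirrors 7.8.base.json, including the unanchored `rule_id`, `interval` and `reference` patterns, so whatever fix is applied there should be applied here too.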
@@ -0,0 +1,581 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "default": "kuery", + "enum": [ + "kuery", + "lucene" + ], + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "rule_id": { + 
"pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + 
"T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", 
+ "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "query", + "enum": [ + "query" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "language", + "query" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.8/7.8.saved_query.json b/etc/api_schemas/7.8/7.8.saved_query.json new file mode 100644 index 000000000..32ddb4cda --- /dev/null +++ b/etc/api_schemas/7.8/7.8.saved_query.json 
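Review bot: `query` is required but accepts the empty string, and `index` has no `minItems`, so a rule with `"query": ""` and `"index": []` validates; an empty KQL query is match-all, so such a rule presumably fires on every document rather than failing, and `"query": {"minLength": 1, "type": "string"}` plus `"minItems": 1` on `index` would catch it at validation time. `language` and `type` carry a `default` while also being listed in `required`; `default` is annotation-only in draft-04 and never applied by a validator, so those defaults are dead weight and the `required` entry is what matters. The `rule_id`, `interval` and `reference` patterns are unanchored here as in the sibling files.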
@@ -0,0 +1,572 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "saved_id": { + "type": "string" + }, + 
"severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", 
+ "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + 
"T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "saved_query", + "enum": [ + "saved_query" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "saved_id" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.9/7.9.base.json b/etc/api_schemas/7.9/7.9.base.json new file mode 100644 index 000000000..1cf3e934c --- /dev/null +++ b/etc/api_schemas/7.9/7.9.base.json 
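Review bot: The `pattern` constraints in this schema are unanchored — `rule_id` (`[0-9a-f]{8}-[0-9a-f]{4}-...`), `interval` (`\d+[mshd]`) and the tactic/technique `reference` URLs — and JSON Schema draft-04 patterns are matched with search semantics, not implicitly anchored, so any string merely containing a UUID-shaped substring or an `attack.mitre.org` path fragment passes validation. Pinning them to the whole value, e.g. `"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"` and `"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$"`, makes the schema reject malformed or padded identifiers instead of accepting them. The same unanchored patterns recur in the 7.9.base.json, 7.9.machine_learning.json, 7.9.query.json and 7.9.saved_query.json hunks below; if these files are emitted from the marshmallow definitions rather than hand-edited, the anchors belong in the source schemas so a regeneration does not drop them.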
@@ -0,0 +1,633 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + 
"maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + 
"technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + 
"T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + } + }, 
+ "required": [ + "rule_id", + "description", + "name", + "risk_score", + "severity", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.9/7.9.machine_learning.json b/etc/api_schemas/7.9/7.9.machine_learning.json new file mode 100644 index 000000000..e7b7c8d43 --- /dev/null +++ b/etc/api_schemas/7.9/7.9.machine_learning.json 
@@ -0,0 +1,650 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "anomaly_threshold": { + "minimum": 0, + "type": "integer" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "machine_learning_job_id": { + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + 
"references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + 
"type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", 
+ "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + 
"timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "machine_learning", + "enum": [ + "machine_learning" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "anomaly_threshold", + "machine_learning_job_id", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.9/7.9.query.json b/etc/api_schemas/7.9/7.9.query.json new file mode 100644 index 000000000..0cbf8532a --- /dev/null +++ b/etc/api_schemas/7.9/7.9.query.json 
@@ -0,0 +1,660 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "default": "kuery", + "enum": [ + "kuery", + "lucene" + ], + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + 
"note": { + "format": "markdown", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + 
"type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", 
+ "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "throttle": { + "type": "string" + 
}, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "query", + "enum": [ + "query" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "language", + "query", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.9/7.9.saved_query.json b/etc/api_schemas/7.9/7.9.saved_query.json new file mode 100644 index 000000000..532d4a68d --- /dev/null +++ b/etc/api_schemas/7.9/7.9.saved_query.json 
@@ -0,0 +1,651 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "format": "markdown", + "type": "string" + }, + "references": { + "items": { + "type": "string" 
+ }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "saved_id": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": 
"string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", + "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + 
"T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + 
"timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "saved_query", + "enum": [ + "saved_query" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "saved_id", + "author", + "license" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/7.9/7.9.threshold.json b/etc/api_schemas/7.9/7.9.threshold.json new file mode 100644 index 000000000..44001ca89 --- /dev/null +++ b/etc/api_schemas/7.9/7.9.threshold.json 
@@ -0,0 +1,679 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "type": "array" + }, + "author": { + "items": { + "default": "Elastic", + "type": "string" + }, + "minItems": 1, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "default": false, + "type": "boolean" + }, + "exceptions_list": { + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": false, + "properties": { + "$state": { + "additionalProperties": false, + "properties": { + "store": { + "type": "string" + } + }, + "type": "object" + }, + "exists": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + } + }, + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "alias": { + "type": "string" + }, + "disabled": { + "type": "boolean" + }, + "indexRefName": { + "type": "string" + }, + "key": { + "type": "string" + }, + "negate": { + "type": "boolean" + }, + "params": { + "properties": { + "query": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "query": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "default": "now-6m", + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "default": "5m", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "default": "kuery", + "enum": [ + "kuery", + "lucene" + ], + "type": "string" + }, + "license": { + "default": "Elastic License v2", + "type": "string" + }, + "max_signals": { + "default": 100, + "minimum": 1, + "type": "integer" + }, + "meta": { + "type": "object" + }, + "name": { + "type": "string" + }, + 
"note": { + "format": "markdown", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "default": 21, + "maximum": 100, + "minimum": 0, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "rule_id": { + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "default": "low", + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "default": "MITRE ATT&CK", + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "TA0009", + "TA0011", + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0010", + "TA0040", + "TA0001", + "TA0008", + "TA0003", + "TA0004" + ], + "type": "string" + }, + "name": { + "enum": [ + "Collection", + "Command and Control", + "Credential Access", + "Defense Evasion", + "Discovery", + "Execution", + "Exfiltration", + "Impact", + "Initial Access", + "Lateral Movement", + "Persistence", + "Privilege Escalation" + ], + 
"type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "enum": [ + "T1001", + "T1002", + "T1003", + "T1004", + "T1005", + "T1006", + "T1007", + "T1008", + "T1009", + "T1010", + "T1011", + "T1012", + "T1013", + "T1014", + "T1015", + "T1016", + "T1017", + "T1018", + "T1019", + "T1020", + "T1021", + "T1022", + "T1023", + "T1024", + "T1025", + "T1026", + "T1027", + "T1028", + "T1029", + "T1030", + "T1031", + "T1032", + "T1033", + "T1034", + "T1035", + "T1036", + "T1037", + "T1038", + "T1039", + "T1040", + "T1041", + "T1042", + "T1043", + "T1044", + "T1045", + "T1046", + "T1047", + "T1048", + "T1049", + "T1050", + "T1051", + "T1052", + "T1053", + "T1054", + "T1055", + "T1056", + "T1057", + "T1058", + "T1059", + "T1060", + "T1061", + "T1062", + "T1063", + "T1064", + "T1065", + "T1066", + "T1067", + "T1068", + "T1069", + "T1070", + "T1071", + "T1072", + "T1073", + "T1074", + "T1075", + "T1076", + "T1077", + "T1078", + "T1079", + "T1080", + "T1081", + "T1082", + "T1083", + "T1084", + "T1085", + "T1086", + "T1087", + "T1088", + "T1089", + "T1090", + "T1091", + "T1092", + "T1093", + "T1094", + "T1095", + "T1096", + "T1097", + "T1098", + "T1099", + "T1100", + "T1101", + "T1102", + "T1103", + "T1104", + "T1105", + "T1106", + "T1107", + "T1108", + "T1109", + "T1110", + "T1111", + "T1112", + "T1113", + "T1114", + "T1115", + "T1116", + "T1117", + "T1118", + "T1119", + "T1120", + "T1121", + "T1122", + "T1123", + "T1124", + "T1125", + "T1126", + "T1127", + "T1128", + "T1129", + "T1130", + "T1131", + "T1132", + "T1133", + "T1134", + "T1135", + "T1136", + "T1137", + "T1138", + "T1139", + "T1140", + "T1141", + "T1142", + "T1143", + "T1144", + "T1145", + "T1146", + "T1147", + "T1148", + "T1149", + "T1150", + "T1151", + "T1152", + "T1153", + "T1154", 
+ "T1155", + "T1156", + "T1157", + "T1158", + "T1159", + "T1160", + "T1161", + "T1162", + "T1163", + "T1164", + "T1165", + "T1166", + "T1167", + "T1168", + "T1169", + "T1170", + "T1171", + "T1172", + "T1173", + "T1174", + "T1175", + "T1176", + "T1177", + "T1178", + "T1179", + "T1180", + "T1181", + "T1182", + "T1183", + "T1184", + "T1185", + "T1186", + "T1187", + "T1188", + "T1189", + "T1190", + "T1191", + "T1192", + "T1193", + "T1194", + "T1195", + "T1196", + "T1197", + "T1198", + "T1199", + "T1200", + "T1201", + "T1202", + "T1203", + "T1204", + "T1205", + "T1206", + "T1207", + "T1208", + "T1209", + "T1210", + "T1211", + "T1212", + "T1213", + "T1214", + "T1215", + "T1216", + "T1217", + "T1218", + "T1219", + "T1220", + "T1221", + "T1222", + "T1223", + "T1480", + "T1482", + "T1483", + "T1484", + "T1485", + "T1486", + "T1487", + "T1488", + "T1489", + "T1490", + "T1491", + "T1492", + "T1493", + "T1494", + "T1495", + "T1496", + "T1497", + "T1498", + "T1499", + "T1500", + "T1501", + "T1502", + "T1503", + "T1504", + "T1505", + "T1506", + "T1514", + "T1518", + "T1519", + "T1522", + "T1525", + "T1526", + "T1527", + "T1528", + "T1529", + "T1530", + "T1531", + "T1534", + "T1535", + "T1536", + "T1537", + "T1538", + "T1539", + "T1542", + "T1543", + "T1546", + "T1547", + "T1548", + "T1550", + "T1552", + "T1553", + "T1554", + "T1555", + "T1556", + "T1557", + "T1558", + "T1559", + "T1560", + "T1561", + "T1562", + "T1563", + "T1564", + "T1565", + "T1566", + "T1567", + "T1568", + "T1569", + "T1570", + "T1571", + "T1572", + "T1573", + "T1574", + "T1578" + ], + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic", + "technique" + ], + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "threshold": { + 
"additionalProperties": false, + "properties": { + "field": { + "default": "", + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "default": "now", + "type": "string" + }, + "type": { + "default": "threshold", + "enum": [ + "threshold" + ], + "type": "string" + } + }, + "required": [ + "rule_id", + "type", + "description", + "name", + "risk_score", + "severity", + "language", + "query", + "author", + "license", + "threshold" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/master/master.base.json b/etc/api_schemas/master/master.base.json new file mode 100644 index 000000000..7750cc1ac --- /dev/null +++ b/etc/api_schemas/master/master.base.json 
@@ -0,0 +1,301 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": "string" + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + 
"severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + 
"495ad7a7-316e-4544-8a0f-9c098daee76e" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "threshold", + "threat_match" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "author", + "description", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/master/master.eql.json b/etc/api_schemas/master/master.eql.json new file mode 100644 index 000000000..381659f5e --- /dev/null +++ b/etc/api_schemas/master/master.eql.json 
@@ -0,0 +1,306 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": "string" + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { 
+ "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + 
"enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/master/master.machine_learning.json b/etc/api_schemas/master/master.machine_learning.json new file mode 100644 index 000000000..181f305aa --- /dev/null +++ b/etc/api_schemas/master/master.machine_learning.json 
@@ -0,0 +1,301 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": "string" + }, + "type": "array" + }, + "anomaly_threshold": { + "format": "integer", + "type": "number" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "license": { + "type": "string" + }, + "machine_learning_job_id": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, 
+ "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + 
"db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/master/master.query.json b/etc/api_schemas/master/master.query.json new file mode 100644 index 000000000..9e47b2969 --- /dev/null +++ b/etc/api_schemas/master/master.query.json 
@@ -0,0 +1,311 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": "string" + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": 
"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": 
"array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/master/master.threat_match.json b/etc/api_schemas/master/master.threat_match.json new file mode 100644 index 000000000..84a603c3d --- /dev/null +++ b/etc/api_schemas/master/master.threat_match.json 
@@ -0,0 +1,393 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": "string" + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "concurrent_searches": { + "description": "PositiveInteger", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "items_per_search": { + "description": "PositiveInteger", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": 
"string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } 
+ }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": "string" + }, + "threat_language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "type", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": "string" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + 
"severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/etc/api_schemas/master/master.threshold.json b/etc/api_schemas/master/master.threshold.json new file mode 100644 index 000000000..724d46cce --- /dev/null +++ b/etc/api_schemas/master/master.threshold.json 
@@ -0,0 +1,355 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": "string" + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "\\d+[mshd]", + "type": "string" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "name": { + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": 
"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": 
"array" + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "format": "integer", + "minimum": 1, + "type": "number" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "field": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + }, + "value": { + "description": "ThresholdValue", + "format": "integer", + "minimum": 1, + "type": "number" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threshold", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/requirements.txt b/requirements.txt index 6377888f0..64138b25a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -17,3 +17,4 @@ flake8==3.8.1 pep8-naming==0.7.0 pytest>=3.6 jsonschema==3.2.0 +marshmallow-jsonschema==0.11.1 diff --git a/tests/test_schemas.py b/tests/test_schemas.py index 757519a6e..aacf4c076 100644 --- a/tests/test_schemas.py +++ b/tests/test_schemas.py 
@@ -11,7 +11,7 @@ import uuid
 import eql
 
 from detection_rules.rule import TOMLRuleContents
-from detection_rules.schemas import downgrade, CurrentSchema
+from detection_rules.schemas import downgrade
 
 
 class TestSchemas(unittest.TestCase):
@@ -107,7 +107,7 @@ class TestSchemas(unittest.TestCase):
 downgrade(self.v79_kql, "7.7")
 
 with self.assertRaises(ValueError):
- downgrade(self.v78_kql, "7.7")
+ downgrade(self.v78_kql, "7.7", current_version="7.8")
 
 def test_versioned_downgrade(self):
 """Downgrade a KQL rule with version information"""
@@ -127,8 +127,8 @@ class TestSchemas(unittest.TestCase):
 def test_threshold_downgrade(self):
 """Downgrade a threshold rule that was first introduced in 7.9."""
 api_contents = self.v712_threshold_rule
- self.assertDictEqual(downgrade(api_contents, CurrentSchema.STACK_VERSION), api_contents)
- self.assertDictEqual(downgrade(api_contents, CurrentSchema.STACK_VERSION + '.1'), api_contents)
+ self.assertDictEqual(downgrade(api_contents, '7.13'), api_contents)
+ self.assertDictEqual(downgrade(api_contents, '7.13.1'), api_contents)
 
 exc_msg = 'Cannot downgrade a threshold rule that has multiple threshold fields defined'
 with self.assertRaisesRegex(ValueError, exc_msg):
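Review bot: In the third hunk (`@@ -127,8 +127,8 @@`), pinning `'7.13'` and `'7.13.1'` in `test_threshold_downgrade` turns a "downgrading to the current version is a no-op" check into one that only holds while 7.13 is the current stack version; once the version advances, `downgrade(api_contents, '7.13')` becomes a real downgrade and the `assertDictEqual` will either fail or quietly stop exercising the no-op path. The removed lines read `CurrentSchema.STACK_VERSION` for exactly this reason, so the replacement should read the current version from whatever the library now exposes for it (the second hunk's `current_version="7.8"` keyword suggests `downgrade` accepts one), e.g. `current = <CURRENT_STACK_VERSION_PLACEHOLDER>` followed by `downgrade(api_contents, current)` and `downgrade(api_contents, current + '.1')`. If the literal is intentional, a comment such as `# 7.13 is the current stack version at time of writing; bump alongside the package version` would at least keep the test from going stale unnoticed.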