From fda1e7ef94b9ca90b23b6f5e9a36cc3e08848b41 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Thu, 29 Oct 2020 20:02:29 +0100
Subject: [PATCH] Bump zoom rule to production (#427)

---
 etc/non-ecs-schema.json | 7 +++++++
 .../initial_access_zoom_meeting_with_no_passcode.toml | 7 +++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/etc/non-ecs-schema.json b/etc/non-ecs-schema.json
index 736363dbd..ce139364c 100644
--- a/etc/non-ecs-schema.json
+++ b/etc/non-ecs-schema.json
@@ -9,5 +9,12 @@
 },
 "winlogbeat-*": {
 "winlog.event_data.OriginalFileName": "keyword"
+ },
+ "filebeat-*": {
+ "zoom": {
+ "meeting": {
+ "password": "keyword"
+ }
+ }
 }
 }
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index af0b5739b..d86867afd 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -1,8 +1,7 @@
 [metadata]
 creation_date = "2020/09/14"
 ecs_version = ["1.6.0"]
-maturity = "development"
-query_schema_validation = false
+maturity = "production"
 updated_date = "2020/10/26"
 
 [rule]
@@ -38,8 +37,8 @@ tags = [
 type = "query"
 query = '''
-event.type:creation and event.module:zoom and event.dataset:zoom.webhook
- and event.action:meeting.created and not zoom.meeting.password:*
+event.type:creation and event.module:zoom and event.dataset:zoom.webhook and
+ event.action:meeting.created and not zoom.meeting.password:*
 '''
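Review bot: The passcode condition the rule is promoted to production with, `not zoom.meeting.password:*`, is an existence test, so a `meeting.created` event that delivers `password` as an empty string (the field is now declared `keyword` in non-ecs-schema.json, where `""` is an indexable value) would be treated as passcode-protected and never fire; whether Zoom emits an empty `password` rather than omitting the key is not visible in this patch and should be confirmed against the webhook payload before the rule is relied on. If empty values do occur, widen the clause to `event.action:meeting.created and (not zoom.meeting.password:* or zoom.meeting.password:"")`, checking that the empty-string term form is accepted by the rule's query language. Separately, the metadata hunk flips `maturity` to production but leaves `updated_date = "2020/10/26"` untouched while the commit is dated 29 Oct, which is fine only if that date is meant to track the query rather than any rule edit. The `[rule]` table the query belongs to begins and continues outside this hunk.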