{ "$schema": "http://json-schema.org/draft-04/schema#", "additionalProperties": false, "properties": { "actions": { "type": "array" }, "author": { "items": { "default": "Elastic", "type": "string" }, "minItems": 1, "type": "array" }, "building_block_type": { "type": "string" }, "description": { "type": "string" }, "enabled": { "default": false, "type": "boolean" }, "exceptions_list": { "type": "array" }, "false_positives": { "items": { "type": "string" }, "type": "array" }, "filters": { "items": { "additionalProperties": false, "properties": { "$state": { "additionalProperties": false, "properties": { "store": { "type": "string" } }, "type": "object" }, "exists": { "additionalProperties": false, "properties": { "field": { "type": "string" } }, "type": "object" }, "meta": { "additionalProperties": false, "properties": { "alias": { "type": "string" }, "disabled": { "type": "boolean" }, "indexRefName": { "type": "string" }, "key": { "type": "string" }, "negate": { "type": "boolean" }, "params": { "properties": { "query": { "type": "string" } }, "type": "object" }, "type": { "type": "string" }, "value": { "type": "string" } }, "type": "object" }, "query": { "type": "object" } }, "type": "object" }, "type": "array" }, "from": { "default": "now-6m", "type": "string" }, "index": { "items": { "type": "string" }, "type": "array" }, "interval": { "default": "5m", "pattern": "\\d+[mshd]", "type": "string" }, "language": { "default": "kuery", "enum": [ "kuery", "lucene" ], "type": "string" }, "license": { "default": "Elastic License v2", "type": "string" }, "max_signals": { "default": 100, "minimum": 1, "type": "integer" }, "meta": { "type": "object" }, "name": { "type": "string" }, "note": { "format": "markdown", "type": "string" }, "query": { "type": "string" }, "references": { "items": { "type": "string" }, "type": "array" }, "risk_score": { "default": 21, "maximum": 100, "minimum": 0, "type": "integer" }, "risk_score_mapping": { "items": { "additionalProperties": false, "properties": { "field": { "type": "string" }, "operator": { "enum": [ "equals" ], "type": "string" }, "value": { "type": "string" } }, "required": [ "field" ], "type": "object" }, "minItems": 1, "type": "array" }, "rule_id": { "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", "type": "string" }, "rule_name_override": { "type": "string" }, "severity": { "default": "low", "enum": [ "low", "medium", "high", "critical" ], "type": "string" }, "severity_mapping": { "items": { "additionalProperties": false, "properties": { "field": { "type": "string" }, "operator": { "enum": [ "equals" ], "type": "string" }, "severity": { "type": "string" }, "value": { "type": "string" } }, "required": [ "field" ], "type": "object" }, "minItems": 1, "type": "array" }, "tags": { "items": { "type": "string" }, "type": "array" }, "threat": { "items": { "additionalProperties": false, "properties": { "framework": { "default": "MITRE ATT&CK", "type": "string" }, "tactic": { "additionalProperties": false, "properties": { "id": { "enum": [ "TA0009", "TA0011", "TA0006", "TA0005", "TA0007", "TA0002", "TA0010", "TA0040", "TA0001", "TA0008", "TA0003", "TA0004" ], "type": "string" }, "name": { "enum": [ "Collection", "Command and Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation" ], "type": "string" }, "reference": { "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", "type": "string" } }, "required": [ "id", "name", "reference" ], "type": "object" }, "technique": { "items": { "additionalProperties": false, "properties": { "id": { "enum": [ "T1001", "T1002", "T1003", "T1004", "T1005", "T1006", "T1007", "T1008", "T1009", "T1010", "T1011", "T1012", "T1013", "T1014", "T1015", "T1016", "T1017", "T1018", "T1019", "T1020", "T1021", "T1022", "T1023", "T1024", "T1025", "T1026", "T1027", "T1028", "T1029", "T1030", "T1031", "T1032", "T1033", "T1034", "T1035", "T1036", "T1037", "T1038", "T1039", "T1040", "T1041", "T1042", "T1043", "T1044", "T1045", "T1046", "T1047", "T1048", "T1049", "T1050", "T1051", "T1052", "T1053", "T1054", "T1055", "T1056", "T1057", "T1058", "T1059", "T1060", "T1061", "T1062", "T1063", "T1064", "T1065", "T1066", "T1067", "T1068", "T1069", "T1070", "T1071", "T1072", "T1073", "T1074", "T1075", "T1076", "T1077", "T1078", "T1079", "T1080", "T1081", "T1082", "T1083", "T1084", "T1085", "T1086", "T1087", "T1088", "T1089", "T1090", "T1091", "T1092", "T1093", "T1094", "T1095", "T1096", "T1097", "T1098", "T1099", "T1100", "T1101", "T1102", "T1103", "T1104", "T1105", "T1106", "T1107", "T1108", "T1109", "T1110", "T1111", "T1112", "T1113", "T1114", "T1115", "T1116", "T1117", "T1118", "T1119", "T1120", "T1121", "T1122", "T1123", "T1124", "T1125", "T1126", "T1127", "T1128", "T1129", "T1130", "T1131", "T1132", "T1133", "T1134", "T1135", "T1136", "T1137", "T1138", "T1139", "T1140", "T1141", "T1142", "T1143", "T1144", "T1145", "T1146", "T1147", "T1148", "T1149", "T1150", "T1151", "T1152", "T1153", "T1154", "T1155", "T1156", "T1157", "T1158", "T1159", "T1160", "T1161", "T1162", "T1163", "T1164", "T1165", "T1166", "T1167", "T1168", "T1169", "T1170", "T1171", "T1172", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1179", "T1180", "T1181", "T1182", "T1183", "T1184", "T1185", "T1186", "T1187", "T1188", "T1189", "T1190", "T1191", "T1192", "T1193", "T1194", "T1195", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1202", "T1203", "T1204", "T1205", "T1206", "T1207", "T1208", "T1209", "T1210", "T1211", "T1212", "T1213", "T1214", "T1215", "T1216", "T1217", "T1218", "T1219", "T1220", "T1221", "T1222", "T1223", "T1480", "T1482", "T1483", "T1484", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1493", "T1494", "T1495", "T1496", "T1497", "T1498", "T1499", "T1500", "T1501", "T1502", "T1503", "T1504", "T1505", "T1506", "T1514", "T1518", "T1519", "T1522", "T1525", "T1526", "T1527", "T1528", "T1529", "T1530", "T1531", "T1534", "T1535", "T1536", "T1537", "T1538", "T1539", "T1542", "T1543", "T1546", "T1547", "T1548", "T1550", "T1552", "T1553", "T1554", "T1555", "T1556", "T1557", "T1558", "T1559", "T1560", "T1561", "T1562", "T1563", "T1564", "T1565", "T1566", "T1567", "T1568", "T1569", "T1570", "T1571", "T1572", "T1573", "T1574", "T1578" ], "type": "string" }, "name": { "type": "string" }, "reference": { "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", "type": "string" }, "subtechnique": { "items": { "additionalProperties": false, "properties": { "id": { "enum": [ "T1001.001", "T1001.002", "T1001.003", "T1003.001", "T1003.002", "T1003.003", "T1003.004", "T1003.005", "T1003.006", "T1003.007", "T1003.008", "T1011.001", "T1021.001", "T1021.002", "T1021.003", "T1021.004", "T1021.005", "T1021.006", "T1027.001", "T1027.002", "T1027.003", "T1027.004", "T1027.005", "T1036.001", "T1036.002", "T1036.003", "T1036.004", "T1036.005", "T1036.006", "T1037.001", "T1037.002", "T1037.003", "T1037.004", "T1037.005", "T1048.001", "T1048.002", "T1048.003", "T1052.001", "T1053.001", "T1053.002", "T1053.003", "T1053.004", "T1053.005", "T1055.001", "T1055.002", "T1055.003", "T1055.004", "T1055.005", "T1055.008", "T1055.009", "T1055.011", "T1055.012", "T1055.013", "T1055.014", "T1056.001", "T1056.002", "T1056.003", "T1056.004", "T1059.001", "T1059.002", "T1059.003", "T1059.004", "T1059.005", "T1059.006", "T1059.007", "T1069.001", "T1069.002", "T1069.003", "T1070.001", "T1070.002", "T1070.003", "T1070.004", "T1070.005", "T1070.006", "T1071.001", "T1071.002", "T1071.003", "T1071.004", "T1074.001", "T1074.002", "T1078.001", "T1078.002", "T1078.003", "T1078.004", "T1087.001", "T1087.002", "T1087.003", "T1087.004", "T1090.001", "T1090.002", "T1090.003", "T1090.004", "T1098.001", "T1098.002", "T1098.003", "T1098.004", "T1102.001", "T1102.002", "T1102.003", "T1110.001", "T1110.002", "T1110.003", "T1110.004", "T1114.001", "T1114.002", "T1114.003", "T1127.001", "T1132.001", "T1132.002", "T1134.001", "T1134.002", "T1134.003", "T1134.004", "T1134.005", "T1136.001", "T1136.002", "T1136.003", "T1137.001", "T1137.002", "T1137.003", "T1137.004", "T1137.005", "T1137.006", "T1195.001", "T1195.002", "T1195.003", "T1204.001", "T1204.002", "T1205.001", "T1213.001", "T1213.002", "T1216.001", "T1218.001", "T1218.002", "T1218.003", "T1218.004", "T1218.005", "T1218.007", "T1218.008", "T1218.009", "T1218.010", "T1218.011", "T1222.001", "T1222.002", "T1480.001", "T1491.001", "T1491.002", "T1497.001", "T1497.002", "T1497.003", "T1498.001", "T1498.002", "T1499.001", "T1499.002", "T1499.003", "T1499.004", "T1505.001", "T1505.002", "T1505.003", "T1518.001", "T1542.001", "T1542.002", "T1542.003", "T1543.001", "T1543.002", "T1543.003", "T1543.004", "T1546.001", "T1546.002", "T1546.003", "T1546.004", "T1546.005", "T1546.006", "T1546.007", "T1546.008", "T1546.009", "T1546.010", "T1546.011", "T1546.012", "T1546.013", "T1546.014", "T1546.015", "T1547.001", "T1547.002", "T1547.003", "T1547.004", "T1547.005", "T1547.006", "T1547.007", "T1547.008", "T1547.009", "T1547.010", "T1547.011", "T1548.001", "T1548.002", "T1548.003", "T1548.004", "T1550.001", "T1550.002", "T1550.003", "T1550.004", "T1552.001", "T1552.002", "T1552.003", "T1552.004", "T1552.005", "T1552.006", "T1553.001", "T1553.002", "T1553.003", "T1553.004", "T1555.001", "T1555.002", "T1555.003", "T1556.001", "T1556.002", "T1556.003", "T1557.001", "T1558.001", "T1558.002", "T1558.003", "T1559.001", "T1559.002", "T1560.001", "T1560.002", "T1560.003", "T1561.001", "T1561.002", "T1562.001", "T1562.002", "T1562.003", "T1562.004", "T1562.006", "T1562.007", "T1563.001", "T1563.002", "T1564.001", "T1564.002", "T1564.003", "T1564.004", "T1564.005", "T1564.006", "T1565.001", "T1565.002", "T1565.003", "T1566.001", "T1566.002", "T1566.003", "T1567.001", "T1567.002", "T1568.001", "T1568.002", "T1568.003", "T1569.001", "T1569.002", "T1573.001", "T1573.002", "T1574.001", "T1574.002", "T1574.004", "T1574.005", "T1574.006", "T1574.007", "T1574.008", "T1574.009", "T1574.010", "T1574.011", "T1574.012", "T1578.001", "T1578.002", "T1578.003", "T1578.004" ], "type": "string" }, "name": { "type": "string" }, "reference": { "pattern": "https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/", "type": "string" } }, "required": [ "id", "name" ], "type": "object" }, "type": "array" } }, "required": [ "id", "name", "reference" ], "type": "object" }, "type": "array" } }, "required": [ "framework", "tactic" ], "type": "object" }, "type": "array" }, "throttle": { "type": "string" }, "timeline_id": { "type": "string" }, "timeline_title": { "type": "string" }, "timestamp_override": { "type": "string" }, "to": { "default": "now", "type": "string" }, "type": { "default": "query", "enum": [ "query" ], "type": "string" } }, "required": [ "rule_id", "type", "description", "name", "risk_score", "severity", "language", "query", "author", "license" ], "type": "object" }