{ "$schema": "http://json-schema.org/draft-04/schema#", "additionalProperties": false, "properties": { "actions": { "type": "array" }, "description": { "type": "string" }, "enabled": { "default": false, "type": "boolean" }, "false_positives": { "items": { "type": "string" }, "type": "array" }, "filters": { "items": { "additionalProperties": false, "properties": { "$state": { "additionalProperties": false, "properties": { "store": { "type": "string" } }, "type": "object" }, "exists": { "additionalProperties": false, "properties": { "field": { "type": "string" } }, "type": "object" }, "meta": { "additionalProperties": false, "properties": { "alias": { "type": "string" }, "disabled": { "type": "boolean" }, "indexRefName": { "type": "string" }, "key": { "type": "string" }, "negate": { "type": "boolean" }, "params": { "properties": { "query": { "type": "string" } }, "type": "object" }, "type": { "type": "string" }, "value": { "type": "string" } }, "type": "object" }, "query": { "type": "object" } }, "type": "object" }, "type": "array" }, "from": { "default": "now-6m", "type": "string" }, "index": { "items": { "type": "string" }, "type": "array" }, "interval": { "default": "5m", "pattern": "\\d+[mshd]", "type": "string" }, "language": { "default": "kuery", "enum": [ "kuery", "lucene" ], "type": "string" }, "max_signals": { "default": 100, "minimum": 1, "type": "integer" }, "meta": { "type": "object" }, "name": { "type": "string" }, "note": { "format": "markdown", "type": "string" }, "query": { "type": "string" }, "references": { "items": { "type": "string" }, "type": "array" }, "risk_score": { "default": 21, "maximum": 100, "minimum": 0, "type": "integer" }, "rule_id": { "pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", "type": "string" }, "severity": { "default": "low", "enum": [ "low", "medium", "high", "critical" ], "type": "string" }, "tags": { "items": { "type": "string" }, "type": "array" }, "threat": { "items": { "additionalProperties": false, "properties": { "framework": { "default": "MITRE ATT&CK", "type": "string" }, "tactic": { "additionalProperties": false, "properties": { "id": { "enum": [ "TA0009", "TA0011", "TA0006", "TA0005", "TA0007", "TA0002", "TA0010", "TA0040", "TA0001", "TA0008", "TA0003", "TA0004" ], "type": "string" }, "name": { "enum": [ "Collection", "Command and Control", "Credential Access", "Defense Evasion", "Discovery", "Execution", "Exfiltration", "Impact", "Initial Access", "Lateral Movement", "Persistence", "Privilege Escalation" ], "type": "string" }, "reference": { "pattern": "https://attack.mitre.org/tactics/TA[0-9]+/", "type": "string" } }, "required": [ "id", "name", "reference" ], "type": "object" }, "technique": { "items": { "additionalProperties": false, "properties": { "id": { "enum": [ "T1001", "T1002", "T1003", "T1004", "T1005", "T1006", "T1007", "T1008", "T1009", "T1010", "T1011", "T1012", "T1013", "T1014", "T1015", "T1016", "T1017", "T1018", "T1019", "T1020", "T1021", "T1022", "T1023", "T1024", "T1025", "T1026", "T1027", "T1028", "T1029", "T1030", "T1031", "T1032", "T1033", "T1034", "T1035", "T1036", "T1037", "T1038", "T1039", "T1040", "T1041", "T1042", "T1043", "T1044", "T1045", "T1046", "T1047", "T1048", "T1049", "T1050", "T1051", "T1052", "T1053", "T1054", "T1055", "T1056", "T1057", "T1058", "T1059", "T1060", "T1061", "T1062", "T1063", "T1064", "T1065", "T1066", "T1067", "T1068", "T1069", "T1070", "T1071", "T1072", "T1073", "T1074", "T1075", "T1076", "T1077", "T1078", "T1079", "T1080", "T1081", "T1082", "T1083", "T1084", "T1085", "T1086", "T1087", "T1088", "T1089", "T1090", "T1091", "T1092", "T1093", "T1094", "T1095", "T1096", "T1097", "T1098", "T1099", "T1100", "T1101", "T1102", "T1103", "T1104", "T1105", "T1106", "T1107", "T1108", "T1109", "T1110", "T1111", "T1112", "T1113", "T1114", "T1115", "T1116", "T1117", "T1118", "T1119", "T1120", "T1121", "T1122", "T1123", "T1124", "T1125", "T1126", "T1127", "T1128", "T1129", "T1130", "T1131", "T1132", "T1133", "T1134", "T1135", "T1136", "T1137", "T1138", "T1139", "T1140", "T1141", "T1142", "T1143", "T1144", "T1145", "T1146", "T1147", "T1148", "T1149", "T1150", "T1151", "T1152", "T1153", "T1154", "T1155", "T1156", "T1157", "T1158", "T1159", "T1160", "T1161", "T1162", "T1163", "T1164", "T1165", "T1166", "T1167", "T1168", "T1169", "T1170", "T1171", "T1172", "T1173", "T1174", "T1175", "T1176", "T1177", "T1178", "T1179", "T1180", "T1181", "T1182", "T1183", "T1184", "T1185", "T1186", "T1187", "T1188", "T1189", "T1190", "T1191", "T1192", "T1193", "T1194", "T1195", "T1196", "T1197", "T1198", "T1199", "T1200", "T1201", "T1202", "T1203", "T1204", "T1205", "T1206", "T1207", "T1208", "T1209", "T1210", "T1211", "T1212", "T1213", "T1214", "T1215", "T1216", "T1217", "T1218", "T1219", "T1220", "T1221", "T1222", "T1223", "T1480", "T1482", "T1483", "T1484", "T1485", "T1486", "T1487", "T1488", "T1489", "T1490", "T1491", "T1492", "T1493", "T1494", "T1495", "T1496", "T1497", "T1498", "T1499", "T1500", "T1501", "T1502", "T1503", "T1504", "T1505", "T1506", "T1514", "T1518", "T1519", "T1522", "T1525", "T1526", "T1527", "T1528", "T1529", "T1530", "T1531", "T1534", "T1535", "T1536", "T1537", "T1538", "T1539", "T1542", "T1543", "T1546", "T1547", "T1548", "T1550", "T1552", "T1553", "T1554", "T1555", "T1556", "T1557", "T1558", "T1559", "T1560", "T1561", "T1562", "T1563", "T1564", "T1565", "T1566", "T1567", "T1568", "T1569", "T1570", "T1571", "T1572", "T1573", "T1574", "T1578" ], "type": "string" }, "name": { "type": "string" }, "reference": { "pattern": "https://attack.mitre.org/techniques/T[0-9]+/", "type": "string" } }, "required": [ "id", "name", "reference" ], "type": "object" }, "type": "array" } }, "required": [ "framework", "tactic", "technique" ], "type": "object" }, "minItems": 1, "type": "array" }, "throttle": { "type": "string" }, "timeline_id": { "type": "string" }, "timeline_title": { "type": "string" }, "to": { "default": "now", "type": "string" }, "type": { "default": "query", "enum": [ "query" ], "type": "string" } }, "required": [ "rule_id", "type", "description", "name", "risk_score", "severity", "language", "query" ], "type": "object" }