{ "$schema": "http://json-schema.org/draft-04/schema#", "additionalProperties": false, "properties": { "actions": { "items": { "type": [ "string", "number", "object", "array", "boolean" ] }, "type": "array" }, "anomaly_threshold": { "format": "integer", "type": "number" }, "author": { "items": { "type": "string" }, "type": "array" }, "building_block_type": { "type": "string" }, "description": { "type": "string" }, "enabled": { "type": "boolean" }, "exceptions_list": { "items": { "type": [ "string", "number", "object", "array", "boolean" ] }, "type": "array" }, "false_positives": { "items": { "type": "string" }, "type": "array" }, "filters": { "items": { "additionalProperties": { "type": [ "string", "number", "object", "array", "boolean" ] }, "type": "object" }, "type": "array" }, "from": { "type": "string" }, "interval": { "description": "Interval", "pattern": "^\\d+[mshd]$", "type": "string" }, "license": { "type": "string" }, "machine_learning_job_id": { "anyOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "max_signals": { "description": "MaxSignals", "format": "integer", "minimum": 1, "type": "number" }, "meta": { "additionalProperties": { "type": [ "string", "number", "object", "array", "boolean" ] }, "type": "object" }, "name": { "description": "RuleName", "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", "type": "string" }, "note": { "description": "MarkdownField", "type": "string" }, "references": { "items": { "type": "string" }, "type": "array" }, "risk_score": { "description": "MaxSignals", "format": "integer", "maximum": 100, "minimum": 1, "type": "number" }, "risk_score_mapping": { "items": { "additionalProperties": false, "properties": { "field": { "type": "string" }, "operator": { "enum": [ "equals" ], "type": "string" }, "value": { "type": "string" } }, "required": [ "field" ], "type": "object" }, "type": "array" }, "rule_id": { "description": "UUIDString", "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", "type": "string" }, "rule_name_override": { "type": "string" }, "severity": { "enum": [ "low", "medium", "high", "critical" ], "enumNames": [], "type": "string" }, "severity_mapping": { "items": { "additionalProperties": false, "properties": { "field": { "type": "string" }, "operator": { "enum": [ "equals" ], "type": "string" }, "severity": { "type": "string" }, "value": { "type": "string" } }, "required": [ "field" ], "type": "object" }, "type": "array" }, "tags": { "items": { "type": "string" }, "type": "array" }, "threat": { "items": { "additionalProperties": false, "properties": { "framework": { "enum": [ "MITRE ATT&CK" ], "type": "string" }, "tactic": { "additionalProperties": false, "properties": { "id": { "type": "string" }, "name": { "type": "string" }, "reference": { "description": "TacticURL", "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", "name", "reference" ], "type": "object" }, "technique": { "items": { "additionalProperties": false, "properties": { "id": { "type": "string" }, "name": { "type": "string" }, "reference": { "description": "TechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { "items": { "additionalProperties": false, "properties": { "id": { "type": "string" }, "name": { "type": "string" }, "reference": { "description": "SubTechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", "name", "reference" ], "type": "object" }, "type": "array" } }, "required": [ "id", "name", "reference" ], "type": "object" }, "type": "array" } }, "required": [ "framework", "tactic" ], "type": "object" }, "type": "array" }, "throttle": { "type": "string" }, "timeline_id": { "description": "TimelineTemplateId", "enum": [ "db366523-f1c6-4c1f-8731-6ce5ed9e5717", "91832785-286d-4ebe-b884-1a208d111a70", "76e52245-7519-4251-91ab-262fb1a1728c", "495ad7a7-316e-4544-8a0f-9c098daee76e" ], "enumNames": [], "type": "string" }, "timeline_title": { "description": "TimelineTemplateTitle", "enum": [ "Generic Endpoint Timeline", "Generic Network Timeline", "Generic Process Timeline", "Generic Threat Match Timeline" ], "enumNames": [], "type": "string" }, "timestamp_override": { "type": "string" }, "to": { "type": "string" }, "type": { "enum": [ "machine_learning" ], "type": "string" } }, "required": [ "anomaly_threshold", "author", "description", "machine_learning_job_id", "name", "risk_score", "rule_id", "severity", "type" ], "type": "object" }