{ "$schema": "http://json-schema.org/draft-04/schema#", "additionalProperties": false, "properties": { "actions": { "items": { "type": [ "string", "number", "object", "array", "boolean" ] }, "type": "array" }, "author": { "items": { "type": "string" }, "type": "array" }, "building_block_type": { "type": "string" }, "description": { "type": "string" }, "enabled": { "type": "boolean" }, "exceptions_list": { "items": { "type": [ "string", "number", "object", "array", "boolean" ] }, "type": "array" }, "false_positives": { "items": { "type": "string" }, "type": "array" }, "filters": { "items": { "additionalProperties": { "type": [ "string", "number", "object", "array", "boolean" ] }, "type": "object" }, "type": "array" }, "from": { "type": "string" }, "index": { "items": { "type": "string" }, "type": "array" }, "interval": { "description": "Interval", "pattern": "^\\d+[mshd]$", "type": "string" }, "language": { "enum": [ "kuery", "lucene" ], "enumNames": [], "type": "string" }, "license": { "type": "string" }, "max_signals": { "description": "MaxSignals", "format": "integer", "minimum": 1, "type": "number" }, "meta": { "additionalProperties": { "type": [ "string", "number", "object", "array", "boolean" ] }, "type": "object" }, "name": { "description": "RuleName", "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", "type": "string" }, "note": { "description": "MarkdownField", "type": "string" }, "query": { "type": "string" }, "references": { "items": { "type": "string" }, "type": "array" }, "related_integrations": { "items": { "type": "string" }, "min_compat": "8.3", "type": "array" }, "required_fields": { "items": { "additionalProperties": false, "properties": { "ecs": { "type": "boolean" }, "name": { "description": "NonEmptyStr", "minLength": 1, "type": "string" }, "type": { "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, "required": [ "ecs", "name", "type" ], "type": "object" }, "min_compat": "8.3", "type": "array" }, "risk_score": { "description": "MaxSignals", "format": "integer", "maximum": 100, "minimum": 1, "type": "number" }, "risk_score_mapping": { "items": { "additionalProperties": false, "properties": { "field": { "type": "string" }, "operator": { "enum": [ "equals" ], "type": "string" }, "value": { "type": "string" } }, "required": [ "field" ], "type": "object" }, "type": "array" }, "rule_id": { "description": "UUIDString", "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", "type": "string" }, "rule_name_override": { "type": "string" }, "setup": { "min_compat": "8.3", "type": "string" }, "severity": { "enum": [ "low", "medium", "high", "critical" ], "enumNames": [], "type": "string" }, "severity_mapping": { "items": { "additionalProperties": false, "properties": { "field": { "type": "string" }, "operator": { "enum": [ "equals" ], "type": "string" }, "severity": { "type": "string" }, "value": { "type": "string" } }, "required": [ "field" ], "type": "object" }, "type": "array" }, "tags": { "items": { "type": "string" }, "type": "array" }, "threat": { "items": { "additionalProperties": false, "properties": { "framework": { "enum": [ "MITRE ATT&CK" ], "type": "string" }, "tactic": { "additionalProperties": false, "properties": { "id": { "type": "string" }, "name": { "type": "string" }, "reference": { "description": "TacticURL", "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", "name", "reference" ], "type": "object" }, "technique": { "items": { "additionalProperties": false, "properties": { "id": { "type": "string" }, "name": { "type": "string" }, "reference": { "description": "TechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { "items": { "additionalProperties": false, "properties": { "id": { "type": "string" }, "name": { "type": "string" }, "reference": { "description": "SubTechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", "name", "reference" ], "type": "object" }, "type": "array" } }, "required": [ "id", "name", "reference" ], "type": "object" }, "type": "array" } }, "required": [ "framework", "tactic" ], "type": "object" }, "type": "array" }, "throttle": { "type": "string" }, "timeline_id": { "description": "TimelineTemplateId", "enum": [ "db366523-f1c6-4c1f-8731-6ce5ed9e5717", "91832785-286d-4ebe-b884-1a208d111a70", "76e52245-7519-4251-91ab-262fb1a1728c", "495ad7a7-316e-4544-8a0f-9c098daee76e", "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "e70679c2-6cde-4510-9764-4823df18f7db", "300afc76-072d-4261-864d-4149714bf3f1", "3e47ef71-ebfc-4520-975c-cb27fc090799" ], "enumNames": [], "type": "string" }, "timeline_title": { "description": "TimelineTemplateTitle", "enum": [ "Generic Endpoint Timeline", "Generic Network Timeline", "Generic Process Timeline", "Generic Threat Match Timeline", "Comprehensive File Timeline", "Comprehensive Process Timeline", "Comprehensive Network Timeline", "Comprehensive Registry Timeline" ], "enumNames": [], "type": "string" }, "timestamp_override": { "type": "string" }, "to": { "type": "string" }, "type": { "enum": [ "query" ], "type": "string" } }, "required": [ "author", "description", "language", "name", "query", "risk_score", "rule_id", "severity", "type" ], "type": "object" }