{ "$schema": "http://json-schema.org/draft-04/schema#", "additionalProperties": false, "properties": { "actions": { "items": { "additionalProperties": { "type": [ "string", "number", "object", "array", "boolean" ] }, "type": "object" }, "type": [ "array" ] }, "alert_suppression": { "additionalProperties": false, "properties": { "duration": { "additionalProperties": false, "properties": { "unit": { "enum": [ "s", "m", "h" ], "enumNames": [], "type": "string" }, "value": { "minimum": 1, "type": "integer" } }, "required": [ "unit" ], "type": "object" } }, "required": [ "duration" ], "type": "object" }, "author": { "items": { "type": "string" }, "type": "array" }, "building_block_type": { "enum": [ "default" ], "type": [ "string" ] }, "data_view_id": { "type": [ "string" ] }, "description": { "type": "string" }, "enabled": { "type": [ "boolean" ] }, "exceptions_list": { "items": { "additionalProperties": { "type": "string" }, "type": "object" }, "type": [ "array" ] }, "false_positives": { "items": { "type": "string" }, "type": [ "array" ] }, "filters": { "items": { "additionalProperties": { "type": [ "string", "number", "object", "array", "boolean" ] }, "type": "object" }, "type": [ "array" ] }, "from": { "type": [ "string" ] }, "index": { "items": { "type": "string" }, "type": [ "array" ] }, "interval": { "pattern": "^\\d+[mshd]$", "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { "minLength": 1, "type": "string" }, "type": "array" } }, "required": [ "field_names" ], "type": "object" }, "language": { "enum": [ "eql", "esql", "kuery", "lucene" ], "enumNames": [], "type": "string" }, "license": { "type": [ "string" ] }, "max_signals": { "minimum": 1, "type": "integer" }, "meta": { "additionalProperties": { "type": [ "string", "number", "object", "array", "boolean" ] }, "type": [ "object" ] }, "name": { "type": "string" }, "note": { "description": "Markdown", "type": [ "string" ] }, "query": { "type": "string" }, "references": { "items": { "type": "string" }, "type": [ "array" ] }, "related_integrations": { "items": { "additionalProperties": false, "properties": { "package": { "minLength": 1, "type": "string" } }, "type": "object" }, "min_compat": "8.3", "type": [ "array" ] }, "required_fields": { "items": { "additionalProperties": false, "properties": { "ecs": { "type": "boolean" }, "name": { "minLength": 1, "type": "string" } }, "required": [ "ecs" ], "type": "object" }, "min_compat": "8.3", "type": [ "array" ] }, "revision": { "min_compat": "8.8", "type": [ "integer" ] }, "risk_score": { "maximum": 100, "minimum": 0, "type": "integer" }, "risk_score_mapping": { "items": { "additionalProperties": false, "properties": { "field": { "type": "string" }, "operator": { "enum": [ "equals" ], "type": [ "string" ] }, "value": { "type": [ "string" ] } }, "required": [ "field" ], "type": "object" }, "type": [ "array" ] }, "rule_id": { "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { "type": [ "string" ] }, "setup": { "description": "Markdown", "min_compat": "8.3", "type": [ "string" ] }, "severity": { "enum": [ "low", "medium", "high", "critical" ], "enumNames": [], "type": "string" }, "severity_mapping": { "items": { "additionalProperties": false, "properties": { "field": { "type": "string" }, "operator": { "enum": [ "equals" ], "type": [ "string" ] }, "severity": { "type": [ "string" ] }, "value": { "type": [ "string" ] } }, "required": [ "field" ], "type": "object" }, "type": [ "array" ] }, "tags": { "items": { "type": "string" }, "type": [ "array" ] }, "threat": { "items": { "additionalProperties": false, "properties": { "framework": { "enum": [ "MITRE ATT&CK", "MITRE ATLAS" ], "enumNames": [], "type": "string" }, "tactic": { "additionalProperties": false, "properties": { "id": { "type": "string" }, "name": { "type": "string" }, "reference": { "pattern": "^(https://attack.mitre.org/tactics/TA[0-9]+/|https://atlas.mitre.org/tactics/AML\\.TA[0-9]+/)$", "type": "string" } }, "required": [ "id", "name" ], "type": "object" }, "technique": { "items": { "additionalProperties": false, "properties": { "id": { "type": "string" }, "name": { "type": "string" }, "reference": { "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+/)$", "type": "string" }, "subtechnique": { "items": { "additionalProperties": false, "properties": { "id": { "type": "string" }, "name": { "type": "string" }, "reference": { "pattern": "^(https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/|https://atlas.mitre.org/techniques/AML\\.T[0-9]+\\.[0-9]+/)$", "type": "string" } }, "required": [ "id", "name" ], "type": "object" }, "type": [ "array" ] } }, "required": [ "id", "name" ], "type": "object" }, "type": [ "array" ] } }, "required": [ "framework", "tactic" ], "type": "object" }, "type": [ "array" ] }, "threshold": { "additionalProperties": false, "properties": { "cardinality": { "items": { "additionalProperties": false, "properties": { "field": { "type": "string" }, "value": { "minimum": 1, "type": "integer" } }, "required": [ "field" ], "type": "object" }, "type": [ "array" ] }, "field": { "items": { "minLength": 1, "type": "string" }, "maxItems": 5, "type": "array" }, "value": { "minimum": 1, "type": "integer" } }, "type": "object" }, "throttle": { "type": [ "string" ] }, "timeline_id": { "type": "string" }, "timeline_title": { "type": "string" }, "timestamp_override": { "type": [ "string" ] }, "to": { "type": [ "string" ] }, "type": { "enum": [ "threshold" ], "type": "string" }, "version": { "minimum": 1, "type": "integer" } }, "required": [ "author", "description", "language", "query", "severity", "threshold", "type" ], "type": "object" }