security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1ce072a4e58238d94deae33ff8de25458ac129d5
sigma-rules/detection_rules/etc/api_schemas/7.8/7.8.saved_query.json
T
Mika Ayenson 6219fc06b9 Move etc under detection_rules (#1885) 
* Move etc directory under detection_rules
* Prepend original `etc` path with `detection_rules`
* Update docstrings in util and CODEOWNERS
* Add resiliency to tags to account for the old directory structure
* Bug fix: remove unused param caused by commit 6ed1a39efe

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-05-02 10:11:21 -04:00

572 lines
14 KiB
JSON
Raw Blame History

{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"type": "array"
},
"description": {
"type": "string"
},
"enabled": {
"default": false,
"type": "boolean"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": false,
"properties": {
"$state": {
"additionalProperties": false,
"properties": {
"store": {
"type": "string"
}
},
"type": "object"
},
"exists": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
}
},
"type": "object"
},
"meta": {
"additionalProperties": false,
"properties": {
"alias": {
"type": "string"
},
"disabled": {
"type": "boolean"
},
"indexRefName": {
"type": "string"
},
"key": {
"type": "string"
},
"negate": {
"type": "boolean"
},
"params": {
"properties": {
"query": {
"type": "string"
}
},
"type": "object"
},
"type": {
"type": "string"
},
"value": {
"type": "string"
}
},
"type": "object"
},
"query": {
"type": "object"
}
},
"type": "object"
},
"type": "array"
},
"from": {
"default": "now-6m",
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"default": "5m",
"pattern": "\\d+[mshd]",
"type": "string"
},
"max_signals": {
"default": 100,
"minimum": 1,
"type": "integer"
},
"meta": {
"type": "object"
},
"name": {
"type": "string"
},
"note": {
"format": "markdown",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"default": 21,
"maximum": 100,
"minimum": 0,
"type": "integer"
},
"rule_id": {
"pattern": "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
"type": "string"
},
"saved_id": {
"type": "string"
},
"severity": {
"default": "low",
"enum": [
"low",
"medium",
"high",
"critical"
],
"type": "string"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"default": "MITRE ATT&CK",
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"enum": [
"TA0009",
"TA0011",
"TA0006",
"TA0005",
"TA0007",
"TA0002",
"TA0010",
"TA0040",
"TA0001",
"TA0008",
"TA0003",
"TA0004"
],
"type": "string"
},
"name": {
"enum": [
"Collection",
"Command and Control",
"Credential Access",
"Defense Evasion",
"Discovery",
"Execution",
"Exfiltration",
"Impact",
"Initial Access",
"Lateral Movement",
"Persistence",
"Privilege Escalation"
],
"type": "string"
},
"reference": {
"pattern": "https://attack.mitre.org/tactics/TA[0-9]+/",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"enum": [
"T1001",
"T1002",
"T1003",
"T1004",
"T1005",
"T1006",
"T1007",
"T1008",
"T1009",
"T1010",
"T1011",
"T1012",
"T1013",
"T1014",
"T1015",
"T1016",
"T1017",
"T1018",
"T1019",
"T1020",
"T1021",
"T1022",
"T1023",
"T1024",
"T1025",
"T1026",
"T1027",
"T1028",
"T1029",
"T1030",
"T1031",
"T1032",
"T1033",
"T1034",
"T1035",
"T1036",
"T1037",
"T1038",
"T1039",
"T1040",
"T1041",
"T1042",
"T1043",
"T1044",
"T1045",
"T1046",
"T1047",
"T1048",
"T1049",
"T1050",
"T1051",
"T1052",
"T1053",
"T1054",
"T1055",
"T1056",
"T1057",
"T1058",
"T1059",
"T1060",
"T1061",
"T1062",
"T1063",
"T1064",
"T1065",
"T1066",
"T1067",
"T1068",
"T1069",
"T1070",
"T1071",
"T1072",
"T1073",
"T1074",
"T1075",
"T1076",
"T1077",
"T1078",
"T1079",
"T1080",
"T1081",
"T1082",
"T1083",
"T1084",
"T1085",
"T1086",
"T1087",
"T1088",
"T1089",
"T1090",
"T1091",
"T1092",
"T1093",
"T1094",
"T1095",
"T1096",
"T1097",
"T1098",
"T1099",
"T1100",
"T1101",
"T1102",
"T1103",
"T1104",
"T1105",
"T1106",
"T1107",
"T1108",
"T1109",
"T1110",
"T1111",
"T1112",
"T1113",
"T1114",
"T1115",
"T1116",
"T1117",
"T1118",
"T1119",
"T1120",
"T1121",
"T1122",
"T1123",
"T1124",
"T1125",
"T1126",
"T1127",
"T1128",
"T1129",
"T1130",
"T1131",
"T1132",
"T1133",
"T1134",
"T1135",
"T1136",
"T1137",
"T1138",
"T1139",
"T1140",
"T1141",
"T1142",
"T1143",
"T1144",
"T1145",
"T1146",
"T1147",
"T1148",
"T1149",
"T1150",
"T1151",
"T1152",
"T1153",
"T1154",
"T1155",
"T1156",
"T1157",
"T1158",
"T1159",
"T1160",
"T1161",
"T1162",
"T1163",
"T1164",
"T1165",
"T1166",
"T1167",
"T1168",
"T1169",
"T1170",
"T1171",
"T1172",
"T1173",
"T1174",
"T1175",
"T1176",
"T1177",
"T1178",
"T1179",
"T1180",
"T1181",
"T1182",
"T1183",
"T1184",
"T1185",
"T1186",
"T1187",
"T1188",
"T1189",
"T1190",
"T1191",
"T1192",
"T1193",
"T1194",
"T1195",
"T1196",
"T1197",
"T1198",
"T1199",
"T1200",
"T1201",
"T1202",
"T1203",
"T1204",
"T1205",
"T1206",
"T1207",
"T1208",
"T1209",
"T1210",
"T1211",
"T1212",
"T1213",
"T1214",
"T1215",
"T1216",
"T1217",
"T1218",
"T1219",
"T1220",
"T1221",
"T1222",
"T1223",
"T1480",
"T1482",
"T1483",
"T1484",
"T1485",
"T1486",
"T1487",
"T1488",
"T1489",
"T1490",
"T1491",
"T1492",
"T1493",
"T1494",
"T1495",
"T1496",
"T1497",
"T1498",
"T1499",
"T1500",
"T1501",
"T1502",
"T1503",
"T1504",
"T1505",
"T1506",
"T1514",
"T1518",
"T1519",
"T1522",
"T1525",
"T1526",
"T1527",
"T1528",
"T1529",
"T1530",
"T1531",
"T1534",
"T1535",
"T1536",
"T1537",
"T1538",
"T1539",
"T1542",
"T1543",
"T1546",
"T1547",
"T1548",
"T1550",
"T1552",
"T1553",
"T1554",
"T1555",
"T1556",
"T1557",
"T1558",
"T1559",
"T1560",
"T1561",
"T1562",
"T1563",
"T1564",
"T1565",
"T1566",
"T1567",
"T1568",
"T1569",
"T1570",
"T1571",
"T1572",
"T1573",
"T1574",
"T1578"
],
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"pattern": "https://attack.mitre.org/techniques/T[0-9]+/",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic",
"technique"
],
"type": "object"
},
"minItems": 1,
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"type": "string"
},
"timeline_title": {
"type": "string"
},
"to": {
"default": "now",
"type": "string"
},
"type": {
"default": "saved_query",
"enum": [
"saved_query"
],
"type": "string"
}
},
"required": [
"rule_id",
"type",
"description",
"name",
"risk_score",
"severity",
"saved_id"
],
"type": "object"
}
Reference in New Issue View Git Blame Copy Permalink