security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1ce072a4e58238d94deae33ff8de25458ac129d5
sigma-rules/detection_rules/etc/api_schemas/8.3/8.3.eql.json
T
Terrance DeJesus 35b1a69ff5 Prep for Creation of 8.4 Branch (#2001) 
* prepping for 8.4 branch

* adjusted schemas init file

* adjusted target matrix to only backport to 7.16, updated api schemas

* adjusted the lock-versions workflow to account for 7.16 and up support only

* Add test for version lock to schema map correlation

* decouple from static 7.13 references

* keep patch version for lock

* Update detection_rules/etc/packages.yml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2022-06-02 14:59:18 -04:00

355 lines
7.7 KiB
JSON
Raw Blame History

{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"eql"
],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"eql"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
Reference in New Issue View Git Blame Copy Permalink