Justin Ibarra
38 lines
1.2 KiB
Python
38 lines
1.2 KiB
Python
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
# or more contributor license agreements. Licensed under the Elastic License
|
|
# 2.0; you may not use this file except in compliance with the Elastic License
|
|
# 2.0.
|
|
|
|
"""Definitions for rule metadata and schemas."""
|
|
|
|
import jsl
|
|
from .v7_9 import ApiSchema79
|
|
|
|
|
|
# rule types
|
|
EQL = "eql"
|
|
|
|
|
|
class ApiSchema710(ApiSchema79):
|
|
"""Schema for siem rule in API format."""
|
|
|
|
STACK_VERSION = "7.10"
|
|
RULE_TYPES = ApiSchema79.RULE_TYPES + [EQL]
|
|
|
|
type = jsl.StringField(enum=RULE_TYPES, required=True)
|
|
|
|
# there might be a bug in jsl that requires us to redefine these here
|
|
query_scope = ApiSchema79.query_scope
|
|
saved_id_scope = ApiSchema79.saved_id_scope
|
|
ml_scope = ApiSchema79.ml_scope
|
|
threshold_scope = ApiSchema79.threshold_scope
|
|
|
|
with jsl.Scope(EQL) as eql_scope:
|
|
eql_scope.index = jsl.ArrayField(jsl.StringField(), required=False)
|
|
eql_scope.query = jsl.StringField(required=True)
|
|
eql_scope.language = jsl.StringField(enum=[EQL], required=True, default=EQL)
|
|
eql_scope.type = jsl.StringField(enum=[EQL], required=True)
|
|
|
|
with jsl.Scope(jsl.DEFAULT_ROLE) as default_scope:
|
|
default_scope.type = type
|