diff --git a/detection_rules/etc/api_schemas/master/master.base.json b/detection_rules/etc/api_schemas/master/master.base.json
index d8f0a4a62d2..b906ee326d0 100644
--- a/detection_rules/etc/api_schemas/master/master.base.json
+++ b/detection_rules/etc/api_schemas/master/master.base.json
@@ -83,15 +83,15 @@
 ]
 },
 "interval": {
- "type": [
- "string"
- ]
+ "pattern": "^\\d+[mshd]$",
+ "type": "string"
 },
 "investigation_fields": {
 "additionalProperties": false,
 "properties": {
 "field_names": {
 "items": {
+ "minLength": 1,
 "type": "string"
 },
 "type": "array"
@@ -108,9 +108,8 @@
 ]
 },
 "max_signals": {
- "type": [
- "integer"
- ]
+ "minimum": 1,
+ "type": "integer"
 },
 "meta": {
 "additionalProperties": {
@@ -147,22 +146,11 @@
 "items": {
 "additionalProperties": false,
 "properties": {
- "integration": {
- "type": [
- "string"
- ]
- },
 "package": {
- "type": "string"
- },
- "version": {
+ "minLength": 1,
 "type": "string"
 }
 },
- "required": [
- "package",
- "version"
- ],
 "type": "object"
 },
 "min_compat": "8.3",
@@ -178,16 +166,12 @@
 "type": "boolean"
 },
 "name": {
- "type": "string"
- },
- "type": {
+ "minLength": 1,
 "type": "string"
 }
 },
 "required": [
- "ecs",
- "name",
- "type"
+ "ecs"
 ],
 "type": "object"
 },
@@ -203,6 +187,8 @@
 ]
 },
 "risk_score": {
+ "maximum": 100,
+ "minimum": 1,
 "type": "integer"
 },
 "risk_score_mapping": {
@@ -236,6 +222,7 @@
 ]
 },
 "rule_id": {
+ "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$",
 "type": "string"
 },
 "rule_name_override": {
@@ -323,13 +310,13 @@
 "type": "string"
 },
 "reference": {
+ "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
 "type": "string"
 }
 },
 "required": [
 "id",
- "name",
- "reference"
+ "name"
 ],
 "type": "object"
 },
@@ -344,6 +331,7 @@
 "type": "string"
 },
 "reference": {
+ "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
 "type": "string"
 },
 "subtechnique": {
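Review bot: The new `interval` pattern in hunk `@@ -83,15 +83,15 @@` still accepts a zero interval such as `0m` and leading-zero forms such as `007h`, because `\d+` places no lower bound on the number. If a zero interval is invalid for the consumer of this schema, tightening the line to `"pattern": "^[1-9]\\d*[mshd]$"` rejects it at schema validation time rather than later, and it costs nothing for the values the first form already accepted. The same pattern is added to master.eql.json, master.esql.json, master.machine_learning.json, master.new_terms.json, master.query.json, master.threat_match.json and master.threshold.json in this diff and would need the same change.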
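Review bot: The `rule_id` pattern in hunk `@@ -236,6 +222,7 @@` hard-codes a second alternative, `^7eb54028-ca72-4eb7-8185-b6864572347db$`, whose last group has 13 hex digits instead of the 12 the first branch requires, so one specific non-UUID value is allow-listed inside what otherwise reads as a UUID check. Nothing in the diff records why the exception exists, and the next regeneration or tightening of the pattern could drop it silently; presumably it covers one existing rule whose id is malformed. A sibling `"description"` next to the pattern stating which rule the exception is for would make the intent reviewable, or the malformed id could be fixed at its source so the pattern needs no exception. The same pattern is added to the other seven master.*.json schemas in this diff.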
@@ -357,13 +345,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -374,8 +362,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -400,14 +387,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -434,17 +417,13 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", - "name", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.eql.json b/detection_rules/etc/api_schemas/master/master.eql.json index c02f1f22139..c98b4fe619e 100644 --- a/detection_rules/etc/api_schemas/master/master.eql.json +++ b/detection_rules/etc/api_schemas/master/master.eql.json @@ -35,29 +35,33 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" }, "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { @@ -143,15 +147,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -174,9 +178,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { 
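Review bot: Hunk `@@ -434,17 +417,13 @@` drops `name`, `risk_score` and `rule_id` from the top-level `required` list, so a rule document with no `rule_id` or no `name` now validates against master.base.json even though the same commit adds a strict `pattern` for `rule_id` and a 1–100 range for `risk_score`; a constraint that only applies when the key happens to be present is much weaker than it looks. If these fields are filled in by a later stage before the rule reaches the API, a note in the schema's generator saying so would explain the asymmetry; otherwise keeping `"name",`, `"risk_score",` and `"rule_id",` in `required` preserves the guarantee. The same loosening appears in the final `required` hunk of master.eql.json, master.esql.json, master.machine_learning.json, master.new_terms.json, master.query.json, master.threat_match.json and master.threshold.json.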
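Review bot: `missing_fields_strategy` in hunk `@@ -35,29 +35,33 @@` of master.eql.json gains `"enumNames": []` next to the new `enum`; `enumNames` is not a JSON Schema validation keyword (it is a form-UI extension), and an empty array carries no information, so it should be dropped or, if the generator emits it on purpose, populated with one label per enum value. In the same hunk the object's `required` list (`group_by`, `missing_fields_strategy`) is removed while `group_by` gains `minItems: 1`, so an empty object now validates where previously `group_by` had to be present; if the consumer requires `group_by` whenever the enclosing object (its key is above the hunk) is set, that constraint has been lost. The identical hunk appears in master.esql.json, master.machine_learning.json, master.new_terms.json, master.query.json and master.threat_match.json.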
@@ -216,22 +219,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -247,16 +239,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -272,6 +260,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { @@ -305,6 +295,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { @@ -392,13 +383,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -413,6 +404,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -426,13 +418,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -443,8 +435,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -475,14 +466,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_field": { "min_compat": "8.0", @@ -507,19 +494,15 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "type" ], 
diff --git a/detection_rules/etc/api_schemas/master/master.esql.json b/detection_rules/etc/api_schemas/master/master.esql.json index 9b65120b161..1d1fb8294e8 100644 --- a/detection_rules/etc/api_schemas/master/master.esql.json +++ b/detection_rules/etc/api_schemas/master/master.esql.json @@ -35,29 +35,33 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" }, "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { @@ -137,15 +141,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -168,9 +172,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { @@ -210,22 +213,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -241,16 +233,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -266,6 +254,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { 
@@ -299,6 +289,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { @@ -386,13 +377,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -407,6 +398,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -420,13 +412,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -437,8 +429,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -463,14 +454,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -489,19 +476,15 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.machine_learning.json b/detection_rules/etc/api_schemas/master/master.machine_learning.json index 1c6f3718689..aba2ac99c1d 100644 --- a/detection_rules/etc/api_schemas/master/master.machine_learning.json +++ b/detection_rules/etc/api_schemas/master/master.machine_learning.json 
@@ -35,29 +35,33 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" }, "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "anomaly_threshold": { @@ -127,15 +131,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -165,9 +169,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { @@ -204,22 +207,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -235,16 +227,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -260,6 +248,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { @@ -293,6 +283,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { @@ -380,13 +371,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, 
@@ -401,6 +392,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -414,13 +406,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -431,8 +423,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -457,14 +448,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -483,9 +470,8 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ @@ -493,9 +479,6 @@ "author", "description", "machine_learning_job_id", - "name", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.new_terms.json b/detection_rules/etc/api_schemas/master/master.new_terms.json index 52f0ef274b9..ea0c41fc8b5 100644 --- a/detection_rules/etc/api_schemas/master/master.new_terms.json +++ b/detection_rules/etc/api_schemas/master/master.new_terms.json @@ -35,29 +35,33 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" }, "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { 
@@ -137,15 +141,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -172,9 +176,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { @@ -197,6 +200,7 @@ "additionalProperties": false, "properties": { "field": { + "minLength": 1, "type": "string" }, "history_window_start": { @@ -204,31 +208,26 @@ "additionalProperties": false, "properties": { "field": { - "type": "string" - }, - "value": { + "minLength": 1, "type": "string" } }, - "required": [ - "field", - "value" - ], "type": "object" }, "type": "array" }, "value": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" } }, "required": [ - "field", - "history_window_start", - "value" + "history_window_start" ], "type": "object" }, @@ -253,22 +252,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -284,16 +272,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -309,6 +293,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { @@ -342,6 +328,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { 
@@ -429,13 +416,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -450,6 +437,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -463,13 +451,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -480,8 +468,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -506,14 +493,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -532,20 +515,16 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", "language", - "name", "new_terms", "query", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.query.json b/detection_rules/etc/api_schemas/master/master.query.json index acc0c13ff3d..d0c06e1d714 100644 --- a/detection_rules/etc/api_schemas/master/master.query.json +++ b/detection_rules/etc/api_schemas/master/master.query.json @@ -35,29 +35,33 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" }, "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { 
@@ -137,15 +141,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -172,9 +176,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { @@ -214,22 +217,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -245,16 +237,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -270,6 +258,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { @@ -303,6 +293,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { @@ -390,13 +381,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -411,6 +402,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -424,13 +416,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -441,8 +433,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, 
@@ -467,14 +458,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -493,19 +480,15 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.threat_match.json b/detection_rules/etc/api_schemas/master/master.threat_match.json index fa1b1435fe0..05f55aca7cb 100644 --- a/detection_rules/etc/api_schemas/master/master.threat_match.json +++ b/detection_rules/etc/api_schemas/master/master.threat_match.json @@ -35,29 +35,33 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 3, + "minItems": 1, "type": "array" }, "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { @@ -74,11 +78,6 @@ "string" ] }, - "concurrent_searches": { - "type": [ - "integer" - ] - }, "data_view_id": { "type": [ "string" @@ -142,15 +141,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -161,11 +160,6 @@ ], "type": "object" }, - "items_per_search": { - "type": [ - "integer" - ] - }, "language": { "enum": [ "eql", @@ -182,9 +176,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { 
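Review bot: Hunk `@@ -74,11 +78,6 @@` of master.threat_match.json removes the `concurrent_searches` property outright and hunk `@@ -161,11 +160,6 @@` removes `items_per_search`; if the top-level object is closed with `additionalProperties: false` (that line is outside both hunks), an existing rule that sets either field will now fail validation instead of being accepted as before. If the intent is to stop accepting these tuning fields, that is a compatibility break worth stating in the commit message; if the intent is only to stop constraining them, leaving them in `properties` with their old `"type": ["integer"]` is the non-breaking option. Either way a short note in the schema's generator about why they were dropped would keep the next regeneration from re-adding them.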
@@ -224,22 +217,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -255,16 +237,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -280,6 +258,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { @@ -313,6 +293,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { @@ -400,13 +381,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -421,6 +402,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -434,13 +416,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -451,8 +433,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -520,6 +501,7 @@ "additionalProperties": false, "properties": { "field": { + "minLength": 1, "type": "string" }, "negate": { @@ -533,15 +515,10 @@ "mapping" ], "type": "string" - }, - "value": { - "type": "string" } }, "required": [ - "field", - "type", - "value" + "type" ], "type": "object" }, 
@@ -566,14 +543,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -592,19 +565,15 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "threat_index", "threat_mapping", diff --git a/detection_rules/etc/api_schemas/master/master.threshold.json b/detection_rules/etc/api_schemas/master/master.threshold.json index 9f1e1457506..e953c28310a 100644 --- a/detection_rules/etc/api_schemas/master/master.threshold.json +++ b/detection_rules/etc/api_schemas/master/master.threshold.json @@ -35,12 +35,12 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" } @@ -127,15 +127,15 @@ ] }, "interval": { - "type": [ - "string" - ] + "pattern": "^\\d+[mshd]$", + "type": "string" }, "investigation_fields": { "additionalProperties": false, "properties": { "field_names": { "items": { + "minLength": 1, "type": "string" }, "type": "array" @@ -162,9 +162,8 @@ ] }, "max_signals": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" }, "meta": { "additionalProperties": { @@ -204,22 +203,11 @@ "items": { "additionalProperties": false, "properties": { - "integration": { - "type": [ - "string" - ] - }, "package": { - "type": "string" - }, - "version": { + "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", @@ -235,16 +223,12 @@ "type": "boolean" }, "name": { - "type": "string" - }, - "type": { + "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, @@ -260,6 +244,8 @@ ] }, "risk_score": { + "maximum": 100, + "minimum": 1, "type": "integer" }, "risk_score_mapping": { 
@@ -293,6 +279,7 @@ ] }, "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$|^7eb54028-ca72-4eb7-8185-b6864572347db$", "type": "string" }, "rule_name_override": { @@ -380,13 +367,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -401,6 +388,7 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, "subtechnique": { @@ -414,13 +402,13 @@ "type": "string" }, "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -431,8 +419,7 @@ }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -462,12 +449,12 @@ "type": "string" }, "value": { + "minimum": 1, "type": "integer" } }, "required": [ - "field", - "value" + "field" ], "type": "object" }, @@ -477,18 +464,17 @@ }, "field": { "items": { + "minLength": 1, "type": "string" }, + "maxItems": 5, "type": "array" }, "value": { + "minimum": 1, "type": "integer" } }, - "required": [ - "field", - "value" - ], "type": "object" }, "throttle": { @@ -497,14 +483,10 @@ ] }, "timeline_id": { - "type": [ - "string" - ] + "type": "string" }, "timeline_title": { - "type": [ - "string" - ] + "type": "string" }, "timestamp_override": { "type": [ @@ -523,19 +505,15 @@ "type": "string" }, "version": { - "type": [ - "integer" - ] + "minimum": 1, + "type": "integer" } }, "required": [ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "threshold", "type" diff --git a/detection_rules/etc/attack-technique-redirects.json b/detection_rules/etc/attack-technique-redirects.json index d90589b1a03..b7945aff024 100644 --- a/detection_rules/etc/attack-technique-redirects.json 
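Review bot: In hunk `@@ -477,18 +464,17 @@` of master.threshold.json the `required` list (`field`, `value`) on the threshold object is removed entirely while `value` gains `minimum: 1`, so a rule whose `threshold` object omits `value` now passes schema validation; the top-level `required` in hunk `@@ -523,19 +505,15 @@` still lists `threshold`, but an empty `{}` satisfies that. If `value` has a server-side default, recording it with `"default": <DEFAULT_VALUE>` (placeholder) keeps the schema honest; otherwise keeping `"required": ["value"]` on the object preserves the check. The items object in hunk `@@ -462,12 +449,12 @@` is loosened the same way (only `field` remains required), so the same question applies there.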
+++ b/detection_rules/etc/attack-technique-redirects.json @@ -133,5 +133,5 @@ "T1547.011": "T1647", "T1574.002": "T1574.001" }, - "saved_date": "Fri Oct 17 17:21:42 2025" + "saved_date": "Tue Nov 11 12:54:18 2025" } \ No newline at end of file diff --git a/detection_rules/etc/attack-v17.1.0.json.gz b/detection_rules/etc/attack-v17.1.0.json.gz deleted file mode 100644 index f6d940050f7..00000000000 Binary files a/detection_rules/etc/attack-v17.1.0.json.gz and /dev/null differ diff --git a/detection_rules/etc/attack-v18.0.0.json.gz b/detection_rules/etc/attack-v18.0.0.json.gz new file mode 100644 index 00000000000..47ebc3ef02e Binary files /dev/null and b/detection_rules/etc/attack-v18.0.0.json.gz differ diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz index 29d630db7b6..f26c3a66863 100644 Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ diff --git a/detection_rules/etc/beats_schemas/v9.2.0.json.gz b/detection_rules/etc/beats_schemas/v9.2.0.json.gz new file mode 100644 index 00000000000..fb1fa16e73a Binary files /dev/null and b/detection_rules/etc/beats_schemas/v9.2.0.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz index 92765d2f0d5..2c990bbd7de 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz index 4e25c467087..d42152e791e 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz index b50566923d3..dcd860b45fd 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz index 781496f61cb..17a508d316e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz index 8f806bd067c..7008703ec98 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz index 4b276bd0908..eb6954772c8 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz index 72d9c3a79e6..bb62b611a48 100644 Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz index 870d702804e..74babad48d5 100644 Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz index fd37422e76d..dcbcd943d2b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz index 6f0e9f751e3..c190cf50b2d 100644 Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz index b30fce62e14..f302b1dc74f 100644 Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz index 2c659270453..0e1df01acd3 100644 Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz index d5474325907..a0adb062cdf 100644 Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz index 5e9c109115c..61cb52a6ba6 100644 Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz
index 4fdf5ee0a57..46da5bc3f05 100644
Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz
index 61e50209a55..d522e62fd7e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
index 1836050c858..aa36b12db5a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
index 1a421f21ae6..4df627c0a7e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
index 6ed00e2c92c..40563696157 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
index 99ed8301a32..01b1831439b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
index a51ac507acd..7f07a87530f 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
index afc888a1848..bf76820eb97 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
index a397f2c46de..d985ab40240 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
index 94297034152..1dfd0787702 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz
index 3b041055932..64f174f2ffa 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz
index 268c199e4d2..d959ec8c0b0 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz
index 3ad6a884e5b..2b557e05ccb 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz
index 5402a828af3..b29aaec228d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz
index dc2b4bac14b..d24e7d4b01a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz
index 14fb13413a2..6bed5da358c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz
index e65034a10bf..9c33f1a8d01 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
index cd8793d25e5..bca9995980a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz
index c5f830cdaa1..edc8672a78c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz
index ad968e8be0d..3e4d8453b0a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz
index 15479f927a7..a2451de573e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz
index 0df5a133653..32f3e16732a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz
index 6abbd108998..c0dacff01d3 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz
index f99863918c6..68b04c07391 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz
index 08b2cbf9c26..15607ae608d 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz
index f03fc15a739..ffab6c59bb9 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz
index 0be1ec60a79..1daff702a0c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz
index bc5155ab919..c115b2cf636 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz
index 97c62e94094..11821933191 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz
index 5b5bb4792b0..87d34ca7090 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz
index 5419c6b2721..48080d9ee51 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz
index 562eeba5b97..ef4a82a69ed 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz
index 3cf28371577..980275eae27 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz
index ccadcd464ef..cc577f135b6 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz
index 90a4ed2500c..192ddb350f1 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz
index 748ca0a654f..7ecd11e7915 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz
index 5f7be7369a2..c28b653d277 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz
index d4267ff8b80..9d421e92084 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz
index 7b0b15d0170..a78b18786ad 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz
index a024a6fa5a4..0f6855f55a8 100644
Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz
index 0cc73448340..49ddfdfd5df 100644
Binary files a/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz
index af638fbc76c..46674f519f0 100644
Binary files a/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz
index 6afb585f44e..5888bc7b58d 100644
Binary files a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz
index a5e4b1c3d4e..343d5777be9 100644
Binary files a/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.2.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz
new file mode 100644
index 00000000000..76ba018185a
Binary files /dev/null and b/detection_rules/etc/ecs_schemas/9.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz
new file mode 100644
index 00000000000..d4db229bb4e
Binary files /dev/null and b/detection_rules/etc/ecs_schemas/9.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/master_9.3.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_9.3.0-dev/ecs_flat.json.gz
index 06d9ab77a83..bce4528f587 100644
Binary files a/detection_rules/etc/ecs_schemas/master_9.3.0-dev/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/master_9.3.0-dev/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 7d17cdc2897..e1291d25141 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index ee747fb530b..d07a7ef8f92 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml
index 6513c9319a1..d61ae9fd04c 100644
--- a/detection_rules/etc/stack-schema-map.yaml
+++ b/detection_rules/etc/stack-schema-map.yaml
@@ -140,11 +140,11 @@
 endgame: "8.4.0"
 "9.2.0":
- beats: "9.1.5"
- ecs: "9.2.0-rc1"
+ beats: "9.2.0"
+ ecs: "9.2.0"
 endgame: "8.4.0"
 "9.3.0":
- beats: "9.1.5"
- ecs: "9.2.0-rc1"
+ beats: "9.2.0"
+ ecs: "9.2.0"
 endgame: "8.4.0"
\ No newline at end of file
diff --git a/pyproject.toml b/pyproject.toml
index c2808a4c731..79d3df01241 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.5"
+version = "1.5.6"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml
index 56b37d8eb94..dceb1356b44 100644
--- a/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml
+++ b/rules/linux/privilege_escalation_potential_suid_sgid_proxy_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/10/30"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/10/30"
+updated_date = "2025/11/11"
 [rule]
 author = ["Elastic"]
@@ -17,6 +17,37 @@ index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via SUID/SGID Proxy Execution"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Potential Privilege Escalation via SUID/SGID Proxy Execution
+
+This rule surfaces executions of well-known SUID/SGID helpers on Linux that run with root privileges while the launching user remains non‑root, signaling an attempt to proxy elevated rights. It matters because a non‑privileged process invoking pkexec can spawn /bin/sh as root via environment manipulation, turning a low-privilege foothold into full system control.
+
+### Possible investigation steps
+
+- Determine if the invocation is interactive and expected (e.g., admin using su/sudo) by correlating with a TTY/SSH session, recent successful authentication logs, and sudo/polkit policy outcomes in journald.
+- For pkexec events, inspect the environment for exploit indicators (e.g., unset argv or suspicious GCONV_PATH, PATH, LD_PRELOAD, LC_* values) and look for attacker-created files in /tmp or the user's home that match gconv or loader artifacts.
+- Review the child/descendant process tree of the SUID/SGID helper to see if it spawned a root shell or arbitrary interpreter, and pivot to concurrent network connections or file writes by those children.
+- Validate whether the executable’s SUID/SGID file on disk has been tampered with by checking its hash, permissions, ownership, and recent mtime against package manager metadata and known-good baselines.
+- If the binary is mount/umount/fusermount or newuidmap/newgidmap, correlate with container or FUSE activity to confirm a legitimate workflow and inspect mounts or namespace changes for risky options (e.g., suid, exec) or unusual target directories.
+
+### False positive analysis
+
+- An authorized pkexec or polkit-agent-helper invocation by a user to perform a permitted administrative task may run as root while the real user is non‑root, often with a single‑argument parent, and should align with an interactive prompt and expected policy.
+- Normal unprivileged workflows using fusermount3 or newuidmap/newgidmap legitimately leverage SUID/SGID helpers, typically launched by a simple shell with one argument, and should correlate with expected mount or user‑namespace activity.
+
+### Response and remediation
+
+- Immediately isolate the host, kill the offending SUID/SGID child processes (e.g., pkexec spawning /bin/sh), and temporarily remove the setuid/setgid bit from the abused binary (chmod u-s /usr/bin/pkexec or chmod g-s /usr/bin/newgrp) to halt further elevation.
+- Reinstall and verify integrity of abused packages and SUID helpers (e.g., polkit to replace /usr/bin/pkexec, dbus-daemon-launch-helper, fusermount3) and delete attacker artifacts such as gconv modules or LD_PRELOAD payloads from /tmp, /var/tmp, and user homes.
+- Undo attacker changes by restoring /etc/sudoers, /etc/passwd and /etc/shadow, and polkit rules under /usr/share/polkit-1 or /etc/polkit-1, unmount suspicious FUSE or bind mounts created by fusermount3/mount, and rotate credentials and keys.
+- Escalate to incident command if you observe a SUID helper launching an interactive root shell (/bin/sh -p or bash -p), root-owned droppers in /tmp or /usr/local/bin, or similar events on more than one host or account.
+- Permanently reduce the SUID/SGID attack surface by auditing and removing setuid bits from rarely used binaries (e.g., chfn, chsh, newgrp, ssh-keysign), restricting pkexec via polkit rules to specific callers, and mounting /tmp, /var/tmp, and home directories with nosuid,nodev,noexec.
+- Strengthen monitoring and policy by enabling AppArmor/SELinux confinement for pkexec and mount helpers, adding auditd rules for exec of setuid binaries and writes to /tmp by root, and enforcing least-privilege sudoers by removing broad NOPASSWD entries and requiring MFA for privileged tasks.
+"""
 references = [
 "https://dfir.ch/posts/today_i_learned_binfmt_misc/",
 "https://gtfobins.github.io/#+suid",
@@ -58,6 +89,7 @@ tags = [
 "Tactic: Persistence",
 "Tactic: Defense Evasion",
 "Data Source: Elastic Defend",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
index 906e6cd1566..c728a7ba058 100644
--- a/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
+++ b/rules/windows/execution_delayed_via_ping_lolbas_unsigned.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/09/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/11/11"
 [rule]
 author = ["Elastic"]
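Review bot: The new `note` mixes the Unicode non-breaking hyphen (U+2011) in `non‑root`, `non‑privileged`, `single‑argument` and `user‑namespace` with ASCII hyphens in `well-known`, `low-privilege` and `attacker-created`, and uses a curly apostrophe in `executable’s`; normalising these to ASCII (`non-root`, `single-argument`, `user-namespace`, `executable's`) keeps the guide greppable in Kibana and consistent with the rest of the file. In the first remediation bullet, stripping the setuid bit from `/usr/bin/pkexec` also stops legitimate polkit-mediated elevation for every user on the host until the bit is restored or the package is reinstalled, so the sentence should say so, e.g. append `(expect polkit-authorised actions to fail until the bit is restored)`. The enclosing `[rule]` table starts before this hunk.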
@@ -15,6 +15,41 @@ index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Delayed Execution via Ping"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Delayed Execution via Ping
+
+Ping, a network utility, can be misused by attackers to delay execution of malicious commands, aiding in evasion. Adversaries may use ping to introduce pauses, allowing them to execute harmful scripts or binaries stealthily. The detection rule identifies suspicious ping usage followed by execution of known malicious utilities, flagging potential threats by monitoring specific command patterns and excluding benign processes.
+
+### Possible investigation steps
+
+- Review the process tree to understand the sequence of events, focusing on the parent-child relationship between cmd.exe, ping.exe, and any subsequent suspicious processes like rundll32.exe or powershell.exe.
+- Examine the command line arguments used with ping.exe to determine the delay introduced and assess if it aligns with typical malicious behavior.
+- Investigate the user account associated with the process execution, especially if the user.id is not S-1-5-18, to determine if the account has been compromised or is being misused.
+- Check the file path and code signature of any executables launched from the user's AppData directory to verify if they are trusted or potentially malicious.
+- Analyze the command line arguments and working directory of any suspicious processes to identify any known malicious patterns or scripts being executed.
+- Correlate the alert with any other recent alerts or logs from the same host or user to identify potential patterns or ongoing malicious activity.
+
+### False positive analysis
+
+- Legitimate administrative scripts or maintenance tasks may use ping to introduce delays, especially in batch files executed by system administrators. To handle this, identify and exclude specific scripts or command lines that are known to be safe.
+- Software installations or updates might use ping for timing purposes. Review the command lines and parent processes involved, and create exceptions for trusted software paths or signatures.
+- Automated testing environments may use ping to simulate network latency or wait for services to start. Exclude these processes by identifying the testing framework or environment and adding it to the exception list.
+- Some legitimate applications might use ping as part of their normal operation. Monitor these applications and, if verified as safe, exclude their specific command patterns or executable paths.
+- Regularly review and update the exception list to ensure it reflects the current environment and any new legitimate use cases that arise.
+
+### Response and remediation
+
+- Isolate the affected system from the network immediately to prevent further malicious activity and lateral movement.
+- Terminate any suspicious processes identified in the alert, such as those involving ping.exe followed by the execution of known malicious utilities.
+- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware or unauthorized software.
+- Review and analyze the command history and logs of the affected system to understand the scope of the attack and identify any additional compromised systems.
+- Restore the system from a known good backup if malware removal is not feasible or if the system's integrity is in question.
+- Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the alert.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 risk_score = 21
 rule_id = "e00b8d49-632f-4dc6-94a5-76153a481915"
 severity = "low"
@@ -64,41 +99,6 @@ sequence by process.parent.entity_id with maxspan=1m
 "?:\\Users\\*\\AppData\\Local\\Temp\\QBTools\\"))
 ]
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Delayed Execution via Ping
-
-Ping, a network utility, can be misused by attackers to delay execution of malicious commands, aiding in evasion. Adversaries may use ping to introduce pauses, allowing them to execute harmful scripts or binaries stealthily. The detection rule identifies suspicious ping usage followed by execution of known malicious utilities, flagging potential threats by monitoring specific command patterns and excluding benign processes.
-
-### Possible investigation steps
-
-- Review the process tree to understand the sequence of events, focusing on the parent-child relationship between cmd.exe, ping.exe, and any subsequent suspicious processes like rundll32.exe or powershell.exe.
-- Examine the command line arguments used with ping.exe to determine the delay introduced and assess if it aligns with typical malicious behavior.
-- Investigate the user account associated with the process execution, especially if the user.id is not S-1-5-18, to determine if the account has been compromised or is being misused.
-- Check the file path and code signature of any executables launched from the user's AppData directory to verify if they are trusted or potentially malicious.
-- Analyze the command line arguments and working directory of any suspicious processes to identify any known malicious patterns or scripts being executed.
-- Correlate the alert with any other recent alerts or logs from the same host or user to identify potential patterns or ongoing malicious activity.
-
-### False positive analysis
-
-- Legitimate administrative scripts or maintenance tasks may use ping to introduce delays, especially in batch files executed by system administrators. To handle this, identify and exclude specific scripts or command lines that are known to be safe.
-- Software installations or updates might use ping for timing purposes. Review the command lines and parent processes involved, and create exceptions for trusted software paths or signatures.
-- Automated testing environments may use ping to simulate network latency or wait for services to start. Exclude these processes by identifying the testing framework or environment and adding it to the exception list.
-- Some legitimate applications might use ping as part of their normal operation. Monitor these applications and, if verified as safe, exclude their specific command patterns or executable paths.
-- Regularly review and update the exception list to ensure it reflects the current environment and any new legitimate use cases that arise.
-
-### Response and remediation
-
-- Isolate the affected system from the network immediately to prevent further malicious activity and lateral movement.
-- Terminate any suspicious processes identified in the alert, such as those involving ping.exe followed by the execution of known malicious utilities.
-- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malware or unauthorized software.
-- Review and analyze the command history and logs of the affected system to understand the scope of the attack and identify any additional compromised systems.
-- Restore the system from a known good backup if malware removal is not feasible or if the system's integrity is in question.
-- Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the alert.
-- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 [[rule.threat]]
@@ -176,7 +176,7 @@ name = "Virtualization/Sandbox Evasion"
 reference = "https://attack.mitre.org/techniques/T1497/"
 [[rule.threat.technique.subtechnique]]
 id = "T1497.003"
-name = "Time Based Evasion"
+name = "Time Based Checks"
 reference = "https://attack.mitre.org/techniques/T1497/003/"