From bde33859f3f131556d408c4f8b32845036453fd8 Mon Sep 17 00:00:00 2001
From: brokensound77
Date: Mon, 7 Dec 2020 01:35:00 -0900
Subject: [PATCH 1/2] add threat_match rule type to schemaa

---
 detection_rules/schemas/v7_10.py | 30 ++++++++++++++++++++++++++++++
 detection_rules/schemas/v7_8.py | 6 ++++--
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/detection_rules/schemas/v7_10.py b/detection_rules/schemas/v7_10.py
index c2bc2c1372f..1483c230cea 100644
--- a/detection_rules/schemas/v7_10.py
+++ b/detection_rules/schemas/v7_10.py
@@ -10,11 +10,24 @@
 
 # rule types
 EQL = "eql"
+THREAT_MATCH = "threat_match"
 
 
 class ApiSchema710(ApiSchema79):
     """Schema for siem rule in API format."""
 
+    class ThreatEntries(jsl.Document):
+        """Threat match rule entries."""
+
+        class ThreatEntry(jsl.Document):
+            """Threat match rule mapping entry."""
+
+            field = jsl.StringField(required=True)
+            type = jsl.StringField(default='mapping', enum='mapping', required=True)
+            value = jsl.StringField(required=True)
+
+        entries = jsl.ArrayField(jsl.DocumentField(ThreatEntry, required=True), min_items=1)
+
     STACK_VERSION = "7.10"
     RULE_TYPES = ApiSchema79.RULE_TYPES + [EQL]
 
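Review bot: `type = jsl.StringField(default='mapping', enum='mapping', required=True)` passes the enum as a bare string, whereas every other enum in this file is a list (`enum=[EQL]` in the eql scope); if jsl materialises the enum by iterating it, the allowed set becomes the individual characters of 'mapping' and the default itself never validates, so this should read `enum=['mapping']`. The same applies to `tm_scope.type = jsl.StringField(enum=THREAT_MATCH, required=True)` in the next hunk, which should be `enum=[THREAT_MATCH]`. Separately, the context line `RULE_TYPES = ApiSchema79.RULE_TYPES + [EQL]` is left without the new constant; if RULE_TYPES feeds the top-level `type` enum, threat_match rules would be rejected before the new scope is ever consulted, so consider `RULE_TYPES = ApiSchema79.RULE_TYPES + [EQL, THREAT_MATCH]`. The body of ApiSchema710 continues past the end of this hunk.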
@@ -32,5 +45,22 @@ class ApiSchema710(ApiSchema79):
         eql_scope.language = jsl.StringField(enum=[EQL], required=True, default=EQL)
         eql_scope.type = jsl.StringField(enum=[EQL], required=True)
 
+    with jsl.Scope(THREAT_MATCH) as tm_scope:
+        tm_scope.type = jsl.StringField(enum=THREAT_MATCH, required=True)
+        tm_scope.language = jsl.StringField(enum=['kuery', 'lucene'], required=True, default=EQL)
+        tm_scope.index = jsl.ArrayField(jsl.StringField(), required=False)
+        tm_scope.query = jsl.StringField(required=True)
+        tm_scope.threat_query = jsl.StringField(default='*:*', required=True)
+        tm_scope.threat_mapping = jsl.ArrayField(jsl.DocumentField(ThreatEntries, required=True), min_items=1)
+        tm_scope.threat_language = jsl.StringField(enum=['kuery', 'lucene'], required=True, default=EQL)
+        tm_scope.threat_index = jsl.ArrayField(jsl.StringField(required=True), min_items=1)
+
+        # API items not defined here
+        # filters: filtersOrUndefined,
+        # savedId: savedIdOrUndefined,
+        # threatFilters: filtersOrUndefined,
+        # concurrentSearches: concurrentSearchesOrUndefined,
+        # itemsPerSearch: itemsPerSearchOrUndefined,
+
     with jsl.Scope(jsl.DEFAULT_ROLE) as default_scope:
         default_scope.type = type
diff --git a/detection_rules/schemas/v7_8.py b/detection_rules/schemas/v7_8.py
index d467d9a127c..490940eb7ea 100644
--- a/detection_rules/schemas/v7_8.py
+++ b/detection_rules/schemas/v7_8.py
@@ -14,8 +14,10 @@
 MITRE_URL_PATTERN = r'https://attack.mitre.org/{type}/T[A-Z0-9]+/'
 
 
-# kibana/.../siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts
-# /detection_engine/routes/schemas/schemas.ts
+# kibana/.../security_solution/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.ts
+# /detection_engine/routes/schemas/schemas.ts
+# /detection_engine/schemas/rule_schemas.ts
+
 # rule_id is required here
 # output_index is not allowed (and instead the space index must be used)
 # immutable defaults to true instead of to false and if it is there can only be true
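Review bot: `tm_scope.language = jsl.StringField(enum=['kuery', 'lucene'], required=True, default=EQL)` declares a default of "eql" that is not one of its own enum values, and `tm_scope.threat_language` two lines below repeats it; the defaults look carried over from the eql scope, and a rule that relies on either default would fail this very schema. Use a value inside the enum for both, e.g. `default='kuery'`, matching whichever default the Kibana rule_schemas.ts referenced in the v7_8 comments specifies. The `with jsl.Scope(THREAT_MATCH)` block is complete within the hunk, but the enclosing ApiSchema710 class starts and ends outside it.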
From b947db2e24a786f5df7265456fe5f501ebec6bba Mon Sep 17 00:00:00 2001
From: brokensound77
Date: Mon, 7 Dec 2020 01:55:52 -0900
Subject: [PATCH 2/2] update threat match schema class names

---
 detection_rules/schemas/v7_10.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/detection_rules/schemas/v7_10.py b/detection_rules/schemas/v7_10.py
index 1483c230cea..64ef20ce788 100644
--- a/detection_rules/schemas/v7_10.py
+++ b/detection_rules/schemas/v7_10.py
@@ -16,17 +16,17 @@
 class ApiSchema710(ApiSchema79):
     """Schema for siem rule in API format."""
 
-    class ThreatEntries(jsl.Document):
+    class ThreatMatchEntries(jsl.Document):
         """Threat match rule entries."""
 
-        class ThreatEntry(jsl.Document):
+        class ThreatMatchEntry(jsl.Document):
             """Threat match rule mapping entry."""
 
             field = jsl.StringField(required=True)
             type = jsl.StringField(default='mapping', enum='mapping', required=True)
             value = jsl.StringField(required=True)
 
-        entries = jsl.ArrayField(jsl.DocumentField(ThreatEntry, required=True), min_items=1)
+        entries = jsl.ArrayField(jsl.DocumentField(ThreatMatchEntry, required=True), min_items=1)
 
     STACK_VERSION = "7.10"
     RULE_TYPES = ApiSchema79.RULE_TYPES + [EQL]
@@ -51,7 +51,7 @@ class ThreatEntry(jsl.Document):
         tm_scope.index = jsl.ArrayField(jsl.StringField(), required=False)
         tm_scope.query = jsl.StringField(required=True)
         tm_scope.threat_query = jsl.StringField(default='*:*', required=True)
-        tm_scope.threat_mapping = jsl.ArrayField(jsl.DocumentField(ThreatEntries, required=True), min_items=1)
+        tm_scope.threat_mapping = jsl.ArrayField(jsl.DocumentField(ThreatMatchEntries, required=True), min_items=1)
         tm_scope.threat_language = jsl.StringField(enum=['kuery', 'lucene'], required=True, default=EQL)
         tm_scope.threat_index = jsl.ArrayField(jsl.StringField(required=True), min_items=1)