{ "$schema": "http://json-schema.org/draft-07/schema#", "title": "x-signal", "description": "Object that indicates the primary evidence of a signal that is accepted for investigation by McAfee XDR", "type": "object", "properties": { "type": { "title": "type", "type": "string", "enum": [ "x-signal" ] }, "x_severity": { "type": "string", "description": "Severity of the signal that is being passed for investigation." }, "x_score": { "type": "integer", "description": "Score of the signal." }, "x_tactic": { "type": "array", "description": "The list of tactic IDs", "items": { "type": "string" } }, "x_technique": { "type": "array", "description": "The list of techniques", "items": { "type": "string" } }, "x_ruleid": { "type": "string", "description": "The rule id for the signal" }, "x_datasource": { "type": "string", "description": "Identifier of the source of the signal; required for successful processing of the request. Must be one of the following values: [EDR, ENS, INSIGHTS, WEBSAAS, OTHERS]", "enum": [ "EDR", "ENS", "INSIGHTS", "WEBSAAS", "OTHERS" ] }, "x_custom_properties": { "type": "object", "description": "The holder for all other properties that the source would like to share. 
As part of specific sources [EDR,ENS,INSIGHTS,WEBSAAS] there are certain properties that are mandatory", "if": { "properties": { "x_datasource": { "const": "EDR" } } }, "then": { "patternProperties": { "^x_event_type": { "type": "string" }, "^x_hash_id$": { "type": "string" }, "^x_detection_tags$": { "type": "array", "items": { "type": "string" } }, "^x_related_detections$": { "type": "array", "items": { "type": "string" } }, "^x_threat_event_id$": { "type": "string" }, "^x_threat_action_taken$": { "type": "string" }, "^x_threat_category$": { "type": "string" }, "^x_category$": { "type": "string" }, "^x_reputation$": { "type": "string" }, "^x_block_reason$": { "type": "string" }, "^x_result$": { "type": "string", "enum": [ "DENIED", "OBSERVED" ] } }, "required": [ "x_hash_id" ] }, "if": { "properties": { "x_datasource": { "const": "ENS" } } }, "then": { "patternProperties": { "^x_event_type": { "type": "string" }, "^x_hash_id$": { "type": "string" }, "^x_detection_tags$": { "type": "array", "items": { "type": "string" } }, "^x_related_detections$": { "type": "array", "items": { "type": "string" } }, "^x_threat_event_id$": { "type": "string" }, "^x_threat_action_taken$": { "type": "string" }, "^x_threat_category$": { "type": "string" }, "^x_category$": { "type": "string" }, "^x_reputation$": { "type": "string" }, "^x_block_reason$": { "type": "string" }, "^x_result$": { "type": "string", "enum": [ "DENIED", "OBSERVED" ] } }, "required": [ "x_threat_event_id", "x_threat_action_taken", "x_threat_category" ] }, "if": { "properties": { "x_datasource": { "const": "WEBSAAS" } } }, "then": { "patternProperties": { "^x_event_type": { "type": "string" }, "^x_hash_id$": { "type": "string" }, "^x_detection_tags$": { "type": "array", "items": { "type": "string" } }, "^x_related_detections$": { "type": "array", "items": { "type": "string" } }, "^x_threat_event_id$": { "type": "string" }, "^x_threat_action_taken$": { "type": "string" }, "^x_threat_category$": { "type": "string" 
}, "^x_category$": { "type": "string" }, "^x_reputation$": { "type": "string" }, "^x_block_reason$": { "type": "string" }, "^x_result$": { "type": "string", "enum": [ "DENIED", "OBSERVED" ] } }, "required": [ "x_category", "x_reputation", "x_block_reason", "x_result" ] }, "if": { "properties": { "x_datasource": { "const": "INSIGHTS" } } }, "then": { "patternProperties": { "^x_event_type": { "type": "string" }, "^x_hash_id$": { "type": "string" }, "^x_detection_tags$": { "type": "array", "items": { "type": "string" } }, "^x_related_detections$": { "type": "array", "items": { "type": "string" } }, "^x_threat_event_id$": { "type": "string" }, "^x_threat_action_taken$": { "type": "string" }, "^x_threat_category$": { "type": "string" }, "^x_category$": { "type": "string" }, "^x_reputation$": { "type": "string" }, "^x_block_reason$": { "type": "string" }, "^x_result$": { "type": "string", "enum": [ "DENIED", "OBSERVED" ] } } }, "if": { "properties": { "x_datasource": { "const": "OTHERS" } } }, "then": { "patternProperties": { "^x_event_type": { "type": "string" }, "^x_hash_id$": { "type": "string" }, "^x_detection_tags$": { "type": "array", "items": { "type": "string" } }, "^x_related_detections$": { "type": "array", "items": { "type": "string" } }, "^x_threat_event_id$": { "type": "string" }, "^x_threat_action_taken$": { "type": "string" }, "^x_threat_category$": { "type": "string" }, "^x_category$": { "type": "string" }, "^x_reputation$": { "type": "string" }, "^x_block_reason$": { "type": "string" }, "^x_result$": { "type": "string", "enum": [ "DENIED", "OBSERVED" ] } } } } }, "required": [ "x_datasource", "type", "id", "spec_version" ] }