From 1e1f81bc94e06d22d78c51c51e33e803e4a590ff Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Thu, 23 Oct 2025 19:47:04 +0530
Subject: [PATCH 1/5] Add unit test for protected prebuilt-rules

---
 tests/test_all_rules.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 58af2b79841..40326df0b46 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -1112,6 +1112,32 @@ def test_ml_integration_jobs_exist(self):
 f"The following ({len(failures)}) rules are missing a valid `machine_learning_job_id`:\n{err_msg}"
 )
+ def test_preserve_upstream_protected_rule_id_name(self):
+ """
+ Ensure upstream referenced rule IDs and rule names remain unchanged
+ """
+ protected_rules = {"9a1a2dae-0b5f-4c3d-8305-a268d404c306": "Endpoint Security (Elastic Defend)"}
+ # map current rules by id and name for quick lookup
+ current_rules = {rule.contents.data.get("rule_id"): rule.contents.data.get("name") for rule in self.all_rules}
+ failures = []
+ for rule_id, rule_name in protected_rules.items():
+ if rule_id in current_rules:
+ if rule_name != current_rules.get(rule_id):
+ failures.append(
+ f"Protected rule_id {rule_id} name modified from '{rule_name}' to '{current_rules.get(rule_id)}' - review upstream impact"
 )
+ else:
+ failures.append(
+ f"Protected rule: {rule_name} rule_id: {rule_id} missing/modified - review upstream impact"
 )
+ if failures:
+ fail_msg = """
+ The following protected prebuilt rules have missing/modified rule IDs or names \n
+ """
+ self.fail(fail_msg + "\n".join(failures))
+
 class TestRuleTiming(BaseRuleTest):
 """Test rule timing and timestamps."""

From 3418f8d8a09ea1690b0d4720070bdb912bd15279 Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Thu, 23 Oct 2025 19:56:13 +0530
Subject: [PATCH 2/5] Update Patch version

---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
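Review bot: The `fail_msg` literal added just before `self.fail(...)` is a triple-quoted string that embeds a leading newline, the source indentation, a literal `\n` escape and a trailing newline, so the assertion output carries stray whitespace and a blank line before the first failure entry. A plain one-line header, `fail_msg = "The following protected prebuilt rules have missing/modified rule IDs or names:\n"`, conveys the same information without the noise. The `protected_rules` mapping would also benefit from a comment stating why this rule_id/name pair is pinned, e.g. `# rule_id -> name pairs referenced upstream; changing either is a breaking change for those references`, since the docstring only says they are "upstream referenced". The enclosing test class starts before this hunk.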
diff --git a/pyproject.toml b/pyproject.toml
index ab6e492a644..c1636f4242b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.2"
+version = "1.5.3"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

From 43afef828659658926e7ce0712f89a7898f2689b Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Thu, 23 Oct 2025 20:05:29 +0530
Subject: [PATCH 3/5] Apply suggestion from @eric-forte-elastic

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
---
 tests/test_all_rules.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 40326df0b46..7a1df1d7dca 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -1120,7 +1120,7 @@ def test_preserve_upstream_protected_rule_id_name(self):
 # map current rules by id and name for quick lookup
 current_rules = {rule.contents.data.get("rule_id"): rule.contents.data.get("name") for rule in self.all_rules}
- failures = []
+ failures: list[str] = []
 for rule_id, rule_name in protected_rules.items():
 if rule_id in current_rules:
 if rule_name != current_rules.get(rule_id):

From edff56d68260289f39c5ed59574fb7d642e4ae78 Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Thu, 23 Oct 2025 22:24:19 +0530
Subject: [PATCH 4/5] Update Patch version

---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index c1636f4242b..ccc7f40f54c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.3"
+version = "1.5.4"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

From 3f1350eac671c376039b1ffd657ae7a1dd886ef8 Mon Sep 17 00:00:00 2001
From: Shashank K S
Date: Fri, 24 Oct 2025 18:44:51 +0530
Subject: [PATCH 5/5] Update mapping logic to use id_map

---
 tests/test_all_rules.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 7a1df1d7dca..3996cdaa086 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -1118,16 +1118,14 @@ def test_preserve_upstream_protected_rule_id_name(self):
 """
 protected_rules = {"9a1a2dae-0b5f-4c3d-8305-a268d404c306": "Endpoint Security (Elastic Defend)"}
- # map current rules by id and name for quick lookup
- current_rules = {rule.contents.data.get("rule_id"): rule.contents.data.get("name") for rule in self.all_rules}
 failures: list[str] = []
 for rule_id, rule_name in protected_rules.items():
- if rule_id in current_rules:
- if rule_name != current_rules.get(rule_id):
+ try:
+ if rule_name != self.rc.id_map[rule_id].name:
 failures.append(
- f"Protected rule_id {rule_id} name modified from '{rule_name}' to '{current_rules.get(rule_id)}' - review upstream impact"
+ f"Protected rule_id {rule_id} name modified from '{rule_name}' to '{self.rc.id_map[rule_id].name}' - review upstream impact"
 )
- else:
+ except KeyError:
 failures.append(
 f"Protected rule: {rule_name} rule_id: {rule_id} missing/modified - review upstream impact"
 )
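Review bot: The new `try` block wraps both the `self.rc.id_map[rule_id]` lookup and the name comparison, and the lookup is repeated inside the f-string, so the `except KeyError` handler also covers any KeyError raised while building the message rather than only a missing rule_id. Binding the looked-up name once, catching `KeyError` around that single line and comparing afterwards keeps the try body minimal and removes the duplicate lookup. The `except` branch now runs only when the id is absent from `id_map`, so the "missing/modified" wording could be narrowed to "missing" unless a changed id is deliberately meant to surface there; `self.rc` is presumably provided by `BaseRuleTest`, which is not visible in this hunk. The method's `def` line and the final `self.fail` call are also outside the hunk.
```python
        for rule_id, rule_name in protected_rules.items():
            try:
                current_name = self.rc.id_map[rule_id].name
            except KeyError:
                failures.append(
                    f"Protected rule: {rule_name} rule_id: {rule_id} missing/modified - review upstream impact"
                )
                continue
            if rule_name != current_name:
                failures.append(
                    f"Protected rule_id {rule_id} name modified from '{rule_name}' to '{current_name}' - review upstream impact"
                )
```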