diff --git a/detection_rules/etc/custom-consolidated-rules.ndjson b/detection_rules/etc/custom-consolidated-rules.ndjson
index 2efcb255f..98b20377c 100644
--- a/detection_rules/etc/custom-consolidated-rules.ndjson
+++ b/detection_rules/etc/custom-consolidated-rules.ndjson
@@ -2,7 +2,7 @@
 {"id":"c7c868c0-cfe1-4139-a873-4c8ce7b181c1","updated_at":"2025-08-18T03:41:10.096Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.310Z","created_by":"841510929","name":"test_kql_with_alert_supprestion_and_investigation_fileds","tags":["child process","ms office"],"interval":"1h","enabled":true,"revision":1,"description":"Process started by MS Office program - possible payload","risk_score":0,"severity":"low","note":"This a a test sample investigation Guide\nThis a a test sample investigation Guide\nThis a a test sample investigation Guide\n\n!{osquery{\"query\":\"SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%'\\nOR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/lib/systemd/system/%' )\",\"label\":\"test-osquery\"}}\n\n!{investigate{\"label\":\"test-investigation-query\",\"description\":\"test-investigation-query\",\"providers\":[[{\"field\":\"host.name\",\"excluded\":false,\"queryType\":\"phrase\",\"value\":\"test-host\",\"valueType\":\"string\"}]]}}","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-70m","rule_id":"742feb36-ac4c-45e0-b8a5-3b3cfa66b6d2","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"query","language":"kuery","index":["logs-*"],"query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE\n","filters":[{"$state":{"store":"appState"},"meta":{"disabled":false,"key":"event.action","negate":false,"type":"phrase","params":{"query":"Process Create (rule: ProcessCreate)"}},"query":{"match_phrase":{"event.action":{"query":"Process Create (rule: ProcessCreate)"}}}}],"alert_suppression":{"group_by":["process.parent.name"],"duration":{"value":5,"unit":"h"},"missing_fields_strategy":"suppress"},"actions":[]}
 {"id":"e9430a4c-5fce-41b7-9d55-7645360e11d9","updated_at":"2025-08-18T03:40:30.081Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.326Z","created_by":"841510929","name":"test_kql_with_alert_suppression","tags":["child process","ms office"],"interval":"1h","enabled":true,"revision":1,"description":"Process started by MS Office program - possible payload","risk_score":0,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-70m","rule_id":"2c6c5352-11cb-40a5-9294-e61ef5f1954f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"query","language":"kuery","index":["logs-*"],"query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE\n","filters":[{"meta":{"type":"phrase","key":"event.action","params":{"query":"Process Create (rule: ProcessCreate)"},"disabled":false,"negate":false},"$state":{"store":"appState"},"query":{"match_phrase":{"event.action":{"query":"Process Create (rule: ProcessCreate)"}}}}],"alert_suppression":{"group_by":["process.parent.name"],"duration":{"value":5,"unit":"h"},"missing_fields_strategy":"suppress"},"actions":[]}
 {"id":"45241dcf-1bb2-41eb-8e91-89741af275c0","updated_at":"2025-08-18T03:43:41.240Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.317Z","created_by":"841510929","name":"test_eql_rule","tags":["EQL","Windows","rundll32.exe"],"interval":"5m","enabled":true,"revision":1,"description":"Unusual rundll32.exe network connection","risk_score":0,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"2cc8f325-e1b1-4201-8b8d-88a51c94992b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.args_count","type":"long","ecs":true},{"name":"process.entity_id","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.pe.original_file_name","type":"keyword","ecs":true}],"setup":"None","type":"eql","language":"eql","index":["logs-*"],"query":"sequence by process.entity_id with maxspan=2h [process where event.type in (\"start\", \"process_started\") and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and ((process.args == \"rundll32.exe\" and process.args_count == 1) or (process.args != \"rundll32.exe\" and process.args_count == 0))] [network where event.type == \"connection\" and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")]\n","filters":[],"actions":[]}
-{"id":"11d7b970-0076-4ae1-b328-16d6778489f2","updated_at":"2025-08-18T03:45:34.509Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.308Z","created_by":"841510929","name":"test_esql_rule_with_shared_rule_exception","tags":[],"interval":"5m","enabled":true,"revision":2,"description":"Find Excel events","risk_score":0,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"7e0f6dae-5847-465f-89e9-a6de0e9ef918","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","type":"detection","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"esql","language":"esql","query":"from auditbeat-* METADATA _id, _version, _index | KEEP process.parent.name | where process.parent.name == \"EXCEL.EXE\"\n","actions":[]}
+{"id":"11d7b970-0076-4ae1-b328-16d6778489f2","updated_at":"2025-08-18T03:45:34.509Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.308Z","created_by":"841510929","name":"test_esql_rule_with_shared_rule_exception","tags":[],"interval":"5m","enabled":true,"revision":2,"description":"Find Excel events","risk_score":0,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"7e0f6dae-5847-465f-89e9-a6de0e9ef918","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","type":"detection","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"esql","language":"esql","query":"from logs-* METADATA _id, _version, _index | KEEP process.parent.name, _id, _version, _index | where process.parent.name == \"EXCEL.EXE\"\n","actions":[]}
 {"id":"72abd101-fe39-43f0-a6d1-e9a373684cab","updated_at":"2025-08-18T03:46:00.515Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.334Z","created_by":"841510929","name":"test_new_terms_rule_with_shared_rule_exception","tags":[],"interval":"5m","enabled":true,"revision":2,"description":"Detects a user associated with a new IP address","risk_score":0,"severity":"medium","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"2390c9dd-ad90-4af6-97a4-1d607ba0f092","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","type":"detection","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"user.id","type":"keyword","ecs":true},{"name":"source.ip","type":"ip","ecs":true}],"setup":"None","type":"new_terms","query":"host.name:prml-19 and event.category:authentication and event.outcome:failure\n","new_terms_fields":["user.id","source.ip"],"history_window_start":"now-30d","index":["auditbeat*"],"filters":[],"language":"kuery","actions":[]}
 {"id":"a1605087-5c6f-4363-9686-ecd47e9c44b6","rule_id":"4c589d81-2622-4036-8cc7-372ea8f0e038","name":"test_indicator_match_rule_with_email_actions","immutable":false,"rule_source":{"type":"internal"},"version":1,"revision":1,"updated_at":"2025-10-29T17:02:23.823Z","updated_by":"3610252053","created_at":"2025-10-29T17:01:09.848Z","created_by":"3610252053","enabled":true,"interval":"5m","from":"now-6m","to":"now","description":"Checks for bad IP addresses listed in the ip-threat-list index","tags":[],"author":["841510929"],"license":"","threat":[],"related_integrations":[],"required_fields":[{"name":"destination.ip","type":"ip","ecs":true},{"name":"destination.port","type":"long","ecs":true},{"name":"host.ip","type":"ip","ecs":true}],"setup":"None","note":"None","false_positives":[],"references":[],"risk_score":0,"risk_score_mapping":[],"severity":"medium","severity_mapping":[],"output_index":"","max_signals":100,"exceptions_list":[],"actions":[{"id":"1b8d347f-2542-4390-85de-2653518311e2","params":{"message":"Rule {{context.rule.name}} generated {{state.signals_count}} alerts","to":["tradebot-elastic@elastic.com"],"subject":"Test Actions"},"action_type_id":".email","uuid":"98de9d3f-87e9-468a-b656-26f8c2f64c00","frequency":{"summary":true,"notifyWhen":"onActiveAlert","throttle":null},"group":"default"}],"meta":{"kibana_siem_app_url":""},"type":"threat_match","language":"kuery","index":["packetbeat-*"],"query":"destination.ip:* or host.ip:*\n","filters":[],"threat_filters":[],"threat_query":"*:*","threat_mapping":[{"entries":[{"field":"destination.ip","type":"mapping","value":"destination.ip"},{"field":"destination.port","type":"mapping","value":"destination.port"}]},{"entries":[{"field":"source.ip","type":"mapping","value":"host.ip"}]}],"threat_language":"kuery","threat_index":["ip-threat-list"],"threat_indicator_path":"threat.indicator"}
 {"id":"d46a29ca-9b5b-4cbd-b11f-35c6b59f207b","updated_at":"2025-08-18T03:44:54.407Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.331Z","created_by":"841510929","name":"test_threshold_with_rule_exception","tags":["Brute force"],"interval":"2m","enabled":true,"revision":1,"description":"Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame.","risk_score":0,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-3m","rule_id":"d46a29ca-9b5b-4cbd-b11f-35c6b59f207b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[{"field":"source.geo.city_name","operator":"equals","severity":"low","value":"Manchester"},{"field":"source.geo.city_name","operator":"equals","severity":"medium","value":"London"},{"field":"source.geo.city_name","operator":"equals","severity":"high","value":"Birmingham"},{"field":"source.geo.city_name","operator":"equals","severity":"critical","value":"Wallingford"}],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"82395156-8ad2-46c3-be79-1f1a23c0d802","list_id":"0a4124f8-2074-450b-8689-d7dee319c666","type":"rule_default","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"source.ip","type":"ip","ecs":true}],"setup":"None","type":"threshold","language":"kuery","index":["winlogbeat-*"],"query":"host.name:prml-19 and event.category:authentication and event.outcome:failure\n","filters":[],"threshold":{"field":["source.ip"],"value":20,"cardinality":[]},"actions":[]}
diff --git a/pyproject.toml b/pyproject.toml
index e373df8a4..9ab13ce35 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.34"
+version = "1.5.35"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/tests/test_rules_remote.py b/tests/test_rules_remote.py
index be6b027f6..749275a8a 100644
--- a/tests/test_rules_remote.py
+++ b/tests/test_rules_remote.py
@@ -177,7 +177,7 @@ class TestRemoteRules(BaseRuleTest):
         original_production_rule = load_rule_contents(file_path)
         production_rule = deepcopy(original_production_rule)[0]
         production_rule["rule"]["query"] = """
-        from logs-endpoint.alerts-*
+        from logs-endpoint.alerts-* METADATA _id, _version, _index
         | where event.code in ("malicious_file", "memory_signature", "shellcode_thread") and rule.name is not null
         | keep host.id, rule.name, event.code, _id, _version, _index
         | stats Esql.host_id_count_distinct = count_distinct(host.id) by rule.name, event.code
@@ -207,7 +207,7 @@ class TestRemoteRules(BaseRuleTest):
         production_rule = deepcopy(original_production_rule)[0]
         production_rule["metadata"]["integration"] = []
         production_rule["rule"]["query"] = """
-        from logs-endpoint.alerts-*
+        from logs-endpoint.alerts-* METADATA _id, _version, _index
         | where event.code in ("malicious_file", "memory_signature", "shellcode_thread") and rule.name is not null and file.Ext.entry_modified > 0
         | keep host.id, rule.name, event.code, file.Ext.entry_modified, _id, _version, _index
         | stats Esql.host_id_count_distinct = count_distinct(host.id) by rule.name, event.code, file.Ext.entry_modified