From 080cd47337e24aeb592007f1be208c1e0d1c7c63 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Thu, 26 Feb 2026 11:06:12 -0500
Subject: [PATCH] [Bug] `test_integration_tag` incorrectly flags higher-order rules using `.alerts-security.*` index (#5783)

Fixes #5782
---
 pyproject.toml | 2 +-
 tests/test_all_rules.py | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index b2ada5c48..e62363e67 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.49"
+version = "1.5.50"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 131128266..e764bc550 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -870,6 +870,8 @@ class TestRuleMetadata(BaseRuleTest):
 continue
 if rule.contents.data.type == "threat_match":
 continue
+ if indices == [".alerts-security.*"]:
+ continue
 err_msg = f"{self.rule_str(rule)} {rule_integration} tag, index pattern missing or incorrect."
 failures.append(err_msg)
@@ -891,6 +893,7 @@ class TestRuleMetadata(BaseRuleTest):
 not rule.contents.metadata.integration
 and rule.id not in definitions.IGNORE_IDS
 and rule.contents.data.type not in definitions.MACHINE_LEARNING
+ and indices != [".alerts-security.*"]
 ):
 err_msg = (
 f"substrings {non_dataset_packages} found in "
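Review bot: The exemption `indices == [".alerts-security.*"]` in the first `tests/test_all_rules.py` hunk is an unexplained literal that is repeated in the second hunk (`and indices != [".alerts-security.*"]`), so the two checks can drift apart and a reader cannot tell why these rules skip the integration-tag validation. I would define it once near the top of the test module, e.g. `ALERTS_INDEX_ONLY = [".alerts-security.*"]  # higher-order rules query alert indices, not integration data streams`, and compare against that name in both places. The exact list comparison keeps the bypass narrow, which suits a check that guards rule metadata, but it also means a rule that lists the alerts pattern alongside another index, or under a variant spelling, is still flagged; if that is intended, the comment should say so. Both changes sit inside test bodies that start and end outside the hunks, and `indices` is assigned outside the visible lines, so its type (list or None) is assumed here.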