From 2312455d7a4fc7a12ca1ab18f271c0744210db00 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Tue, 20 Feb 2024 20:25:51 -0600
Subject: [PATCH] [FR] Skip eql optimizations on parsing query for unique fields (#3443)

(cherry picked from commit 542053719b4f0de6868d800c1f87891d232167ba)
---
 detection_rules/rule.py | 4 ++--
 detection_rules/rule_validators.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index 9a8916a0a..1a16e524c 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -1358,8 +1358,8 @@ def get_unique_query_fields(rule: TOMLRule) -> List[str]:
     if language in ('kuery', 'eql'):
         # TODO: remove once py-eql supports ipv6 for cidrmatch
-        config = set_eql_config(rule.contents.metadata.get('min_stack_version'))
-        with eql.parser.elasticsearch_syntax, eql.parser.ignore_missing_functions, config:
+        cfg = set_eql_config(rule.contents.metadata.get('min_stack_version'))
+        with eql.parser.elasticsearch_syntax, eql.parser.ignore_missing_functions, eql.parser.skip_optimizations, cfg:
             parsed = kql.parse(query) if language == 'kuery' else eql.parse_query(query)
             return sorted(set(str(f) for f in parsed if isinstance(f, (eql.ast.Field, kql.ast.Field))))
diff --git a/detection_rules/rule_validators.py b/detection_rules/rule_validators.py
index dbaf62361..33069e6b6 100644
--- a/detection_rules/rule_validators.py
+++ b/detection_rules/rule_validators.py
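Review bot: The `eql.parser.skip_optimizations` manager added to the `with` stack in get_unique_query_fields carries no comment, and the existing `# TODO: remove once py-eql supports ipv6 for cidrmatch` explains only the config manager, so a later reader may treat the new manager as part of that TODO and remove both together. Presumably optimizations are disabled so that Field nodes the parser's optimizer would otherwise simplify away still appear in the returned list; if that is the intent, record it on its own line, e.g. `# skip_optimizations: keep every Field node so the returned list matches the query as written`. The rename of `config` to `cfg` is incidental churn on the same lines and would be cleaner in a separate commit from the behavior change. get_unique_query_fields begins before the hunk, and the same manager stack is repeated in EQLValidator.ast in rule_validators.py below.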
@@ -207,8 +207,8 @@ class EQLValidator(QueryValidator):
     @cached_property
     def ast(self) -> eql.ast.Expression:
         latest_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True)
-        config = set_eql_config(str(latest_version))
-        with eql.parser.elasticsearch_syntax, eql.parser.ignore_missing_functions, config:
+        cfg = set_eql_config(str(latest_version))
+        with eql.parser.elasticsearch_syntax, eql.parser.ignore_missing_functions, eql.parser.skip_optimizations, cfg:
             return eql.parse_query(self.query)
 
     def text_fields(self, eql_schema: Union[ecs.KqlSchema2Eql, endgame.EndgameSchema]) -> List[str]:
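Review bot: EQLValidator.ast is a `cached_property`, so disabling optimizations here changes the tree every consumer of `self.ast` sees (the `text_fields` method starting right below appears to be one), not only the unique-field extraction the subject line describes. Any validation that relied on the optimizer reducing constant sub-expressions before schema checks would now operate on the unreduced tree; I cannot tell from this hunk whether such a check exists, so it is worth confirming against the code that reads `self.ast`. A short docstring on `ast` would record the decision, e.g. `"""Parse self.query with Elasticsearch syntax and the optimizer disabled, so the cached AST reflects the query as written."""`. `text_fields` is cut off at the end of the hunk.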