From 5adc118f92da7de0be415a4e2415206334a80985 Mon Sep 17 00:00:00 2001
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Date: Fri, 20 Feb 2026 15:29:51 -0500
Subject: [PATCH] [Bug] ES|QL Validation Add Reverse Lookup Check Against Kibana Value (#5747)
* Add reverse lookup check against Kibana value
---------
Co-authored-by: Mika Ayenson, PhD
---
 detection_rules/rule_validators.py | 2 ++
 pyproject.toml | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/detection_rules/rule_validators.py b/detection_rules/rule_validators.py
index 48dd178eb..8ebe4017e 100644
--- a/detection_rules/rule_validators.py
+++ b/detection_rules/rule_validators.py
@@ -818,6 +818,8 @@ class ESQLValidator(QueryValidator):
 reverse_col_type = kql.parser.elasticsearch_type_family(column_type) if column_type else None
 if reverse_col_type is not None and schema_type is not None and reverse_col_type == schema_type:
 continue
+ if reverse_col_type is not None and reverse_col_type == column_type:
+ continue
 mismatched_columns.append(
 f"Dynamic field `{column_name}` is not correctly mapped. "
 f"If not dynamic: expected from schema: `{schema_type}`, got from Kibana: `{column_type}`."
diff --git a/pyproject.toml b/pyproject.toml
index 4195c3fa1..50ad1643e 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.46"
+version = "1.5.47"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
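Review bot: In detection_rules/rule_validators.py the added `if reverse_col_type is not None and reverse_col_type == column_type: continue` never consults `schema_type`, so it decides to skip the "not correctly mapped" report from the Kibana value alone. If `kql.parser.elasticsearch_type_family` returns its argument unchanged for types that have no family alias (its body is not in this hunk, so confirm), every such column is now skipped, including one whose Kibana type differs from what the schema expects, and a rule with a real mapping mismatch would pass validation unnoticed. If the fix is meant only for columns with no schema entry, narrow the guard to `if schema_type is None and reverse_col_type == column_type:`; otherwise add a comment such as `# Kibana type is already its own type family; accepted without a schema comparison because ...` and a test with a deliberately mismatched column. The enclosing ESQLValidator method starts and ends outside the hunk.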