From 80c01cf665434b1e0147ade3ca21eaca18471b11 Mon Sep 17 00:00:00 2001
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Date: Wed, 17 Sep 2025 17:34:42 -0400
Subject: [PATCH] [Bug] Annotated Fields Ignored (#5125)

* Add Note for stop gap
---
 detection_rules/schemas/definitions.py | 9 ++++++---
 pyproject.toml                         | 4 ++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
index 6477a8561..ac2966e2a 100644
--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -66,8 +66,11 @@ OS_OPTIONS = ["windows", "linux", "macos"]
 NAME_PATTERN = re.compile(r"^[a-zA-Z0-9].+?[a-zA-Z0-9\[\]()]$")
 PR_PATTERN = re.compile(r"^$|\d+$")
 SHA256_PATTERN = re.compile(r"^[a-fA-F0-9]{64}$")
-UUID_PATTERN = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
-
+# NOTE this additional bad UUID pattern is a stop gap until the rule has been deprecated
+UUID_PATTERN = re.compile(
+    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"  # UUID pattern
+    r"|^7eb54028-ca72-4eb7-8185-b6864572347db$"  # Additional pattern of known bad UUID
+)
 _version = r"\d+\.\d+(\.\d+[\w-]*)*"
 CONDITION_VERSION_PATTERN = re.compile(rf"^\^{_version}$")
 VERSION_PATTERN = f"^{_version}$"
@@ -108,7 +111,7 @@ QUERY = "query"
 QUERY_FIELD_OP_EXCEPTIONS = ["powershell.file.script_block_text"]
 
 # we had a bad rule ID make it in before tightening up the pattern, and so we have to let it bypass
-KNOWN_BAD_RULE_IDS = Literal["119c8877-8613-416d-a98a-96b6664ee73a5"]
+KNOWN_BAD_RULE_IDS = Literal["119c8877-8613-416d-a98a-96b6664ee73a5", "7eb54028-ca72-4eb7-8185-b6864572347db"]
 KNOWN_BAD_DEPRECATED_DATES = Literal["2021-03-03"]
 # Known Null values that cannot be handled in TOML due to lack of Null value support via compound dicts
 KNOWN_NULL_ENTRIES = [{"rule.actions": "frequency.throttle"}]
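Review bot: The malformed id `7eb54028-ca72-4eb7-8185-b6864572347db` is now hard-coded twice — once inside the `UUID_PATTERN` alternation in the first hunk and once in the `KNOWN_BAD_RULE_IDS` Literal in the second — so the two bypass mechanisms can drift when either is edited or when the rule is finally deprecated. Because the alternation lives in `UUID_PATTERN` itself, every field validated with that pattern (not only `rule.id`) will accept this one non-UUID value; the NOTE comment should say so and carry a tracking reference, e.g. `# NOTE: stop gap — accepts one malformed id (13-hex last group) for ANY field validated with UUID_PATTERN; remove once the rule is deprecated (tracking: <ISSUE-PLACEHOLDER>)`. A single source of truth keeps the two in step: define the known-bad ids as a tuple above `UUID_PATTERN` (it must precede it, since `KNOWN_BAD_RULE_IDS` is defined ~45 lines later) and build the alternation from it, then have the Literal in the second hunk list the same tuple's members rather than a second copy of the string. The old `119c8877-…` id is only in the Literal and not in the regex, so it is worth a one-line comment stating which bypass covers which id, as the asymmetry looks accidental to a reader.
```python
# Malformed rule ids that pre-date the strict pattern; kept only until the rules are deprecated.
_KNOWN_BAD_UUIDS = ("7eb54028-ca72-4eb7-8185-b6864572347db",)
UUID_PATTERN = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
    + "".join(f"|^{re.escape(bad_id)}$" for bad_id in _KNOWN_BAD_UUIDS)
)
# … unchanged: _version, CONDITION_VERSION_PATTERN, VERSION_PATTERN …
```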
diff --git a/pyproject.toml b/pyproject.toml
index 034014cba..8c2979194 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.4.4"
+version = "1.4.5"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
@@ -25,7 +25,7 @@ dependencies = [
     "jsl==0.2.4",
     "jsonschema>=4.21.1",
     "marko==2.0.3",
-    "marshmallow-dataclass[union]==8.6.1",
+    "marshmallow-dataclass==8.7.1",
     "marshmallow-jsonschema~=0.13.0",
     "marshmallow-union~=0.1.15",
     "marshmallow~=3.26.1",