From f74c04d11a24a2d2952a92bd933f5c0c84fa2d3b Mon Sep 17 00:00:00 2001
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Date: Wed, 11 Feb 2026 15:02:23 -0500
Subject: [PATCH] [Bug] ESQL validation keep Clause Reported Missing Metadata Fields (#5717)

* Update Keep Field to Handle Comments

* Update for handling inline comments

Co-authored-by: Mika Ayenson, PhD

---------

Co-authored-by: Mika Ayenson, PhD
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 detection_rules/rule.py | 3 ++-
 pyproject.toml | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index 2239c9031..02713b5f8 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -1000,7 +1000,8 @@ class ESQLRuleData(QueryRuleData):
 # Ensure that keep clause includes metadata fields on non-aggregate queries
 aggregate_pattern = re.compile(r"\|\s*stats\b(?:\s+([^\|]+?))?(?:\s+by\s+([^\|]+))?", re.IGNORECASE | re.DOTALL)
 if not aggregate_pattern.search(query_lower):
- keep_fields = [field.strip() for field in keep_match.group(1).split(",")]
+ raw_keep = re.sub(r"//.*", "", keep_match.group(1))
+ keep_fields = [field.strip() for field in raw_keep.split(",") if field.strip()]
 if "*" not in keep_fields:
 required_metadata = {"_id", "_version", "_index"}
 if not required_metadata.issubset(set(map(str.strip, keep_fields))):
diff --git a/pyproject.toml b/pyproject.toml
index f04756285..b23c79650 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.42"
+version = "1.5.43"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
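Review bot: The comment stripping on the first added line in the rule.py hunk removes only `//` line comments, so an ES|QL block comment (`/* ... */`) placed inside the KEEP list is still split into pseudo-fields, and the metadata check would go on reporting `_id`/`_version`/`_index` as missing — the same false positive this patch fixes for `//`. If the validator is meant to tolerate comments in general, `raw_keep = re.sub(r"//[^\n]*|/\*.*?\*/", "", keep_match.group(1), flags=re.DOTALL)` covers both forms in one pass. The later `set(map(str.strip, keep_fields))` is now redundant, since the new comprehension already strips every entry. The enclosing method starts and ends outside the hunk, so how keep_match is built and whether its group can span lines cannot be confirmed from here.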