feat: ESQL query validation against Elastic cluster #4955


Draft
wants to merge 5 commits into base: main

Conversation

@traut (Contributor) commented Aug 1, 2025

Pull Request

Issue link(s):

Summary - What I changed

  • New unit test added that validates ESQL rules
  • The validation function collects all mappings necessary for the query, creates a temporary index, and validates the query against that index

How To Test

  • The unit tests expect to read cluster details either from a config file (for example .detection-rules-cfg.yml) or from environment variables
  • The code here was tested against a containerized Elastic cluster running locally, with a dedicated API key

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist
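The flow the summary describes (collect the mappings the query needs, create a temporary index, validate the query against it, tear the index down), as an added example that is not the PR's or the detection-rules project's code. The mapping helpers and the error parsing run offline; `validate_against_temp_index` assumes a client shaped like elasticsearch-py 8.x (`indices.create`, `esql.query`, `indices.delete`, and `BadRequestError` exposing the Elasticsearch error body as `.body`), the `rule-test-index-<millis>` naming seen in the log, and that the query's own `FROM` patterns are swapped for the temporary index before it runs. The CloudTrail mapping slice is constructed for the example.

```python
"""Added example, not code from this PR or from detection-rules: mapping
preparation, a throw-away index per rule, and ES|QL verification errors
turned into a result object.  The client shape is an assumption (see lead-in)."""
import re
import time
from dataclasses import dataclass, field
from typing import Any

# Constructed sample (not from the PR): a slice of what a CloudTrail index mapping looks like.
SAMPLE_PROPERTIES: dict[str, Any] = {
    "@timestamp": {"type": "date"},
    "aws": {"properties": {"cloudtrail": {"properties": {"user_identity": {"properties": {"arn": {"type": "keyword"}}}}}}},
    "source": {"properties": {"ip": {"type": "ip"}}},
}


def extract_index_patterns(query: str) -> list[str]:
    """Index patterns named by the FROM source command, METADATA clause dropped."""
    head = query.strip().split("|", 1)[0].strip()
    match = re.match(r"FROM\s+(.+)", head, re.IGNORECASE | re.DOTALL)
    if not match:
        raise ValueError("ES|QL query must start with a FROM source command")
    sources = re.split(r"\s+METADATA\b", match.group(1), flags=re.IGNORECASE)[0]
    return [s.strip().strip('"') for s in sources.split(",") if s.strip()]


def flatten_mapping(properties: dict[str, Any], prefix: str = "") -> dict[str, str]:
    """Nested `properties` -> {"aws.cloudtrail.user_identity.arn": "keyword", ...}."""
    flat: dict[str, str] = {}
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:
            flat.update(flatten_mapping(spec["properties"], path + "."))
        else:
            flat[path] = spec.get("type", "object")
    return flat


def merge_mappings(*sources: dict[str, str]) -> tuple[dict[str, str], dict[str, set[str]]]:
    """Union flat mappings; a field typed differently by two sources lands in `conflicts`."""
    merged: dict[str, str] = {}
    conflicts: dict[str, set[str]] = {}
    for source in sources:
        for path, ftype in source.items():
            if path in merged and merged[path] != ftype:
                conflicts.setdefault(path, {merged[path]}).add(ftype)
            merged.setdefault(path, ftype)  # first source wins; the conflict is reported, not hidden
    return merged, conflicts


def unflatten_mapping(flat: dict[str, str]) -> dict[str, Any]:
    """Inverse of flatten_mapping: the `properties` body handed to indices.create."""
    props: dict[str, Any] = {}
    for path, ftype in flat.items():
        node = props
        *parents, leaf = path.split(".")
        for part in parents:
            child = node.setdefault(part, {})
            if "type" in child:  # e.g. "user" and "user.name" both as leaves: Elasticsearch rejects that
                raise ValueError(f"{path}: {part} is already a leaf field")
            node = child.setdefault("properties", {})
        node[leaf] = {"type": ftype}
    return props


def parse_verification_reason(reason: str) -> list[tuple[int, int, str]]:
    """'Found 2 problems\\nline 4:9: Unknown column [a]\\n...' -> [(4, 9, 'Unknown column [a]'), ...]."""
    return [(int(ln), int(col), msg.strip()) for ln, col, msg in re.findall(r"line (\d+):(\d+): (.+)", reason)]


@dataclass
class ValidationResult:
    index: str
    columns: list[dict[str, str]] = field(default_factory=list)
    problems: list[tuple[int, int, str]] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def validate_against_temp_index(client: Any, query: str, flat_mapping: dict[str, str], prefix: str = "rule-test-index-") -> ValidationResult:
    """Create an empty index with `flat_mapping`, run the query against it, always delete it.
    A verification_exception (ES|QL analysis error, HTTP 400) becomes `problems`; anything else propagates."""
    index = f"{prefix}{int(time.time() * 1000)}"
    head, _, rest = query.strip().partition("|")
    parts = re.split(r"\s+METADATA\b", head, flags=re.IGNORECASE)
    from_clause = f"FROM {index}" + (f" METADATA{parts[1].rstrip()}" if len(parts) > 1 else "")
    rewritten = from_clause + (f" | {rest.strip()}" if rest else "")
    client.indices.create(index=index, mappings={"properties": unflatten_mapping(flat_mapping)})
    try:
        response = client.esql.query(query=rewritten)
        return ValidationResult(index=index, columns=list(response["columns"]))
    except Exception as exc:
        body = getattr(exc, "body", None)  # elasticsearch.BadRequestError carries the ES error body here
        error = body.get("error", {}) if isinstance(body, dict) else {}
        if error.get("type") != "verification_exception":
            raise
        return ValidationResult(index=index, problems=parse_verification_reason(error.get("reason", "")))
    finally:
        client.indices.delete(index=index)
```

The conflict report from `merge_mappings` matters because the test index can carry only one type per field: two integrations that type the same path differently would otherwise be merged silently, and the rule would be validated against whichever type happened to come last. The `finally` is the other point to keep: a verification failure is the normal path here, and the temporary index must disappear on that path as well as on success.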

@@ -1432,15 +1432,14 @@ def get_packaged_integrations(
# if both exist, rule tags are only used if defined in definitions for non-dataset packages
# of machine learning analytic packages

rule_integrations = meta.get("integration", [])
if rule_integrations:
for integration in rule_integrations:
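Review bot: with the `if rule_integrations:` guard gone (the hunk shrinks from 15 to 14 lines), the `for` must never receive `None`, and `meta.get("integration", [])` does not guarantee that: the default only applies when the key is absent, so a rule whose metadata spells out an empty `integration` value would still yield `None` and the loop would raise `TypeError`. `meta.get("integration") or []`, the form described in the comment on this hunk, covers both cases and is the version to keep; a unit test with the key present but empty, next to the absent-key case, would pin that down.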
@traut (Contributor Author):

Simple style fix, replacing the if condition with a more robust default-value condition via

rule_integrations = meta.get("integration") or []

@@ -1754,7 +1753,7 @@ def parse_datasets(datasets: list[str], package_manifest: dict[str, Any]) -> lis
else:
package = value

if package in list(package_manifest):
if package in package_manifest:
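Review bot: `package in package_manifest` tests membership on the dict keys, the same set `list(package_manifest)` materialised, so the change is behaviour-preserving and saves a list copy on every call. The equivalence rests on `package_manifest` actually being the `dict[str, Any]` declared in the signature on the `@@` line, which holds here; nothing else in the hunk needs to change.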
@traut (Contributor Author):

Small style fix.


log(f"Got query columns: {', '.join(query_column_names)}")

# FIXME: validate the dynamic columns
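Review bot: the `FIXME` means the result shape is logged but never checked, so a rule passes as soon as the cluster accepts the query. Each name in `query_column_names` should resolve either to a field of the mapping the test index was built from or to a column the query itself introduces (STATS/EVAL aliases such as `hosts`, `region_count` and `time_window` in the test log), and anything else should be reported as a failure rather than only logged; right after this `log(...)` call is the natural place, returning the unexplained names so the test can assert on them.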
@traut (Contributor Author):

The columns returned from the cluster must be validated against the input mapping, and the dynamic fields checked for validity.
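One way to close the check the comment above asks for, as an added example rather than the PR's code: every column the cluster returns must be either a mapped field or a column the query introduces. The alias extraction is a regular-expression pass over the query text (EVAL/STATS/BY/WITH aliases and RENAME targets; DISSECT and GROK outputs are not handled), and the mapping, query and result columns are constructed for the example, with names taken from the PR's log.

```python
"""Added example, not the PR's code: classify the `columns` of an ES|QL response
against the mapping the temporary index was built from and the query text."""
import re
from dataclasses import dataclass, field

# Names a query creates itself: `EVAL x = ...`, `STATS x = ...`, `BY x = BUCKET(...)`,
# a further `, y = ...` in the same command, `ENRICH ... WITH x = ...`, and `RENAME a AS x`.
_ALIAS_RE = re.compile(r"(?:\bEVAL\b|\bSTATS\b|\bBY\b|\bWITH\b|,)\s*([A-Za-z_@][\w.@]*)\s*=(?!=)", re.IGNORECASE)
_RENAME_RE = re.compile(r"\bAS\s+([A-Za-z_@][\w.@]*)", re.IGNORECASE)


def query_defined_columns(query: str) -> set[str]:
    """Column names the query introduces on its own (DISSECT/GROK pattern outputs are not parsed)."""
    return set(_ALIAS_RE.findall(query)) | set(_RENAME_RE.findall(query))


@dataclass
class ColumnCheck:
    mapped: list[str] = field(default_factory=list)       # present in the index mapping
    derived: list[str] = field(default_factory=list)      # created by the query (alias or bare aggregate)
    unexplained: list[str] = field(default_factory=list)  # neither: the rule should fail validation

    @property
    def ok(self) -> bool:
        return not self.unexplained


def check_result_columns(columns: list[dict[str, str]], flat_mapping: dict[str, str], query: str) -> ColumnCheck:
    """Assign every returned column to mapped / derived / unexplained."""
    defined = query_defined_columns(query)
    result = ColumnCheck()
    for column in columns:
        name = column["name"]
        if name in flat_mapping:
            result.mapped.append(name)
        elif name in defined or "(" in name:  # `STATS COUNT(*) BY ...` yields a column literally named COUNT(*)
            result.derived.append(name)
        else:
            result.unexplained.append(name)
    return result


# Constructed inputs (not from the PR): a mapping slice, a query in the style of the
# endpoint alert rules, and the columns such a query returns.
SAMPLE_MAPPING = {"@timestamp": "date", "host.id": "keyword", "rule.name": "keyword", "event.code": "keyword"}
SAMPLE_QUERY = """FROM logs-endpoint.alerts-*
| WHERE event.code == "malicious_file"
| STATS hosts = COUNT_DISTINCT(host.id) BY rule.name, event.code
| WHERE hosts > 5"""
SAMPLE_COLUMNS = [{"name": "hosts", "type": "long"}, {"name": "rule.name", "type": "keyword"}, {"name": "event.code", "type": "keyword"}]
```

Run against the constructed inputs, `hosts` is classified as derived (it is the STATS alias) and `rule.name` and `event.code` as mapped; a column such as `kibana.alert.rule.name` that is neither in the mapping nor defined by the query ends up in `unexplained`, which is the signal the test should fail on. Comparing the returned `type` against the mapping type is deliberately left out: ES|QL widens some types (a `float` field comes back as `double`), so a naive equality check would produce false failures.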

@traut (Contributor Author) commented Aug 2, 2025

At the moment (before any field validation) the test marks 33 rules out of 75 as invalid.

The tests were executed against a vanilla local 9.0.1 stack from elastic-container, with a single change: a custom API key created.

The many errors are most probably because of bugs in the code, so I expect the number of invalid rules to go down after those are fixed.

Full log:
$ pytest tests/test_rules_remote.py -s -vvvvv
========================================================================================================= test session starts =========================================================================================================
platform darwin -- Python 3.12.11, pytest-8.3.5, pluggy-1.5.0 -- /Users/traut/.envs/detection-rules/bin/python3.12
cachedir: .pytest_cache
rootdir: /Users/traut/Work/detection-rules
configfile: pyproject.toml
plugins: anyio-4.9.0, typeguard-3.0.2
collecting ... Loaded config file: /Users/traut/Work/detection-rules/.detection-rules-cfg.yml
collected 1 item

tests/test_rules_remote.py::TestRemoteRules::test_esql_rules ESQL rules loaded: 75

28371aa1-14ed-46cf-ab5b-2fc7d1942278: Validating against 9.0.1 stack
28371aa1-14ed-46cf-ab5b-2fc7d1942278: Extracted indices from query: logs-endpoint.alerts-*
28371aa1-14ed-46cf-ab5b-2fc7d1942278: Collected mappings: 28
28371aa1-14ed-46cf-ab5b-2fc7d1942278: No integrations found in the rule
28371aa1-14ed-46cf-ab5b-2fc7d1942278: Integration mappings prepared: 0
28371aa1-14ed-46cf-ab5b-2fc7d1942278: Index `rule-test-index-1754093978903` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093978903'}
28371aa1-14ed-46cf-ab5b-2fc7d1942278: Executing a query against `rule-test-index-1754093978903`
28371aa1-14ed-46cf-ab5b-2fc7d1942278: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'hosts', 'type': 'long'}, {'name': 'rule.name', 'type': 'keyword'}, {'name': 'event.code', 'type': 'keyword'}], 'values': []}
28371aa1-14ed-46cf-ab5b-2fc7d1942278: Test index `rule-test-index-1754093978903` deleted: {'acknowledged': True}
28371aa1-14ed-46cf-ab5b-2fc7d1942278: Got query columns: hosts, rule.name, event.code

f0cc239b-67fa-46fc-89d4-f861753a40f5: Validating against 9.0.1 stack
f0cc239b-67fa-46fc-89d4-f861753a40f5: Extracted indices from query: logs-*, .alerts-security.*
f0cc239b-67fa-46fc-89d4-f861753a40f5: Collected mappings: 0
f0cc239b-67fa-46fc-89d4-f861753a40f5: Working with rule integrations: azure, o365
f0cc239b-67fa-46fc-89d4-f861753a40f5: Integration mappings prepared: 53
f0cc239b-67fa-46fc-89d4-f861753a40f5: Index `rule-test-index-1754093978998` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093978998'}
f0cc239b-67fa-46fc-89d4-f861753a40f5: Executing a query against `rule-test-index-1754093978998`
f0cc239b-67fa-46fc-89d4-f861753a40f5: Test index `rule-test-index-1754093978998` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 5:98: Unknown column [kibana.alert.rule.name]')

393ef120-63d1-11ef-8e38-f661ea17fbce: Validating against 9.0.1 stack
393ef120-63d1-11ef-8e38-f661ea17fbce: Extracted indices from query: logs-aws.cloudtrail-*
393ef120-63d1-11ef-8e38-f661ea17fbce: Collected mappings: 2
393ef120-63d1-11ef-8e38-f661ea17fbce: Working with rule integrations: aws
393ef120-63d1-11ef-8e38-f661ea17fbce: Integration mappings prepared: 53
393ef120-63d1-11ef-8e38-f661ea17fbce: Index `rule-test-index-1754093979084` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093979084'}
393ef120-63d1-11ef-8e38-f661ea17fbce: Executing a query against `rule-test-index-1754093979084`
393ef120-63d1-11ef-8e38-f661ea17fbce: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'region_count', 'type': 'long'}, {'name': 'window_count', 'type': 'long'}, {'name': 'target_time_window', 'type': 'date'}, {'name': 'aws.cloudtrail.user_identity.arn', 'type': 'keyword'}], 'values': []}
393ef120-63d1-11ef-8e38-f661ea17fbce: Test index `rule-test-index-1754093979084` deleted: {'acknowledged': True}
393ef120-63d1-11ef-8e38-f661ea17fbce: Got query columns: region_count, window_count, target_time_window, aws.cloudtrail.user_identity.arn

74f45152-9aee-11ef-b0a5-f661ea17fbcd: Validating against 9.0.1 stack
74f45152-9aee-11ef-b0a5-f661ea17fbcd: Extracted indices from query: logs-aws.cloudtrail*
74f45152-9aee-11ef-b0a5-f661ea17fbcd: Collected mappings: 0
74f45152-9aee-11ef-b0a5-f661ea17fbcd: Working with rule integrations: aws
74f45152-9aee-11ef-b0a5-f661ea17fbcd: Integration mappings prepared: 53
74f45152-9aee-11ef-b0a5-f661ea17fbcd: Index `rule-test-index-1754093979181` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093979181'}
74f45152-9aee-11ef-b0a5-f661ea17fbcd: Executing a query against `rule-test-index-1754093979181`
74f45152-9aee-11ef-b0a5-f661ea17fbcd: Got query response: {'took': 4, 'is_partial': False, 'columns': [{'name': 'unique_api_count', 'type': 'long'}, {'name': 'time_window', 'type': 'date'}, {'name': 'aws.cloudtrail.user_identity.arn', 'type': 'keyword'}], 'values': []}
74f45152-9aee-11ef-b0a5-f661ea17fbcd: Test index `rule-test-index-1754093979181` deleted: {'acknowledged': True}
74f45152-9aee-11ef-b0a5-f661ea17fbcd: Got query columns: unique_api_count, time_window, aws.cloudtrail.user_identity.arn

19be0164-63d2-11ef-8e38-f661ea17fbce: Validating against 9.0.1 stack
19be0164-63d2-11ef-8e38-f661ea17fbce: Extracted indices from query: logs-aws.cloudtrail-*
19be0164-63d2-11ef-8e38-f661ea17fbce: Collected mappings: 2
19be0164-63d2-11ef-8e38-f661ea17fbce: No integrations found in the rule
19be0164-63d2-11ef-8e38-f661ea17fbce: Integration mappings prepared: 0
19be0164-63d2-11ef-8e38-f661ea17fbce: Index `rule-test-index-1754093979270` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093979270'}
19be0164-63d2-11ef-8e38-f661ea17fbce: Executing a query against `rule-test-index-1754093979270`
19be0164-63d2-11ef-8e38-f661ea17fbce: Test index `rule-test-index-1754093979270` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 3 problems\nline 4:9: Unknown column [event.dataset]\nline 4:47: Unknown column [event.provider]\nline 4:99: Unknown column [event.action]')

4182e486-fc61-11ee-a05d-f661ea17fbce: Validating against 9.0.1 stack
4182e486-fc61-11ee-a05d-f661ea17fbce: Extracted indices from query: logs-aws.cloudtrail-*
4182e486-fc61-11ee-a05d-f661ea17fbce: Collected mappings: 2
4182e486-fc61-11ee-a05d-f661ea17fbce: Working with rule integrations: aws
4182e486-fc61-11ee-a05d-f661ea17fbce: Integration mappings prepared: 53
4182e486-fc61-11ee-a05d-f661ea17fbce: Index `rule-test-index-1754093979345` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093979345'}
4182e486-fc61-11ee-a05d-f661ea17fbce: Executing a query against `rule-test-index-1754093979345`
4182e486-fc61-11ee-a05d-f661ea17fbce: Got query response: {'took': 2, 'is_partial': False, 'columns': [{'name': '@timestamp', 'type': 'date'}, {'name': 'aws.cloudtrail.user_identity.arn', 'type': 'keyword'}, {'name': 'cloud.account.id', 'type': 'keyword'}, {'name': 'event.action', 'type': 'keyword'}, {'name': 'snapshotId', 'type': 'keyword'}, {'name': 'attributeType', 'type': 'keyword'}, {'name': 'operationType', 'type': 'keyword'}, {'name': 'userId', 'type': 'keyword'}, {'name': 'source.address', 'type': 'keyword'}], 'values': []}
4182e486-fc61-11ee-a05d-f661ea17fbce: Test index `rule-test-index-1754093979345` deleted: {'acknowledged': True}
4182e486-fc61-11ee-a05d-f661ea17fbce: Got query columns: @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId, source.address

5f0234fd-7f21-42af-8391-511d5fd11d5c: Validating against 9.0.1 stack
5f0234fd-7f21-42af-8391-511d5fd11d5c: Extracted indices from query: logs-aws.cloudtrail*
5f0234fd-7f21-42af-8391-511d5fd11d5c: Collected mappings: 0
5f0234fd-7f21-42af-8391-511d5fd11d5c: No integrations found in the rule
5f0234fd-7f21-42af-8391-511d5fd11d5c: Integration mappings prepared: 0
5f0234fd-7f21-42af-8391-511d5fd11d5c: ERROR: no mappings found for the rule
FAILURE: No mappings found

713e0f5f-caf7-4dc2-88a7-3561f61f262a: Validating against 9.0.1 stack
713e0f5f-caf7-4dc2-88a7-3561f61f262a: Extracted indices from query: logs-aws.cloudtrail-*
713e0f5f-caf7-4dc2-88a7-3561f61f262a: Collected mappings: 2
713e0f5f-caf7-4dc2-88a7-3561f61f262a: Working with rule integrations: aws
713e0f5f-caf7-4dc2-88a7-3561f61f262a: Integration mappings prepared: 53
713e0f5f-caf7-4dc2-88a7-3561f61f262a: Index `rule-test-index-1754093979460` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093979460'}
713e0f5f-caf7-4dc2-88a7-3561f61f262a: Executing a query against `rule-test-index-1754093979460`
713e0f5f-caf7-4dc2-88a7-3561f61f262a: Got query response: {'took': 2, 'is_partial': False, 'columns': [{'name': '@timestamp', 'type': 'date'}, {'name': 'aws.cloudtrail.user_identity.arn', 'type': 'keyword'}, {'name': 'cloud.account.id', 'type': 'keyword'}, {'name': 'event.action', 'type': 'keyword'}, {'name': 'snapshotId', 'type': 'keyword'}, {'name': 'attributeType', 'type': 'keyword'}, {'name': 'operationType', 'type': 'keyword'}, {'name': 'userId', 'type': 'keyword'}, {'name': 'source.address', 'type': 'keyword'}], 'values': []}
713e0f5f-caf7-4dc2-88a7-3561f61f262a: Test index `rule-test-index-1754093979460` deleted: {'acknowledged': True}
713e0f5f-caf7-4dc2-88a7-3561f61f262a: Got query columns: @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId, source.address

7fda9bb2-fd28-11ee-85f9-f661ea17fbce: Validating against 9.0.1 stack
7fda9bb2-fd28-11ee-85f9-f661ea17fbce: Extracted indices from query: logs-aws.cloudtrail-*
7fda9bb2-fd28-11ee-85f9-f661ea17fbce: Collected mappings: 2
7fda9bb2-fd28-11ee-85f9-f661ea17fbce: Working with rule integrations: aws
7fda9bb2-fd28-11ee-85f9-f661ea17fbce: Integration mappings prepared: 53
7fda9bb2-fd28-11ee-85f9-f661ea17fbce: Index `rule-test-index-1754093979566` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093979566'}
7fda9bb2-fd28-11ee-85f9-f661ea17fbce: Executing a query against `rule-test-index-1754093979566`
7fda9bb2-fd28-11ee-85f9-f661ea17fbce: Got query response: {'took': 6, 'is_partial': False, 'columns': [{'name': 'note_upload_count', 'type': 'long'}, {'name': 'tls.client.server_name', 'type': 'keyword'}, {'name': 'aws.cloudtrail.user_identity.arn', 'type': 'keyword'}, {'name': 'object_name', 'type': 'keyword'}], 'values': []}
7fda9bb2-fd28-11ee-85f9-f661ea17fbce: Test index `rule-test-index-1754093979566` deleted: {'acknowledged': True}
7fda9bb2-fd28-11ee-85f9-f661ea17fbce: Got query columns: note_upload_count, tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name

ab8f074c-5565-4bc4-991c-d49770e19fc9: Validating against 9.0.1 stack
ab8f074c-5565-4bc4-991c-d49770e19fc9: Extracted indices from query: logs-aws.cloudtrail-*
ab8f074c-5565-4bc4-991c-d49770e19fc9: Collected mappings: 2
ab8f074c-5565-4bc4-991c-d49770e19fc9: Working with rule integrations: aws
ab8f074c-5565-4bc4-991c-d49770e19fc9: Integration mappings prepared: 53
ab8f074c-5565-4bc4-991c-d49770e19fc9: Index `rule-test-index-1754093979677` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093979677'}
ab8f074c-5565-4bc4-991c-d49770e19fc9: Executing a query against `rule-test-index-1754093979677`
ab8f074c-5565-4bc4-991c-d49770e19fc9: Got query response: {'took': 2, 'is_partial': False, 'columns': [{'name': '@timestamp', 'type': 'date'}, {'name': 'aws.cloudtrail.user_identity.arn', 'type': 'keyword'}, {'name': 'cloud.account.id', 'type': 'keyword'}, {'name': 'event.action', 'type': 'keyword'}, {'name': 'target.bucketName', 'type': 'keyword'}, {'name': 'key.account.id', 'type': 'keyword'}, {'name': 'keyId', 'type': 'keyword'}, {'name': 'target.objectName', 'type': 'keyword'}], 'values': []}
ab8f074c-5565-4bc4-991c-d49770e19fc9: Test index `rule-test-index-1754093979677` deleted: {'acknowledged': True}
ab8f074c-5565-4bc4-991c-d49770e19fc9: Got query columns: @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, target.bucketName, key.account.id, keyId, target.objectName

16acac42-b2f9-4802-9290-d6c30914db6e: Validating against 9.0.1 stack
16acac42-b2f9-4802-9290-d6c30914db6e: Extracted indices from query: logs-aws.cloudtrail*
16acac42-b2f9-4802-9290-d6c30914db6e: Collected mappings: 0
16acac42-b2f9-4802-9290-d6c30914db6e: Working with rule integrations: aws
16acac42-b2f9-4802-9290-d6c30914db6e: Integration mappings prepared: 53
16acac42-b2f9-4802-9290-d6c30914db6e: Index `rule-test-index-1754093979780` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093979780'}
16acac42-b2f9-4802-9290-d6c30914db6e: Executing a query against `rule-test-index-1754093979780`
16acac42-b2f9-4802-9290-d6c30914db6e: Got query response: {'took': 4, 'is_partial': False, 'columns': [{'name': 'aws.cloudtrail.user_identity.arn', 'type': 'keyword'}, {'name': 'aws.cloudtrail.user_identity.access_key_id', 'type': 'keyword'}, {'name': 'aws.cloudtrail.user_identity.type', 'type': 'keyword'}, {'name': 'aws.cloudtrail.request_parameters', 'type': 'keyword'}, {'name': 'bucket.name', 'type': 'keyword'}, {'name': 'bucket.object', 'type': 'keyword'}, {'name': 'user_agent.original', 'type': 'keyword'}, {'name': 'source.ip', 'type': 'ip'}, {'name': 'event.action', 'type': 'keyword'}, {'name': '@timestamp', 'type': 'date'}], 'values': []}
16acac42-b2f9-4802-9290-d6c30914db6e: Test index `rule-test-index-1754093979780` deleted: {'acknowledged': True}
16acac42-b2f9-4802-9290-d6c30914db6e: Got query columns: aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, aws.cloudtrail.user_identity.type, aws.cloudtrail.request_parameters, bucket.name, bucket.object, user_agent.original, source.ip, event.action, @timestamp

0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0: Validating against 9.0.1 stack
0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0: Extracted indices from query: logs-aws.cloudtrail*
0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0: Collected mappings: 0
0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0: Working with rule integrations: aws
0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0: Integration mappings prepared: 53
0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0: Index `rule-test-index-1754093979932` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093979932'}
0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0: Executing a query against `rule-test-index-1754093979932`
0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0: Got query response: {'took': 4, 'is_partial': False, 'columns': [{'name': 'time_window', 'type': 'date'}, {'name': 'activity_type', 'type': 'keyword'}, {'name': 'fidelity_score', 'type': 'keyword'}, {'name': 'total_events', 'type': 'long'}, {'name': 'first_seen', 'type': 'date'}, {'name': 'last_seen', 'type': 'date'}, {'name': 'user_id', 'type': 'keyword'}, {'name': 'access_key_id', 'type': 'keyword'}, {'name': 'event_actions', 'type': 'keyword'}, {'name': 'event_providers', 'type': 'keyword'}, {'name': 'ip_list', 'type': 'ip'}, {'name': 'user_agent_list', 'type': 'keyword'}, {'name': 'ip_user_agent_pairs', 'type': 'keyword'}, {'name': 'cities_list', 'type': 'keyword'}, {'name': 'ip_city_pairs', 'type': 'keyword'}, {'name': 'networks_list', 'type': 'keyword'}, {'name': 'unique_ips', 'type': 'long'}, {'name': 'unique_user_agents', 'type': 'long'}, {'name': 'unique_cities', 'type': 'long'}, {'name': 'unique_networks', 'type': 'long'}], 'values': []}
0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0: Test index `rule-test-index-1754093979932` deleted: {'acknowledged': True}
0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0: Got query columns: time_window, activity_type, fidelity_score, total_events, first_seen, last_seen, user_id, access_key_id, event_actions, event_providers, ip_list, user_agent_list, ip_user_agent_pairs, cities_list, ip_city_pairs, networks_list, unique_ips, unique_user_agents, unique_cities, unique_networks

1f45720e-5ea8-11ef-90d2-f661ea17fbce: Validating against 9.0.1 stack
1f45720e-5ea8-11ef-90d2-f661ea17fbce: Extracted indices from query: logs-aws.cloudtrail-*
1f45720e-5ea8-11ef-90d2-f661ea17fbce: Collected mappings: 2
1f45720e-5ea8-11ef-90d2-f661ea17fbce: Working with rule integrations: aws
1f45720e-5ea8-11ef-90d2-f661ea17fbce: Integration mappings prepared: 53
1f45720e-5ea8-11ef-90d2-f661ea17fbce: Index `rule-test-index-1754093980040` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093980040'}
1f45720e-5ea8-11ef-90d2-f661ea17fbce: Executing a query against `rule-test-index-1754093980040`
1f45720e-5ea8-11ef-90d2-f661ea17fbce: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': '@timestamp', 'type': 'date'}, {'name': 'event.action', 'type': 'keyword'}, {'name': 'aws.cloudtrail.event_type', 'type': 'keyword'}, {'name': 'aws.cloudtrail.user_identity.type', 'type': 'keyword'}], 'values': []}
1f45720e-5ea8-11ef-90d2-f661ea17fbce: Test index `rule-test-index-1754093980040` deleted: {'acknowledged': True}
1f45720e-5ea8-11ef-90d2-f661ea17fbce: Got query columns: @timestamp, event.action, aws.cloudtrail.event_type, aws.cloudtrail.user_identity.type

c04be7e0-b0fc-11ef-a826-f661ea17fbce: Validating against 9.0.1 stack
c04be7e0-b0fc-11ef-a826-f661ea17fbce: Extracted indices from query: logs-aws.cloudtrail*
c04be7e0-b0fc-11ef-a826-f661ea17fbce: Collected mappings: 0
c04be7e0-b0fc-11ef-a826-f661ea17fbce: Working with rule integrations: aws
c04be7e0-b0fc-11ef-a826-f661ea17fbce: Integration mappings prepared: 53
c04be7e0-b0fc-11ef-a826-f661ea17fbce: Index `rule-test-index-1754093980134` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093980134'}
c04be7e0-b0fc-11ef-a826-f661ea17fbce: Executing a query against `rule-test-index-1754093980134`
c04be7e0-b0fc-11ef-a826-f661ea17fbce: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': '@timestamp', 'type': 'date'}, {'name': 'aws.cloudtrail.request_parameters', 'type': 'keyword'}, {'name': 'aws.cloudtrail.response_elements', 'type': 'keyword'}, {'name': 'aws.cloudtrail.user_identity.type', 'type': 'keyword'}, {'name': 'aws.cloudtrail.user_identity.arn', 'type': 'keyword'}, {'name': 'aws.cloudtrail.user_identity.access_key_id', 'type': 'keyword'}, {'name': 'cloud.account.id', 'type': 'keyword'}, {'name': 'event.action', 'type': 'keyword'}, {'name': 'source.address', 'type': 'keyword'}], 'values': []}
c04be7e0-b0fc-11ef-a826-f661ea17fbce: Test index `rule-test-index-1754093980134` deleted: {'acknowledged': True}
c04be7e0-b0fc-11ef-a826-f661ea17fbce: Got query columns: @timestamp, aws.cloudtrail.request_parameters, aws.cloudtrail.response_elements, aws.cloudtrail.user_identity.type, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, cloud.account.id, event.action, source.address

696015ef-718e-40ff-ac4a-cc2ba88dbeeb: Validating against 9.0.1 stack
696015ef-718e-40ff-ac4a-cc2ba88dbeeb: Extracted indices from query: logs-aws.cloudtrail-*
696015ef-718e-40ff-ac4a-cc2ba88dbeeb: Collected mappings: 2
696015ef-718e-40ff-ac4a-cc2ba88dbeeb: Working with rule integrations: aws
696015ef-718e-40ff-ac4a-cc2ba88dbeeb: Integration mappings prepared: 53
696015ef-718e-40ff-ac4a-cc2ba88dbeeb: Index `rule-test-index-1754093980234` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093980234'}
696015ef-718e-40ff-ac4a-cc2ba88dbeeb: Executing a query against `rule-test-index-1754093980234`
696015ef-718e-40ff-ac4a-cc2ba88dbeeb: Got query response: {'took': 2, 'is_partial': False, 'columns': [{'name': '@timestamp', 'type': 'date'}, {'name': 'cloud.region', 'type': 'keyword'}, {'name': 'event.provider', 'type': 'keyword'}, {'name': 'event.action', 'type': 'keyword'}, {'name': 'event.outcome', 'type': 'keyword'}, {'name': 'user.name', 'type': 'keyword'}, {'name': 'source.address', 'type': 'keyword'}, {'name': 'user.target.name', 'type': 'keyword'}, {'name': 'user_agent.original', 'type': 'keyword'}, {'name': 'aws.cloudtrail.request_parameters', 'type': 'keyword'}, {'name': 'aws.cloudtrail.response_elements', 'type': 'keyword'}, {'name': 'aws.cloudtrail.user_identity.arn', 'type': 'keyword'}, {'name': 'aws.cloudtrail.user_identity.type', 'type': 'keyword'}], 'values': []}
696015ef-718e-40ff-ac4a-cc2ba88dbeeb: Test index `rule-test-index-1754093980234` deleted: {'acknowledged': True}
696015ef-718e-40ff-ac4a-cc2ba88dbeeb: Got query columns: @timestamp, cloud.region, event.provider, event.action, event.outcome, user.name, source.address, user.target.name, user_agent.original, aws.cloudtrail.request_parameters, aws.cloudtrail.response_elements, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.type

df919b5e-a0f6-4fd8-8598-e3ce79299e3b: Validating against 9.0.1 stack
df919b5e-a0f6-4fd8-8598-e3ce79299e3b: Extracted indices from query: logs-aws.cloudtrail-*
df919b5e-a0f6-4fd8-8598-e3ce79299e3b: Collected mappings: 2
df919b5e-a0f6-4fd8-8598-e3ce79299e3b: Working with rule integrations: aws
df919b5e-a0f6-4fd8-8598-e3ce79299e3b: Integration mappings prepared: 53
df919b5e-a0f6-4fd8-8598-e3ce79299e3b: Index `rule-test-index-1754093980343` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093980343'}
df919b5e-a0f6-4fd8-8598-e3ce79299e3b: Executing a query against `rule-test-index-1754093980343`
df919b5e-a0f6-4fd8-8598-e3ce79299e3b: Got query response: {'took': 2, 'is_partial': False, 'columns': [{'name': '@timestamp', 'type': 'date'}, {'name': 'event.provider', 'type': 'keyword'}, {'name': 'event.action', 'type': 'keyword'}, {'name': 'event.outcome', 'type': 'keyword'}, {'name': 'policyName', 'type': 'keyword'}, {'name': 'group.name', 'type': 'keyword'}], 'values': []}
df919b5e-a0f6-4fd8-8598-e3ce79299e3b: Test index `rule-test-index-1754093980343` deleted: {'acknowledged': True}
df919b5e-a0f6-4fd8-8598-e3ce79299e3b: Got query columns: @timestamp, event.provider, event.action, event.outcome, policyName, group.name

dde13d58-bc39-4aa0-87fd-b4bdbf4591da: Validating against 9.0.1 stack
dde13d58-bc39-4aa0-87fd-b4bdbf4591da: Extracted indices from query: logs-aws.cloudtrail-*
dde13d58-bc39-4aa0-87fd-b4bdbf4591da: Collected mappings: 2
dde13d58-bc39-4aa0-87fd-b4bdbf4591da: Working with rule integrations: aws
dde13d58-bc39-4aa0-87fd-b4bdbf4591da: Integration mappings prepared: 53
dde13d58-bc39-4aa0-87fd-b4bdbf4591da: Index `rule-test-index-1754093980453` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093980453'}
dde13d58-bc39-4aa0-87fd-b4bdbf4591da: Executing a query against `rule-test-index-1754093980453`
dde13d58-bc39-4aa0-87fd-b4bdbf4591da: Got query response: {'took': 2, 'is_partial': False, 'columns': [{'name': '@timestamp', 'type': 'date'}, {'name': 'event.provider', 'type': 'keyword'}, {'name': 'event.action', 'type': 'keyword'}, {'name': 'event.outcome', 'type': 'keyword'}, {'name': 'policyName', 'type': 'keyword'}, {'name': 'role.name', 'type': 'keyword'}], 'values': []}
dde13d58-bc39-4aa0-87fd-b4bdbf4591da: Test index `rule-test-index-1754093980453` deleted: {'acknowledged': True}
dde13d58-bc39-4aa0-87fd-b4bdbf4591da: Got query columns: @timestamp, event.provider, event.action, event.outcome, policyName, role.name

9aa4be8d-5828-417d-9f54-7cd304571b24: Validating against 9.0.1 stack
9aa4be8d-5828-417d-9f54-7cd304571b24: Extracted indices from query: logs-aws.cloudtrail-*
9aa4be8d-5828-417d-9f54-7cd304571b24: Collected mappings: 2
9aa4be8d-5828-417d-9f54-7cd304571b24: Working with rule integrations: aws
9aa4be8d-5828-417d-9f54-7cd304571b24: Integration mappings prepared: 53
9aa4be8d-5828-417d-9f54-7cd304571b24: Index `rule-test-index-1754093980582` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093980582'}
9aa4be8d-5828-417d-9f54-7cd304571b24: Executing a query against `rule-test-index-1754093980582`
9aa4be8d-5828-417d-9f54-7cd304571b24: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': '@timestamp', 'type': 'date'}, {'name': 'cloud.region', 'type': 'keyword'}, {'name': 'event.provider', 'type': 'keyword'}, {'name': 'event.action', 'type': 'keyword'}, {'name': 'event.outcome', 'type': 'keyword'}, {'name': 'policyName', 'type': 'keyword'}, {'name': 'target.userName', 'type': 'keyword'}, {'name': 'aws.cloudtrail.request_parameters', 'type': 'keyword'}, {'name': 'aws.cloudtrail.user_identity.arn', 'type': 'keyword'}, {'name': 'related.user', 'type': 'keyword'}, {'name': 'user_agent.original', 'type': 'keyword'}, {'name': 'user.name', 'type': 'keyword'}, {'name': 'source.address', 'type': 'keyword'}], 'values': []}
9aa4be8d-5828-417d-9f54-7cd304571b24: Test index `rule-test-index-1754093980582` deleted: {'acknowledged': True}
9aa4be8d-5828-417d-9f54-7cd304571b24: Got query columns: @timestamp, cloud.region, event.provider, event.action, event.outcome, policyName, target.userName, aws.cloudtrail.request_parameters, aws.cloudtrail.user_identity.arn, related.user, user_agent.original, user.name, source.address

ba5a0b0c-b477-4729-a3dc-0147c2049cf1: Validating against 9.0.1 stack
ba5a0b0c-b477-4729-a3dc-0147c2049cf1: Extracted indices from query: logs-aws.cloudtrail-*
ba5a0b0c-b477-4729-a3dc-0147c2049cf1: Collected mappings: 2
ba5a0b0c-b477-4729-a3dc-0147c2049cf1: Working with rule integrations: aws
ba5a0b0c-b477-4729-a3dc-0147c2049cf1: Integration mappings prepared: 53
ba5a0b0c-b477-4729-a3dc-0147c2049cf1: Index `rule-test-index-1754093980687` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093980687'}
ba5a0b0c-b477-4729-a3dc-0147c2049cf1: Executing a query against `rule-test-index-1754093980687`
ba5a0b0c-b477-4729-a3dc-0147c2049cf1: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'aws.cloudtrail.user_identity.arn', 'type': 'keyword'}, {'name': 'cloud.region', 'type': 'keyword'}, {'name': 'aws.cloudtrail.resources.account_id', 'type': 'keyword'}, {'name': 'aws.cloudtrail.recipient_account_id', 'type': 'keyword'}, {'name': 'aws.cloudtrail.user_identity.access_key_id', 'type': 'keyword'}], 'values': []}
ba5a0b0c-b477-4729-a3dc-0147c2049cf1: Test index `rule-test-index-1754093980687` deleted: {'acknowledged': True}
ba5a0b0c-b477-4729-a3dc-0147c2049cf1: Got query columns: aws.cloudtrail.user_identity.arn, cloud.region, aws.cloudtrail.resources.account_id, aws.cloudtrail.recipient_account_id, aws.cloudtrail.user_identity.access_key_id

f2c653b7-7daf-4774-86f2-34cdbd1fc528: Validating against 9.0.1 stack
f2c653b7-7daf-4774-86f2-34cdbd1fc528: Extracted indices from query: logs-aws_bedrock.invocation-*
f2c653b7-7daf-4774-86f2-34cdbd1fc528: Collected mappings: 2
f2c653b7-7daf-4774-86f2-34cdbd1fc528: No integrations found in the rule
f2c653b7-7daf-4774-86f2-34cdbd1fc528: Integration mappings prepared: 0
f2c653b7-7daf-4774-86f2-34cdbd1fc528: Index `rule-test-index-1754093980780` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093980780'}
f2c653b7-7daf-4774-86f2-34cdbd1fc528: Executing a query against `rule-test-index-1754093980780`
f2c653b7-7daf-4774-86f2-34cdbd1fc528: Test index `rule-test-index-1754093980780` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 4:9: Unknown column [gen_ai.guardrail_id]')

0cd2f3e6-41da-40e6-b28b-466f688f00a6: Validating against 9.0.1 stack
0cd2f3e6-41da-40e6-b28b-466f688f00a6: Extracted indices from query: logs-aws_bedrock.invocation-*
0cd2f3e6-41da-40e6-b28b-466f688f00a6: Collected mappings: 2
0cd2f3e6-41da-40e6-b28b-466f688f00a6: No integrations found in the rule
0cd2f3e6-41da-40e6-b28b-466f688f00a6: Integration mappings prepared: 0
0cd2f3e6-41da-40e6-b28b-466f688f00a6: Index `rule-test-index-1754093980841` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093980841'}
0cd2f3e6-41da-40e6-b28b-466f688f00a6: Executing a query against `rule-test-index-1754093980841`
0cd2f3e6-41da-40e6-b28b-466f688f00a6: Test index `rule-test-index-1754093980841` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 2:9: Unknown column [gen_ai.compliance.violation_detected]')

f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c: Validating against 9.0.1 stack
f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c: Extracted indices from query: logs-aws_bedrock.invocation-*
f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c: Collected mappings: 2
f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c: No integrations found in the rule
f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c: Integration mappings prepared: 0
f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c: Index `rule-test-index-1754093980900` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093980900'}
f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c: Executing a query against `rule-test-index-1754093980900`
f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c: Test index `rule-test-index-1754093980900` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 2:9: Unknown column [gen_ai.policy.action]')

4f855297-c8e0-4097-9d97-d653f7e471c4: Validating against 9.0.1 stack
4f855297-c8e0-4097-9d97-d653f7e471c4: Extracted indices from query: logs-aws_bedrock.invocation-*
4f855297-c8e0-4097-9d97-d653f7e471c4: Collected mappigns: 2
4f855297-c8e0-4097-9d97-d653f7e471c4: No integrations found in the rule
4f855297-c8e0-4097-9d97-d653f7e471c4: Integration mappings prepared: 0
4f855297-c8e0-4097-9d97-d653f7e471c4: Index `rule-test-index-1754093980959` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093980959'}
4f855297-c8e0-4097-9d97-d653f7e471c4: Executing a query against `rule-test-index-1754093980959`
4f855297-c8e0-4097-9d97-d653f7e471c4: Test index `rule-test-index-1754093980959` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 2:13: Unknown column [gen_ai.compliance.violation_code]')

b1773d05-f349-45fb-9850-287b8f92f02d: Validating against 9.0.1 stack
b1773d05-f349-45fb-9850-287b8f92f02d: Extracted indices from query: logs-aws_bedrock.invocation-*
b1773d05-f349-45fb-9850-287b8f92f02d: Collected mappigns: 2
b1773d05-f349-45fb-9850-287b8f92f02d: No integrations found in the rule
b1773d05-f349-45fb-9850-287b8f92f02d: Integration mappings prepared: 0
b1773d05-f349-45fb-9850-287b8f92f02d: Index `rule-test-index-1754093981018` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093981018'}
b1773d05-f349-45fb-9850-287b8f92f02d: Executing a query against `rule-test-index-1754093981018`
b1773d05-f349-45fb-9850-287b8f92f02d: Test index `rule-test-index-1754093981018` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 3 problems\nline 2:8: Unknown column [user.id]\nline 2:17: Unknown column [gen_ai.usage.prompt_tokens]\nline 2:45: Unknown column [gen_ai.usage.completion_tokens]')

17261da3-a6d0-463c-aac8-ea1718afcd20: Validating against 9.0.1 stack
17261da3-a6d0-463c-aac8-ea1718afcd20: Extracted indices from query: logs-aws_bedrock.invocation-*
17261da3-a6d0-463c-aac8-ea1718afcd20: Collected mappigns: 2
17261da3-a6d0-463c-aac8-ea1718afcd20: No integrations found in the rule
17261da3-a6d0-463c-aac8-ea1718afcd20: Integration mappings prepared: 0
17261da3-a6d0-463c-aac8-ea1718afcd20: Index `rule-test-index-1754093981077` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093981077'}
17261da3-a6d0-463c-aac8-ea1718afcd20: Executing a query against `rule-test-index-1754093981077`
17261da3-a6d0-463c-aac8-ea1718afcd20: Test index `rule-test-index-1754093981077` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 2:9: Unknown column [gen_ai.response.error_code]')

0e1af929-42ed-4262-a846-55a7c54e7c84: Validating against 9.0.1 stack
0e1af929-42ed-4262-a846-55a7c54e7c84: Extracted indices from query: logs-aws_bedrock.invocation-*
0e1af929-42ed-4262-a846-55a7c54e7c84: Collected mappigns: 2
0e1af929-42ed-4262-a846-55a7c54e7c84: No integrations found in the rule
0e1af929-42ed-4262-a846-55a7c54e7c84: Integration mappings prepared: 0
0e1af929-42ed-4262-a846-55a7c54e7c84: Index `rule-test-index-1754093981135` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093981135'}
0e1af929-42ed-4262-a846-55a7c54e7c84: Executing a query against `rule-test-index-1754093981135`
0e1af929-42ed-4262-a846-55a7c54e7c84: Test index `rule-test-index-1754093981135` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 2:13: Unknown column [gen_ai.policy.name]')

266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73: Validating against 9.0.1 stack
266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73: Extracted indices from query: logs-aws_bedrock.invocation-*
266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73: Collected mappigns: 2
266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73: No integrations found in the rule
266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73: Integration mappings prepared: 0
266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73: Index `rule-test-index-1754093981195` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093981195'}
266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73: Executing a query against `rule-test-index-1754093981195`
266bbea8-fcf9-4b0e-ba7b-fc00f6b1dc73: Test index `rule-test-index-1754093981195` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 2:13: Unknown column [gen_ai.policy.name]')

725a048a-88c5-4fc7-8677-a44fc0031822: Validating against 9.0.1 stack
725a048a-88c5-4fc7-8677-a44fc0031822: Extracted indices from query: logs-aws_bedrock.invocation-*
725a048a-88c5-4fc7-8677-a44fc0031822: Collected mappigns: 2
725a048a-88c5-4fc7-8677-a44fc0031822: Working with rule integrations: aws_bedrock
725a048a-88c5-4fc7-8677-a44fc0031822: Integration mappings prepared: 11
725a048a-88c5-4fc7-8677-a44fc0031822: Index `rule-test-index-1754093981267` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093981267'}
725a048a-88c5-4fc7-8677-a44fc0031822: Executing a query against `rule-test-index-1754093981267`
725a048a-88c5-4fc7-8677-a44fc0031822: Test index `rule-test-index-1754093981267` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 5:8: Unknown column [user.id]')

3216949c-9300-4c53-b57a-221e364c6457: Validating against 9.0.1 stack
3216949c-9300-4c53-b57a-221e364c6457: Extracted indices from query: logs-aws_bedrock.invocation-*
3216949c-9300-4c53-b57a-221e364c6457: Collected mappigns: 2
3216949c-9300-4c53-b57a-221e364c6457: No integrations found in the rule
3216949c-9300-4c53-b57a-221e364c6457: Integration mappings prepared: 0
3216949c-9300-4c53-b57a-221e364c6457: Index `rule-test-index-1754093981330` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093981330'}
3216949c-9300-4c53-b57a-221e364c6457: Executing a query against `rule-test-index-1754093981330`
3216949c-9300-4c53-b57a-221e364c6457: Test index `rule-test-index-1754093981330` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 2:13: Unknown column [gen_ai.policy.name]')

e3bd85e9-7aff-46eb-b60e-20dfc9020d98: Validating against 9.0.1 stack
e3bd85e9-7aff-46eb-b60e-20dfc9020d98: Extracted indices from query: logs-azure.signinlogs*
e3bd85e9-7aff-46eb-b60e-20dfc9020d98: Collected mappigns: 0
e3bd85e9-7aff-46eb-b60e-20dfc9020d98: Working with rule integrations: azure
e3bd85e9-7aff-46eb-b60e-20dfc9020d98: Integration mappings prepared: 51
e3bd85e9-7aff-46eb-b60e-20dfc9020d98: Index `rule-test-index-1754093981410` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093981410'}
e3bd85e9-7aff-46eb-b60e-20dfc9020d98: Executing a query against `rule-test-index-1754093981410`
e3bd85e9-7aff-46eb-b60e-20dfc9020d98: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'total', 'type': 'long'}, {'name': 'device_code_count', 'type': 'long'}, {'name': 'vsc', 'type': 'long'}, {'name': 'other_count', 'type': 'long'}, {'name': 'src_ip', 'type': 'long'}, {'name': 'ips', 'type': 'ip'}, {'name': 'clients', 'type': 'keyword'}, {'name': 'resources', 'type': 'keyword'}, {'name': 'auth_requirement', 'type': 'keyword'}, {'name': 'azure.signinlogs.identity', 'type': 'keyword'}], 'values': []}
e3bd85e9-7aff-46eb-b60e-20dfc9020d98: Test index `rule-test-index-1754093981410` deleted: {'acknowledged': True}
e3bd85e9-7aff-46eb-b60e-20dfc9020d98: Got query columns: total, device_code_count, vsc, other_count, src_ip, ips, clients, resources, auth_requirement, azure.signinlogs.identity

3fac01b2-b811-11ef-b25b-f661ea17fbce: Validating against 9.0.1 stack
3fac01b2-b811-11ef-b25b-f661ea17fbce: Extracted indices from query: logs-azure.signinlogs*
3fac01b2-b811-11ef-b25b-f661ea17fbce: Collected mappigns: 0
3fac01b2-b811-11ef-b25b-f661ea17fbce: Working with rule integrations: azure
3fac01b2-b811-11ef-b25b-f661ea17fbce: Integration mappings prepared: 51
3fac01b2-b811-11ef-b25b-f661ea17fbce: Index `rule-test-index-1754093981497` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093981497'}
3fac01b2-b811-11ef-b25b-f661ea17fbce: Executing a query against `rule-test-index-1754093981497`
3fac01b2-b811-11ef-b25b-f661ea17fbce: Test index `rule-test-index-1754093981497` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 9:9: Unknown column [azure.signinlogs.properties.mfa_detail.auth_method], did you mean any of [azure.signinlogs.properties.conditional_access_status, azure.signinlogs.properties.authentication_requirement, azure.signinlogs.operation_name, azure.signinlogs.result_description]?')

c07f7898-5dc3-11f0-9f27-f661ea17fbcd: Validating against 9.0.1 stack
c07f7898-5dc3-11f0-9f27-f661ea17fbcd: Extracted indices from query: logs-azure.platformlogs-*
c07f7898-5dc3-11f0-9f27-f661ea17fbcd: Collected mappigns: 2
c07f7898-5dc3-11f0-9f27-f661ea17fbcd: Working with rule integrations: azure
c07f7898-5dc3-11f0-9f27-f661ea17fbcd: Integration mappings prepared: 51
c07f7898-5dc3-11f0-9f27-f661ea17fbcd: Index `rule-test-index-1754093981577` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093981577'}
c07f7898-5dc3-11f0-9f27-f661ea17fbcd: Executing a query against `rule-test-index-1754093981577`
c07f7898-5dc3-11f0-9f27-f661ea17fbcd: Test index `rule-test-index-1754093981577` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 3 problems\nline 57:33: Unknown column [azure.platformlogs.identity.claim.upn], did you mean [azure.platformlogs.result_type]?\nline 35:66: Unknown column [azure.platformlogs.identity.claim.appid], did you mean [azure.platformlogs.result_type]?\nline 36:69: Unknown column [azure.platformlogs.identity.claim.objectid], did you mean [azure.platformlogs.result_type]?')

cca64114-fb8b-11ef-86e2-f661ea17fbce: Validating against 9.0.1 stack
cca64114-fb8b-11ef-86e2-f661ea17fbce: Extracted indices from query: logs-azure.signinlogs*
cca64114-fb8b-11ef-86e2-f661ea17fbce: Collected mappigns: 0
cca64114-fb8b-11ef-86e2-f661ea17fbce: Working with rule integrations: azure
cca64114-fb8b-11ef-86e2-f661ea17fbce: Integration mappings prepared: 51
cca64114-fb8b-11ef-86e2-f661ea17fbce: Index `rule-test-index-1754093981664` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093981664'}
cca64114-fb8b-11ef-86e2-f661ea17fbce: Executing a query against `rule-test-index-1754093981664`
cca64114-fb8b-11ef-86e2-f661ea17fbce: Test index `rule-test-index-1754093981664` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 53:25: Unknown column [azure.signinlogs.properties.session_id], did you mean any of [azure.signinlogs.properties.resource_id, azure.signinlogs.properties.user_id, azure.signinlogs.properties.app_id, azure.signinlogs.properties.risk_state, azure.signinlogs.properties.status.error_code, azure.signinlogs.properties.app_display_name, azure.signinlogs.properties.incoming_token_type, azure.signinlogs.properties.user_principal_name, azure.signinlogs.properties.resource_display_name, azure.signinlogs.properties.device_detail.device_id, azure.signinlogs.properties.device_detail.browser, azure.signinlogs.properties.authentication_requirement, azure.signinlogs.result_description, azure.signinlogs.properties.conditional_access_status, azure.signinlogs.properties.device_detail.operating_system, azure.signinlogs.result_signature, azure.signinlogs.category, azure.signinlogs.result_type]?')

2d6f5332-42ea-11f0-b09a-f661ea17fbcd: Validating against 9.0.1 stack
2d6f5332-42ea-11f0-b09a-f661ea17fbcd: Extracted indices from query: logs-azure.signinlogs*
2d6f5332-42ea-11f0-b09a-f661ea17fbcd: Collected mappigns: 0
2d6f5332-42ea-11f0-b09a-f661ea17fbcd: Working with rule integrations: azure
2d6f5332-42ea-11f0-b09a-f661ea17fbcd: Integration mappings prepared: 51
2d6f5332-42ea-11f0-b09a-f661ea17fbcd: Index `rule-test-index-1754093981774` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093981774'}
2d6f5332-42ea-11f0-b09a-f661ea17fbcd: Executing a query against `rule-test-index-1754093981774`
2d6f5332-42ea-11f0-b09a-f661ea17fbcd: Test index `rule-test-index-1754093981774` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 37:25: Unknown column [azure.signinlogs.properties.session_id], did you mean any of [azure.signinlogs.properties.resource_id, azure.signinlogs.properties.user_id, azure.signinlogs.properties.app_id, azure.signinlogs.properties.risk_state, azure.signinlogs.properties.status.error_code, azure.signinlogs.properties.app_display_name, azure.signinlogs.properties.incoming_token_type, azure.signinlogs.properties.user_principal_name, azure.signinlogs.properties.resource_display_name, azure.signinlogs.properties.device_detail.device_id, azure.signinlogs.properties.device_detail.browser, azure.signinlogs.properties.authentication_requirement, azure.signinlogs.result_description, azure.signinlogs.properties.conditional_access_status, azure.signinlogs.properties.device_detail.operating_system, azure.signinlogs.result_signature, azure.signinlogs.category, azure.signinlogs.result_type]?')

35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc: Validating against 9.0.1 stack
35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc: Extracted indices from query: logs-azure.signinlogs*
35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc: Collected mappigns: 0
35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc: Working with rule integrations: azure
35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc: Integration mappings prepared: 51
35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc: Index `rule-test-index-1754093981863` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093981863'}
35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc: Executing a query against `rule-test-index-1754093981863`
35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc: Test index `rule-test-index-1754093981863` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 59:25: Unknown column [azure.signinlogs.properties.session_id], did you mean any of [azure.signinlogs.properties.resource_id, azure.signinlogs.properties.user_id, azure.signinlogs.properties.app_id, azure.signinlogs.properties.risk_state, azure.signinlogs.properties.status.error_code, azure.signinlogs.properties.app_display_name, azure.signinlogs.properties.incoming_token_type, azure.signinlogs.properties.user_principal_name, azure.signinlogs.properties.resource_display_name, azure.signinlogs.properties.device_detail.device_id, azure.signinlogs.properties.device_detail.browser, azure.signinlogs.properties.authentication_requirement, azure.signinlogs.result_description, azure.signinlogs.properties.conditional_access_status, azure.signinlogs.properties.device_detail.operating_system, azure.signinlogs.result_signature, azure.signinlogs.category, azure.signinlogs.result_type]?')

c6655282-6c79-11ef-bbb5-f661ea17fbcc: Validating against 9.0.1 stack
c6655282-6c79-11ef-bbb5-f661ea17fbcc: Extracted indices from query: logs-azure.signinlogs*
c6655282-6c79-11ef-bbb5-f661ea17fbcc: Collected mappigns: 0
c6655282-6c79-11ef-bbb5-f661ea17fbcc: Working with rule integrations: azure
c6655282-6c79-11ef-bbb5-f661ea17fbcc: Integration mappings prepared: 51
c6655282-6c79-11ef-bbb5-f661ea17fbcc: Index `rule-test-index-1754093981951` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093981951'}
c6655282-6c79-11ef-bbb5-f661ea17fbcc: Executing a query against `rule-test-index-1754093981951`
c6655282-6c79-11ef-bbb5-f661ea17fbcc: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'target_count', 'type': 'long'}, {'name': 'source.ip', 'type': 'ip'}], 'values': []}
c6655282-6c79-11ef-bbb5-f661ea17fbcc: Test index `rule-test-index-1754093981951` deleted: {'acknowledged': True}
c6655282-6c79-11ef-bbb5-f661ea17fbcc: Got query columns: target_count, source.ip

0d3d2254-2b4a-11f0-a019-f661ea17fbcc: Validating against 9.0.1 stack
0d3d2254-2b4a-11f0-a019-f661ea17fbcc: Extracted indices from query: logs-azure.*
0d3d2254-2b4a-11f0-a019-f661ea17fbcc: Collected mappigns: 0
0d3d2254-2b4a-11f0-a019-f661ea17fbcc: Working with rule integrations: azure
0d3d2254-2b4a-11f0-a019-f661ea17fbcc: Integration mappings prepared: 51
0d3d2254-2b4a-11f0-a019-f661ea17fbcc: Index `rule-test-index-1754093982045` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093982045'}
0d3d2254-2b4a-11f0-a019-f661ea17fbcc: Executing a query against `rule-test-index-1754093982045`
0d3d2254-2b4a-11f0-a019-f661ea17fbcc: Test index `rule-test-index-1754093982045` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 3:113: Unknown column [azure.signinlogs.properties.session_id], did you mean any of [azure.signinlogs.properties.user_id, azure.signinlogs.properties.app_id, azure.graphactivitylogs.properties.app_id, azure.graphactivitylogs.properties.c_sid]?')

375132c6-25d5-11f0-8745-f661ea17fbcd: Validating against 9.0.1 stack
375132c6-25d5-11f0-8745-f661ea17fbcd: Extracted indices from query: logs-azure.signinlogs*
375132c6-25d5-11f0-8745-f661ea17fbcd: Collected mappigns: 0
375132c6-25d5-11f0-8745-f661ea17fbcd: Working with rule integrations: azure
375132c6-25d5-11f0-8745-f661ea17fbcd: Integration mappings prepared: 51
375132c6-25d5-11f0-8745-f661ea17fbcd: Index `rule-test-index-1754093982140` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093982140'}
375132c6-25d5-11f0-8745-f661ea17fbcd: Executing a query against `rule-test-index-1754093982140`
375132c6-25d5-11f0-8745-f661ea17fbcd: Test index `rule-test-index-1754093982140` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 20:18: Unknown column [azure.signinlogs.properties.session_id], did you mean any of [azure.signinlogs.properties.resource_id, azure.signinlogs.properties.app_id, azure.signinlogs.properties.user_type, azure.signinlogs.properties.risk_state, azure.signinlogs.properties.is_interactive, azure.signinlogs.properties.user_display_name, azure.signinlogs.properties.app_display_name, azure.signinlogs.properties.incoming_token_type, azure.signinlogs.properties.user_principal_name, azure.signinlogs.properties.resource_display_name, azure.signinlogs.properties.unique_token_identifier, azure.signinlogs.properties.authentication_protocol, azure.signinlogs.properties.device_detail.browser, azure.signinlogs.properties.risk_level_aggregated, azure.signinlogs.properties.authentication_requirement, azure.signinlogs.properties.conditional_access_status, azure.signinlogs.properties.device_detail.operating_system, azure.signinlogs.identity]?')

498e4094-60e7-11f0-8847-f661ea17fbcd: Validating against 9.0.1 stack
498e4094-60e7-11f0-8847-f661ea17fbcd: Extracted indices from query: logs-azure.auditlogs-*
498e4094-60e7-11f0-8847-f661ea17fbcd: Collected mappigns: 2
498e4094-60e7-11f0-8847-f661ea17fbcd: Working with rule integrations: azure
498e4094-60e7-11f0-8847-f661ea17fbcd: Integration mappings prepared: 51
498e4094-60e7-11f0-8847-f661ea17fbcd: Index `rule-test-index-1754093982229` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093982229'}
498e4094-60e7-11f0-8847-f661ea17fbcd: Executing a query against `rule-test-index-1754093982229`
498e4094-60e7-11f0-8847-f661ea17fbcd: Test index `rule-test-index-1754093982229` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 3:105: Unknown column [azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value]')

b0450411-46e5-46d2-9b35-8b5dd9ba763e: Validating against 9.0.1 stack
b0450411-46e5-46d2-9b35-8b5dd9ba763e: Extracted indices from query: logs-azure_openai.logs-*
b0450411-46e5-46d2-9b35-8b5dd9ba763e: Collected mappigns: 2
b0450411-46e5-46d2-9b35-8b5dd9ba763e: No integrations found in the rule
b0450411-46e5-46d2-9b35-8b5dd9ba763e: Integration mappings prepared: 0
b0450411-46e5-46d2-9b35-8b5dd9ba763e: Index `rule-test-index-1754093982304` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093982304'}
b0450411-46e5-46d2-9b35-8b5dd9ba763e: Executing a query against `rule-test-index-1754093982304`
b0450411-46e5-46d2-9b35-8b5dd9ba763e: Test index `rule-test-index-1754093982304` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 4:9: Unknown column [azure.open_ai.operation_name]')

fb16f9ef-cb03-4234-adc2-44641f3b71ee: Validating against 9.0.1 stack
fb16f9ef-cb03-4234-adc2-44641f3b71ee: Extracted indices from query: logs-azure_openai.logs-*
fb16f9ef-cb03-4234-adc2-44641f3b71ee: Collected mappigns: 2
fb16f9ef-cb03-4234-adc2-44641f3b71ee: No integrations found in the rule
fb16f9ef-cb03-4234-adc2-44641f3b71ee: Integration mappings prepared: 0
fb16f9ef-cb03-4234-adc2-44641f3b71ee: Index `rule-test-index-1754093982365` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093982365'}
fb16f9ef-cb03-4234-adc2-44641f3b71ee: Executing a query against `rule-test-index-1754093982365`
fb16f9ef-cb03-4234-adc2-44641f3b71ee: Test index `rule-test-index-1754093982365` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 3 problems\nline 2:9: Unknown column [azure.open_ai.properties.response_length]\nline 2:59: Unknown column [azure.open_ai.result_signature]\nline 2:103: Unknown column [azure.open_ai.operation_name]')

4021e78d-5293-48d3-adee-a70fa4c18fab: Validating against 9.0.1 stack
4021e78d-5293-48d3-adee-a70fa4c18fab: Extracted indices from query: logs-azure_openai.logs-*
4021e78d-5293-48d3-adee-a70fa4c18fab: Collected mappigns: 2
4021e78d-5293-48d3-adee-a70fa4c18fab: No integrations found in the rule
4021e78d-5293-48d3-adee-a70fa4c18fab: Integration mappings prepared: 0
4021e78d-5293-48d3-adee-a70fa4c18fab: Index `rule-test-index-1754093982426` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093982426'}
4021e78d-5293-48d3-adee-a70fa4c18fab: Executing a query against `rule-test-index-1754093982426`
4021e78d-5293-48d3-adee-a70fa4c18fab: Test index `rule-test-index-1754093982426` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 2 problems\nline 2:9: Unknown column [azure.open_ai.operation_name]\nline 2:55: Unknown column [azure.open_ai.category]')

0e524fa6-eed3-11ef-82b4-f661ea17fbce: Validating against 9.0.1 stack
0e524fa6-eed3-11ef-82b4-f661ea17fbce: Extracted indices from query: logs-o365.audit-*
0e524fa6-eed3-11ef-82b4-f661ea17fbce: Collected mappigns: 2
0e524fa6-eed3-11ef-82b4-f661ea17fbce: Working with rule integrations: o365
0e524fa6-eed3-11ef-82b4-f661ea17fbce: Integration mappings prepared: 50
0e524fa6-eed3-11ef-82b4-f661ea17fbce: Index `rule-test-index-1754093982486` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093982486'}
0e524fa6-eed3-11ef-82b4-f661ea17fbce: Executing a query against `rule-test-index-1754093982486`
0e524fa6-eed3-11ef-82b4-f661ea17fbce: Test index `rule-test-index-1754093982486` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 11:5: Unknown column [o365.audit.AuthenticationType]')

de67f85e-2d43-11f0-b8c9-f661ea17fbcc: Validating against 9.0.1 stack
de67f85e-2d43-11f0-b8c9-f661ea17fbcc: Extracted indices from query: logs-o365.audit-*
de67f85e-2d43-11f0-b8c9-f661ea17fbcc: Collected mappigns: 2
de67f85e-2d43-11f0-b8c9-f661ea17fbcc: Working with rule integrations: o365
de67f85e-2d43-11f0-b8c9-f661ea17fbcc: Integration mappings prepared: 50
de67f85e-2d43-11f0-b8c9-f661ea17fbcc: Index `rule-test-index-1754093982563` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093982563'}
de67f85e-2d43-11f0-b8c9-f661ea17fbcc: Executing a query against `rule-test-index-1754093982563`
de67f85e-2d43-11f0-b8c9-f661ea17fbcc: Got query response: {'took': 4, 'is_partial': False, 'columns': [{'name': 'time_window', 'type': 'date'}, {'name': 'unique_users', 'type': 'long'}, {'name': 'user_id_list', 'type': 'keyword'}, {'name': 'ip_list', 'type': 'ip'}, {'name': 'unique_ips', 'type': 'long'}, {'name': 'source_orgs', 'type': 'keyword'}, {'name': 'countries', 'type': 'keyword'}, {'name': 'unique_country_count', 'type': 'long'}, {'name': 'unique_asn_orgs', 'type': 'long'}, {'name': 'request_types', 'type': 'keyword'}, {'name': 'first_seen', 'type': 'date'}, {'name': 'last_seen', 'type': 'date'}, {'name': 'total_lockout_responses', 'type': 'long'}, {'name': 'duration_seconds', 'type': 'integer'}], 'values': []}
de67f85e-2d43-11f0-b8c9-f661ea17fbcc: Test index `rule-test-index-1754093982563` deleted: {'acknowledged': True}
de67f85e-2d43-11f0-b8c9-f661ea17fbcc: Got query columns: time_window, unique_users, user_id_list, ip_list, unique_ips, source_orgs, countries, unique_country_count, unique_asn_orgs, request_types, first_seen, last_seen, total_lockout_responses, duration_seconds

26f68dba-ce29-497b-8e13-b4fde1db5a2d: Validating against 9.0.1 stack
26f68dba-ce29-497b-8e13-b4fde1db5a2d: Extracted indices from query: logs-o365.audit-*
26f68dba-ce29-497b-8e13-b4fde1db5a2d: Collected mappigns: 2
26f68dba-ce29-497b-8e13-b4fde1db5a2d: Working with rule integrations: o365
26f68dba-ce29-497b-8e13-b4fde1db5a2d: Integration mappings prepared: 50
26f68dba-ce29-497b-8e13-b4fde1db5a2d: Index `rule-test-index-1754093982643` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093982643'}
26f68dba-ce29-497b-8e13-b4fde1db5a2d: Executing a query against `rule-test-index-1754093982643`
26f68dba-ce29-497b-8e13-b4fde1db5a2d: Got query response: {'took': 5, 'is_partial': False, 'columns': [{'name': 'time_window', 'type': 'date'}, {'name': 'unique_users', 'type': 'long'}, {'name': 'user_id_list', 'type': 'keyword'}, {'name': 'login_errors', 'type': 'keyword'}, {'name': 'unique_login_errors', 'type': 'long'}, {'name': 'request_types', 'type': 'keyword'}, {'name': 'ip_list', 'type': 'ip'}, {'name': 'unique_ips', 'type': 'long'}, {'name': 'source_orgs', 'type': 'keyword'}, {'name': 'countries', 'type': 'keyword'}, {'name': 'unique_country_count', 'type': 'long'}, {'name': 'unique_asn_orgs', 'type': 'long'}, {'name': 'first_seen', 'type': 'date'}, {'name': 'last_seen', 'type': 'date'}, {'name': 'duration_seconds', 'type': 'integer'}, {'name': 'total_attempts', 'type': 'long'}, {'name': 'bf_type', 'type': 'keyword'}], 'values': []}
26f68dba-ce29-497b-8e13-b4fde1db5a2d: Test index `rule-test-index-1754093982643` deleted: {'acknowledged': True}
26f68dba-ce29-497b-8e13-b4fde1db5a2d: Got query columns: time_window, unique_users, user_id_list, login_errors, unique_login_errors, request_types, ip_list, unique_ips, source_orgs, countries, unique_country_count, unique_asn_orgs, first_seen, last_seen, duration_seconds, total_attempts, bf_type

36188365-f88f-4f70-8c1d-0b9554186b9c: Validating against 9.0.1 stack
36188365-f88f-4f70-8c1d-0b9554186b9c: Extracted indices from query: logs-o365.audit-*
36188365-f88f-4f70-8c1d-0b9554186b9c: Collected mappigns: 2
36188365-f88f-4f70-8c1d-0b9554186b9c: Working with rule integrations: o365
36188365-f88f-4f70-8c1d-0b9554186b9c: Integration mappings prepared: 50
36188365-f88f-4f70-8c1d-0b9554186b9c: Index `rule-test-index-1754093982729` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093982729'}
36188365-f88f-4f70-8c1d-0b9554186b9c: Executing a query against `rule-test-index-1754093982729`
36188365-f88f-4f70-8c1d-0b9554186b9c: Test index `rule-test-index-1754093982729` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 17:169: Unknown column [o365.audit.ExtendedProperties.ResultStatusDetail], did you mean [o365.audit.ExtendedProperties.RequestType]?')

cc382a2e-7e52-11ee-9aac-f661ea17fbcd: Validating against 9.0.1 stack
cc382a2e-7e52-11ee-9aac-f661ea17fbcd: Extracted indices from query: logs-okta*
cc382a2e-7e52-11ee-9aac-f661ea17fbcd: Collected mappigns: 0
cc382a2e-7e52-11ee-9aac-f661ea17fbcd: Working with rule integrations: okta
cc382a2e-7e52-11ee-9aac-f661ea17fbcd: Integration mappings prepared: 47
FAILURE: BadRequestError(400, 'mapper_parsing_exception', 'Failed to parse mapping: Encountered a multi-field [behaviors] which itself contains a multi-field. Defining chained multi-fields is not supported.')

94e734c0-2cda-11ef-84e1-f661ea17fbce: Validating against 9.0.1 stack
94e734c0-2cda-11ef-84e1-f661ea17fbce: Extracted indices from query: logs-okta*
94e734c0-2cda-11ef-84e1-f661ea17fbce: Collected mappigns: 0
94e734c0-2cda-11ef-84e1-f661ea17fbce: Working with rule integrations: okta
94e734c0-2cda-11ef-84e1-f661ea17fbce: Integration mappings prepared: 47
FAILURE: BadRequestError(400, 'mapper_parsing_exception', 'Failed to parse mapping: Encountered a multi-field [behaviors] which itself contains a multi-field. Defining chained multi-fields is not supported.')

95b99adc-2cda-11ef-84e1-f661ea17fbce: Validating against 9.0.1 stack
95b99adc-2cda-11ef-84e1-f661ea17fbce: Extracted indices from query: logs-okta*
95b99adc-2cda-11ef-84e1-f661ea17fbce: Collected mappigns: 0
95b99adc-2cda-11ef-84e1-f661ea17fbce: Working with rule integrations: okta
95b99adc-2cda-11ef-84e1-f661ea17fbce: Integration mappings prepared: 47
FAILURE: BadRequestError(400, 'mapper_parsing_exception', 'Failed to parse mapping: Encountered a multi-field [behaviors] which itself contains a multi-field. Defining chained multi-fields is not supported.')

23f18264-2d6d-11ef-9413-f661ea17fbce: Validating against 9.0.1 stack
23f18264-2d6d-11ef-9413-f661ea17fbce: Extracted indices from query: logs-okta*
23f18264-2d6d-11ef-9413-f661ea17fbce: Collected mappigns: 0
23f18264-2d6d-11ef-9413-f661ea17fbce: Working with rule integrations: okta
23f18264-2d6d-11ef-9413-f661ea17fbce: Integration mappings prepared: 47
FAILURE: BadRequestError(400, 'mapper_parsing_exception', 'Failed to parse mapping: Encountered a multi-field [behaviors] which itself contains a multi-field. Defining chained multi-fields is not supported.')

2e56e1bc-867a-11ee-b13e-f661ea17fbcd: Validating against 9.0.1 stack
2e56e1bc-867a-11ee-b13e-f661ea17fbcd: Extracted indices from query: logs-okta*
2e56e1bc-867a-11ee-b13e-f661ea17fbcd: Collected mappigns: 0
2e56e1bc-867a-11ee-b13e-f661ea17fbcd: Working with rule integrations: okta
2e56e1bc-867a-11ee-b13e-f661ea17fbcd: Integration mappings prepared: 47
FAILURE: BadRequestError(400, 'mapper_parsing_exception', 'Failed to parse mapping: Encountered a multi-field [behaviors] which itself contains a multi-field. Defining chained multi-fields is not supported.')

1fa350e0-0aa2-4055-bf8f-ab8b59233e59: Validating against 9.0.1 stack
1fa350e0-0aa2-4055-bf8f-ab8b59233e59: Extracted indices from query: logs-endpoint.events.network-*
1fa350e0-0aa2-4055-bf8f-ab8b59233e59: Collected mappigns: 15
1fa350e0-0aa2-4055-bf8f-ab8b59233e59: Working with rule integrations: endpoint
1fa350e0-0aa2-4055-bf8f-ab8b59233e59: Integration mappings prepared: 70
1fa350e0-0aa2-4055-bf8f-ab8b59233e59: Index `rule-test-index-1754093982912` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093982912'}
1fa350e0-0aa2-4055-bf8f-ab8b59233e59: Executing a query against `rule-test-index-1754093982912`
1fa350e0-0aa2-4055-bf8f-ab8b59233e59: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'cc', 'type': 'long'}, {'name': 'agent_count', 'type': 'long'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'process.executable', 'type': 'keyword'}], 'values': []}
1fa350e0-0aa2-4055-bf8f-ab8b59233e59: Test index `rule-test-index-1754093982912` deleted: {'acknowledged': True}
1fa350e0-0aa2-4055-bf8f-ab8b59233e59: Got query columns: cc, agent_count, host.name, agent.id, process.executable

c5637438-e32d-4bb3-bc13-bd7932b3289f: Validating against 9.0.1 stack
c5637438-e32d-4bb3-bc13-bd7932b3289f: Extracted indices from query: logs-endpoint.events.process-*
c5637438-e32d-4bb3-bc13-bd7932b3289f: Collected mappings: 16
c5637438-e32d-4bb3-bc13-bd7932b3289f: Working with rule integrations: endpoint
c5637438-e32d-4bb3-bc13-bd7932b3289f: Integration mappings prepared: 70
c5637438-e32d-4bb3-bc13-bd7932b3289f: Index `rule-test-index-1754093983006` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093983006'}
c5637438-e32d-4bb3-bc13-bd7932b3289f: Executing a query against `rule-test-index-1754093983006`
c5637438-e32d-4bb3-bc13-bd7932b3289f: Got query response: {'took': 5, 'is_partial': False, 'columns': [{'name': 'cc', 'type': 'long'}, {'name': 'agent_count', 'type': 'long'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'process.name', 'type': 'keyword'}, {'name': 'process.command_line', 'type': 'keyword'}], 'values': []}
c5637438-e32d-4bb3-bc13-bd7932b3289f: Test index `rule-test-index-1754093983006` deleted: {'acknowledged': True}
c5637438-e32d-4bb3-bc13-bd7932b3289f: Got query columns: cc, agent_count, host.name, agent.id, process.name, process.command_line

6b341d03-1d63-41ac-841a-2009c86959ca: Validating against 9.0.1 stack
6b341d03-1d63-41ac-841a-2009c86959ca: Extracted indices from query: logs-endpoint.events.network-*
6b341d03-1d63-41ac-841a-2009c86959ca: Collected mappings: 15
6b341d03-1d63-41ac-841a-2009c86959ca: Working with rule integrations: endpoint
6b341d03-1d63-41ac-841a-2009c86959ca: Integration mappings prepared: 70
6b341d03-1d63-41ac-841a-2009c86959ca: Index `rule-test-index-1754093983126` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093983126'}
6b341d03-1d63-41ac-841a-2009c86959ca: Executing a query against `rule-test-index-1754093983126`
6b341d03-1d63-41ac-841a-2009c86959ca: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'cc', 'type': 'long'}, {'name': 'port_count', 'type': 'long'}, {'name': 'agent_count', 'type': 'long'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'process.executable', 'type': 'keyword'}, {'name': 'destination.ip', 'type': 'ip'}], 'values': []}
6b341d03-1d63-41ac-841a-2009c86959ca: Test index `rule-test-index-1754093983126` deleted: {'acknowledged': True}
6b341d03-1d63-41ac-841a-2009c86959ca: Got query columns: cc, port_count, agent_count, host.name, agent.id, process.executable, destination.ip

860f2a03-a1cf-48d6-a674-c6d62ae608a1: Validating against 9.0.1 stack
860f2a03-a1cf-48d6-a674-c6d62ae608a1: Extracted indices from query: logs-endpoint.events.network-*
860f2a03-a1cf-48d6-a674-c6d62ae608a1: Collected mappings: 15
860f2a03-a1cf-48d6-a674-c6d62ae608a1: Working with rule integrations: endpoint
860f2a03-a1cf-48d6-a674-c6d62ae608a1: Integration mappings prepared: 70
860f2a03-a1cf-48d6-a674-c6d62ae608a1: Index `rule-test-index-1754093983220` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093983220'}
860f2a03-a1cf-48d6-a674-c6d62ae608a1: Executing a query against `rule-test-index-1754093983220`
860f2a03-a1cf-48d6-a674-c6d62ae608a1: Got query response: {'took': 2, 'is_partial': False, 'columns': [{'name': 'cc', 'type': 'long'}, {'name': 'dest_count', 'type': 'long'}, {'name': 'agent_count', 'type': 'long'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'process.executable', 'type': 'keyword'}], 'values': []}
860f2a03-a1cf-48d6-a674-c6d62ae608a1: Test index `rule-test-index-1754093983220` deleted: {'acknowledged': True}
860f2a03-a1cf-48d6-a674-c6d62ae608a1: Got query columns: cc, dest_count, agent_count, host.name, agent.id, process.executable

8eeeda11-dca6-4c3e-910f-7089db412d1c: Validating against 9.0.1 stack
8eeeda11-dca6-4c3e-910f-7089db412d1c: Extracted indices from query: logs-endpoint.events.process-*
8eeeda11-dca6-4c3e-910f-7089db412d1c: Collected mappings: 16
8eeeda11-dca6-4c3e-910f-7089db412d1c: Working with rule integrations: endpoint
8eeeda11-dca6-4c3e-910f-7089db412d1c: Integration mappings prepared: 70
8eeeda11-dca6-4c3e-910f-7089db412d1c: Index `rule-test-index-1754093983319` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093983319'}
8eeeda11-dca6-4c3e-910f-7089db412d1c: Executing a query against `rule-test-index-1754093983319`
8eeeda11-dca6-4c3e-910f-7089db412d1c: Got query response: {'took': 2, 'is_partial': False, 'columns': [{'name': 'cc', 'type': 'long'}, {'name': 'agent_count', 'type': 'long'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'process.executable', 'type': 'keyword'}, {'name': 'process.parent.executable', 'type': 'keyword'}, {'name': 'process.command_line', 'type': 'keyword'}], 'values': []}
8eeeda11-dca6-4c3e-910f-7089db412d1c: Test index `rule-test-index-1754093983319` deleted: {'acknowledged': True}
8eeeda11-dca6-4c3e-910f-7089db412d1c: Got query columns: cc, agent_count, host.name, agent.id, process.executable, process.parent.executable, process.command_line

77122db4-5876-4127-b91b-6c179eb21f88: Validating against 9.0.1 stack
77122db4-5876-4127-b91b-6c179eb21f88: Extracted indices from query: logs-endpoint.events.network-*
77122db4-5876-4127-b91b-6c179eb21f88: Collected mappings: 15
77122db4-5876-4127-b91b-6c179eb21f88: Working with rule integrations: endpoint
77122db4-5876-4127-b91b-6c179eb21f88: Integration mappings prepared: 70
77122db4-5876-4127-b91b-6c179eb21f88: Index `rule-test-index-1754093983411` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093983411'}
77122db4-5876-4127-b91b-6c179eb21f88: Executing a query against `rule-test-index-1754093983411`
77122db4-5876-4127-b91b-6c179eb21f88: Got query response: {'took': 2, 'is_partial': False, 'columns': [{'name': 'cc', 'type': 'long'}, {'name': 'agent_count', 'type': 'long'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'process.executable', 'type': 'keyword'}, {'name': 'destination.port', 'type': 'long'}], 'values': []}
77122db4-5876-4127-b91b-6c179eb21f88: Test index `rule-test-index-1754093983411` deleted: {'acknowledged': True}
77122db4-5876-4127-b91b-6c179eb21f88: Got query columns: cc, agent_count, host.name, agent.id, process.executable, destination.port

976b2391-413f-4a94-acb4-7911f3803346: Validating against 9.0.1 stack
976b2391-413f-4a94-acb4-7911f3803346: Extracted indices from query: logs-endpoint.events.process-*
976b2391-413f-4a94-acb4-7911f3803346: Collected mappings: 16
976b2391-413f-4a94-acb4-7911f3803346: Working with rule integrations: endpoint
976b2391-413f-4a94-acb4-7911f3803346: Integration mappings prepared: 70
976b2391-413f-4a94-acb4-7911f3803346: Index `rule-test-index-1754093983510` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093983510'}
976b2391-413f-4a94-acb4-7911f3803346: Executing a query against `rule-test-index-1754093983510`
976b2391-413f-4a94-acb4-7911f3803346: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'cc', 'type': 'long'}, {'name': 'agent_count', 'type': 'long'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'process.executable', 'type': 'keyword'}, {'name': 'process.working_directory', 'type': 'keyword'}, {'name': 'process.parent.executable', 'type': 'keyword'}], 'values': []}
976b2391-413f-4a94-acb4-7911f3803346: Test index `rule-test-index-1754093983510` deleted: {'acknowledged': True}
976b2391-413f-4a94-acb4-7911f3803346: Got query columns: cc, agent_count, host.name, agent.id, process.executable, process.working_directory, process.parent.executable

8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d: Validating against 9.0.1 stack
8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d: Extracted indices from query: logs-endpoint.events.process-*
8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d: Collected mappings: 16
8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d: Working with rule integrations: endpoint
8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d: Integration mappings prepared: 70
8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d: Index `rule-test-index-1754093983615` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093983615'}
8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d: Executing a query against `rule-test-index-1754093983615`
8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d: Got query response: {'took': 4, 'is_partial': False, 'columns': [{'name': 'cc', 'type': 'long'}, {'name': 'agent_count', 'type': 'long'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'process.command_line', 'type': 'keyword'}, {'name': 'process.working_directory', 'type': 'keyword'}, {'name': 'process.parent.executable', 'type': 'keyword'}], 'values': []}
8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d: Test index `rule-test-index-1754093983615` deleted: {'acknowledged': True}
8a7933b4-9d0a-4c1c-bda5-e39fb045ff1d: Got query columns: cc, agent_count, host.name, agent.id, process.command_line, process.working_directory, process.parent.executable

6756ee27-9152-479b-9b73-54b5bbda301c: Validating against 9.0.1 stack
6756ee27-9152-479b-9b73-54b5bbda301c: Extracted indices from query: logs-*
6756ee27-9152-479b-9b73-54b5bbda301c: Collected mappings: 0
6756ee27-9152-479b-9b73-54b5bbda301c: Working with rule integrations: endpoint, system, windows, m365_defender, crowdstrike
6756ee27-9152-479b-9b73-54b5bbda301c: Integration mappings prepared: 83
6756ee27-9152-479b-9b73-54b5bbda301c: Index `rule-test-index-1754093983727` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093983727'}
6756ee27-9152-479b-9b73-54b5bbda301c: Executing a query against `rule-test-index-1754093983727`
6756ee27-9152-479b-9b73-54b5bbda301c: Got query response: {'took': 4, 'is_partial': False, 'columns': [{'name': 'total', 'type': 'long'}, {'name': 'unique_count_host', 'type': 'long'}, {'name': 'hosts', 'type': 'keyword'}, {'name': 'users', 'type': 'keyword'}, {'name': 'webdav_target', 'type': 'keyword'}], 'values': []}
6756ee27-9152-479b-9b73-54b5bbda301c: Test index `rule-test-index-1754093983727` deleted: {'acknowledged': True}
6756ee27-9152-479b-9b73-54b5bbda301c: Got query columns: total, unique_count_host, hosts, users, webdav_target

64f17c52-6c6e-479e-ba72-236f3df18f3d: Validating against 9.0.1 stack
64f17c52-6c6e-479e-ba72-236f3df18f3d: Extracted indices from query: logs-windows.powershell_operational*
64f17c52-6c6e-479e-ba72-236f3df18f3d: Collected mappings: 0
64f17c52-6c6e-479e-ba72-236f3df18f3d: Working with rule integrations: windows
64f17c52-6c6e-479e-ba72-236f3df18f3d: Integration mappings prepared: 52
64f17c52-6c6e-479e-ba72-236f3df18f3d: Index `rule-test-index-1754093983835` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093983835'}
64f17c52-6c6e-479e-ba72-236f3df18f3d: Executing a query against `rule-test-index-1754093983835`
64f17c52-6c6e-479e-ba72-236f3df18f3d: Got query response: {'took': 4, 'is_partial': False, 'columns': [{'name': 'count', 'type': 'integer'}, {'name': 'replaced_with_fire', 'type': 'keyword'}, {'name': 'powershell.file.script_block_text', 'type': 'text'}, {'name': 'powershell.file.script_block_id', 'type': 'keyword'}, {'name': 'file.name', 'type': 'keyword'}, {'name': 'file.path', 'type': 'keyword'}, {'name': 'powershell.sequence', 'type': 'long'}, {'name': 'powershell.total', 'type': 'long'}, {'name': '_id', 'type': 'keyword'}, {'name': '_index', 'type': 'keyword'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'user.id', 'type': 'keyword'}], 'values': []}
64f17c52-6c6e-479e-ba72-236f3df18f3d: Test index `rule-test-index-1754093983835` deleted: {'acknowledged': True}
64f17c52-6c6e-479e-ba72-236f3df18f3d: Got query columns: count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.name, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id

d43f2b43-02a1-4219-8ce9-10929a32a618: Validating against 9.0.1 stack
d43f2b43-02a1-4219-8ce9-10929a32a618: Extracted indices from query: logs-windows.powershell_operational*
d43f2b43-02a1-4219-8ce9-10929a32a618: Collected mappings: 0
d43f2b43-02a1-4219-8ce9-10929a32a618: Working with rule integrations: windows
d43f2b43-02a1-4219-8ce9-10929a32a618: Integration mappings prepared: 52
d43f2b43-02a1-4219-8ce9-10929a32a618: Index `rule-test-index-1754093983919` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093983919'}
d43f2b43-02a1-4219-8ce9-10929a32a618: Executing a query against `rule-test-index-1754093983919`
d43f2b43-02a1-4219-8ce9-10929a32a618: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'count', 'type': 'integer'}, {'name': 'replaced_with_fire', 'type': 'keyword'}, {'name': 'powershell.file.script_block_text', 'type': 'text'}, {'name': 'powershell.file.script_block_id', 'type': 'keyword'}, {'name': 'file.path', 'type': 'keyword'}, {'name': 'file.name', 'type': 'keyword'}, {'name': 'powershell.sequence', 'type': 'long'}, {'name': 'powershell.total', 'type': 'long'}, {'name': '_id', 'type': 'keyword'}, {'name': '_index', 'type': 'keyword'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'user.id', 'type': 'keyword'}], 'values': []}
d43f2b43-02a1-4219-8ce9-10929a32a618: Test index `rule-test-index-1754093983919` deleted: {'acknowledged': True}
d43f2b43-02a1-4219-8ce9-10929a32a618: Got query columns: count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, file.name, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id

85e2d45e-a3df-4acf-83d3-21805f564ff4: Validating against 9.0.1 stack
85e2d45e-a3df-4acf-83d3-21805f564ff4: Extracted indices from query: logs-windows.powershell_operational*
85e2d45e-a3df-4acf-83d3-21805f564ff4: Collected mappings: 0
85e2d45e-a3df-4acf-83d3-21805f564ff4: Working with rule integrations: windows
85e2d45e-a3df-4acf-83d3-21805f564ff4: Integration mappings prepared: 52
85e2d45e-a3df-4acf-83d3-21805f564ff4: Index `rule-test-index-1754093984014` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093984014'}
85e2d45e-a3df-4acf-83d3-21805f564ff4: Executing a query against `rule-test-index-1754093984014`
85e2d45e-a3df-4acf-83d3-21805f564ff4: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'count', 'type': 'integer'}, {'name': 'replaced_with_fire', 'type': 'keyword'}, {'name': 'powershell.file.script_block_text', 'type': 'text'}, {'name': 'powershell.file.script_block_id', 'type': 'keyword'}, {'name': 'file.path', 'type': 'keyword'}, {'name': 'powershell.sequence', 'type': 'long'}, {'name': 'powershell.total', 'type': 'long'}, {'name': '_id', 'type': 'keyword'}, {'name': '_index', 'type': 'keyword'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'user.id', 'type': 'keyword'}], 'values': []}
85e2d45e-a3df-4acf-83d3-21805f564ff4: Test index `rule-test-index-1754093984014` deleted: {'acknowledged': True}
85e2d45e-a3df-4acf-83d3-21805f564ff4: Got query columns: count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id

083383af-b9a4-42b7-a463-29c40efe7797: Validating against 9.0.1 stack
083383af-b9a4-42b7-a463-29c40efe7797: Extracted indices from query: logs-windows.powershell_operational*
083383af-b9a4-42b7-a463-29c40efe7797: Collected mappings: 0
083383af-b9a4-42b7-a463-29c40efe7797: Working with rule integrations: windows
083383af-b9a4-42b7-a463-29c40efe7797: Integration mappings prepared: 52
083383af-b9a4-42b7-a463-29c40efe7797: Index `rule-test-index-1754093984116` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093984116'}
083383af-b9a4-42b7-a463-29c40efe7797: Executing a query against `rule-test-index-1754093984116`
083383af-b9a4-42b7-a463-29c40efe7797: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'count', 'type': 'integer'}, {'name': 'replaced_with_fire', 'type': 'keyword'}, {'name': 'powershell.file.script_block_text', 'type': 'text'}, {'name': 'powershell.file.script_block_id', 'type': 'keyword'}, {'name': 'file.path', 'type': 'keyword'}, {'name': 'powershell.sequence', 'type': 'long'}, {'name': 'powershell.total', 'type': 'long'}, {'name': '_id', 'type': 'keyword'}, {'name': '_index', 'type': 'keyword'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'user.id', 'type': 'keyword'}], 'values': []}
083383af-b9a4-42b7-a463-29c40efe7797: Test index `rule-test-index-1754093984116` deleted: {'acknowledged': True}
083383af-b9a4-42b7-a463-29c40efe7797: Got query columns: count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id

f9abcddc-a05d-4345-a81d-000b79aa5525: Validating against 9.0.1 stack
f9abcddc-a05d-4345-a81d-000b79aa5525: Extracted indices from query: logs-windows.powershell_operational*
f9abcddc-a05d-4345-a81d-000b79aa5525: Collected mappings: 0
f9abcddc-a05d-4345-a81d-000b79aa5525: Working with rule integrations: windows
f9abcddc-a05d-4345-a81d-000b79aa5525: Integration mappings prepared: 52
f9abcddc-a05d-4345-a81d-000b79aa5525: Index `rule-test-index-1754093984204` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093984204'}
f9abcddc-a05d-4345-a81d-000b79aa5525: Executing a query against `rule-test-index-1754093984204`
f9abcddc-a05d-4345-a81d-000b79aa5525: Got query response: {'took': 7, 'is_partial': False, 'columns': [{'name': 'special_count', 'type': 'integer'}, {'name': 'script_len', 'type': 'integer'}, {'name': 'proportion', 'type': 'double'}, {'name': 'replaced_with_fire', 'type': 'keyword'}, {'name': 'powershell.file.script_block_text', 'type': 'text'}, {'name': 'powershell.file.script_block_id', 'type': 'keyword'}, {'name': 'file.path', 'type': 'keyword'}, {'name': 'powershell.sequence', 'type': 'long'}, {'name': 'powershell.total', 'type': 'long'}, {'name': '_id', 'type': 'keyword'}, {'name': '_index', 'type': 'keyword'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'user.id', 'type': 'keyword'}], 'values': []}
f9abcddc-a05d-4345-a81d-000b79aa5525: Test index `rule-test-index-1754093984204` deleted: {'acknowledged': True}
f9abcddc-a05d-4345-a81d-000b79aa5525: Got query columns: special_count, script_len, proportion, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id

b0c98cfb-0745-4513-b6f9-08dddb033490: Validating against 9.0.1 stack
b0c98cfb-0745-4513-b6f9-08dddb033490: Extracted indices from query: logs-windows.powershell_operational*
b0c98cfb-0745-4513-b6f9-08dddb033490: Collected mappings: 0
b0c98cfb-0745-4513-b6f9-08dddb033490: Working with rule integrations: windows
b0c98cfb-0745-4513-b6f9-08dddb033490: Integration mappings prepared: 52
b0c98cfb-0745-4513-b6f9-08dddb033490: Index `rule-test-index-1754093984303` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093984303'}
b0c98cfb-0745-4513-b6f9-08dddb033490: Executing a query against `rule-test-index-1754093984303`
b0c98cfb-0745-4513-b6f9-08dddb033490: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'count', 'type': 'integer'}, {'name': 'replaced_with_fire', 'type': 'keyword'}, {'name': 'powershell.file.script_block_text', 'type': 'text'}, {'name': 'powershell.file.script_block_id', 'type': 'keyword'}, {'name': 'file.path', 'type': 'keyword'}, {'name': 'powershell.sequence', 'type': 'long'}, {'name': 'powershell.total', 'type': 'long'}, {'name': '_id', 'type': 'keyword'}, {'name': '_index', 'type': 'keyword'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'user.id', 'type': 'keyword'}], 'values': []}
b0c98cfb-0745-4513-b6f9-08dddb033490: Test index `rule-test-index-1754093984303` deleted: {'acknowledged': True}
b0c98cfb-0745-4513-b6f9-08dddb033490: Got query columns: count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id

9f432a8b-9588-4550-838e-1f77285580d3: Validating against 9.0.1 stack
9f432a8b-9588-4550-838e-1f77285580d3: Extracted indices from query: logs-windows.powershell_operational*
9f432a8b-9588-4550-838e-1f77285580d3: Collected mappings: 0
9f432a8b-9588-4550-838e-1f77285580d3: Working with rule integrations: windows
9f432a8b-9588-4550-838e-1f77285580d3: Integration mappings prepared: 52
9f432a8b-9588-4550-838e-1f77285580d3: Index `rule-test-index-1754093984383` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093984383'}
9f432a8b-9588-4550-838e-1f77285580d3: Executing a query against `rule-test-index-1754093984383`
9f432a8b-9588-4550-838e-1f77285580d3: Got query response: {'took': 2, 'is_partial': False, 'columns': [{'name': 'count', 'type': 'integer'}, {'name': 'replaced_with_fire', 'type': 'keyword'}, {'name': 'powershell.file.script_block_text', 'type': 'text'}, {'name': 'powershell.file.script_block_id', 'type': 'keyword'}, {'name': 'file.path', 'type': 'keyword'}, {'name': 'powershell.sequence', 'type': 'long'}, {'name': 'powershell.total', 'type': 'long'}, {'name': '_id', 'type': 'keyword'}, {'name': '_index', 'type': 'keyword'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'user.id', 'type': 'keyword'}], 'values': []}
9f432a8b-9588-4550-838e-1f77285580d3: Test index `rule-test-index-1754093984383` deleted: {'acknowledged': True}
9f432a8b-9588-4550-838e-1f77285580d3: Got query columns: count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id

9edd1804-83c7-4e48-b97d-c776b4c97564: Validating against 9.0.1 stack
9edd1804-83c7-4e48-b97d-c776b4c97564: Extracted indices from query: logs-windows.powershell_operational*
9edd1804-83c7-4e48-b97d-c776b4c97564: Collected mappings: 0
9edd1804-83c7-4e48-b97d-c776b4c97564: Working with rule integrations: windows
9edd1804-83c7-4e48-b97d-c776b4c97564: Integration mappings prepared: 52
9edd1804-83c7-4e48-b97d-c776b4c97564: Index `rule-test-index-1754093984468` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093984468'}
9edd1804-83c7-4e48-b97d-c776b4c97564: Executing a query against `rule-test-index-1754093984468`
9edd1804-83c7-4e48-b97d-c776b4c97564: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'count', 'type': 'integer'}, {'name': 'replaced_with_fire', 'type': 'keyword'}, {'name': 'powershell.file.script_block_text', 'type': 'text'}, {'name': 'powershell.file.script_block_id', 'type': 'keyword'}, {'name': 'file.path', 'type': 'keyword'}, {'name': 'powershell.sequence', 'type': 'long'}, {'name': 'powershell.total', 'type': 'long'}, {'name': '_id', 'type': 'keyword'}, {'name': '_index', 'type': 'keyword'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'user.id', 'type': 'keyword'}], 'values': []}
9edd1804-83c7-4e48-b97d-c776b4c97564: Test index `rule-test-index-1754093984468` deleted: {'acknowledged': True}
9edd1804-83c7-4e48-b97d-c776b4c97564: Got query columns: count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id

f38633f4-3b31-4c80-b13d-e77c70ce8254: Validating against 9.0.1 stack
f38633f4-3b31-4c80-b13d-e77c70ce8254: Extracted indices from query: logs-windows.powershell_operational*
f38633f4-3b31-4c80-b13d-e77c70ce8254: Collected mappings: 0
f38633f4-3b31-4c80-b13d-e77c70ce8254: Working with rule integrations: windows
f38633f4-3b31-4c80-b13d-e77c70ce8254: Integration mappings prepared: 52
f38633f4-3b31-4c80-b13d-e77c70ce8254: Index `rule-test-index-1754093984554` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093984554'}
f38633f4-3b31-4c80-b13d-e77c70ce8254: Executing a query against `rule-test-index-1754093984554`
f38633f4-3b31-4c80-b13d-e77c70ce8254: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'count', 'type': 'integer'}, {'name': 'replaced_with_fire', 'type': 'keyword'}, {'name': 'powershell.file.script_block_text', 'type': 'text'}, {'name': 'powershell.file.script_block_id', 'type': 'keyword'}, {'name': 'file.path', 'type': 'keyword'}, {'name': 'powershell.sequence', 'type': 'long'}, {'name': 'powershell.total', 'type': 'long'}, {'name': '_id', 'type': 'keyword'}, {'name': '_index', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}], 'values': []}
f38633f4-3b31-4c80-b13d-e77c70ce8254: Test index `rule-test-index-1754093984554` deleted: {'acknowledged': True}
f38633f4-3b31-4c80-b13d-e77c70ce8254: Got query columns: count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, agent.id

f6d8c743-0916-4483-8333-3c6f107e0caa: Validating against 9.0.1 stack
f6d8c743-0916-4483-8333-3c6f107e0caa: Extracted indices from query: logs-windows.powershell_operational*
f6d8c743-0916-4483-8333-3c6f107e0caa: Collected mappings: 0
f6d8c743-0916-4483-8333-3c6f107e0caa: Working with rule integrations: windows
f6d8c743-0916-4483-8333-3c6f107e0caa: Integration mappings prepared: 52
f6d8c743-0916-4483-8333-3c6f107e0caa: Index `rule-test-index-1754093984642` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093984642'}
f6d8c743-0916-4483-8333-3c6f107e0caa: Executing a query against `rule-test-index-1754093984642`
f6d8c743-0916-4483-8333-3c6f107e0caa: Got query response: {'took': 2, 'is_partial': False, 'columns': [{'name': 'count', 'type': 'integer'}, {'name': 'replaced_with_fire', 'type': 'keyword'}, {'name': 'powershell.file.script_block_text', 'type': 'text'}, {'name': 'powershell.file.script_block_id', 'type': 'keyword'}, {'name': 'file.path', 'type': 'keyword'}, {'name': 'powershell.sequence', 'type': 'long'}, {'name': 'powershell.total', 'type': 'long'}, {'name': '_id', 'type': 'keyword'}, {'name': '_index', 'type': 'keyword'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'user.id', 'type': 'keyword'}], 'values': []}
f6d8c743-0916-4483-8333-3c6f107e0caa: Test index `rule-test-index-1754093984642` deleted: {'acknowledged': True}
f6d8c743-0916-4483-8333-3c6f107e0caa: Got query columns: count, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id

e903ce9a-5ce6-4246-bb14-75ed3ec2edf5: Validating against 9.0.1 stack
e903ce9a-5ce6-4246-bb14-75ed3ec2edf5: Extracted indices from query: logs-windows.powershell_operational*
e903ce9a-5ce6-4246-bb14-75ed3ec2edf5: Collected mappings: 0
e903ce9a-5ce6-4246-bb14-75ed3ec2edf5: Working with rule integrations: windows
e903ce9a-5ce6-4246-bb14-75ed3ec2edf5: Integration mappings prepared: 52
e903ce9a-5ce6-4246-bb14-75ed3ec2edf5: Index `rule-test-index-1754093984730` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093984730'}
e903ce9a-5ce6-4246-bb14-75ed3ec2edf5: Executing a query against `rule-test-index-1754093984730`
e903ce9a-5ce6-4246-bb14-75ed3ec2edf5: Test index `rule-test-index-1754093984730` deleted: {'acknowledged': True}
FAILURE: BadRequestError(400, 'verification_exception', 'Found 1 problem\nline 23:10: Unknown column [file.name], did you mean any of [file.path, host.name]?')

6ddb6c33-00ce-4acd-832a-24b251512023: Validating against 9.0.1 stack
6ddb6c33-00ce-4acd-832a-24b251512023: Extracted indices from query: logs-windows.powershell_operational*
6ddb6c33-00ce-4acd-832a-24b251512023: Collected mappings: 0
6ddb6c33-00ce-4acd-832a-24b251512023: Working with rule integrations: windows
6ddb6c33-00ce-4acd-832a-24b251512023: Integration mappings prepared: 52
6ddb6c33-00ce-4acd-832a-24b251512023: Index `rule-test-index-1754093984809` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093984809'}
6ddb6c33-00ce-4acd-832a-24b251512023: Executing a query against `rule-test-index-1754093984809`
6ddb6c33-00ce-4acd-832a-24b251512023: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'special_count', 'type': 'integer'}, {'name': 'script_len', 'type': 'integer'}, {'name': 'proportion', 'type': 'double'}, {'name': 'dedup_space_script_block', 'type': 'keyword'}, {'name': 'replaced_with_fire', 'type': 'keyword'}, {'name': 'powershell.file.script_block_text', 'type': 'text'}, {'name': 'powershell.file.script_block_id', 'type': 'keyword'}, {'name': 'file.path', 'type': 'keyword'}, {'name': 'powershell.sequence', 'type': 'long'}, {'name': 'powershell.total', 'type': 'long'}, {'name': '_id', 'type': 'keyword'}, {'name': '_index', 'type': 'keyword'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'user.id', 'type': 'keyword'}], 'values': []}
6ddb6c33-00ce-4acd-832a-24b251512023: Test index `rule-test-index-1754093984809` deleted: {'acknowledged': True}
6ddb6c33-00ce-4acd-832a-24b251512023: Got query columns: special_count, script_len, proportion, dedup_space_script_block, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id

f770ce79-05fd-4d74-9866-1c5d66c9b34b: Validating against 9.0.1 stack
f770ce79-05fd-4d74-9866-1c5d66c9b34b: Extracted indices from query: .alerts-security.*
f770ce79-05fd-4d74-9866-1c5d66c9b34b: Collected mappings: 0
f770ce79-05fd-4d74-9866-1c5d66c9b34b: No integrations found in the rule
f770ce79-05fd-4d74-9866-1c5d66c9b34b: Integration mappings prepared: 0
f770ce79-05fd-4d74-9866-1c5d66c9b34b: ERROR: no mappings found for the rule
FAILURE: No mappings found

f9753455-8d55-4ad8-b70a-e07b6f18deea: Validating against 9.0.1 stack
f9753455-8d55-4ad8-b70a-e07b6f18deea: Extracted indices from query: logs-windows.powershell_operational*
f9753455-8d55-4ad8-b70a-e07b6f18deea: Collected mappings: 0
f9753455-8d55-4ad8-b70a-e07b6f18deea: Working with rule integrations: windows
f9753455-8d55-4ad8-b70a-e07b6f18deea: Integration mappings prepared: 52
f9753455-8d55-4ad8-b70a-e07b6f18deea: Index `rule-test-index-1754093984896` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093984896'}
f9753455-8d55-4ad8-b70a-e07b6f18deea: Executing a query against `rule-test-index-1754093984896`
f9753455-8d55-4ad8-b70a-e07b6f18deea: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'special_count', 'type': 'integer'}, {'name': 'script_len', 'type': 'integer'}, {'name': 'proportion', 'type': 'double'}, {'name': 'replaced_with_fire', 'type': 'keyword'}, {'name': 'powershell.file.script_block_text', 'type': 'text'}, {'name': 'powershell.file.script_block_id', 'type': 'keyword'}, {'name': 'file.path', 'type': 'keyword'}, {'name': 'powershell.sequence', 'type': 'long'}, {'name': 'powershell.total', 'type': 'long'}, {'name': '_id', 'type': 'keyword'}, {'name': '_index', 'type': 'keyword'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'user.id', 'type': 'keyword'}], 'values': []}
f9753455-8d55-4ad8-b70a-e07b6f18deea: Test index `rule-test-index-1754093984896` deleted: {'acknowledged': True}
f9753455-8d55-4ad8-b70a-e07b6f18deea: Got query columns: special_count, script_len, proportion, replaced_with_fire, powershell.file.script_block_text, powershell.file.script_block_id, file.path, powershell.sequence, powershell.total, _id, _index, host.name, agent.id, user.id

894b7cc9-040b-427c-aca5-36b40d3667bf: Validating against 9.0.1 stack
894b7cc9-040b-427c-aca5-36b40d3667bf: Extracted indices from query: logs-endpoint.events.file-*
894b7cc9-040b-427c-aca5-36b40d3667bf: Collected mappings: 15
894b7cc9-040b-427c-aca5-36b40d3667bf: Working with rule integrations: endpoint
894b7cc9-040b-427c-aca5-36b40d3667bf: Integration mappings prepared: 70
894b7cc9-040b-427c-aca5-36b40d3667bf: Index `rule-test-index-1754093984992` created: {'acknowledged': True, 'shards_acknowledged': True, 'index': 'rule-test-index-1754093984992'}
894b7cc9-040b-427c-aca5-36b40d3667bf: Executing a query against `rule-test-index-1754093984992`
894b7cc9-040b-427c-aca5-36b40d3667bf: Got query response: {'took': 3, 'is_partial': False, 'columns': [{'name': 'cc', 'type': 'long'}, {'name': 'agent_count', 'type': 'long'}, {'name': 'host.name', 'type': 'keyword'}, {'name': 'agent.id', 'type': 'keyword'}, {'name': 'process.executable', 'type': 'keyword'}, {'name': 'file.path', 'type': 'keyword'}], 'values': []}
894b7cc9-040b-427c-aca5-36b40d3667bf: Test index `rule-test-index-1754093984992` deleted: {'acknowledged': True}
894b7cc9-040b-427c-aca5-36b40d3667bf: Got query columns: cc, agent_count, host.name, agent.id, process.executable, file.path

Total rules: 75
Failed rules: 33
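The log above shows the shape of the validation loop: pull the index patterns out of the ES|QL `FROM` clause, assemble a field mapping from the rule's integrations, create a throwaway `rule-test-index-<ms timestamp>` with that mapping, run the query against it, and always delete the index afterwards; a rule such as the `.alerts-security.*` one fails early because no integration supplies a mapping for that pattern. The following is an added example written for this page, not the PR's or the detection-rules project's code. It reproduces that flow in plain Python. `INTEGRATION_FIELDS` and `INTEGRATION_INDEX_PREFIX` are constructed stand-ins for the real integration schemas (the real `windows` package has far more than the handful of fields listed), and the live half assumes an `elasticsearch` 8.x client exposing `indices.create(index=, mappings=)`, `esql.query(query=)` and `indices.delete(index=)`.

```python
"""Offline half of ES|QL rule validation (FROM parsing, mapping assembly,
no-mapping failure) plus a driver for the live cluster part.
Added example, not the PR's code; schema data below is constructed."""
from __future__ import annotations

import re
import time
from typing import Any

# Constructed sample of integration field definitions (dotted name -> ES type).
INTEGRATION_FIELDS: dict[str, dict[str, str]] = {
    "windows": {
        "powershell.file.script_block_text": "text",
        "powershell.file.script_block_id": "keyword",
        "powershell.sequence": "long",
        "powershell.total": "long",
        "file.path": "keyword",
        "host.name": "keyword",
        "agent.id": "keyword",
        "user.id": "keyword",
    },
    "endpoint": {
        "process.executable": "keyword",
        "file.path": "keyword",
        "host.name": "keyword",
        "agent.id": "keyword",
    },
}

# Constructed: which index-pattern prefix each integration writes to.
INTEGRATION_INDEX_PREFIX = {"windows": "logs-windows.", "endpoint": "logs-endpoint."}

# Group 1 is the "FROM " prefix, group 2 the source list (may end in METADATA ...).
# The lookahead stops before the next pipe/newline without consuming whitespace.
FROM_RE = re.compile(r"^(\s*FROM\s+)([^|\n]+?)(?=\s*(?:\||\n|$))", re.IGNORECASE | re.MULTILINE)


class ValidationError(Exception):
    """Raised when the rule cannot be validated (e.g. no mapping source)."""


def extract_indices(query: str) -> list[str]:
    """Return the comma-separated index patterns named in the FROM clause."""
    m = FROM_RE.search(query)
    if not m:
        raise ValidationError("ES|QL query has no FROM clause")
    sources = re.split(r"\s+METADATA\s+", m.group(2), flags=re.IGNORECASE)[0]
    return [s.strip() for s in sources.split(",") if s.strip()]


def collect_fields(indices: list[str], rule_integrations: list[str] | tuple[str, ...]) -> dict[str, str]:
    """Merge field->type maps from the rule's integrations and from any
    integration whose index prefix matches a FROM pattern. Empty result means
    nothing on hand describes the data the query reads (the log's failure case)."""
    names = set(rule_integrations)
    for pattern in indices:
        for name, prefix in INTEGRATION_INDEX_PREFIX.items():
            if pattern.startswith(prefix):
                names.add(name)
    fields: dict[str, str] = {}
    for name in sorted(names):
        fields.update(INTEGRATION_FIELDS.get(name, {}))
    return fields


def build_mapping(fields: dict[str, str]) -> dict[str, Any]:
    """Turn dotted field names into the nested `properties` tree ES expects.
    Assumes no name is both a leaf and a parent object."""
    props: dict[str, Any] = {}
    for dotted, es_type in fields.items():
        node = props
        parts = dotted.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {"properties": {}})["properties"]
        node[parts[-1]] = {"type": es_type}
    return {"properties": props}


def rewrite_from(query: str, index: str) -> str:
    """Point the FROM clause at the scratch index, keeping any METADATA suffix."""
    def repl(m: re.Match) -> str:
        parts = re.split(r"(\s+METADATA\s+.*)", m.group(2), flags=re.IGNORECASE)
        meta = parts[1] if len(parts) > 1 else ""
        return f"{m.group(1)}{index}{meta}"
    return FROM_RE.sub(repl, query, count=1)


def validate_rule(client: Any, query: str, rule_integrations: tuple[str, ...] = ()) -> list[str]:
    """Live flow (assumed elasticsearch-py 8.x API): create a temp index with the
    collected mapping, run the query, delete the index, return column names."""
    indices = extract_indices(query)
    fields = collect_fields(indices, rule_integrations)
    if not fields:
        raise ValidationError(f"no mappings found for {indices}")
    index = f"rule-test-index-{int(time.time() * 1000)}"
    client.indices.create(index=index, mappings=build_mapping(fields))
    try:
        resp = client.esql.query(query=rewrite_from(query, index))
    finally:
        client.indices.delete(index=index)  # never leave scratch indices behind
    return [col["name"] for col in resp["columns"]]
```

The `try`/`finally` is the part worth copying: a query that errors must still drop the scratch index, otherwise repeated runs litter the cluster with `rule-test-index-*` indices. The dedicated API key mentioned in the PR description only needs index create/delete and read on that `rule-test-index-*` pattern; it should not be able to touch the production `logs-*` or `.alerts-*` data the rules normally read.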
