[FR] Add new unit test for process fields in non process events#6011
Merged
Conversation
Contributor
Enhancement - Guidelines
These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.
Documentation and Context
Code Standards and Practices
Testing
Additional Checks
047941e to 54f26c8
Per @eric-forte-elastic's suggestion, extend the Sequence-only check to also unwrap eql.ast.Join. Join.queries shares the same SubqueryBy shape as Sequence.queries, so the same .query iteration applies. No production EQL rule uses join today, but treating join symmetrically prevents a silent gap if one is added in the future — matching the test's intent of catching no-op predicates in non-process clauses.
…m/elastic/detection-rules into add_unit_test_process_field_usage
w0rk3r
approved these changes
May 5, 2026
eric-forte-elastic
approved these changes
May 5, 2026
eric-forte-elastic
left a comment
Contributor
Update looks good, comment addressed.
Reviewed scope and implementation.
Pull Request
Issue link(s):
This PR adds a new unit test that uncovers a previously-silent bug class affecting EQL rules on `logs-endpoint.events.*` indices. Targets EQL only since KQL queries are scoped by `index` and authors naturally filter on category-applicable fields. ES|QL's `FROM` clause + Kibana field discovery makes the bug hard to write accidentally. Cursory scan didn't find any offenders either.

Important
This PR cannot land until the four currently-failing rules are fixed first. See the "Blocking PRs" list below.
Summary - What I changed
Adds a new unit test `TestEQLEventFieldUsage::test_process_fields_present_in_endpoint_schema` which fails CI when an EQL rule references a `process.*` field inside a non-process clause (`file where`, `network where`, `registry where`, `library where`, `dns where`) on `logs-endpoint.events.*` indices and that field is not mapped for the targeted dataset in the endpoint integration schema.

Elastic Defend doesn't populate every `process.*` field on every event category. For example, `process.command_line`, `process.args`, `process.working_directory`, `process.parent.name`, and `process.pe.*` are only present on `process` events; they're mapping-absent on `file`, `network`, `registry`, `library`, and `dns` events. EQL's `<event_type> where ...` syntax happily lets authors mix category prefixes with field references that don't belong to that category, so predicates referencing those fields never match — silent no-ops. There is no rule-load-time error; the rule just quietly under-fires.

Blocking PRs — must merge before this one
The test currently catches several production-maturity rules with this bug, grouped here by domain so they can be tuned in batched PRs:
- `c0136397-f82a-45e5-9b9f-a3651d77e21a` — GenAI Process Accessing Sensitive Files (EQL) — `process.command_line` inside `file where`
- `9050506c-df6d-4bdf-bc82-fcad0ef1e8c1` — GenAI Process Connection to Unusual Domain (KQL) — bundled into the same tuning because it shares the same root cause (`process.command_line` not populated outside of process events); not caught by this test because the test is EQL-only
- `0e79980b-4250-4a50-a509-69294c14e84b` — MsBuild Making Network Connections — `process.pe.original_file_name` inside `network where`
- `7f3e8b9a-2c4d-5e6f-8a1b-9c2d3e4f5a6b` — Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation — `process.parent.name` inside `file where`
- `00546494-5bb0-49d6-9220-5f3b4c12f26a` — Uncommon Destination Port Connection by Web Server — `process.working_directory` inside `network where`

Design notes:
- `CUSTOM_RULES_DIR` carve-out. Unlike `test_preserve_upstream_protected_rule_id_name` and `test_elastic_license_only_v2`, this test does not skip when `CUSTOM_RULES_DIR` is set, because the bug class is a property of the Elastic Defend integration schema (universal to anyone running Defend), not a property of the Elastic-shipped corpus. DaC users with the same bug benefit from catching it. DaC users with legitimate custom endpoint fields can register them via `RULES_CONFIG.stack_schema_map` (custom non-ECS schema YAML).
- `BaseRuleTest.setUpClass` rule loading, which is `@lru_cache`'d and amortized across every test class.

How To Test
Bash Output
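As an added example (not the PR's own unit test and not detection-rules project code), the following self-contained Python sketch shows the shape of the check the description explains: find `process.*` fields referenced inside a non-process `<category> where` clause and flag those the endpoint schema does not map for that category. It also covers the point from the review comment above, unwrapping the bracketed subqueries of `sequence` and `join` queries identically. Two things are assumptions: `SAMPLE_ENDPOINT_SCHEMA` is a constructed per-category field map built only from the examples named in the description (it is not the real integration schema the PR's test loads), and a bracket/regex splitter stands in for the `eql.ast` parse (`Sequence.queries` / `Join.queries`) that the real test walks.

```python
import re

# Constructed sample of per-category process.* coverage. Built only from the
# examples in the PR description; it is NOT the real Elastic Defend integration
# schema, which the PR's test reads from the integration package instead.
SAMPLE_ENDPOINT_SCHEMA = {
    "process": {
        "process.name", "process.pid", "process.entity_id", "process.executable",
        "process.command_line", "process.args", "process.working_directory",
        "process.parent.name", "process.pe.original_file_name",
    },
    "file": {"process.name", "process.pid", "process.entity_id", "process.executable"},
    "network": {"process.name", "process.pid", "process.entity_id", "process.executable"},
    "registry": {"process.name", "process.pid", "process.entity_id", "process.executable"},
    "library": {"process.name", "process.pid", "process.entity_id", "process.executable"},
    "dns": {"process.name", "process.pid", "process.entity_id", "process.executable"},
}

# The non-process clause prefixes the PR's test looks at.
NON_PROCESS_CATEGORIES = {"file", "network", "registry", "library", "dns"}

STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')          # double-quoted EQL literals
CLAUSE_RE = re.compile(r"\b([a-z_]+)\s+where\b")       # '<category> where'
FIELD_RE = re.compile(r"\bprocess\.[a-z0-9_]+(?:\.[a-z0-9_]+)*")


def extract_bracketed(text):
    """Return the contents of each top-level [ ... ] group, in order."""
    clauses, depth, start = [], 0, None
    for i, ch in enumerate(text):
        if ch == "[":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth == 0 and start is not None:
                clauses.append(text[start:i])
                start = None
    return clauses


def split_clauses(query):
    """Split an EQL query into its '<category> where ...' clauses.

    A plain query is one clause. For sequence and join queries the subqueries
    sit in top-level brackets; 'join' is unwrapped exactly like 'sequence',
    matching the review change in the PR. String literals are blanked first so
    a quoted value can never be mistaken for a field reference.
    """
    blanked = STRING_RE.sub('""', query)
    head = blanked.split(None, 1)[0].lower() if blanked.split() else ""
    if head in ("sequence", "join"):
        return extract_bracketed(blanked)
    return [blanked]


def find_unmapped_process_fields(query, schema=SAMPLE_ENDPOINT_SCHEMA):
    """Return sorted (category, field) pairs for process.* fields that a
    non-process clause references but the schema does not map for that
    category. An empty list means the query passes the check."""
    findings = []
    for clause in split_clauses(query):
        match = CLAUSE_RE.search(clause)
        if not match:
            continue
        category = match.group(1).lower()
        if category not in NON_PROCESS_CATEGORIES:
            continue                       # 'process where' and 'any where' are fine
        mapped = schema.get(category, set())
        for field in sorted(set(FIELD_RE.findall(clause))):
            if field not in mapped:
                findings.append((category, field))
    return findings


if __name__ == "__main__":
    # Constructed queries in the shape of the offenders the PR describes.
    samples = [
        'file where process.command_line : "*token*" and file.name : "*.env"',
        'network where process.name : "msbuild.exe" and network.direction == "egress"',
        'join by host.id [dns where process.parent.name == "w3wp.exe"] [network where process.pid > 0]',
    ]
    for q in samples:
        print(find_unmapped_process_fields(q) or "ok", "<-", q)
```

Passing a merged schema as the `schema` argument is the analogue of the `RULES_CONFIG.stack_schema_map` carve-out in the design notes: a DaC user whose custom endpoint integration does populate, say, `process.command_line` on file events adds it to the `file` set and the finding disappears, while the Elastic-shipped mapping stays strict.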