From 8489b95c054410e80d82674252e0bd442ce0c42f Mon Sep 17 00:00:00 2001
From: eric-forte-elastic
Date: Mon, 24 Nov 2025 10:53:23 -0500
Subject: [PATCH] Updated regex pattern for multiline
---
 detection_rules/schemas/definitions.py | 4 +++-
 pyproject.toml | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
index 762e9786b18..9a5b813abff 100644
--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -76,7 +76,9 @@ def validator_wrapper(value: Any) -> Any:
 CONDITION_VERSION_PATTERN = re.compile(rf"^\^{_version}$")
 VERSION_PATTERN = f"^{_version}$"
 MINOR_SEMVER = re.compile(r"^\d+\.\d+$")
-FROM_SOURCES_REGEX = re.compile(r"^\s*FROM\s+(?P.+?)\s*(?:\||\bmetadata\b|//|$)", re.IGNORECASE | re.MULTILINE)
+FROM_SOURCES_REGEX = re.compile(
+ r"^\s*FROM\s+(?P(?:.+?(?:,\s*)?\n?)+?)\s*(?:\||\bmetadata\b|//|$)", re.IGNORECASE | re.MULTILINE
+)
 BRANCH_PATTERN = f"{VERSION_PATTERN}|^master$"
 ELASTICSEARCH_EQL_FEATURES = {
 "allow_negation": (Version.parse("8.9.0"), None),
diff --git a/pyproject.toml b/pyproject.toml
index b8467f2c839..c37ce537f4a 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.14"
+version = "1.5.15"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
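Review bot: In the new `FROM_SOURCES_REGEX`, the greedy `\n?` inside the repeated group is tried before the `$` alternative can match, so the capture crosses every line break rather than only those that follow a comma. A single-line `FROM` followed by a `|` line is now captured with a trailing newline, and a following line that does not begin (after whitespace) with `|`, `metadata` or `//` is pulled into the source list. `(?:,\s*)?` already consumes the newline after a trailing comma, so if comma-continued lists are the only multi-line form intended, `(?:.+?(?:,\s*)?)+?` would keep the capture on the FROM clause. The diffstat shows no test file in this patch, so I would add cases for single-line, comma-continued and comment-followed `FROM` clauses, which would also pin down how the nested lazy quantifiers resolve. The code that consumes the capture is outside the hunk, so whether it strips whitespace and empty entries before the index names are used is not visible here.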