elastic · eric-forte-elastic · Sep 17, 2025 · Sep 17, 2025 · Sep 17, 2025 · Sep 17, 2025
@@ -66,8 +66,11 @@ def validator_wrapper(value: Any) -> Any:
 NAME_PATTERN = re.compile(r"^[a-zA-Z0-9].+?[a-zA-Z0-9\[\]()]$")
 PR_PATTERN = re.compile(r"^$|\d+$")
 SHA256_PATTERN = re.compile(r"^[a-fA-F0-9]{64}$")
-UUID_PATTERN = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
-
+# NOTE this additional bad UUID pattern is a stop gap until the rule has been deprecated
+UUID_PATTERN = re.compile(
+    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"  # UUID pattern
+    r"|^7eb54028-ca72-4eb7-8185-b6864572347db$"  # Additional pattern of known bad UUID
+)
 _version = r"\d+\.\d+(\.\d+[\w-]*)*"
 CONDITION_VERSION_PATTERN = re.compile(rf"^\^{_version}$")
 VERSION_PATTERN = f"^{_version}$"
@@ -108,7 +111,7 @@ def validator_wrapper(value: Any) -> Any:
 QUERY_FIELD_OP_EXCEPTIONS = ["powershell.file.script_block_text"]
 
 # we had a bad rule ID make it in before tightening up the pattern, and so we have to let it bypass
-KNOWN_BAD_RULE_IDS = Literal["119c8877-8613-416d-a98a-96b6664ee73a5"]
+KNOWN_BAD_RULE_IDS = Literal["119c8877-8613-416d-a98a-96b6664ee73a5", "7eb54028-ca72-4eb7-8185-b6864572347db"]
 KNOWN_BAD_DEPRECATED_DATES = Literal["2021-03-03"]
 # Known Null values that cannot be handled in TOML due to lack of Null value support via compound dicts
 KNOWN_NULL_ENTRIES = [{"rule.actions": "frequency.throttle"}]

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.4.4"
+version = "1.4.5"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
@@ -25,7 +25,7 @@ dependencies = [
   "jsl==0.2.4",
   "jsonschema>=4.21.1",
   "marko==2.0.3",
-  "marshmallow-dataclass[union]==8.6.1",
+  "marshmallow-dataclass==8.7.1",
   "marshmallow-jsonschema~=0.13.0",
   "marshmallow-union~=0.1.15",
   "marshmallow~=3.26.1",