Some prebuilt security rules have missing fields

YousefNein · May 3, 2026, 10:05am

As the title suggests, some prebuilt security rules are failing due to some fields not being present in the Elastic Defend telemetry.

From this example, the rule logic has process.command_line , However, the file telemetry for Elastic Defend does not have process.command_line I saw a numerous number of rules that have the same problem

My question is, should I fix it or leave it until it is fixed from your side? I also could make a pull request with a fix if that was possible.

Thank you.

leandrojmp · May 3, 2026, 1:54pm

I would suggest that you open an issue on the detection rules repository, listing the rules with problems.

In this repository: GitHub - elastic/detection-rules · GitHub

Topic		Replies	Views
Elastic SIEM. Security rules doesn't work SIEM	12	2242	December 27, 2021
Prebuilt security rule not working with fleet architecture Elastic Agent detection-rules	1	286	July 21, 2023
27 default Elastic Security rules contain definitions to non-existant indices and are broken Elastic Security	5	395	May 24, 2022
New "Elastic Defend" integration not recognized by rules (8.6.2) Endpoint Security	3	826	March 24, 2023
Error while enabling security rules Elastic Security	1	76	May 20, 2025

Some prebuilt security rules have missing fields

Related topics