Revert Rule Tunings and optimise test case

shashank-elastic · shashank-elastic · commit 10a735b94c49 · 2025-09-10T14:59:41.000+05:30
diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/11/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/10"
+min_stack_comments = "New fields added: actor.entity.id and target.entity.id"
+min_stack_version = "8.16.5"
+updated_date = "2025/09/08"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml b/rules/integrations/aws/privilege_escalation_iam_update_assume_role_policy.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/10/10"
+min_stack_comments = "New fields added: actor.entity.id and target.entity.id"
+min_stack_version = "8.16.5"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
@@ -2,7 +2,9 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/10/10"
+min_stack_comments = "Elastic ESQL values aggregation is more performant in 8.16.5 and above."
+min_stack_version = "8.17.0"
+updated_date = "2025/07/16"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/01/04"
 integration = ["system", "windows"]
 maturity = "development"
-updated_date = "2025/10/10"
+updated_date = "2025/04/23"
+min_stack_version = "8.14.0"
+min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
 [rule]
 author = ["Skoetting"]
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
@@ -1049,21 +1049,16 @@ def test_min_stack_version_supported(self):
             stack_map = yaml.safe_load(f)
 
         # Get the minimum supported stack version (as string)
-        supported_versions = [v for v in stack_map if not v.startswith("#") and isinstance(v, str)]
-
-        def version_tuple(v):
-            return tuple(map(int, v.split(".")))
-
-        min_supported = min(supported_versions, key=version_tuple)
+        min_supported = min([v for v in stack_map if not v.startswith("#") and isinstance(v, str)])
         # Load all production rules
         for rule in self.all_rules:
             min_stack_version = rule.contents.metadata.get("min_stack_version")
             if not min_stack_version:
                 continue  # skip rules without min_stack_version
-            # Compare versions as tuples of ints
-            if version_tuple(min_stack_version) < version_tuple(min_supported):
+            # Compare versions using semantic versioning
+            if Version.parse(min_stack_version) < Version.parse(min_supported):
                 failures.append(
-                    f"{self.rule_str(rule)}min_stack_version={min_stack_version} < supported={min_supported}"
+                    f"{self.rule_str(rule)} min_stack_version={min_stack_version} < supported={min_supported}"
                 )
 
         if failures:
