Add alignment checking for subqueries

eric-forte-elastic · eric-forte-elastic · commit 7dfe05622ea0 · 2025-10-28T10:53:10.000-04:00
diff --git a/detection_rules/rule_validators.py b/detection_rules/rule_validators.py
@@ -929,11 +929,17 @@ def remote_validate_rule(  # noqa: PLR0913
         return response
 
 
-def extract_error_field(source: str, exc: eql.EqlParseError | kql.KqlParseError) -> str | None:
+def extract_error_field(source: str, exc: eql.EqlParseError | kql.KqlParseError, max_attempts: int = 10) -> str | None:
     """Extract the field name from an EQL or KQL parse error."""
     lines = source.splitlines()
     mod = -1 if exc.line == len(lines) else 0  # type: ignore[reportUnknownMemberType]
     line = lines[exc.line + mod]  # type: ignore[reportUnknownMemberType]
-    start = exc.column  # type: ignore[reportUnknownMemberType]
+    start: int = exc.column  # type: ignore[reportUnknownMemberType]
+    # Handle cases where subqueries cause column alignment to be off
+    for _ in range(max_attempts):
+        if line[start - 1] != " ":
+            start -= 1
+        else:
+            break
     stop = start + len(exc.caret.strip())  # type: ignore[reportUnknownVariableType]
     return re.sub(r"^\W+|\W+$", "", line[start:stop])  # type: ignore[reportUnknownArgumentType]
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.5"
+version = "1.5.6"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
