Skip internal fields on validation

eric-forte-elastic · eric-forte-elastic · commit a38b195c0f61 · 2025-09-08T10:47:50.000-04:00
diff --git a/detection_rules/rule_validators.py b/detection_rules/rule_validators.py
@@ -683,8 +683,12 @@ def validate_columns_index_mapping(
 
         for column in query_columns:
             column_name = column["name"]
+            # Skip Dynamic fields
             if column_name.startswith(("Esql.", "Esql_priv.")):
                 continue
+            # Skip internal fields
+            if column_name in ("_id", "_index", "_type"):
+                continue
             column_type = column["type"]
 
             # Check if the column exists in combined_mappings or a valid field generated from a function or operator
