From 47f1661cf4799832760924d4d28c97b4db6e487a Mon Sep 17 00:00:00 2001
From: Terrance DeJesus
Date: Mon, 1 Jun 2026 10:54:00 -0400
Subject: [PATCH 1/2] [Bug] ESQL Remote Validation Ignoring Rule Min-Stack

---
 detection_rules/rule_validators.py | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/detection_rules/rule_validators.py b/detection_rules/rule_validators.py
index 9b3f412c885..e21b55f242a 100644
--- a/detection_rules/rule_validators.py
+++ b/detection_rules/rule_validators.py
@@ -46,7 +46,12 @@
     parse_datasets,
 )
 from .rule import EQLRuleData, QueryRuleData, QueryValidator, RuleMeta, TOMLRuleContents, set_eql_config
-from .schemas import get_latest_stack_version, get_stack_schemas, get_stack_versions
+from .schemas import (
+    get_latest_stack_version,
+    get_min_supported_stack_version,
+    get_stack_schemas,
+    get_stack_versions,
+)
 from .schemas.definitions import ESQL_DYNAMIC_FIELD_PREFIXES, FROM_SOURCES_REGEX
 
 EQL_ERROR_TYPES = (
@@ -924,10 +929,21 @@ def remote_validate_rule( # noqa: PLR0913
             # mismatch error, as the EsqlSchemaError and EsqlSyntaxError errors from the stack
             # will not be impacted by the difference in schema type mapping.
             mappings_lookup: dict[str, dict[str, Any]] = {stack_version: combined_mappings}
-            versions = get_stack_versions()
-            for version in versions:
+            # Only validate against stack versions the rule actually targets. A rule floored at
+            # min_stack_version is never backported below it, so building mappings for older stacks
+            # resolves integration packages that predate the rule's data sources (e.g. a new data
+            # stream) and raises spurious EsqlUnknownIndexError. Fall back to the minimum supported
+            # stack when the rule does not pin a min_stack_version.
+            min_stack = Version.parse(
+                str(metadata.min_stack_version or get_min_supported_stack_version()),
+                optional_minor_and_patch=True,
+            )
+            for version in get_stack_versions():
                 if version in mappings_lookup:
                     continue
+                if Version.parse(version) < min_stack:
+                    self.log(f"Skipping {version} stack: below rule min_stack_version {min_stack}")
+                    continue
                 _, _, combined_mappings = prepare_mappings(
                     elastic_client, indices, event_dataset_integrations, metadata, version, self.log
                 )

From 40d8dc6aee234aeb4193d400a1dcf6d5829cdb70 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus
Date: Mon, 1 Jun 2026 11:16:56 -0400
Subject: [PATCH 2/2] bumping patch

---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyproject.toml b/pyproject.toml
index 8878af4f7e3..06640253e00 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.6.45"
+version = "1.6.46"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
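Review bot: The two `Version.parse` calls in the new loop guard are asymmetric: `min_stack` is parsed with `optional_minor_and_patch=True`, but the per-iteration `Version.parse(version)` on each entry from `get_stack_versions()` is not, so if that helper can ever yield a major.minor string (e.g. a constructed "8.17") the bare parse raises `ValueError` and remote validation aborts before `prepare_mappings` runs for any remaining version. Using the same flag on both sides, `if Version.parse(version, optional_minor_and_patch=True) < min_stack:`, keeps the comparison on one parsing rule; if `get_stack_versions()` is guaranteed to return full semver strings this is harmless but still clearer. It would also help to state in the comment above `min_stack` that a rule whose `min_stack_version` is above every known stack version ends up validated only against `stack_version`, since every loop iteration then hits the skip branch. `remote_validate_rule` starts and ends outside this hunk.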