[Bug] panw fields unknown

[y0no]

Describe the Bug

Hello,
I don't know if this is the right way to report this issue. But I use detection-rules to export my rules from the elastic stack. Unfortunately, a high numbers of our rules rely on Palo Alto integrations and are not validated by detection-rules with a lot of unknown fields. Is there a way to import theses fields that seems to be known by elastic ? (https://www.elastic.co/docs/reference/integrations/panw#ecs-field-reference)

To Reproduce

Try to import a rule with a query like :

panw.panos.threat_category : "dns"

Expected Behavior

No response

Screenshots

No response

Desktop - OS

None

Desktop - Version

No response

Additional Context

No response

[eric-forte-elastic]

👋 Hi @y0no, yes this is the correct way to report this! Thanks for opening an issue! We do support validating the fields in the panw integration and our network rules use this as well.

In your rules, are you specifying the integration and/or index?

E.g.

[metadata]
creation_date = "2023/05/17"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2025/02/28"

[rule]
author = ["Elastic"]
description = """
Info
"""
from = "now-9m"
index = ["logs-network_traffic.*", "logs-panw.panos*"]

You can use the view-rule command to test that this validation.

Example