Repository Feature
Core Repo (rule management, validation, testing, lib, cicd, etc.)
Problem Description
Elastic Endgame is EOL. This repo still treats it as a first-class data source: many rules list `endgame-*` in `index`, tag integrations with "Data Source: Elastic Endgame", and Python validation pulls Endgame stack schemas (`detection_rules/endgame`, `rule.py`, `integrations.py`, tests, version lock metadata). That no longer matches supported deployments and adds maintenance cost for no gain.
Desired Solution
Strip Endgame end-to-end in one coordinated effort:
- Rules and building blocks: remove `endgame-*` from `index` arrays and drop Endgame from `integration` / related metadata wherever it appears. Re-run validation so the remaining indices stay consistent.
- Library and tooling: remove or gate Endgame schema loading, stack version mappings, and any CLI or test paths that assume `endgame-*`. Clean docs and `pyproject.toml` keywords if they still call out Endgame.
- Confirm nothing in CI, hunting queries, or NDJSON exports still references Endgame-only fields or indices.
Order of work can follow whatever minimizes breakage for open PRs (big mechanical PR vs staged batches).
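One way to do the mechanical part of the rules sweep, as an added example and not code from elastic/detection-rules: rewrite each rule's `index`, `tags` and `integration` arrays in place (no TOML round-trip, so untouched keys keep their exact formatting and the PR stays reviewable), and report anything a grep-and-delete must not silently handle, such as a rule whose `index` would become empty or a query that still uses `endgame.*` fields. It assumes those arrays are flat lists of double-quoted strings, as the repo writes them; the `"endgame"` integration identifier it drops is a hypothetical spelling, and the sample rule at the bottom is constructed for the example.

```python
"""Strip Elastic Endgame references from detection-rules TOML files.

Added example, not code from elastic/detection-rules. Assumes `index`,
`tags` and `integration` are flat arrays of double-quoted strings; the
integration id "endgame" is a hypothetical spelling.
"""
from __future__ import annotations

import re
from pathlib import Path

ENDGAME_TAG = "Data Source: Elastic Endgame"
ENDGAME_INTEGRATION = "endgame"  # assumption, see module docstring
# `key = [` at line start; the array body may continue over several lines.
ARRAY_START = re.compile(
    r"^(?P<indent>[ \t]*)(?P<key>index|tags|integration)[ \t]*=[ \t]*\[", re.M
)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def _keep(key: str, value: str) -> bool:
    """Decide whether one array element survives the Endgame removal."""
    if key == "index":
        return value != "endgame-*"
    if key == "tags":
        return value != ENDGAME_TAG
    return value.lower() != ENDGAME_INTEGRATION  # key == "integration"


def strip_endgame(toml_text: str) -> tuple[str, list[str]]:
    """Return (rewritten_text, warnings).

    Warnings flag arrays left empty (the rule now needs a real index) and
    any remaining line mentioning Endgame, e.g. endgame.* fields in a query.
    """
    out, pos, warnings = [], 0, []
    for m in ARRAY_START.finditer(toml_text):
        if m.start() < pos:
            continue  # inside an array already rewritten
        close = toml_text.find("]", m.end())
        if close == -1:
            warnings.append(f"unterminated {m.group('key')} array")
            break
        key, indent = m.group("key"), m.group("indent")
        body = toml_text[m.end():close]
        items = QUOTED.findall(body)
        kept = [v for v in items if _keep(key, v)]
        if len(kept) == len(items):
            continue  # nothing to remove; leave the original bytes alone
        if not kept:
            warnings.append(f"{key} is empty after removing Endgame")
        if "\n" in body:  # multi-line array: one item per line, trailing comma
            inner = "".join(f'{indent}    "{v}",\n' for v in kept)
            new_array = f"{key} = [\n{inner}{indent}]"
        else:
            new_array = f"{key} = [" + ", ".join(f'"{v}"' for v in kept) + "]"
        out.append(toml_text[pos:m.start()])
        out.append(indent + new_array)
        pos = close + 1
    out.append(toml_text[pos:])
    new_text = "".join(out)
    for lineno, line in enumerate(new_text.splitlines(), 1):
        if "endgame" in line.lower():
            warnings.append(f"line {lineno} still references Endgame: {line.strip()}")
    return new_text, warnings


def audit_tree(root: str | Path, write: bool = False) -> dict[str, list[str]]:
    """Run strip_endgame over every .toml under root (e.g. rules/, rules_building_block/).

    Returns {path: warnings} for files that changed or need a human look;
    with write=True the cleaned text is written back.
    """
    report = {}
    for path in sorted(Path(root).rglob("*.toml")):
        original = path.read_text(encoding="utf-8")
        new_text, warnings = strip_endgame(original)
        if new_text != original or warnings:
            report[str(path)] = warnings
            if write and new_text != original:
                path.write_text(new_text, encoding="utf-8")
    return report


# Constructed sample rule for this example, not a real rule from the repo.
SAMPLE_RULE = """[metadata]
creation_date = "2020/01/01"
integration = ["endpoint", "endgame"]

[rule]
index = ["logs-endpoint.events.*", "endgame-*"]
name = "Constructed sample rule"
query = '''
process where event.type == "start" and endgame.event_subtype_full == "creation_event"
'''
tags = [
    "Domain: Endpoint",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
]
"""

if __name__ == "__main__":
    cleaned, notes = strip_endgame(SAMPLE_RULE)
    print(cleaned)
    for note in notes:
        print("WARNING:", note)
```

Run `audit_tree("rules", write=False)` first and review the warnings: the "still references Endgame" entries are exactly the rules whose queries or hunting docs depend on Endgame-only fields and need a hand edit rather than a bulk delete, and the "empty" entries are rules that should be removed or re-pointed rather than left with `index = []`. Re-running the repo's own validation afterwards is still required; this script only does the text edit.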
Considered Alternatives
Leave rules as-is for historical installs only. Rejected for this tracker because EOL means we should not imply ongoing support in prebuilt packages.
Additional Context
Initial grep shows widespread `endgame-*` / Endgame integration strings across `rules/`, `rules_building_block/`, and core Python under `detection_rules/`. Use this issue as the umbrella; link child PRs here.