
[Enhancement] Add test for constant_keyword fields on alerts-only rules #5997

Open

terrancedejesus wants to merge 1 commit into main from test/alerts-constant-keyword-validation

Conversation


@terrancedejesus terrancedejesus commented Apr 28, 2026

Related

Summary - What I changed

Added a CI unit test that fails the build if any KQL/EQL/ES|QL/threshold/new_terms/threat_match rule (a) targets only .alerts-* AND (b) references a constant_keyword ECS field. This closes the validator gap that let #5943 merge: the existing AST validators merge ECS into every target schema, so they treat data_stream.dataset as a known field and never catch this class of bug. The test catches it before runtime regardless of language.

How To Test

On the fix branch, run:

python -m unittest tests.test_all_rules.TestValidRules.test_alerts_only_rules_no_constant_keyword_fields -v

Expected: PASS.

To confirm the test actually catches the bug, open any of the patched rules (e.g. rules/cross-platform/newly_observed_elastic_detection_rule.toml) and change event.dataset back to data_stream.dataset. Re-run the command, expected: FAIL, with the rule name and offending field in the output. Revert the edit when done.

Checklist

  • Added a label for the type of PR: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist
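As an added illustration of the check the PR body describes (this is not the test added by the PR, whose code is not shown on this page): a rule is flagged when every index pattern it targets is a .alerts-* index and its query references a constant_keyword ECS field. The constant_keyword field set, the field-extraction regex and the sample rules are constructed here for the example; ES|QL FROM clauses are not parsed.

```python
import re

# Constructed for illustration: the real test would derive this set from the
# ECS schema files the repository ships. These data_stream.* fields are the
# ones ECS declares as constant_keyword.
CONSTANT_KEYWORD_FIELDS = {"data_stream.dataset", "data_stream.namespace", "data_stream.type"}

# A dotted field name followed by a KQL (":") or EQL ("==", "!=", "<", ">",
# "<=", ">=") operator. Quoted values are followed by a quote, so never match.
FIELD_RE = re.compile(r"\b([A-Za-z_][\w.]*)\s*(?::|==|!=|>=|<=|>|<)")

def targets_only_alerts(index_patterns):
    """True when every index pattern the rule queries is a .alerts-* index."""
    return bool(index_patterns) and all(p.startswith(".alerts-") for p in index_patterns)

def referenced_fields(query):
    """Field names the query compares against a value (KQL or EQL syntax)."""
    return set(FIELD_RE.findall(query))

def offending_constant_keyword_fields(rule):
    """constant_keyword fields an alerts-only rule references; empty otherwise."""
    if not targets_only_alerts(rule.get("index", [])):
        return set()
    return referenced_fields(rule["query"]) & CONSTANT_KEYWORD_FIELDS

def find_violations(rules):
    """Map rule name -> sorted offending fields for every rule that fails."""
    violations = {}
    for rule in rules:
        fields = offending_constant_keyword_fields(rule)
        if fields:
            violations[rule["name"]] = sorted(fields)
    return violations

# Constructed sample rules, not rules from the repository.
SAMPLE_RULES = [
    {"name": "alerts-only KQL rule on data_stream.dataset",
     "index": [".alerts-security.alerts-*"],
     "query": 'data_stream.dataset : "endpoint.alerts" and kibana.alert.rule.name : *'},
    {"name": "alerts-only KQL rule on event.dataset",
     "index": [".alerts-security.alerts-*"],
     "query": 'event.dataset : "endpoint.alerts"'},
    {"name": "mixed-index EQL rule (not alerts-only)",
     "index": ["logs-*", ".alerts-security.alerts-*"],
     "query": 'any where data_stream.dataset == "endpoint.alerts"'},
]
```

Only the first sample rule is reported; the second uses event.dataset (the field the patched rules switched to) and the third is skipped because it also targets logs-*.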

@terrancedejesus terrancedejesus added test-suite unit and other testing components python Internal python for the repository patch labels Apr 28, 2026
@terrancedejesus terrancedejesus added the bug Something isn't working label Apr 28, 2026
@github-actions

Bug - Guidelines

These guidelines serve as a reminder set of considerations when addressing a bug in the code.

Documentation and Context

  • Provide detailed documentation (description, screenshots, reproducing the bug, etc.) of the bug if not already documented in an issue.
  • Include additional context or details about the problem.
  • Ensure the fix includes necessary updates to the release documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the bug fix or edge cases.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and detecting the bug fix (e.g., test logs, screenshots).
  • Validate that any rules affected by the bug are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the bug fix works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label is applied to the PR: patch, minor, major.

@terrancedejesus terrancedejesus force-pushed the test/alerts-constant-keyword-validation branch from 6f048ce to 78e9e56 on April 28, 2026 15:31
@terrancedejesus terrancedejesus marked this pull request as ready for review April 28, 2026 15:31