From 137eed9f13f9e737e8a612a930de0bee49fbef7c Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Sat, 16 Nov 2024 04:05:09 +1100 Subject: [PATCH] [8.x] [Security Solution] Fixes `required_fields` being removed after rule `PATCH` calls (#199901) (#200307) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] Fixes `required_fields` being removed after rule `PATCH` calls (#199901)](https://github.com/elastic/kibana/pull/199901) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) Co-authored-by: Davis Plumlee <56367316+dplumlee@users.noreply.github.com> --- .../mergers/apply_rule_patch.test.ts | 32 +++++++++++++++++++ .../mergers/apply_rule_patch.ts | 4 ++- .../patch_rules.ts | 27 ++++++++++++++++ 3 files changed, 62 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.test.ts index 49592aff28f9..abf90c3f4dfc 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.test.ts @@ -453,4 +453,36 @@ describe('applyRulePatch', () => { }) ).rejects.toThrowError('new_terms_fields: Expected array, received string'); }); + + test('should retain existing required_fields when not present in rule patch body', async () => { + const rulePatch = { + name: 'new name', + } as PatchRuleRequestBody; + const existingRule = { + ...getRulesSchemaMock(), + required_fields: [ + { + name: 'event.action', + type: 'keyword', + ecs: true, + }, + ], + }; + const patchedRule = await applyRulePatch({ + rulePatch, + existingRule, + prebuiltRuleAssetClient, + }); + expect(patchedRule).toEqual( + expect.objectContaining({ + required_fields: [ + { + name: 'event.action', + type: 'keyword', + ecs: true, + }, + ], + }) + ); + }); }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts index becc68f3d007..9f5b16732249 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts @@ -92,7 +92,9 @@ export const applyRulePatch = async ({ meta: rulePatch.meta ?? existingRule.meta, max_signals: rulePatch.max_signals ?? existingRule.max_signals, related_integrations: rulePatch.related_integrations ?? existingRule.related_integrations, - required_fields: addEcsToRequiredFields(rulePatch.required_fields), + required_fields: rulePatch.required_fields + ? addEcsToRequiredFields(rulePatch.required_fields) + : existingRule.required_fields, risk_score: rulePatch.risk_score ?? existingRule.risk_score, risk_score_mapping: rulePatch.risk_score_mapping ?? existingRule.risk_score_mapping, rule_name_override: rulePatch.rule_name_override ?? existingRule.rule_name_override, diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_patch/basic_license_essentials_tier/patch_rules.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_patch/basic_license_essentials_tier/patch_rules.ts index 41f207c90f31..378a1f7bb018 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_patch/basic_license_essentials_tier/patch_rules.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_patch/basic_license_essentials_tier/patch_rules.ts @@ -284,6 +284,33 @@ export default ({ getService }: FtrProviderContext) => { ); }); }); + + it('should not change required_fields when not present in patch body', async () => { + await securitySolutionApi.createRule({ + body: getCustomQueryRuleParams({ + rule_id: 'rule-1', + required_fields: [ + { + name: 'event.action', + type: 'keyword', + }, + ], + }), + }); + + // patch a simple rule's name + const { body: patchedRule } = await securitySolutionApi + .patchRule({ body: { rule_id: 'rule-1', name: 'some other name' } }) + .expect(200); + + expect(patchedRule.required_fields).toEqual([ + { + name: 'event.action', + type: 'keyword', + ecs: true, + }, + ]); + }); }); }); };