
[Security Solution] Error when upgrading a rule that has an action referencing a deleted connector #198771

Open
Tracked by #179907
banderror opened this issue Nov 4, 2024 · 3 comments
Labels: bug, Feature:Prebuilt Detection Rules, Feature:Rule Actions, impact:medium, needs product, sdh-linked, Team:Detection Rule Management, Team:Detections and Resp, Team: SecuritySolution

Comments

@banderror (Contributor) commented Nov 4, 2024

Epics: https://github.com/elastic/security-team/issues/1974 (internal), #179907
Related to: #178221, #198845
Location: Rule Management page, Rule Updates table

Summary

If a prebuilt rule has a rule action that refers to an action connector that has been deleted, then when you try to upgrade it, the upgrade will fail with the following message:

[Screenshot of the failure message]

POST /internal/detection_engine/prebuilt_rules/upgrade/_perform

{"mode":"SPECIFIC_RULES","rules":[{"rule_id":"035a6f21-4092-471d-9cda-9e379f459b1e","version":3,"revision":1}],"pick_version":"TARGET"}
{
    "summary": {
        "total": 1,
        "skipped": 0,
        "succeeded": 0,
        "failed": 1
    },
    "results": {
        "updated": [],
        "skipped": []
    },
    "errors": [
        {
            "message": "Failed to load action e3a6324b-c9a6-4716-b726-cd71b0cfdc82 (404): Saved object [action/e3a6324b-c9a6-4716-b726-cd71b0cfdc82] not found",
            "rules": [
                {
                    "rule_id": "035a6f21-4092-471d-9cda-9e379f459b1e",
                    "name": "Potential Memory Seeking Activity"
                }
            ]
        }
    ]
}

Steps to reproduce

  • Create a new connector, e.g. a test webhook connector
  • Edit some prebuilt rule that currently has updates to it (Rule Updates tab on the Rules page)
  • Add a webhook action to it referencing the newly added connector
  • Save the rule
  • Try to upgrade it (Rule Updates tab on the Rules page -> Update rule)

Behavior

Current behavior:

  • Upgrade fails
  • No clear explanation is shown to the user why it fails
  • The toast looks like the upgrade succeeded (green color, checkmark)

Expected behavior:

  • Option 1:
    • Upgrade fails
    • We communicate visually that it's an error
    • We explain to the user why it failed and what actions they need to do to resolve the issue
    • Keep in mind that when upgrading multiple rules there can be a partial upgrade failure - some may succeed, some may fail
  • Option 2:
    • Upgrade succeeds
    • We keep the actions that refer to deleted connectors in the rules being upgraded (the Alerting Framework might not allow that)
    • We show a warning that explains that the user might want to remove those actions manually, otherwise they will be failing on rule execution
  • Option 3:
    • Upgrade succeeds
    • We remove the actions that refer to deleted connectors from the rules being upgraded
    • We show a warning that explains to the user what was done and what rules were affected
  • Option 4:
    • We prevent this error from happening by updating rules on connector deletion on the Framework side (might not be possible or preferable to implement due to RBAC considerations)

Needs product input on how to handle it and which option to choose. Should be consistent with #178221.

Workaround

  1. Select all the problematic rules on the Installed Rules page
  2. Apply the Add Rule Actions bulk action to them, choosing Overwrite all selected rules actions in the flyout
  3. After completing this step, all rules should become upgradeable
banderror added the labels bug, Feature:Prebuilt Detection Rules, impact:medium, Team: SecuritySolution, Team:Detection Rule Management and Team:Detections and Resp on Nov 4, 2024
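The pre-flight check a practitioner would want before running a bulk upgrade, as an added example that is neither part of this issue nor Kibana's own code: it finds installed rules whose actions point at a connector id that is no longer in the connector list, parses the `upgrade/_perform` error messages quoted above back into rule ids, and builds the `_bulk_action` request that is the API equivalent of the workaround (overwrite the selected rules' actions). The `upgrade/_perform` request and response shapes are the ones shown in the issue; the shapes of `GET /api/actions/connectors`, `GET /api/detection_engine/rules/_find` and `POST /api/detection_engine/rules/_bulk_action` (edit type `set_rule_actions`) are assumed from the public Kibana APIs, and every payload below is constructed sample data. Only the two ids taken from the issue are real; the rest are made up.

```python
"""Find detection rules whose actions reference a deleted connector, parse the
errors returned by prebuilt_rules/upgrade/_perform, and build the _bulk_action
body for the 'overwrite rule actions' workaround.

Added example, not Kibana code. Endpoint shapes other than upgrade/_perform are
assumptions; all data below is constructed.
"""
import json
import re

# Constructed sample of GET /api/actions/connectors: the only connector that
# still exists in this space (id made up).
CONNECTORS = [
    {"id": "3f1a2b4c-0000-4000-8000-000000000001", "name": "soc-webhook",
     "connector_type_id": ".webhook"},
]

# Constructed sample of GET /api/detection_engine/rules/_find results. r1
# mirrors the rule in the issue: its action points at a deleted connector.
RULES = [
    {"id": "r1", "rule_id": "035a6f21-4092-471d-9cda-9e379f459b1e",
     "name": "Potential Memory Seeking Activity",
     "actions": [{"id": "e3a6324b-c9a6-4716-b726-cd71b0cfdc82",
                  "action_type_id": ".webhook", "group": "default",
                  "params": {"body": "{{context.rule.name}}"}}]},
    {"id": "r2", "rule_id": "b2f0c1d3-0000-4000-8000-000000000002",
     "name": "Sample Rule With Live Connector",
     "actions": [{"id": "3f1a2b4c-0000-4000-8000-000000000001",
                  "action_type_id": ".webhook", "group": "default",
                  "params": {"body": "{{context.rule.name}}"}}]},
    {"id": "r3", "rule_id": "c3e1d2f4-0000-4000-8000-000000000003",
     "name": "Sample Rule Without Actions", "actions": []},
]

# The upgrade/_perform response quoted in the issue, used to show error parsing.
UPGRADE_RESPONSE = {
    "summary": {"total": 1, "skipped": 0, "succeeded": 0, "failed": 1},
    "results": {"updated": [], "skipped": []},
    "errors": [{
        "message": "Failed to load action e3a6324b-c9a6-4716-b726-cd71b0cfdc82 (404): "
                   "Saved object [action/e3a6324b-c9a6-4716-b726-cd71b0cfdc82] not found",
        "rules": [{"rule_id": "035a6f21-4092-471d-9cda-9e379f459b1e",
                   "name": "Potential Memory Seeking Activity"}],
    }],
}

# Matches the message format shown in the issue and captures the connector id.
MISSING_ACTION_RE = re.compile(r"Failed to load action ([0-9a-f-]{36}) \(404\)")


def dangling_actions(rules, connectors):
    """Return {rule_id: [connector ids the rule references that no longer exist]}.

    Every rule listed here will fail upgrade/_perform with the 404 in the issue,
    so run this before a bulk upgrade rather than discovering it from the toast.
    """
    live = {c["id"] for c in connectors}
    report = {}
    for rule in rules:
        missing = [a["id"] for a in rule.get("actions", []) if a["id"] not in live]
        if missing:
            report[rule["rule_id"]] = missing
    return report


def parse_upgrade_errors(response):
    """Map each failed rule_id to the missing connector id named in its error.

    A partial bulk upgrade returns one errors[] entry per failure; errors that
    are not the deleted-connector 404 map to None so they are not dropped.
    """
    failed = {}
    for err in response.get("errors", []):
        match = MISSING_ACTION_RE.search(err.get("message", ""))
        connector_id = match.group(1) if match else None
        for rule in err.get("rules", []):
            failed[rule["rule_id"]] = connector_id
    return failed


def bulk_set_actions_body(rules, actions):
    """Build the _bulk_action body for the workaround ('Add Rule Actions' with
    'Overwrite all selected rules actions'). An empty list strips every action,
    dangling ones included; a list bound to a live connector replaces them.
    Assumption: _bulk_action addresses rules by saved-object id, not rule_id.
    """
    return {
        "action": "edit",
        "ids": [r["id"] for r in rules],
        "edit": [{"type": "set_rule_actions", "value": {"actions": actions}}],
    }


if __name__ == "__main__":
    broken = dangling_actions(RULES, CONNECTORS)
    print("rules referencing deleted connectors:", json.dumps(broken, indent=2))
    print("rules that failed upgrade:", parse_upgrade_errors(UPGRADE_RESPONSE))
    to_fix = [r for r in RULES if r["rule_id"] in broken]
    print(json.dumps(bulk_set_actions_body(to_fix, []), indent=2))
```

Against a live stack, feed `dangling_actions` the `actions` and `data` arrays from the two GET endpoints and post the returned body to `_bulk_action` before retrying the upgrade; the check is deliberately a pure function of the two lists so it can be run from a read-only account first.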
@elasticmachine (Contributor) commented:
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

@elasticmachine (Contributor) commented:
Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine (Contributor) commented:
Pinging @elastic/security-detections-response (Team:Detections and Resp)
