
[8.17] [Security Solution] Fixes exceptions list and actions being overwritten when using legacy prebuilt rule upgrade (#218519)#220999

Merged
dplumlee merged 3 commits intoelastic:8.17from
dplumlee:backport/8.17/pr-218519
May 20, 2025

Conversation

@dplumlee
Contributor

Backport

This will backport the following commits from main to 8.17:

Questions?

Please refer to the Backport tool documentation

…en when using legacy prebuilt rule upgrade (elastic#218519)

## Summary

Fixes elastic#218000

Fixes issues that caused the `exceptions_list` and `actions` fields to
get overwritten when the legacy prebuilt rule upgrade methods
(`api/detection_engine/rules/prepackaged`) were used.

### Testing

1. Install an outdated rules package
2. Install all rules from the package
3. Add actions and exceptions to the installed rules (actions can be added using bulk edit)
4. Install the latest available prebuilt rules package
5. Call the legacy API to upgrade installed rules to the latest versions: `/api/detection_engine/rules/prepackaged`
6. Observe all exceptions lists and actions are maintained through upgrade process

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
(cherry picked from commit 0eeb5ff)

# Conflicts:
#	x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/utils.test.ts
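The bug the commit describes, and the check in its testing steps, as an added example that is not Kibana's own code: a package upgrade that replaces the installed rule wholesale drops the user-managed `exceptions_list` and `actions` fields, whereas an upgrade that carries those two fields forward from the installed rule keeps them. The `Rule`, `RuleAction` and `ExceptionListRef` shapes and the sample rules are simplified assumptions for illustration; only the field names `exceptions_list` and `actions` come from the page.

```typescript
// Added example, not Kibana's code. Minimal rule shape (assumed, simplified).
interface RuleAction {
  id: string;
  action_type_id: string;
  group: string;
  params: Record<string, unknown>;
}

interface ExceptionListRef {
  id: string;
  list_id: string;
  type: string;
  namespace_type: 'single' | 'agnostic';
}

interface Rule {
  rule_id: string;
  version: number;
  name: string;
  query: string;
  actions: RuleAction[];          // user-managed: configured per installation
  exceptions_list: ExceptionListRef[]; // user-managed: attached per installation
}

// Naive upgrade: the package asset replaces the installed rule entirely.
// Package assets ship without actions or exception lists, so both are lost.
function upgradeNaive(installed: Rule, packaged: Rule): Rule {
  return { ...packaged };
}

// Preserving upgrade: package content wins for prebuilt-owned fields
// (name, query, version, ...), but actions and exceptions_list are copied
// from the installed rule so user configuration survives the upgrade.
function upgradePreservingUserFields(installed: Rule, packaged: Rule): Rule {
  return {
    ...packaged,
    actions: installed.actions,
    exceptions_list: installed.exceptions_list,
  };
}

// The check from the testing steps: are the user-managed fields intact?
// Compares by id so ordering differences do not count as a change.
function userFieldsPreserved(before: Rule, after: Rule): boolean {
  const ids = (xs: { id: string }[]) => xs.map((x) => x.id).sort().join(',');
  return (
    ids(before.actions) === ids(after.actions) &&
    ids(before.exceptions_list) === ids(after.exceptions_list)
  );
}

// Constructed sample data: an installed rule with one action and one
// exception list, and the newer package version of the same rule.
const installedRule: Rule = {
  rule_id: 'example-rule',
  version: 1,
  name: 'Example rule',
  query: 'process.name : "old.exe"',
  actions: [
    { id: 'action-1', action_type_id: '.slack', group: 'default', params: { message: 'alert' } },
  ],
  exceptions_list: [
    { id: 'exc-1', list_id: 'example-exceptions', type: 'rule_default', namespace_type: 'single' },
  ],
};

const packagedRule: Rule = {
  rule_id: 'example-rule',
  version: 2,
  name: 'Example rule',
  query: 'process.name : ("old.exe" or "new.exe")',
  actions: [],
  exceptions_list: [],
};

// Runs both upgrade strategies and reports whether user fields survived.
function demo(): { naivePreserved: boolean; safePreserved: boolean } {
  const naive = upgradeNaive(installedRule, packagedRule);
  const safe = upgradePreservingUserFields(installedRule, packagedRule);
  return {
    naivePreserved: userFieldsPreserved(installedRule, naive),
    safePreserved: userFieldsPreserved(installedRule, safe),
  };
}

console.log(demo());
```

The `userFieldsPreserved` check is the automated form of step 6 above: run it against every installed prebuilt rule before and after calling the upgrade endpoint, and any rule for which it returns `false` has lost its actions or exception lists.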
@elasticmachine
Contributor

⏳ Build in-progress, with failures

Failed CI Steps

Test Failures

  • [job] [logs] Detection Engine - Exceptions - Security Solution Cypress Tests #1 / Add exception using data views from rule details "before each" hook for "Creates an exception item and close all matching alerts" "before each" hook for "Creates an exception item and close all matching alerts"
  • [job] [logs] Detection Engine - Exceptions - Security Solution Cypress Tests #2 / Add/edit exception from rule details rule without existing exceptions Cannot create an item to add to rule but not shared list as rule has no lists attached Cannot create an item to add to rule but not shared list as rule has no lists attached
  • [job] [logs] Detection Engine - Exceptions - Security Solution Cypress Tests #1 / Close matching Alerts "before each" hook for "Should create a Rule exception item from alert actions overflow menu and close all matching alerts" "before each" hook for "Should create a Rule exception item from alert actions overflow menu and close all matching alerts"

History

@dplumlee dplumlee merged commit 39f15d3 into elastic:8.17 May 20, 2025
8 checks passed

Labels

backport This PR is a backport of another PR
