elastic · maximpn · Jul 3, 2025 · May 30, 2025
@@ -11,7 +11,6 @@ disabled:
   - x-pack/test/osquery_cypress/serverless_cli_config.ts
   - x-pack/test/security_solution_cypress/serverless_config.ts
 
-
   # Playwright
   - x-pack/test/security_solution_playwright/serverless_config.ts
 
@@ -67,22 +66,15 @@ disabled:
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_patch/basic_license_essentials_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_update/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_update/basic_license_essentials_tier/configs/serverless.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/bundled_prebuilt_rules_package/trial_license_complete_tier/configs/serverless.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/large_prebuilt_rules_package/trial_license_complete_tier/configs/serverless.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/management/trial_license_complete_tier/configs/serverless.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/update_prebuilt_rules_package/trial_license_complete_tier/configs/serverless.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/configs/serverless.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/diffable_rule_fields/common_fields/configs/serverless.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/diffable_rule_fields/type_specific_fields/configs/serverless.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/serverless_essentials_tier.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_disabled/configs/serverless_essentials_tier.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/upgrade_prebuilt_rules/diffable_rule_fields/common_fields/configs/serverless.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/upgrade_prebuilt_rules/diffable_rule_fields/type_specific_fields/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_bulk_actions/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_delete/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_delete/basic_license_essentials_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/basic_license_essentials_tier/configs/serverless.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_non_customized_prebuilt_rules/feature_enabled/configs/serverless_essentials_tier.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_customized_prebuilt_rules/feature_enabled/configs/serverless_complete_tier.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/export_prebuilt_rules/feature_enabled/configs/serverless_essentials_tier.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_management/basic_license_essentials_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_management/trial_license_complete_tier/configs/serverless.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_read/trial_license_complete_tier/configs/serverless.config.ts

@@ -55,23 +55,18 @@ enabled:
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_patch/basic_license_essentials_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_update/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_update/basic_license_essentials_tier/configs/ess.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/bundled_prebuilt_rules_package/trial_license_complete_tier/configs/ess.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/large_prebuilt_rules_package/trial_license_complete_tier/configs/ess.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/management/trial_license_complete_tier/configs/ess.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/update_prebuilt_rules_package/trial_license_complete_tier/configs/ess.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/configs/ess.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/diffable_rule_fields/common_fields/configs/ess.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_enabled/diffable_rule_fields/type_specific_fields/configs/ess.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/configs/ess_basic_license.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_disabled/configs/ess_basic_license.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/upgrade_prebuilt_rules/diffable_rule_fields/common_fields/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/upgrade_prebuilt_rules/diffable_rule_fields/type_specific_fields/configs/ess.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/prebuilt_rules_package/air_gapped/configs/ess_air_gapped_large_package.config.ts
+  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/customization_enabled/prebuilt_rules_package/air_gapped/configs/ess_air_gapped.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_bulk_actions/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_delete/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_delete/basic_license_essentials_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/basic_license_essentials_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_management/basic_license_essentials_tier/configs/ess.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_non_customized_prebuilt_rules/feature_enabled/configs/ess_basic_license.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/import_customized_prebuilt_rules/feature_enabled/configs/ess_enterprise_license.config.ts
-  - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_import_export/export_prebuilt_rules/feature_enabled/configs/ess_basic_license.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_management/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_read/trial_license_complete_tier/configs/ess.config.ts
   - x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/rule_read/basic_license_essentials_tier/configs/ess.config.ts

@@ -33,6 +33,7 @@ export const getPrebuiltRuleMock = (rewrites?: Partial<PrebuiltRuleAsset>): Preb
     version: 1,
     author: [],
     license: 'Elastic License v2',
+    index: ['index-1', 'index-2'],
     ...rewrites,
   });
 };

@@ -9,15 +9,15 @@ import { FtrConfigProviderContext } from '@kbn/test';
 
 export default async function ({ readConfigFile }: FtrConfigProviderContext) {
   const functionalConfig = await readConfigFile(
-    require.resolve('../../../../../../../config/ess/config.base.trial')
+    require.resolve('../../../../../../config/ess/config.base.basic')
   );
 
   const testConfig = {
     ...functionalConfig.getAll(),
     testFiles: [require.resolve('..')],
     junit: {
       reportName:
-        'Rules Management - Prebuilt Rule Export Integration Tests - Customization enabled - ESS Env',
+        'Rules Management - Prebuilt Rules (Customization Disabled) Integration Tests - ESS Env Basic License',
     },
   };
 

@@ -5,12 +5,12 @@
  * 2.0.
  */
 
-import { createTestConfig } from '../../../../../../../config/serverless/config.base.essentials';
+import { createTestConfig } from '../../../../../../config/serverless/config.base.essentials';
 
 export default createTestConfig({
   testFiles: [require.resolve('..')],
   junit: {
     reportName:
-      'Rules Management - Prebuilt Rule Export Integration Tests - Customization enabled - Serverless Env',
+      'Rules Management - Prebuilt Rules (Customization Disabled) Integration Tests - Serverless Env Essentials Tier',
   },
 });
@@ -29,7 +29,7 @@ export default ({ getService }: FtrProviderContext) => {
     rule_id: 'test-rule-id',
   });
 
-  describe('@ess @serverless @skipInServerlessMKI is_customized calculation with disabled customization', () => {
+  describe('@ess @serverless @skipInServerlessMKI Calculate "is_customized"', () => {
     beforeEach(async () => {
       await deleteAllRules(supertest, log);
       await deleteAllPrebuiltRuleAssets(es, log);

@@ -0,0 +1,165 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from 'expect';
+import {
+  BulkActionTypeEnum,
+  BulkActionEditTypeEnum,
+  BulkActionEditPayload,
+} from '@kbn/security-solution-plugin/common/api/detection_engine/rule_management';
+import { installMockPrebuiltRules } from '../../../../utils';
+import { FtrProviderContext } from '../../../../../../ftr_provider_context';
+
+export default ({ getService }: FtrProviderContext): void => {
+  const supertest = getService('supertest');
+  const es = getService('es');
+  const securitySolutionApi = getService('securitySolutionApi');
+
+  const fetchPrebuiltRule = async () => {
+    const {
+      body: {
+        data: [prebuiltRule],
+      },
+    } = await securitySolutionApi.findRules({
+      query: {
+        filter: 'alert.attributes.params.immutable: true',
+        per_page: 1,
+      },
+    });
+
+    return prebuiltRule;
+  };
+
+  describe('@ess @serverless @skipInServerless Customize via bulk editing', () => {
+    const bulkEditingCases = [
+      {
+        type: BulkActionEditTypeEnum.add_tags,
+        value: ['new-tag'],
+      },
+      {
+        type: BulkActionEditTypeEnum.set_tags,
+        value: ['new-tag'],
+      },
+      {
+        type: BulkActionEditTypeEnum.delete_tags,
+        value: ['new-tag'],
+      },
+      {
+        type: BulkActionEditTypeEnum.add_index_patterns,
+        value: ['test-*'],
+      },
+      {
+        type: BulkActionEditTypeEnum.set_index_patterns,
+        value: ['test-*'],
+      },
+      {
+        type: BulkActionEditTypeEnum.delete_index_patterns,
+        // We have to make sure rule has non empty index patterns after this action
+        // otherwise API returns 500 error
+        value: ['unknown-*'],
+      },
+      {
+        type: BulkActionEditTypeEnum.set_timeline,
+        value: { timeline_id: 'mock-id', timeline_title: 'mock-title' },
+      },
+      {
+        type: BulkActionEditTypeEnum.set_schedule,
+        value: { interval: '1m', lookback: '1m' },
+      },
+    ];
+
+    bulkEditingCases.forEach(({ type, value }) => {
+      it(`returns an error after applying "${type}" bulk edit action to prebuilt rules`, async () => {
+        await installMockPrebuiltRules(supertest, es);
+
+        const prebuiltRule = await fetchPrebuiltRule();
+
+        await securitySolutionApi
+          .performRulesBulkAction({
+            query: {},
+            body: {
+              ids: [prebuiltRule.id],
+              action: BulkActionTypeEnum.edit,
+              [BulkActionTypeEnum.edit]: [
+                {
+                  type,
+                  value,
+                } as BulkActionEditPayload,
+              ],
+            },
+          })
+          .expect(500);
+      });
+    });
+
+    // if rule action is applied together with another edit action, that can't be applied to prebuilt rule (for example: tags action)
+    // bulk edit request should return error
+    it(`returns an error if one of edit action is not eligible for prebuilt rule`, async () => {
+      const webHookAction = {
+        // Higher license level is required for creating connectors
+        // Using the pre-configured connector for testing
+        id: 'my-test-email',
+        group: 'default',
+        params: {
+          body: '{"test":"action to be saved in a rule"}',
+        },
+      };
+
+      await installMockPrebuiltRules(supertest, es);
+      const prebuiltRule = await fetchPrebuiltRule();
+
+      const { body } = await securitySolutionApi
+        .performRulesBulkAction({
+          query: {},
+          body: {
+            ids: [prebuiltRule.id],
+            action: BulkActionTypeEnum.edit,
+            [BulkActionTypeEnum.edit]: [
+              {
+                type: BulkActionEditTypeEnum.set_rule_actions,
+                value: {
+                  throttle: '1h',
+                  actions: [webHookAction],
+                },
+              },
+              {
+                type: BulkActionEditTypeEnum.set_tags,
+                value: ['tag-1'],
+              },
+            ],
+          },
+        })
+        .expect(500);
+
+      expect(body.attributes.summary).toEqual({
+        failed: 1,
+        skipped: 0,
+        succeeded: 0,
+        total: 1,
+      });
+      expect(body.attributes.errors[0]).toEqual({
+        message: "Elastic rule can't be edited",
+        status_code: 500,
+        rules: [
+          {
+            id: prebuiltRule.id,
+            name: prebuiltRule.name,
+          },
+        ],
+      });
+
+      // Check that the updates were not made
+      const { body: readRule } = await securitySolutionApi
+        .readRule({ query: { rule_id: prebuiltRule.rule_id } })
+        .expect(200);
+
+      expect(readRule.actions).toEqual(prebuiltRule.actions);
+      expect(readRule.tags).toEqual(prebuiltRule.tags);
+      expect(readRule.version).toBe(prebuiltRule.version);
+    });
+  });
+};
@@ -8,7 +8,6 @@
 import { FtrProviderContext } from '../../../../../../ftr_provider_context';
 
 export default ({ loadTestFile }: FtrProviderContext): void => {
-  describe('Rules Management - Prebuilt Rules - Update Prebuilt Rules Package', function () {
-    loadTestFile(require.resolve('./update_prebuilt_rules_package'));
-  });
+  loadTestFile(require.resolve('./calculate_is_customized'));
+  loadTestFile(require.resolve('./customize_via_bulk_editing'));
 };