[Security Solution] Remove the customization check when importing rules (#214577)

2025-04-24 09:48:58 -04:00 · 2025-03-14 20:14:32 +01:00 · 2025-03-14 20:14:32 +01:00 · 67d6707715
commit 67d6707715
parent 424d8eea26
4 changed files with 7 additions and 99 deletions
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/import_rules.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/methods/import_rules.ts
@ -39,8 +39,6 @@ export const importRules = async ({
  rules: RuleToImport[];
  savedObjectsClient: SavedObjectsClientContract;
 }): Promise<Array<RuleResponse | RuleImportErrorObject>> => {
-  const ruleCustomizationStatus = detectionRulesClient.getRuleCustomizationStatus();
-
  const existingLists = await getReferencedExceptionLists({
    rules,
    savedObjectsClient,
@ -70,29 +68,13 @@ export const importRules = async ({
          });
        }

-        const { immutable, ruleSource } = ruleSourceImporter.calculateRuleSource(rule);
-        const isCustomized = (ruleSource.type === 'external' && ruleSource.is_customized) ?? false;
-
-        if (isCustomized && !ruleCustomizationStatus.isRulesCustomizationEnabled) {
-          return createRuleImportErrorObject({
-            message: i18n.translate(
-              'xpack.securitySolution.detectionEngine.rules.licenseInsufficientToImportCustomizedPrebuiltRule',
-              {
-                defaultMessage:
-                  'Importing prebuilt rules is not supported if the they were modified. Upgrade your license to import modified prebuilt rules [rule_id: {ruleId}].',
-                values: { ruleId: rule.rule_id },
-              }
-            ),
-            ruleId: rule.rule_id,
-          });
-        }
-
        const [exceptionErrors, exceptions] = checkRuleExceptionReferences({
          rule,
          existingLists,
        });
        errors.push(...exceptionErrors);

+        const { immutable, ruleSource } = ruleSourceImporter.calculateRuleSource(rule);
        const importedRule = await detectionRulesClient.importRule({
          ruleToImport: {
            ...rule,
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/index.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/index.ts
@ -12,7 +12,6 @@ export default ({ loadTestFile }: FtrProviderContext): void => {
    this.tags('skipFIPS');
    loadTestFile(require.resolve('./is_customized_calculation'));
    loadTestFile(require.resolve('./upgrade_perform_prebuilt_rules'));
-    loadTestFile(require.resolve('./rules_import/not_allowed_importing_customized_prebuilt_rules'));
    loadTestFile(require.resolve('./rules_export/export_prebuilt_rules'));
  });
 };
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/is_customized_calculation.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/is_customized_calculation.ts
@ -61,30 +61,23 @@ export default ({ getService }: FtrProviderContext) => {
      );

      const { body } = await securitySolutionApi
-        .importRules({ query: {} })
+        .importRules({ query: { overwrite: true } })
        .attach('file', ruleBuffer, 'rules.ndjson')
        .expect('Content-Type', 'application/json; charset=utf-8')
        .expect(200);

      expect(body).toMatchObject({
        rules_count: 1,
-        success: false,
-        success_count: 0,
-        errors: [
-          {
-            error: {
-              message: expect.stringContaining('Importing prebuilt rules is not supported'),
-            },
-            rule_id: 'test-rule-id',
-          },
-        ],
+        success: true,
+        success_count: 1,
+        errors: [],
      });

-      // Check that the rule has not been customized
+      // Check that the imported rule is customized
      const { body: importedRule } = await securitySolutionApi.readRule({
        query: { rule_id: prebuiltRule.rule_id },
      });
-      expect(importedRule.rule_source.is_customized).toEqual(false);
+      expect(importedRule.rule_source.is_customized).toEqual(true);
    });

    it('should not allow rule customization on bulk edit', async () => {
--- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/rules_import/not_allowed_importing_customized_prebuilt_rules.ts
+++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/prebuilt_rule_customization/customization_disabled/rules_import/not_allowed_importing_customized_prebuilt_rules.ts
@ -1,66 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import expect from 'expect';
-import { FtrProviderContext } from '../../../../../../../ftr_provider_context';
-import { deleteAllPrebuiltRuleAssets, getCustomQueryRuleParams } from '../../../../../utils';
-import { deleteAllRules } from '../../../../../../../../common/utils/security_solution';
-import { combineToNdJson } from '../../../../../utils/combine_to_ndjson';
-import {
-  createPrebuiltRuleAssetSavedObjects,
-  createRuleAssetSavedObject,
-} from '../../../../../utils';
-
-export default ({ getService }: FtrProviderContext): void => {
-  const es = getService('es');
-  const securitySolutionApi = getService('securitySolutionApi');
-  const supertest = getService('supertest');
-  const log = getService('log');
-
-  describe('@ess @serverless @skipInServerlessMKI Prebuilt rule import', function () {
-    this.tags(['skipFIPS']);
-    beforeEach(async () => {
-      await deleteAllRules(supertest, log);
-      await deleteAllPrebuiltRuleAssets(es, log);
-    });
-
-    it(`does NOT import customized prebuilt rules`, async () => {
-      const ruleId = 'prebuilt-rule-to-be-customized';
-      const ruleParams = getCustomQueryRuleParams({
-        rule_id: ruleId,
-        // @ts-expect-error the API supports this param, but we only need it in {@link RuleToImport}
-        immutable: true,
-        rule_source: { type: 'external', is_customized: false },
-        version: 1,
-      });
-      const ruleAsset = createRuleAssetSavedObject(ruleParams);
-
-      await createPrebuiltRuleAssetSavedObjects(es, [ruleAsset]);
-
-      // Customizing the rule before importing
-      const ndjson = combineToNdJson({ ...ruleParams, name: 'My customized rule' });
-
-      const { body } = await securitySolutionApi
-        .importRules({ query: {} })
-        .attach('file', Buffer.from(ndjson), 'rules.ndjson')
-        .expect(200);
-
-      expect(body).toMatchObject({
-        success: false,
-        errors: [
-          {
-            rule_id: 'prebuilt-rule-to-be-customized',
-            error: {
-              status_code: 400,
-              message: expect.stringContaining('rule_id: prebuilt-rule-to-be-customized]'),
-            },
-          },
-        ],
-      });
-    });
-  });
-};