[8.9] [Security Solution] Set immutable param to true when updating prebuilt rules (#161331) (#161455)

# Backport

This will backport the following commits from `main` to `8.9`:
- [[Security Solution] Set immutable param to true when updating
prebuilt rules (#161331)](https://github.com/elastic/kibana/pull/161331)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Juan Pablo
Djeredjian","email":"jpdjeredjian@gmail.com"},"sourceCommit":{"committedDate":"2023-07-07T12:06:28Z","message":"[Security
Solution] Set immutable param to true when updating prebuilt rules
(#161331)\n\nFixes:
https://github.com/elastic/kibana/issues/161305\r\n\r\n##
Summary\r\n\r\n- Passes a new `immutable` params to the `upgradeRule`
method that is\r\nused when upgrading rules.\r\n- Looks like we had a
longstanding bug here in which rule updates of\r\nrule types that
changed the type of the rule were overwriting the\r\n`immutable` prop to
`false`. (Actually, those rules were deleted and\r\nrecreated with
`immutable: false`)\r\n- This was causing the `fetchAllInstalledRules`
method of our\r\n`ruleObjectsClient` NOT to retrieve these rules when
they were already\r\ninstalled.\r\n- Since our installation `_review`
and `_perform` endpoint depends on\r\nthis client, these rules that had
had their types updated were being\r\nincorrectly listed as available
for installation.\r\n\r\n## Testing\r\n\r\nRepeat testing steps laid out
in:\r\nhttps://github.com/elastic/kibana/issues/161305\r\n\r\nRules
shouldn't be duplicated.\r\n\r\n\r\n### For maintainers\r\n\r\n- [ ]
This was checked for breaking API changes and was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"61fa0f543e84c8e89b0351a82652123d0895a818","branchLabelMapping":{"^v8.10.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","blocker","release_note:skip","impact:critical","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","v8.9.0","v8.10.0"],"number":161331,"url":"https://github.com/elastic/kibana/pull/161331","mergeCommit":{"message":"[Security
Solution] Set immutable param to true when updating prebuilt rules
(#161331)\n\nFixes:
https://github.com/elastic/kibana/issues/161305\r\n\r\n##
Summary\r\n\r\n- Passes a new `immutable` params to the `upgradeRule`
method that is\r\nused when upgrading rules.\r\n- Looks like we had a
longstanding bug here in which rule updates of\r\nrule types that
changed the type of the rule were overwriting the\r\n`immutable` prop to
`false`. (Actually, those rules were deleted and\r\nrecreated with
`immutable: false`)\r\n- This was causing the `fetchAllInstalledRules`
method of our\r\n`ruleObjectsClient` NOT to retrieve these rules when
they were already\r\ninstalled.\r\n- Since our installation `_review`
and `_perform` endpoint depends on\r\nthis client, these rules that had
had their types updated were being\r\nincorrectly listed as available
for installation.\r\n\r\n## Testing\r\n\r\nRepeat testing steps laid out
in:\r\nhttps://github.com/elastic/kibana/issues/161305\r\n\r\nRules
shouldn't be duplicated.\r\n\r\n\r\n### For maintainers\r\n\r\n- [ ]
This was checked for breaking API changes and was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"61fa0f543e84c8e89b0351a82652123d0895a818"}},"sourceBranch":"main","suggestedTargetBranches":["8.9"],"targetPullRequestStates":[{"branch":"8.9","label":"v8.9.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.10.0","labelRegex":"^v8.10.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/161331","number":161331,"mergeCommit":{"message":"[Security
Solution] Set immutable param to true when updating prebuilt rules
(#161331)\n\nFixes:
https://github.com/elastic/kibana/issues/161305\r\n\r\n##
Summary\r\n\r\n- Passes a new `immutable` params to the `upgradeRule`
method that is\r\nused when upgrading rules.\r\n- Looks like we had a
longstanding bug here in which rule updates of\r\nrule types that
changed the type of the rule were overwriting the\r\n`immutable` prop to
`false`. (Actually, those rules were deleted and\r\nrecreated with
`immutable: false`)\r\n- This was causing the `fetchAllInstalledRules`
method of our\r\n`ruleObjectsClient` NOT to retrieve these rules when
they were already\r\ninstalled.\r\n- Since our installation `_review`
and `_perform` endpoint depends on\r\nthis client, these rules that had
had their types updated were being\r\nincorrectly listed as available
for installation.\r\n\r\n## Testing\r\n\r\nRepeat testing steps laid out
in:\r\nhttps://github.com/elastic/kibana/issues/161305\r\n\r\nRules
shouldn't be duplicated.\r\n\r\n\r\n### For maintainers\r\n\r\n- [ ]
This was checked for breaking API changes and was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"61fa0f543e84c8e89b0351a82652123d0895a818"}}]}]
BACKPORT-->

Co-authored-by: Juan Pablo Djeredjian <jpdjeredjian@gmail.com>

x-pack/plugins/security_solution/cypress/e2e/detection_rules/export_rule.cy.ts

@@ -27,18 +27,32 @@ import {
 import { createExceptionList, deleteExceptionList } from '../../tasks/api_calls/exceptions';
 import { getExceptionList } from '../../objects/exception';
 import { createRule } from '../../tasks/api_calls/rules';
-import { cleanKibana, resetRulesTableState, deleteAlertsAndRules } from '../../tasks/common';
+import {
+  cleanKibana,
+  resetRulesTableState,
+  deleteAlertsAndRules,
+  reload,
+} from '../../tasks/common';
 import { login, visitWithoutDateRange } from '../../tasks/login';
 
 import { DETECTIONS_RULE_MANAGEMENT_URL } from '../../urls/navigation';
 import {
-  excessivelyInstallAllPrebuiltRules,
+  createAndInstallMockedPrebuiltRules,
   getAvailablePrebuiltRulesCount,
+  preventPrebuiltRulesPackageInstallation,
 } from '../../tasks/api_calls/prebuilt_rules';
+import { createRuleAssetSavedObject } from '../../helpers/rules';
 
 const EXPORTED_RULES_FILENAME = 'rules_export.ndjson';
 const exceptionList = getExceptionList();
 
+const prebuiltRules = Array.from(Array(7)).map((_, i) => {
+  return createRuleAssetSavedObject({
+    name: `Test rule ${i + 1}`,
+    rule_id: `rule_${i + 1}`,
+  });
+});
+
 describe('Export rules', () => {
   const downloadsFolder = Cypress.config('downloadsFolder');
 
@@ -53,6 +67,8 @@ describe('Export rules', () => {
     deleteAlertsAndRules();
     // Rules get exported via _bulk_action endpoint
     cy.intercept('POST', '/api/detection_engine/rules/_bulk_action').as('bulk_action');
+    // Prevent installation of whole prebuilt rules package, use mock prebuilt rules instead
+    preventPrebuiltRulesPackageInstallation();
     visitWithoutDateRange(DETECTIONS_RULE_MANAGEMENT_URL);
     createRule(getNewRule({ name: 'Rule to export' })).as('ruleResponse');
   });
@@ -83,23 +99,21 @@ describe('Export rules', () => {
   });
 
   it('shows a modal saying that no rules can be exported if all the selected rules are prebuilt', function () {
-    const expectedElasticRulesCount = 7;
-
-    excessivelyInstallAllPrebuiltRules();
+    createAndInstallMockedPrebuiltRules({ rules: prebuiltRules });
 
     filterByElasticRules();
-    selectNumberOfRules(expectedElasticRulesCount);
+    selectNumberOfRules(prebuiltRules.length);
     bulkExportRules();
 
     cy.get(MODAL_CONFIRMATION_BODY).contains(
-      `${expectedElasticRulesCount} prebuilt Elastic rules (exporting prebuilt rules is not supported)`
+      `${prebuiltRules.length} prebuilt Elastic rules (exporting prebuilt rules is not supported)`
     );
   });
 
   it('exports only custom rules', function () {
     const expectedNumberCustomRulesToBeExported = 1;
 
-    excessivelyInstallAllPrebuiltRules();
+    createAndInstallMockedPrebuiltRules({ rules: prebuiltRules });
 
     selectAllRules();
     bulkExportRules();
@@ -151,8 +165,8 @@ describe('Export rules', () => {
       // one rule with exception, one without it
       const expectedNumberCustomRulesToBeExported = 2;
 
-      excessivelyInstallAllPrebuiltRules();
-
+      createAndInstallMockedPrebuiltRules({ rules: prebuiltRules });
+      reload();
       selectAllRules();
       bulkExportRules();
 

x-pack/plugins/security_solution/cypress/e2e/detection_rules/rules_selection.cy.ts

@@ -16,7 +16,6 @@ import {
   waitForPrebuiltDetectionRulesToBeLoaded,
 } from '../../tasks/alerts_detection_rules';
 import {
-  excessivelyInstallAllPrebuiltRules,
   getAvailablePrebuiltRulesCount,
   createAndInstallMockedPrebuiltRules,
 } from '../../tasks/api_calls/prebuilt_rules';
@@ -47,7 +46,6 @@ describe('Rules selection', () => {
   });
 
   it('should correctly update the selection label when rules are individually selected and unselected', () => {
-    excessivelyInstallAllPrebuiltRules();
     waitForPrebuiltDetectionRulesToBeLoaded();
 
     selectNumberOfRules(2);
@@ -60,7 +58,6 @@ describe('Rules selection', () => {
   });
 
   it('should correctly update the selection label when rules are bulk selected and then bulk un-selected', () => {
-    excessivelyInstallAllPrebuiltRules();
     waitForPrebuiltDetectionRulesToBeLoaded();
 
     cy.get(SELECT_ALL_RULES_BTN).click();
@@ -81,7 +78,6 @@ describe('Rules selection', () => {
   });
 
   it('should correctly update the selection label when rules are bulk selected and then unselected via the table select all checkbox', () => {
-    excessivelyInstallAllPrebuiltRules();
     waitForPrebuiltDetectionRulesToBeLoaded();
 
     cy.get(SELECT_ALL_RULES_BTN).click();

x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/logic/rule_objects/upgrade_prebuilt_rules.ts

@@ -71,6 +71,7 @@ const upgradeRule = async (
 
     return createRules({
       rulesClient,
+      immutable: true,
       params: {
         ...rule,
         // Force the prepackaged rule to use the enabled state from the existing rule,