[8.16] [Security Solution] Fix `DataSource` payload creation during rule upgrade with `MERGED` pick_version (#197262) (#197466)

# Backport

This will backport the following commits from `main` to `8.16`:
- [[Security Solution] Fix `DataSource` payload creation
during rule upgrade with `MERGED` pick_version
(#197262)](https://github.com/elastic/kibana/pull/197262)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Juan Pablo
Djeredjian","email":"jpdjeredjian@gmail.com"},"sourceCommit":{"committedDate":"2024-10-23T14:44:13Z","message":"[Security
Solution] Fix `DataSource` payload creation during rule upgrade with
`MERGED` pick_version (#197262)\n\n## Summary\r\n\r\nThe PR
https://github.com/elastic/kibana/pull/191439 enhanced
the\r\n`/upgrade/_perform` API contract and functionality to allow the
users of\r\nthe endpoint to upgrade rules to their `MERGED`
version.\r\n\r\nHowever, a bug slipped in, where the two different types
of `DataSource`\r\n(`type: index_patterns` or `type: data_view_id`)
weren't properly\r\nhandled and would cause, in some cases, a rule
payload to be created\r\nhaving both an `index` and `data_view` field,
causing upgrade to fail.\r\n\r\nThis PR fixes the issue by handling
these two field in a specific way,\r\nchecking what the `DataSource`
diffable field's type is, and setting the\r\nother field to
`undefined`.\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are
not applicable to this PR.\r\n\r\n- [ ] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [ ] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\n\r\n\r\n\r\n### For
maintainers\r\n\r\n- [ ] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels)\r\n-
[ ] This will appear in the **Release Notes** and follow
the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"9656621fcc8f6f9a615b0a27d45db9722e047a10","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","v8.16.0","backport:version","v8.17.0"],"title":"[Security
Solution] Fix `DataSource` payload creation during rule upgrade with
`MERGED`
pick_version","number":197262,"url":"https://github.com/elastic/kibana/pull/197262","mergeCommit":{"message":"[Security
Solution] Fix `DataSource` payload creation during rule upgrade with
`MERGED` pick_version (#197262)\n\n## Summary\r\n\r\nThe PR
https://github.com/elastic/kibana/pull/191439 enhanced
the\r\n`/upgrade/_perform` API contract and functionality to allow the
users of\r\nthe endpoint to upgrade rules to their `MERGED`
version.\r\n\r\nHowever, a bug slipped in, where the two different types
of `DataSource`\r\n(`type: index_patterns` or `type: data_view_id`)
weren't properly\r\nhandled and would cause, in some cases, a rule
payload to be created\r\nhaving both an `index` and `data_view` field,
causing upgrade to fail.\r\n\r\nThis PR fixes the issue by handling
these two field in a specific way,\r\nchecking what the `DataSource`
diffable field's type is, and setting the\r\nother field to
`undefined`.\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are
not applicable to this PR.\r\n\r\n- [ ] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [ ] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\n\r\n\r\n\r\n### For
maintainers\r\n\r\n- [ ] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels)\r\n-
[ ] This will appear in the **Release Notes** and follow
the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"9656621fcc8f6f9a615b0a27d45db9722e047a10"}},"sourceBranch":"main","suggestedTargetBranches":["8.16","8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/197262","number":197262,"mergeCommit":{"message":"[Security
Solution] Fix `DataSource` payload creation during rule upgrade with
`MERGED` pick_version (#197262)\n\n## Summary\r\n\r\nThe PR
https://github.com/elastic/kibana/pull/191439 enhanced
the\r\n`/upgrade/_perform` API contract and functionality to allow the
users of\r\nthe endpoint to upgrade rules to their `MERGED`
version.\r\n\r\nHowever, a bug slipped in, where the two different types
of `DataSource`\r\n(`type: index_patterns` or `type: data_view_id`)
weren't properly\r\nhandled and would cause, in some cases, a rule
payload to be created\r\nhaving both an `index` and `data_view` field,
causing upgrade to fail.\r\n\r\nThis PR fixes the issue by handling
these two field in a specific way,\r\nchecking what the `DataSource`
diffable field's type is, and setting the\r\nother field to
`undefined`.\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are
not applicable to this PR.\r\n\r\n- [ ] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [ ] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests changed\r\n\r\n\r\n\r\n### For
maintainers\r\n\r\n- [ ] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels)\r\n-
[ ] This will appear in the **Release Notes** and follow
the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"9656621fcc8f6f9a615b0a27d45db9722e047a10"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.x","label":"v8.17.0","branchLabelMappingKey":"^v8.17.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Juan Pablo Djeredjian <jpdjeredjian@gmail.com>

x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts

@@ -7,6 +7,8 @@
 import { get } from 'lodash';
 import type {
   RuleSchedule,
+  DataSourceIndexPatterns,
+  DataSourceDataView,
   InlineKqlQuery,
   ThreeWayDiff,
   DiffableRuleTypes,
@@ -195,6 +197,10 @@ export const transformDiffableFieldValues = (
   } else if (fieldName === 'saved_id' && isInlineQuery(diffableFieldValue)) {
     // saved_id should be set only for rules with SavedKqlQuery, undefined otherwise
     return { type: 'TRANSFORMED_FIELD', value: undefined };
+  } else if (fieldName === 'data_view_id' && isDataSourceIndexPatterns(diffableFieldValue)) {
+    return { type: 'TRANSFORMED_FIELD', value: undefined };
+  } else if (fieldName === 'index' && isDataSourceDataView(diffableFieldValue)) {
+    return { type: 'TRANSFORMED_FIELD', value: undefined };
   }
 
   return { type: 'NON_TRANSFORMED_FIELD' };
@@ -209,3 +215,18 @@ function isInlineQuery(value: unknown): value is InlineKqlQuery {
     typeof value === 'object' && value !== null && 'type' in value && value.type === 'inline_query'
   );
 }
+
+function isDataSourceIndexPatterns(value: unknown): value is DataSourceIndexPatterns {
+  return (
+    typeof value === 'object' &&
+    value !== null &&
+    'type' in value &&
+    value.type === 'index_patterns'
+  );
+}
+
+function isDataSourceDataView(value: unknown): value is DataSourceDataView {
+  return (
+    typeof value === 'object' && value !== null && 'type' in value && value.type === 'data_view'
+  );
+}

x-pack/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/management/trial_license_complete_tier/upgrade_perform_prebuilt_rules.all_rules_mode.ts

@@ -17,6 +17,9 @@ import {
   ThreatMatchRule,
   FIELDS_TO_UPGRADE_TO_CURRENT_VERSION,
   ModeEnum,
+  AllFieldsDiff,
+  DataSourceIndexPatterns,
+  QueryRule,
 } from '@kbn/security-solution-plugin/common/api/detection_engine';
 import { PrebuiltRuleAsset } from '@kbn/security-solution-plugin/server/lib/detection_engine/prebuilt_rules';
 import { FtrProviderContext } from '../../../../../../ftr_provider_context';
@@ -246,6 +249,41 @@ export default ({ getService }: FtrProviderContext): void => {
           expect(installedRule.tags).toEqual(reviewRuleResponseMap.get(ruleId)?.tags);
         }
       });
+
+      it('correctly upgrades rules with DataSource diffs to their MERGED versions', async () => {
+        await createHistoricalPrebuiltRuleAssetSavedObjects(es, [queryRule]);
+        await installPrebuiltRules(es, supertest);
+
+        const targetObject = cloneDeep(queryRule);
+        targetObject['security-rule'].version += 1;
+        targetObject['security-rule'].name = TARGET_NAME;
+        targetObject['security-rule'].tags = TARGET_TAGS;
+        targetObject['security-rule'].index = ['auditbeat-*'];
+        await createHistoricalPrebuiltRuleAssetSavedObjects(es, [targetObject]);
+
+        const reviewResponse = await reviewPrebuiltRulesToUpgrade(supertest);
+        const ruleDiffFields = reviewResponse.rules[0].diff.fields as AllFieldsDiff;
+
+        const performUpgradeResponse = await performUpgradePrebuiltRules(es, supertest, {
+          mode: ModeEnum.ALL_RULES,
+          pick_version: 'MERGED',
+        });
+
+        expect(performUpgradeResponse.summary.succeeded).toEqual(1);
+
+        const installedRules = await getInstalledRules(supertest);
+        const installedRule = installedRules.data[0] as QueryRule;
+
+        expect(installedRule.name).toEqual(ruleDiffFields.name.merged_version);
+        expect(installedRule.tags).toEqual(ruleDiffFields.tags.merged_version);
+
+        // Check that the updated rules has an `index` field which equals the output of the diff algorithm
+        // for the DataSource diffable field, and that the data_view_id is correspondingly set to undefined.
+        expect(installedRule.index).toEqual(
+          (ruleDiffFields.data_source.merged_version as DataSourceIndexPatterns).index_patterns
+        );
+        expect(installedRule.data_view_id).toBe(undefined);
+      });
     });
 
     describe('edge cases and unhappy paths', () => {