[8.x] [Security Solution] Fix inconsistent rule's modified status after applying bulk actions (#214115) (#214152)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Fix inconsistent rule's modified status after
applying bulk actions
(#214115)](https://github.com/elastic/kibana/pull/214115)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Maxim
Palenov","email":"maxim.palenov@elastic.co"},"sourceCommit":{"committedDate":"2025-03-12T13:10:38Z","message":"[Security
Solution] Fix inconsistent rule's modified status after applying bulk
actions (#214115)\n\n## Summary\n\nFixes a problem [`Bulk adding tags to
rules marks some rules as customized and doesn't mark other rules as
customized. It looks like it depends on the existence of the base
version.`](https://github.com/elastic/kibana/pull/212761#pullrequestreview-2675994950)
discovered while smoke testing after enabling Prebuilt Rules
Customization FF.\n\n## Details\n\nThe problems manifests as some rules
have `Modified` badge missing after modifying tags via bulk
actions.\n\nThe root cause is that current bulk actions implementation
expects unmodified rule's data in `paramsModifier()` callback. But
Alerting Framework's Rules Client invokes `paramsModifier()` providing
already modified rule. Alerting Framework managed fields like
`rule.tags` have modified values.\n\nThe fix makes sure rule
customizartion state is calculated by using unmodified rule data.\n\n##
Screenshots\n\nBefore:\n\nd18d8765-4f40-4513-95a1-2cd84ac2a0a9","sha":"6b87869dc07a531f62523d1e3c1c81bf269d25ae","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","impact:high","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"[Security
Solution] Fix inconsistent rule's modified status after applying bulk
actions","number":214115,"url":"https://github.com/elastic/kibana/pull/214115","mergeCommit":{"message":"[Security
Solution] Fix inconsistent rule's modified status after applying bulk
actions (#214115)\n\n## Summary\n\nFixes a problem [`Bulk adding tags to
rules marks some rules as customized and doesn't mark other rules as
customized. It looks like it depends on the existence of the base
version.`](https://github.com/elastic/kibana/pull/212761#pullrequestreview-2675994950)
discovered while smoke testing after enabling Prebuilt Rules
Customization FF.\n\n## Details\n\nThe problems manifests as some rules
have `Modified` badge missing after modifying tags via bulk
actions.\n\nThe root cause is that current bulk actions implementation
expects unmodified rule's data in `paramsModifier()` callback. But
Alerting Framework's Rules Client invokes `paramsModifier()` providing
already modified rule. Alerting Framework managed fields like
`rule.tags` have modified values.\n\nThe fix makes sure rule
customizartion state is calculated by using unmodified rule data.\n\n##
Screenshots\n\nBefore:\n\nd18d8765-4f40-4513-95a1-2cd84ac2a0a9","sha":"6b87869dc07a531f62523d1e3c1c81bf269d25ae"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/214115","number":214115,"mergeCommit":{"message":"[Security
Solution] Fix inconsistent rule's modified status after applying bulk
actions (#214115)\n\n## Summary\n\nFixes a problem [`Bulk adding tags to
rules marks some rules as customized and doesn't mark other rules as
customized. It looks like it depends on the existence of the base
version.`](https://github.com/elastic/kibana/pull/212761#pullrequestreview-2675994950)
discovered while smoke testing after enabling Prebuilt Rules
Customization FF.\n\n## Details\n\nThe problems manifests as some rules
have `Modified` badge missing after modifying tags via bulk
actions.\n\nThe root cause is that current bulk actions implementation
expects unmodified rule's data in `paramsModifier()` callback. But
Alerting Framework's Rules Client invokes `paramsModifier()` providing
already modified rule. Alerting Framework managed fields like
`rule.tags` have modified values.\n\nThe fix makes sure rule
customizartion state is calculated by using unmodified rule data.\n\n##
Screenshots\n\nBefore:\n\nd18d8765-4f40-4513-95a1-2cd84ac2a0a9","sha":"6b87869dc07a531f62523d1e3c1c81bf269d25ae"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>

x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_management_ui/components/rules_table/use_columns.tsx

@@ -229,7 +229,7 @@ const INTEGRATIONS_COLUMN: TableColumn = {
 
     return <IntegrationsPopover relatedIntegrations={integrations} />;
   },
-  width: '143px',
+  width: '70px',
   truncateText: true,
 };
 
@@ -258,7 +258,7 @@ const MODIFIED_COLUMN: TableColumn = {
       </EuiToolTip>
     );
   },
-  width: '70px',
+  width: '90px',
   truncateText: true,
 };
 

x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/logic/bulk_actions/bulk_edit_rules.ts

@@ -22,6 +22,7 @@ import { ruleParamsModifier } from './rule_params_modifier';
 import { splitBulkEditActions } from './split_bulk_edit_actions';
 import { validateBulkEditRule } from './validations';
 import type { PrebuiltRulesCustomizationStatus } from '../../../../../../common/detection_engine/prebuilt_rules/prebuilt_rule_customization_status';
+import { invariant } from '../../../../../../common/utils/invariant';
 
 export interface BulkEditRulesArguments {
   actionsClient: ActionsClient;
@@ -66,12 +67,15 @@ export const bulkEditRules = async ({
   const baseVersionsMap = new Map(
     baseVersions.map((baseVersion) => [baseVersion.rule_id, baseVersion])
   );
+  const currentRulesMap = new Map(rules.map((rule) => [rule.id, rule]));
 
   const result = await rulesClient.bulkEdit<RuleParams>({
-    ids: rules.map((rule) => rule.id),
+    ids: Array.from(currentRulesMap.keys()),
     operations,
-    paramsModifier: async (currentRule) => {
-      const ruleParams = currentRule.params;
+    // Rules Client applies operations to rules client aware fields like tags
+    // the rule before passing it to paramsModifier().
+    paramsModifier: async (partiallyModifiedRule) => {
+      const ruleParams = partiallyModifiedRule.params;
 
       await validateBulkEditRule({
         mlAuthz,
@@ -80,13 +84,18 @@ export const bulkEditRules = async ({
         immutable: ruleParams.immutable,
         ruleCustomizationStatus,
       });
+
+      const currentRule = currentRulesMap.get(partiallyModifiedRule.id);
+
+      invariant(currentRule, "Unable to extract rule's current data in paramsModifier");
+
       const { modifiedParams, isParamsUpdateSkipped } = ruleParamsModifier(
         ruleParams,
         paramsActions
       );
 
       const nextRule = convertAlertingRuleToRuleResponse({
-        ...currentRule,
+        ...partiallyModifiedRule,
         params: modifiedParams,
       });