[Security Solution][Detections] fixes rules bulk delete when rule has data view id (#137585) (#138380)

## Summary - fixes https://github.com/elastic/kibana/issues/136006 - in this PR, bulk delete index will only be applied to rule, if index pattern exists - small code cleanup around dataViewId and index patterns actions - adds unit/functional tests ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit b93d4fb04b) Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
2025-04-23 09:19:04 -04:00 · 2022-08-09 09:05:07 -04:00 · 2022-08-09 09:05:07 -04:00 · e614c89437
commit e614c89437
parent cf43c0ac11
3 changed files with 88 additions and 4 deletions
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/bulk_actions/rule_params_modifier.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/bulk_actions/rule_params_modifier.test.ts
@ -73,7 +73,22 @@ describe('ruleParamsModifier', () => {
      expect(editedRuleParams).toHaveProperty('index', ['initial-index-*']);
    });

-    test('should rewrite index  pattern in rule', () => {
+    test('should return undefined index patterns on remove action if rule has dataViewId only', () => {
+      const testDataViewId = 'test-data-view-id';
+      const editedRuleParams = ruleParamsModifier(
+        { dataViewId: testDataViewId } as RuleAlertType['params'],
+        [
+          {
+            type: BulkActionEditType.delete_index_patterns,
+            value: ['index-2-*'],
+          },
+        ]
+      );
+      expect(editedRuleParams).toHaveProperty('index', undefined);
+      expect(editedRuleParams).toHaveProperty('dataViewId', testDataViewId);
+    });
+
+    test('should rewrite index pattern in rule', () => {
      const editedRuleParams = ruleParamsModifier(ruleParamsMock, [
        {
          type: BulkActionEditType.set_index_patterns,
@ -83,6 +98,34 @@ describe('ruleParamsModifier', () => {
      expect(editedRuleParams).toHaveProperty('index', ['index']);
    });

+    test('should set dataViewId to undefined if overwriteDataViews=true on set_index_patterns action', () => {
+      const editedRuleParams = ruleParamsModifier(
+        { dataViewId: 'test-data-view', index: ['test-*'] } as RuleAlertType['params'],
+        [
+          {
+            type: BulkActionEditType.set_index_patterns,
+            value: ['index'],
+            overwriteDataViews: true,
+          },
+        ]
+      );
+      expect(editedRuleParams).toHaveProperty('dataViewId', undefined);
+    });
+
+    test('should set dataViewId to undefined if overwriteDataViews=true on add_index_patterns action', () => {
+      const editedRuleParams = ruleParamsModifier(
+        { dataViewId: 'test-data-view', index: ['test-*'] } as RuleAlertType['params'],
+        [
+          {
+            type: BulkActionEditType.add_index_patterns,
+            value: ['index'],
+            overwriteDataViews: true,
+          },
+        ]
+      );
+      expect(editedRuleParams).toHaveProperty('dataViewId', undefined);
+    });
+
    test('should throw error on adding index pattern if rule is of machine learning type', () => {
      expect(() =>
        ruleParamsModifier({ type: 'machine_learning' } as RuleAlertType['params'], [
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/bulk_actions/rule_params_modifier.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/bulk_actions/rule_params_modifier.ts
@ -11,7 +11,6 @@ import type { BulkActionEditForRuleParams } from '../../../../../common/detectio
 import { BulkActionEditType } from '../../../../../common/detection_engine/schemas/common/schemas';

 import { invariant } from '../../../../../common/utils/invariant';
-import { isMachineLearningParams } from '../../signals/utils';

 export const addItemsToArray = <T>(arr: T[], items: T[]): T[] =>
  Array.from(new Set([...arr, ...items]));
@ -36,7 +35,7 @@ const applyBulkActionEditToRuleParams = (
        "Index patterns can't be added. Machine learning rule doesn't have index patterns property"
      );

-      if (!isMachineLearningParams(ruleParams) && action.overwriteDataViews) {
+      if (action.overwriteDataViews) {
        ruleParams.dataViewId = undefined;
      }

@ -49,7 +48,9 @@ const applyBulkActionEditToRuleParams = (
        "Index patterns can't be deleted. Machine learning rule doesn't have index patterns property"
      );

-      ruleParams.index = deleteItemsFromArray(ruleParams.index ?? [], action.value);
+      if (ruleParams.index) {
+        ruleParams.index = deleteItemsFromArray(ruleParams.index, action.value);
+      }
      break;

    case BulkActionEditType.set_index_patterns:
@ -58,6 +59,10 @@ const applyBulkActionEditToRuleParams = (
        "Index patterns can't be overwritten. Machine learning rule doesn't have index patterns property"
      );

+      if (action.overwriteDataViews) {
+        ruleParams.dataViewId = undefined;
+      }
+
      ruleParams.index = action.value;
      break;

--- a/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/perform_bulk_action.ts
+++ b/x-pack/test/detection_engine_api_integration/security_and_spaces/group1/perform_bulk_action.ts
@ -598,6 +598,42 @@ export default ({ getService }: FtrProviderContext): void => {
        expect(setIndexRule.index).to.eql(['initial-index-*']);
      });

+      it('should not delete data view in a rule when delete index pattern action applied', async () => {
+        const ruleId = 'ruleId';
+        const dataViewId = 'index1-*';
+        const simpleRule = {
+          ...getSimpleRule(ruleId),
+          index: undefined,
+          data_view_id: dataViewId,
+        };
+        await createRule(supertest, log, simpleRule);
+
+        const { body: bulkActionResponse } = await postBulkAction()
+          .send({
+            query: '',
+            action: BulkAction.edit,
+            [BulkAction.edit]: [
+              {
+                type: BulkActionEditType.delete_index_patterns,
+                value: ['initial-index-*'],
+              },
+            ],
+          })
+          .expect(200);
+
+        expect(bulkActionResponse.attributes.summary).to.eql({ failed: 0, succeeded: 1, total: 1 });
+
+        // Check that the updated rule is returned with the response
+        expect(bulkActionResponse.attributes.results.updated[0].data_view_id).to.be(dataViewId);
+        expect(bulkActionResponse.attributes.results.updated[0].index).to.be(undefined);
+
+        // Check that the updates have been persisted
+        const { body: updatedRule } = await fetchRule(ruleId).expect(200);
+
+        expect(updatedRule.data_view_id).to.be(dataViewId);
+        expect(updatedRule.index).to.be(undefined);
+      });
+
      it('should set timeline values in rule', async () => {
        const ruleId = 'ruleId';
        const timelineId = '91832785-286d-4ebe-b884-1a208d111a70';