update patchRules function with same logic as updateRules for migrati…

…ng actions

x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/add_prepackaged_rules_route.ts

@@ -171,6 +171,7 @@ export const createPrepackagedRules = async (
   );
   await updatePrepackagedRules(
     rulesClient,
+    savedObjectsClient,
     context.securitySolution.getSpaceId(),
     ruleStatusClient,
     rulesToUpdate,

x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/import_rules_route.ts

@@ -273,6 +273,7 @@ export const importRulesRoute = (
                       } else if (rule != null && request.query.overwrite) {
                         await patchRules({
                           rulesClient,
+                          savedObjectsClient,
                           author,
                           buildingBlockType,
                           spaceId: context.securitySolution.getSpaceId(),

x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/patch_rules_bulk_route.ts

@@ -136,6 +136,7 @@ export const patchRulesBulkRoute = (
             const rule = await patchRules({
               rule: existingRule,
               rulesClient,
+              savedObjectsClient,
               author,
               buildingBlockType,
               description,

x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/patch_rules_route.ts

@@ -136,6 +136,7 @@ export const patchRulesRoute = (
 
         const rule = await patchRules({
           rulesClient,
+          savedObjectsClient,
           author,
           buildingBlockType,
           description,

x-pack/plugins/security_solution/server/lib/detection_engine/rules/patch_rules.mock.ts

@@ -7,6 +7,7 @@
 
 import { PatchRulesOptions } from './types';
 import { rulesClientMock } from '../../../../../alerting/server/mocks';
+import { savedObjectsClientMock } from '../../../../../../../src/core/server/mocks';
 import { getAlertMock } from '../routes/__mocks__/request_responses';
 import { getMlRuleParams, getQueryRuleParams } from '../schemas/rule_schemas.mock';
 import { ruleExecutionLogClientMock } from '../rule_execution_log/__mocks__/rule_execution_log_client';
@@ -15,6 +16,7 @@ export const getPatchRulesOptionsMock = (isRuleRegistryEnabled: boolean): PatchR
   author: ['Elastic'],
   buildingBlockType: undefined,
   rulesClient: rulesClientMock.create(),
+  savedObjectsClient: savedObjectsClientMock.create(),
   spaceId: 'default',
   ruleStatusClient: ruleExecutionLogClientMock.create(),
   anomalyThreshold: undefined,
@@ -68,6 +70,7 @@ export const getPatchMlRulesOptionsMock = (isRuleRegistryEnabled: boolean): Patc
   author: ['Elastic'],
   buildingBlockType: undefined,
   rulesClient: rulesClientMock.create(),
+  savedObjectsClient: savedObjectsClientMock.create(),
   spaceId: 'default',
   ruleStatusClient: ruleExecutionLogClientMock.create(),
   anomalyThreshold: 55,

x-pack/plugins/security_solution/server/lib/detection_engine/rules/patch_rules.ts

@@ -13,6 +13,8 @@ import {
   normalizeMachineLearningJobIds,
   normalizeThresholdObject,
 } from '../../../../common/detection_engine/utils';
+// eslint-disable-next-line no-restricted-imports
+import { legacyRuleActionsSavedObjectType } from '../rule_actions/legacy_saved_object_mappings';
 import { internalRuleUpdate, RuleParams } from '../schemas/rule_schemas';
 import { addTags } from './add_tags';
 import { enableRule } from './enable_rule';
@@ -35,8 +37,10 @@ class PatchError extends Error {
   }
 }
 
+// eslint-disable-next-line complexity
 export const patchRules = async ({
   rulesClient,
+  savedObjectsClient,
   author,
   buildingBlockType,
   ruleStatusClient,
@@ -92,6 +96,39 @@ export const patchRules = async ({
     return null;
   }
 
+  /**
+   * On update / patch I'm going to take the actions as they are, better off taking rules client.find (siem.notification) result
+   * and putting that into the actions array of the rule, then set the rules onThrottle property, notifyWhen and throttle from null -> actualy value (1hr etc..)
+   * Then use the rules client to delete the siem.notification
+   * Then with the legacy Rule Actions saved object type, just delete it.
+   */
+
+  // find it using the references array, not params.ruleAlertId
+  let migratedRule = false;
+  const siemNotification = await rulesClient.find({
+    options: {
+      hasReference: {
+        type: 'alert',
+        id: rule.id,
+      },
+    },
+  });
+
+  const legacyRuleActionsSO = await savedObjectsClient.find({
+    type: legacyRuleActionsSavedObjectType,
+  });
+
+  if (siemNotification != null && siemNotification.data.length > 0) {
+    await rulesClient.delete({ id: siemNotification.data[0].id });
+    if (legacyRuleActionsSO != null && legacyRuleActionsSO.saved_objects.length > 0) {
+      await savedObjectsClient.delete(
+        legacyRuleActionsSavedObjectType,
+        legacyRuleActionsSO.saved_objects[0].id
+      );
+    }
+    migratedRule = true;
+  }
+
   const calculatedVersion = calculateVersion(rule.params.immutable, rule.params.version, {
     author,
     buildingBlockType,
@@ -191,14 +228,24 @@ export const patchRules = async ({
 
   const newRule = {
     tags: addTags(tags ?? rule.tags, rule.params.ruleId, rule.params.immutable),
-    throttle: throttle !== undefined ? transformToAlertThrottle(throttle) : rule.throttle,
-    notifyWhen: throttle !== undefined ? transformToNotifyWhen(throttle) : rule.notifyWhen,
     name: calculateName({ updatedName: name, originalName: rule.name }),
     schedule: {
       interval: calculateInterval(interval, rule.schedule.interval),
     },
-    actions: actions?.map(transformRuleToAlertAction) ?? rule.actions,
     params: removeUndefined(nextParams),
+    actions: migratedRule
+      ? siemNotification.data[0].actions
+      : actions?.map(transformRuleToAlertAction) ?? rule.actions,
+    throttle: migratedRule
+      ? siemNotification.data[0].schedule.interval
+      : throttle !== undefined
+      ? transformToAlertThrottle(throttle)
+      : rule.throttle,
+    notifyWhen: migratedRule
+      ? transformToNotifyWhen(siemNotification.data[0].throttle)
+      : throttle !== undefined
+      ? transformToNotifyWhen(throttle)
+      : rule.notifyWhen,
   };
 
   const [validated, errors] = validate(newRule, internalRuleUpdate);

x-pack/plugins/security_solution/server/lib/detection_engine/rules/types.ts

@@ -283,6 +283,7 @@ export interface PatchRulesOptions {
   spaceId: string;
   ruleStatusClient: IRuleExecutionLogClient;
   rulesClient: RulesClient;
+  savedObjectsClient: SavedObjectsClientContract;
   anomalyThreshold: AnomalyThresholdOrUndefined;
   author: AuthorOrUndefined;
   buildingBlockType: BuildingBlockTypeOrUndefined;

x-pack/plugins/security_solution/server/lib/detection_engine/rules/update_prepacked_rules.test.ts

@@ -6,6 +6,7 @@
  */
 
 import { rulesClientMock } from '../../../../../alerting/server/mocks';
+import { savedObjectsClientMock } from '../../../../../../../src/core/server/mocks';
 import { getFindResultWithSingleHit } from '../routes/__mocks__/request_responses';
 import { updatePrepackagedRules } from './update_prepacked_rules';
 import { patchRules } from './patch_rules';
@@ -19,10 +20,12 @@ describe.each([
 ])('updatePrepackagedRules - %s', (_, isRuleRegistryEnabled) => {
   let rulesClient: ReturnType<typeof rulesClientMock.create>;
   let ruleStatusClient: ReturnType<typeof ruleExecutionLogClientMock.create>;
+  let savedObjectsClient: ReturnType<typeof savedObjectsClientMock.create>;
 
   beforeEach(() => {
     rulesClient = rulesClientMock.create();
     ruleStatusClient = ruleExecutionLogClientMock.create();
+    savedObjectsClient = savedObjectsClientMock.create();
   });
 
   it('should omit actions and enabled when calling patchRules', async () => {
@@ -40,6 +43,7 @@ describe.each([
 
     await updatePrepackagedRules(
       rulesClient,
+      savedObjectsClient,
       'default',
       ruleStatusClient,
       [{ ...prepackagedRule, actions }],

x-pack/plugins/security_solution/server/lib/detection_engine/rules/update_prepacked_rules.ts

@@ -6,6 +6,7 @@
  */
 
 import { chunk } from 'lodash/fp';
+import { SavedObjectsClientContract } from 'kibana/server';
 import { AddPrepackagedRulesSchemaDecoded } from '../../../../common/detection_engine/schemas/request/add_prepackaged_rules_schema';
 import { RulesClient, PartialAlert } from '../../../../../alerting/server';
 import { patchRules } from './patch_rules';
@@ -51,6 +52,7 @@ export const UPDATE_CHUNK_SIZE = 50;
  */
 export const updatePrepackagedRules = async (
   rulesClient: RulesClient,
+  savedObjectsClient: SavedObjectsClientContract,
   spaceId: string,
   ruleStatusClient: IRuleExecutionLogClient,
   rules: AddPrepackagedRulesSchemaDecoded[],
@@ -61,6 +63,7 @@ export const updatePrepackagedRules = async (
   for (const ruleChunk of ruleChunks) {
     const rulePromises = createPromises(
       rulesClient,
+      savedObjectsClient,
       spaceId,
       ruleStatusClient,
       ruleChunk,
@@ -82,6 +85,7 @@ export const updatePrepackagedRules = async (
  */
 export const createPromises = (
   rulesClient: RulesClient,
+  savedObjectsClient: SavedObjectsClientContract,
   spaceId: string,
   ruleStatusClient: IRuleExecutionLogClient,
   rules: AddPrepackagedRulesSchemaDecoded[],
@@ -150,6 +154,7 @@ export const createPromises = (
     // or enable rules on the user when they were not expecting it if a rule updates
     return patchRules({
       rulesClient,
+      savedObjectsClient,
       author,
       buildingBlockType,
       description,