[Security Solution] Fix Threat Match rules inability to upgrade (elas…

…tic#203366)

**Resolves:** elastic#203365

## Summary

This PR fixes a bug preventing Threat Match rules from being upgraded.

## Details

It's expected that users can upgrade Elastic prebuilt rules without any customizations in any possible way (in flyout, rules upgrade table, bulk actions). This operation was blocked due to wrong Threat Match fields conversions to Diffable rule. This PR fixes rule type specific fiels conversions and merged `threat_query` field with `threat_query`.

## Screen recording (with the fix)

https://github.com/user-attachments/assets/9f0375fb-d39d-4b4b-a084-96ea265f306f

x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_rule.ts

@@ -12,7 +12,6 @@ import {
   HistoryWindowStart,
   InvestigationFields,
   InvestigationGuide,
-  KqlQueryLanguage,
   MachineLearningJobId,
   MaxSignals,
   NewTermsFields,
@@ -131,7 +130,6 @@ export const DiffableThreatMatchFields = z.object({
   threat_mapping: ThreatMapping,
   data_source: RuleDataSource.optional(), // NOTE: new field
   threat_indicator_path: ThreatIndicatorPath.optional(),
-  threat_language: KqlQueryLanguage.optional(),
   alert_suppression: AlertSuppression.optional(),
 });
 

x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts

@@ -213,7 +213,6 @@ const extractDiffableThreatMatchFieldsFromRuleObject = (
     threat_index: rule.threat_index,
     threat_mapping: rule.threat_mapping,
     threat_indicator_path: rule.threat_indicator_path,
-    threat_language: rule.threat_language,
     alert_suppression: rule.alert_suppression,
   };
 };

x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/threat_match_rule_field_readonly.tsx

@@ -16,7 +16,6 @@ import { ThreatQueryReadOnly } from './fields/threat_query/threat_query';
 import { TypeReadOnly } from './fields/type/type';
 import { AlertSuppressionReadOnly } from './fields/alert_suppression/alert_suppression';
 import { assertUnreachable } from '../../../../../../../common/utility_types';
-import { ThreatLanguageReadOnly } from './fields/threat_language/threat_language';
 
 interface ThreatMatchRuleFieldReadOnlyProps {
   fieldName: keyof DiffableThreatMatchFields;
@@ -53,8 +52,6 @@ export function ThreatMatchRuleFieldReadOnly({
           threatIndicatorPath={finalDiffableRule.threat_indicator_path}
         />
       );
-    case 'threat_language':
-      return <ThreatLanguageReadOnly threatLanguage={finalDiffableRule.threat_language} />;
     case 'threat_mapping':
       return <ThreatMappingReadOnly threatMapping={finalDiffableRule.threat_mapping} />;
     case 'threat_query':

x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts

@@ -133,6 +133,9 @@ const SUBFIELD_MAPPING: Record<string, string> = {
   tiebreaker_field: 'tiebreaker_field',
   timestamp_field: 'timestamp_field',
   building_block_type: 'type',
+  threat_query: 'query',
+  threat_language: 'language',
+  threat_filters: 'filters',
   rule_name_override: 'field_name',
   timestamp_override: 'field_name',
   timestamp_override_fallback_disabled: 'fallback_disabled',

x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/logic/diff/calculation/calculate_rule_fields_diff.ts

@@ -273,7 +273,6 @@ const threatMatchFieldsDiffAlgorithms: FieldsDiffAlgorithmsFor<DiffableThreatMat
   threat_index: scalarArrayDiffAlgorithm,
   threat_mapping: simpleDiffAlgorithm,
   threat_indicator_path: singleLineStringDiffAlgorithm,
-  threat_language: simpleDiffAlgorithm,
   alert_suppression: simpleDiffAlgorithm,
 };