[Security Solution] Disable legacy rules on upgrade to 8.x (#121442)

* Disable legacy rule and notify user to upgrade * Ensure rules are disabled on upgrade * Fix dupe detection on upgrade * Revert "Fix dupe detection on upgrade" This reverts commit 021ec0f. * Add legacy notification * Add tests for 8.0 security_solution rule migration Co-authored-by: Kibana Machine <[email protected]>
elastic · Jan 10, 2022 · 1ddb647 · 1ddb647
1 parent 1ca5b89
commit 1ddb647
Show file tree

Hide file tree

Showing 7 changed files with 49 additions and 1,214 deletions.
diff --git a/x-pack/plugins/alerting/server/saved_objects/migrations.test.ts b/x-pack/plugins/alerting/server/saved_objects/migrations.test.ts
@@ -11,6 +11,7 @@ import { RawRule } from '../types';
 import { SavedObjectUnsanitizedDoc } from 'kibana/server';
 import { encryptedSavedObjectsMock } from '../../../encrypted_saved_objects/server/mocks';
 import { migrationMocks } from 'src/core/server/mocks';
+import { RuleType, ruleTypeMappings } from '@kbn/securitysolution-rules';
 
 const migrationContext = migrationMocks.createContext();
 const encryptedSavedObjectsSetup = encryptedSavedObjectsMock.createSetup();
@@ -2056,6 +2057,37 @@ describe('successful migrations', () => {
       );
     });
 
+    test('doesnt change AAD rule params if not a siem.signals rule', () => {
+      const migration800 = getMigrations(encryptedSavedObjectsSetup, isPreconfigured)['8.0.0'];
+      const alert = getMockData(
+        { params: { outputIndex: 'output-index', type: 'query' }, alertTypeId: 'not.siem.signals' },
+        true
+      );
+      expect(migration800(alert, migrationContext).attributes.alertTypeId).toEqual(
+        'not.siem.signals'
+      );
+      expect(migration800(alert, migrationContext).attributes.enabled).toEqual(true);
+      expect(migration800(alert, migrationContext).attributes.params.outputIndex).toEqual(
+        'output-index'
+      );
+    });
+
+    test.each(Object.keys(ruleTypeMappings) as RuleType[])(
+      'Changes AAD rule params accordingly if rule is a siem.signals %p rule',
+      (ruleType) => {
+        const migration800 = getMigrations(encryptedSavedObjectsSetup, isPreconfigured)['8.0.0'];
+        const alert = getMockData(
+          { params: { outputIndex: 'output-index', type: ruleType }, alertTypeId: 'siem.signals' },
+          true
+        );
+        expect(migration800(alert, migrationContext).attributes.alertTypeId).toEqual(
+          ruleTypeMappings[ruleType]
+        );
+        expect(migration800(alert, migrationContext).attributes.enabled).toEqual(false);
+        expect(migration800(alert, migrationContext).attributes.params.outputIndex).toEqual('');
+      }
+    );
+
     describe('Metrics Inventory Threshold rule', () => {
       test('Migrates incorrect action group spelling', () => {
         const migration800 = getMigrations(encryptedSavedObjectsSetup, isPreconfigured)['8.0.0'];

diff --git a/x-pack/plugins/alerting/server/saved_objects/migrations.ts b/x-pack/plugins/alerting/server/saved_objects/migrations.ts
@@ -131,7 +131,7 @@ export function getMigrations(
     (doc: SavedObjectUnsanitizedDoc<RawRule>): doc is SavedObjectUnsanitizedDoc<RawRule> => true,
     pipeMigrations(
       addThreatIndicatorPathToThreatMatchRules,
-      addRACRuleTypes,
+      addSecuritySolutionAADRuleTypes,
       fixInventoryThresholdGroupId
     )
   );
@@ -652,7 +652,7 @@ function setLegacyId(doc: SavedObjectUnsanitizedDoc<RawRule>): SavedObjectUnsani
   };
 }
 
-function addRACRuleTypes(
+function addSecuritySolutionAADRuleTypes(
   doc: SavedObjectUnsanitizedDoc<RawRule>
 ): SavedObjectUnsanitizedDoc<RawRule> {
   const ruleType = doc.attributes.params.type;
@@ -662,6 +662,7 @@ function addRACRuleTypes(
         attributes: {
           ...doc.attributes,
           alertTypeId: ruleTypeMappings[ruleType],
+          enabled: false,
           params: {
             ...doc.attributes.params,
             outputIndex: '',