[Security Solution] Rule import/export needs to be updated to match functionality of import/export of Saved Object Management #118767

Open
dhurley14 opened this issue Nov 16, 2021 · 4 comments
Labels
Feature:Rule Import/Export Security Solution Detection Rule Import & Export workflow Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. technical debt Improvement of the software architecture and operational architecture

Comments

dhurley14 (Contributor):
Motivation: Saved objects will become share-capable sometime in 8.x. In 8.0, new ids are generated for all saved objects outside of the default space. Currently, when users import rules with references after 8.0, those references may not resolve properly.

Import from 7.x to 8.x -> new _ids are generated for all saved objects; need to make sure that any rules with referenced saved objects like exceptions, etc., are referencing the right exceptions, actions, etc.

In order to ensure things continue to work as expected we need to update the import/export APIs to utilize functions built into the saved object management import/export, which resolve properly.

Things to research include:

  1. Will we always have access to the originId from alerting?
  2. Does the originId / _id already exist and how does that work with the overwrite functionality on import?
  3. Update the meta field to include the kibana version the rule was exported from which will allow us to skip the expensive checks outlined above.
  4. Plans to deprecate this code too.

dhurley14 (Contributor, author):
Hi everyone, just wanted to outline some test cases I was working on manually to determine what changes needed to be made specifically for the rules import route. Haven't found anything that would necessitate changes outside of the actions references in the PR #120975.

Let me know what you all think of these test cases and if the outcomes are acceptable. Also, if anyone would like to add other test cases that might cause possible unexpected issues, please comment here 😄

  1. Test Cases
    1. Case 1:
      1. in 7.16, export rule from default space, upgrade to 8.0, then create a new, non-default space and try to import the rule
      2. will we get an error?
      3. no errors - imported just fine.
    2. Case 2:
      1. create a rule in non-default space in 7.16
      2. export rule
      3. upgrade to 8.0
      4. try to import that rule
      5. should fail because the signature ids will match
      6. select the "overwrite sig ids" and try to import
      7. will the originId be preserved?
      8. answer: no, the originId is not preserved because the rules client update function is actually a create, so a new SO is generated while preserving the _id of the 'updated' rule.
      9. so no originId, since it's an entirely new object
      10. could be a problem with alerts-as-data deep linking to the old id?
      11. answer: not a problem because legacy-url-alias still exists
    3. Case 3:
      1. Create a rule in 7.16 in default space
      2. Export it
      3. Import into a non-default space
      4. Upgrade to 8.0
      5. Rule _id in the non-default space is regenerated
      6. Export rule from non-default space and import it back into the default space
      7. _id remains the same after importing non-default space rule into default space in 8.0
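
The issue description and the test cases above both turn on the same mechanism: ids are regenerated outside the default space, and an importer has to rewrite references and remember the origin so that a repeat import resolves to the same object instead of a duplicate. The following is an added illustration of that mechanism, not Kibana's implementation or code from this thread. The field names (id, originId, type, references) follow the saved-object shape discussed in the issue; the function names, the `newId` hook, and the resolution rules are assumptions made for the example.

```typescript
// Added example, not Kibana's implementation: a simplified model of how an
// importer keeps saved-object references resolvable when ids are regenerated
// in a non-default space. Field names follow the saved-object shape used in
// the issue (id, originId, type, references); the function names, the
// `newId` hook and the resolution rules are assumptions for illustration.

interface SavedObjectRef { name: string; type: string; id: string; }

interface SavedObject {
  type: string;
  id: string;
  originId?: string;             // id the object had where it was first created
  attributes: Record<string, unknown>;
  references: SavedObjectRef[];
}

interface ImportOptions {
  space: string;                 // destination space; 'default' keeps ids
  overwrite: boolean;            // resolve conflicts by overwriting
  existing: SavedObject[];       // objects already in the destination space
  newId: () => string;           // id generator, injected for determinism
}

interface ImportResult {
  imported: SavedObject[];
  errors: string[];
  idMap: Record<string, string>; // "type:exportedId" -> destination id
}

const keyOf = (type: string, id: string): string => `${type}:${id}`;

function importWithRemap(objs: SavedObject[], opts: ImportOptions): ImportResult {
  const idMap: Record<string, string> = {};
  const errors: string[] = [];
  const skipped = new Set<string>();

  // Pass 1: pick a destination id for every object in the export set.
  for (const o of objs) {
    const key = keyOf(o.type, o.id);
    const origin = o.originId ?? o.id;
    // Same type and same origin in the destination space => same logical
    // object, even if its _id was regenerated there.
    const match = opts.existing.find(
      (e) => e.type === o.type && (e.originId ?? e.id) === origin,
    );
    if (match) {
      idMap[key] = match.id;     // references resolve to the existing copy
      if (!opts.overwrite) {
        errors.push(`conflict: ${key} already exists as ${match.id}`);
        skipped.add(key);
      }
    } else if (opts.space === 'default') {
      idMap[key] = o.id;
    } else {
      idMap[key] = opts.newId();
    }
  }

  // Pass 2: rewrite references through the map and emit the objects.
  const imported: SavedObject[] = [];
  for (const o of objs) {
    const key = keyOf(o.type, o.id);
    if (skipped.has(key)) continue;
    const references = o.references.map((r) => {
      const mapped = idMap[keyOf(r.type, r.id)];
      if (mapped !== undefined) return { ...r, id: mapped };
      // Not in the export set: must already exist under that id in the space.
      if (!opts.existing.some((e) => e.type === r.type && e.id === r.id)) {
        errors.push(`missing reference: ${key} -> ${keyOf(r.type, r.id)}`);
      }
      return r;
    });
    const destId = idMap[key];
    // Once the id changes, remember where it came from so a later import of
    // the same export resolves to this copy instead of creating another.
    const originId = destId === o.id ? o.originId : (o.originId ?? o.id);
    imported.push({ ...o, id: destId, originId, references });
  }
  return { imported, errors, idMap };
}

// Constructed sample export (not real data): a rule that references an
// exception list and a connector, exported from a 7.x default space.
function sampleExport(): SavedObject[] {
  return [
    { type: 'exception-list', id: 'list-1', attributes: {}, references: [] },
    { type: 'action', id: 'action-1', attributes: {}, references: [] },
    {
      type: 'alert', id: 'rule-1', attributes: { rule_id: 'sig-1' },
      references: [
        { name: 'param:exceptionsList_0', type: 'exception-list', id: 'list-1' },
        { name: 'action_0', type: 'action', id: 'action-1' },
      ],
    },
  ];
}

// Deterministic id generator so the result can be checked.
function sequentialIds(prefix: string): () => string {
  let n = 0;
  return () => `${prefix}-${++n}`;
}

// Import into a fresh non-default space: every id is regenerated and the
// rule's references follow the new ids.
function demoNonDefaultSpaceImport(): ImportResult {
  return importWithRemap(sampleExport(), {
    space: 'team-a', overwrite: false, existing: [], newId: sequentialIds('gen'),
  });
}
```

Running `demoNonDefaultSpaceImport()` gives the rule a fresh id with `originId: 'rule-1'`, and its exception-list and action references point at the regenerated ids rather than the exported ones. Importing the same set into the default space leaves every id and reference untouched, and importing it a second time into a space that already holds the rule (matched by originId) either reports a conflict or, with overwrite, resolves to the existing copy's id.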

dhurley14 (Contributor, author):
The only other area I could imagine being an issue is if a user has a legacy action sidecar (siem.notifications rule) which has a reference to the SO _id of the rule. But looking through the code we don't really use that anywhere. I thought it might be used for grabbing signals generated by that rule, but we query by the signature id rule_id, which remains unchanged between Kibana versions.

I also was wondering if it could have an impact when we go to migrate users off of the legacy sidecar SOs, but we are utilizing "real" SO references for the legacy action migration, so we should be covered there as well, which is great (I tested this out locally by creating a rule + action in a non-default space in 7.14, upgraded to 7.16 without touching the rule, then upgraded to 8.0 and disabled the rule, triggering the migration process; the migration worked and put the old sidecar data into the actions property of the rule, so everything worked 👍).

@yctercero yctercero added Team:Detection Rule Management Security Detection Rule Management Team and removed Team:Security Solution Platform Security Solution Platform Team labels Apr 4, 2023
@banderror banderror added technical debt Improvement of the software architecture and operational architecture Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Import/Export Security Solution Detection Rule Import & Export workflow and removed triage_needed Feature:Detection Rules Security Solution rules and Detection Engine v8.1.0 labels May 5, 2023
elasticmachine (Contributor):
Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine (Contributor):
Pinging @elastic/security-solution (Team: SecuritySolution)

@banderror banderror changed the title [Security Solution] [Platform] custom import/export needs to be updated to match functionality of SOM import / export [Security Solution] Rule import/export needs to be updated to match functionality of import/export of Saved Object Management May 5, 2023
@banderror banderror removed their assignment May 5, 2023