[8.x] [Security Solution] Fix Threat Match rules inability to upgrade (…

…elastic#203366) (elastic#203519)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Fix Threat Match rules inability to upgrade
(elastic#203366)](elastic#203366)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Maxim
Palenov","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-10T08:09:31Z","message":"[Security
Solution] Fix Threat Match rules inability to upgrade
(elastic#203366)\n\n**Resolves:**
https://github.com/elastic/kibana/issues/203365\r\n\r\n##
Summary\r\n\r\nThis PR fixes a bug preventing Threat Match rules from
being upgraded.\r\n\r\n## Details\r\n\r\nIt's expected that users can
upgrade Elastic prebuilt rules without any customizations in any
possible way (in flyout, rules upgrade table, bulk actions). This
operation was blocked due to wrong Threat Match fields conversions to
Diffable rule. This PR fixes rule type specific fiels conversions and
merged `threat_query` field with `threat_query`.\r\n\r\n## Screen
recording (with the
fix)\r\n\r\nhttps://github.com/user-attachments/assets/9f0375fb-d39d-4b4b-a084-96ea265f306f","sha":"b9addc2f23d676ae2bcb8c979dece80fb0a88554","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","impact:high","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","backport:version","v8.18.0"],"title":"[Security Solution] Fix
Threat Match rules inability to
upgrade","number":203366,"url":"https://github.com/elastic/kibana/pull/203366","mergeCommit":{"message":"[Security
Solution] Fix Threat Match rules inability to upgrade
(elastic#203366)\n\n**Resolves:**
https://github.com/elastic/kibana/issues/203365\r\n\r\n##
Summary\r\n\r\nThis PR fixes a bug preventing Threat Match rules from
being upgraded.\r\n\r\n## Details\r\n\r\nIt's expected that users can
upgrade Elastic prebuilt rules without any customizations in any
possible way (in flyout, rules upgrade table, bulk actions). This
operation was blocked due to wrong Threat Match fields conversions to
Diffable rule. This PR fixes rule type specific fiels conversions and
merged `threat_query` field with `threat_query`.\r\n\r\n## Screen
recording (with the
fix)\r\n\r\nhttps://github.com/user-attachments/assets/9f0375fb-d39d-4b4b-a084-96ea265f306f","sha":"b9addc2f23d676ae2bcb8c979dece80fb0a88554"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/203366","number":203366,"mergeCommit":{"message":"[Security
Solution] Fix Threat Match rules inability to upgrade
(elastic#203366)\n\n**Resolves:**
https://github.com/elastic/kibana/issues/203365\r\n\r\n##
Summary\r\n\r\nThis PR fixes a bug preventing Threat Match rules from
being upgraded.\r\n\r\n## Details\r\n\r\nIt's expected that users can
upgrade Elastic prebuilt rules without any customizations in any
possible way (in flyout, rules upgrade table, bulk actions). This
operation was blocked due to wrong Threat Match fields conversions to
Diffable rule. This PR fixes rule type specific fiels conversions and
merged `threat_query` field with `threat_query`.\r\n\r\n## Screen
recording (with the
fix)\r\n\r\nhttps://github.com/user-attachments/assets/9f0375fb-d39d-4b4b-a084-96ea265f306f","sha":"b9addc2f23d676ae2bcb8c979dece80fb0a88554"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Maxim Palenov <[email protected]>

x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_rule.ts

@@ -12,7 +12,6 @@ import {
   HistoryWindowStart,
   InvestigationFields,
   InvestigationGuide,
-  KqlQueryLanguage,
   MachineLearningJobId,
   MaxSignals,
   NewTermsFields,
@@ -131,7 +130,6 @@ export const DiffableThreatMatchFields = z.object({
   threat_mapping: ThreatMapping,
   data_source: RuleDataSource.optional(), // NOTE: new field
   threat_indicator_path: ThreatIndicatorPath.optional(),
-  threat_language: KqlQueryLanguage.optional(),
   alert_suppression: AlertSuppression.optional(),
 });
 

x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts

@@ -213,7 +213,6 @@ const extractDiffableThreatMatchFieldsFromRuleObject = (
     threat_index: rule.threat_index,
     threat_mapping: rule.threat_mapping,
     threat_indicator_path: rule.threat_indicator_path,
-    threat_language: rule.threat_language,
     alert_suppression: rule.alert_suppression,
   };
 };

x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/threat_match_rule_field_readonly.tsx

@@ -16,7 +16,6 @@ import { ThreatQueryReadOnly } from './fields/threat_query/threat_query';
 import { TypeReadOnly } from './fields/type/type';
 import { AlertSuppressionReadOnly } from './fields/alert_suppression/alert_suppression';
 import { assertUnreachable } from '../../../../../../../common/utility_types';
-import { ThreatLanguageReadOnly } from './fields/threat_language/threat_language';
 
 interface ThreatMatchRuleFieldReadOnlyProps {
   fieldName: keyof DiffableThreatMatchFields;
@@ -53,8 +52,6 @@ export function ThreatMatchRuleFieldReadOnly({
           threatIndicatorPath={finalDiffableRule.threat_indicator_path}
         />
       );
-    case 'threat_language':
-      return <ThreatLanguageReadOnly threatLanguage={finalDiffableRule.threat_language} />;
     case 'threat_mapping':
       return <ThreatMappingReadOnly threatMapping={finalDiffableRule.threat_mapping} />;
     case 'threat_query':

x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts

@@ -133,6 +133,9 @@ const SUBFIELD_MAPPING: Record<string, string> = {
   tiebreaker_field: 'tiebreaker_field',
   timestamp_field: 'timestamp_field',
   building_block_type: 'type',
+  threat_query: 'query',
+  threat_language: 'language',
+  threat_filters: 'filters',
   rule_name_override: 'field_name',
   timestamp_override: 'field_name',
   timestamp_override_fallback_disabled: 'fallback_disabled',

x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/logic/diff/calculation/calculate_rule_fields_diff.ts

@@ -273,7 +273,6 @@ const threatMatchFieldsDiffAlgorithms: FieldsDiffAlgorithmsFor<DiffableThreatMat
   threat_index: scalarArrayDiffAlgorithm,
   threat_mapping: simpleDiffAlgorithm,
   threat_indicator_path: singleLineStringDiffAlgorithm,
-  threat_language: simpleDiffAlgorithm,
   alert_suppression: simpleDiffAlgorithm,
 };