From 09939d1e43e56b3580b21a4d05a3de28345c9768 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 10 Dec 2024 21:25:16 +1100
Subject: [PATCH] [8.x] [Security Solution] Fix Threat Match rules inability to
 upgrade (#203366) (#203519)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Fix Threat Match rules inability to upgrade
(#203366)](https://github.com/elastic/kibana/pull/203366)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Maxim
Palenov","email":"maxim.palenov@elastic.co"},"sourceCommit":{"committedDate":"2024-12-10T08:09:31Z","message":"[Security
Solution] Fix Threat Match rules inability to upgrade
(#203366)\n\n**Resolves:**
https://github.com/elastic/kibana/issues/203365\r\n\r\n##
Summary\r\n\r\nThis PR fixes a bug preventing Threat Match rules from
being upgraded.\r\n\r\n## Details\r\n\r\nIt's expected that users can
upgrade Elastic prebuilt rules without any customizations in any
possible way (in flyout, rules upgrade table, bulk actions). This
operation was blocked due to wrong Threat Match fields conversions to
Diffable rule. This PR fixes rule type specific fiels conversions and
merged `threat_query` field with `threat_query`.\r\n\r\n## Screen
recording (with the
fix)\r\n\r\nhttps://github.com/user-attachments/assets/9f0375fb-d39d-4b4b-a084-96ea265f306f","sha":"b9addc2f23d676ae2bcb8c979dece80fb0a88554","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:skip","impact:high","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","backport:version","v8.18.0"],"title":"[Security Solution] Fix
Threat Match rules inability to
upgrade","number":203366,"url":"https://github.com/elastic/kibana/pull/203366","mergeCommit":{"message":"[Security
Solution] Fix Threat Match rules inability to upgrade
(#203366)\n\n**Resolves:**
https://github.com/elastic/kibana/issues/203365\r\n\r\n##
Summary\r\n\r\nThis PR fixes a bug preventing Threat Match rules from
being upgraded.\r\n\r\n## Details\r\n\r\nIt's expected that users can
upgrade Elastic prebuilt rules without any customizations in any
possible way (in flyout, rules upgrade table, bulk actions). This
operation was blocked due to wrong Threat Match fields conversions to
Diffable rule. This PR fixes rule type specific fiels conversions and
merged `threat_query` field with `threat_query`.\r\n\r\n## Screen
recording (with the
fix)\r\n\r\nhttps://github.com/user-attachments/assets/9f0375fb-d39d-4b4b-a084-96ea265f306f","sha":"b9addc2f23d676ae2bcb8c979dece80fb0a88554"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/203366","number":203366,"mergeCommit":{"message":"[Security
Solution] Fix Threat Match rules inability to upgrade
(#203366)\n\n**Resolves:**
https://github.com/elastic/kibana/issues/203365\r\n\r\n##
Summary\r\n\r\nThis PR fixes a bug preventing Threat Match rules from
being upgraded.\r\n\r\n## Details\r\n\r\nIt's expected that users can
upgrade Elastic prebuilt rules without any customizations in any
possible way (in flyout, rules upgrade table, bulk actions). This
operation was blocked due to wrong Threat Match fields conversions to
Diffable rule. This PR fixes rule type specific fiels conversions and
merged `threat_query` field with `threat_query`.\r\n\r\n## Screen
recording (with the
fix)\r\n\r\nhttps://github.com/user-attachments/assets/9f0375fb-d39d-4b4b-a084-96ea265f306f","sha":"b9addc2f23d676ae2bcb8c979dece80fb0a88554"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>
---
 .../model/diff/diffable_rule/diffable_rule.ts |  2 -
 .../diff/convert_rule_to_diffable.ts          |  1 -
 .../threat_language.stories.tsx               | 39 -------------------
 .../threat_language/threat_language.tsx       | 33 ----------------
 .../threat_match_rule_field_readonly.tsx      |  3 --
 .../diffable_rule_fields_mappings.ts          |  3 ++
 .../calculation/calculate_rule_fields_diff.ts |  1 -
 7 files changed, 3 insertions(+), 79 deletions(-)
 delete mode 100644 x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/threat_language/threat_language.stories.tsx
 delete mode 100644 x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/threat_language/threat_language.tsx

diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_rule.ts b/x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_rule.ts
index 38331d3a01c62..428d30495722a 100644
--- a/x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_rule.ts
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/prebuilt_rules/model/diff/diffable_rule/diffable_rule.ts
@@ -12,7 +12,6 @@ import {
   HistoryWindowStart,
   InvestigationFields,
   InvestigationGuide,
-  KqlQueryLanguage,
   MachineLearningJobId,
   MaxSignals,
   NewTermsFields,
@@ -131,7 +130,6 @@ export const DiffableThreatMatchFields = z.object({
   threat_mapping: ThreatMapping,
   data_source: RuleDataSource.optional(), // NOTE: new field
   threat_indicator_path: ThreatIndicatorPath.optional(),
-  threat_language: KqlQueryLanguage.optional(),
   alert_suppression: AlertSuppression.optional(),
 });
 
diff --git a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts
index 95ceb5c718825..1c15a07e765fe 100644
--- a/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts
+++ b/x-pack/plugins/security_solution/common/detection_engine/prebuilt_rules/diff/convert_rule_to_diffable.ts
@@ -213,7 +213,6 @@ const extractDiffableThreatMatchFieldsFromRuleObject = (
     threat_index: rule.threat_index,
     threat_mapping: rule.threat_mapping,
     threat_indicator_path: rule.threat_indicator_path,
-    threat_language: rule.threat_language,
     alert_suppression: rule.alert_suppression,
   };
 };
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/threat_language/threat_language.stories.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/threat_language/threat_language.stories.tsx
deleted file mode 100644
index bae9f596de750..0000000000000
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/threat_language/threat_language.stories.tsx
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import React from 'react';
-import type { Story } from '@storybook/react';
-import { ThreatLanguageReadOnly } from './threat_language';
-import { FieldReadOnly } from '../../field_readonly';
-import type { DiffableRule } from '../../../../../../../../../common/api/detection_engine';
-import { mockThreatMatchRule } from '../../storybook/mocks';
-import { ThreeWayDiffStorybookProviders } from '../../storybook/three_way_diff_storybook_providers';
-
-export default {
-  component: ThreatLanguageReadOnly,
-  title: 'Rule Management/Prebuilt Rules/Upgrade Flyout/ThreeWayDiff/FieldReadOnly/threat_language',
-};
-
-interface TemplateProps {
-  finalDiffableRule: DiffableRule;
-}
-
-const Template: Story<TemplateProps> = (args) => {
-  return (
-    <ThreeWayDiffStorybookProviders finalDiffableRule={args.finalDiffableRule}>
-      <FieldReadOnly fieldName="threat_language" />
-    </ThreeWayDiffStorybookProviders>
-  );
-};
-
-export const Default = Template.bind({});
-
-Default.args = {
-  finalDiffableRule: mockThreatMatchRule({
-    threat_language: 'lucene',
-  }),
-};
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/threat_language/threat_language.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/threat_language/threat_language.tsx
deleted file mode 100644
index df43373783b1b..0000000000000
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/fields/threat_language/threat_language.tsx
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-
-import React from 'react';
-import { EuiDescriptionList } from '@elastic/eui';
-import * as ruleDetailsI18n from '../../../../translations';
-import type { KqlQueryLanguage } from '../../../../../../../../../common/api/detection_engine';
-import { getQueryLanguageLabel } from '../../../../helpers';
-
-interface ThreatLanguageReadOnlyProps {
-  threatLanguage?: KqlQueryLanguage;
-}
-
-export function ThreatLanguageReadOnly({ threatLanguage }: ThreatLanguageReadOnlyProps) {
-  if (!threatLanguage) {
-    return null;
-  }
-
-  return (
-    <EuiDescriptionList
-      listItems={[
-        {
-          title: ruleDetailsI18n.THREAT_QUERY_LANGUAGE_LABEL,
-          description: getQueryLanguageLabel(threatLanguage),
-        },
-      ]}
-    />
-  );
-}
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/threat_match_rule_field_readonly.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/threat_match_rule_field_readonly.tsx
index 3e23a064d14f2..0296c711a6313 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/threat_match_rule_field_readonly.tsx
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_management/components/rule_details/three_way_diff/final_readonly/threat_match_rule_field_readonly.tsx
@@ -16,7 +16,6 @@ import { ThreatQueryReadOnly } from './fields/threat_query/threat_query';
 import { TypeReadOnly } from './fields/type/type';
 import { AlertSuppressionReadOnly } from './fields/alert_suppression/alert_suppression';
 import { assertUnreachable } from '../../../../../../../common/utility_types';
-import { ThreatLanguageReadOnly } from './fields/threat_language/threat_language';
 
 interface ThreatMatchRuleFieldReadOnlyProps {
   fieldName: keyof DiffableThreatMatchFields;
@@ -53,8 +52,6 @@ export function ThreatMatchRuleFieldReadOnly({
           threatIndicatorPath={finalDiffableRule.threat_indicator_path}
         />
       );
-    case 'threat_language':
-      return <ThreatLanguageReadOnly threatLanguage={finalDiffableRule.threat_language} />;
     case 'threat_mapping':
       return <ThreatMappingReadOnly threatMapping={finalDiffableRule.threat_mapping} />;
     case 'threat_query':
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts
index d7e359b0daa25..dd36fcb6e74aa 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/api/perform_rule_upgrade/diffable_rule_fields_mappings.ts
@@ -133,6 +133,9 @@ const SUBFIELD_MAPPING: Record<string, string> = {
   tiebreaker_field: 'tiebreaker_field',
   timestamp_field: 'timestamp_field',
   building_block_type: 'type',
+  threat_query: 'query',
+  threat_language: 'language',
+  threat_filters: 'filters',
   rule_name_override: 'field_name',
   timestamp_override: 'field_name',
   timestamp_override_fallback_disabled: 'fallback_disabled',
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/logic/diff/calculation/calculate_rule_fields_diff.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/logic/diff/calculation/calculate_rule_fields_diff.ts
index 78ea28137bbf5..b861a8432797b 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/logic/diff/calculation/calculate_rule_fields_diff.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/logic/diff/calculation/calculate_rule_fields_diff.ts
@@ -273,7 +273,6 @@ const threatMatchFieldsDiffAlgorithms: FieldsDiffAlgorithmsFor<DiffableThreatMat
   threat_index: scalarArrayDiffAlgorithm,
   threat_mapping: simpleDiffAlgorithm,
   threat_indicator_path: singleLineStringDiffAlgorithm,
-  threat_language: simpleDiffAlgorithm,
   alert_suppression: simpleDiffAlgorithm,
 };