[SIEM][Detection Engine] Fixes critical regression on the backend with immutable and tags (#55256)

## Summary

Fixes regression with immutable caused from:
https://github.com/elastic/kibana/pull/55004

* Updated types of Prepackaged 
* Updated unit tests
* Fixed unit test for it

Testing:

```
./post_rule.sh 
{
  "created_at": "2020-01-17T19:11:31.813Z",
  "updated_at": "2020-01-17T19:11:31.813Z",
  "created_by": "elastic_kibana",
  "description": "Query with a rule_id that acts like an external id",
  "enabled": true,
  "false_positives": [],
  "from": "now-6m",
  "id": "41ef6309-ef98-4c9f-8d2d-90a070361fb7",
  "immutable": false,
  "interval": "5m",
  "rule_id": "query-rule-id",
  "language": "kuery",
  "output_index": ".siem-signals-frank-hassanabad-default",
  "max_signals": 100,
  "risk_score": 1,
  "name": "Query with a rule id",
  "query": "user.name: root or user.name: admin",
  "references": [],
  "severity": "high",
  "updated_by": "elastic_kibana",
  "tags": [],
  "to": "now",
  "type": "query",
  "threats": [],
  "version": 1
}
```

Then get the saved object using whatever the id is comes back from above. In this example it is 41ef6309-ef98-4c9f-8d2d-90a070361fb7, yours will be different

```
./get_saved_objects.sh alert 41ef6309-ef98-4c9f-8d2d-90a070361fb7
{
  "id": "41ef6309-ef98-4c9f-8d2d-90a070361fb7",
  "type": "alert",
  "updated_at": "2020-01-17T19:11:32.844Z",
  "version": "WzY5NTQsMV0=",
  "attributes": {
    "name": "Query with a rule id",
    "tags": [
      "__internal_rule_id:query-rule-id",
      "__internal_immutable:false"
    ],
    "alertTypeId": "siem.signals",
    "consumer": "siem",
    "params": {
      "createdAt": "2020-01-17T19:11:31.813Z",
      "description": "Query with a rule_id that acts like an external id",
      "ruleId": "query-rule-id",
      "index": null,
      "falsePositives": [],
      "from": "now-6m",
      "immutable": false,
      "query": "user.name: root or user.name: admin",
      "language": "kuery",
      "outputIndex": ".siem-signals-frank-hassanabad-default",
      "savedId": null,
      "timelineId": null,
      "timelineTitle": null,
      "meta": null,
      "filters": null,
      "maxSignals": 100,
      "riskScore": 1,
      "severity": "high",
      "threats": [],
      "to": "now",
      "type": "query",
      "updatedAt": "2020-01-17T19:11:31.813Z",
      "references": [],
      "version": 1
    },
    "schedule": {
      "interval": "5m"
    },
    "enabled": true,
    "actions": [],
    "throttle": null,
    "apiKeyOwner": "elastic_kibana",
    "createdBy": "elastic_kibana",
    "updatedBy": "elastic_kibana",
    "createdAt": "2020-01-17T19:11:32.245Z",
    "muteAll": false,
    "mutedInstanceIds": [],
    "scheduledTaskId": "2c5cc340-395d-11ea-9276-d3c1c264ca9a"
  },
  "references": []
}
```

Ensure you have the internal immutable of "__internal_immutable:false" In your tags


Next test is to do a find filter of non-packaged rules:

```
./find_rule_by_filter.sh "alert.attributes.tags:%20%22__internal_immutable:false%22"
```

You should get back the above rule any others you created.

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~

~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~

~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~

- [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios

~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~

- [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts

@@ -18,9 +18,9 @@ import {
   DETECTION_ENGINE_PREPACKAGED_URL,
 } from '../../../../../common/constants';
 import { RuleAlertType, IRuleSavedAttributesSavedObjectAttributes } from '../../rules/types';
-import { RuleAlertParamsRest } from '../../types';
+import { RuleAlertParamsRest, PrepackagedRules } from '../../types';
 
-export const fullRuleAlertParamsRest = (): RuleAlertParamsRest => ({
+export const mockPrepackagedRule = (): PrepackagedRules => ({
   rule_id: 'rule-1',
   description: 'Detecting root and admin users',
   index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
@@ -51,8 +51,6 @@ export const fullRuleAlertParamsRest = (): RuleAlertParamsRest => ({
   false_positives: [],
   saved_id: 'some-id',
   max_signals: 100,
-  created_at: '2019-12-13T16:40:33.400Z',
-  updated_at: '2019-12-13T16:40:33.400Z',
   timeline_id: 'timeline-id',
   timeline_title: 'timeline-title',
 });

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts

@@ -55,7 +55,6 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
             enabled,
             false_positives: falsePositives,
             from,
-            immutable,
             query,
             language,
             output_index: outputIndex,
@@ -109,7 +108,7 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
               enabled,
               falsePositives,
               from,
-              immutable,
+              immutable: false,
               query,
               language,
               outputIndex: finalIndex,

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_route.ts

@@ -39,7 +39,6 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
         enabled,
         false_positives: falsePositives,
         from,
-        immutable,
         query,
         language,
         output_index: outputIndex,
@@ -96,7 +95,7 @@ export const createCreateRulesRoute = (server: ServerFacade): Hapi.ServerRoute =
           enabled,
           falsePositives,
           from,
-          immutable,
+          immutable: false,
           query,
           language,
           outputIndex: finalIndex,

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_bulk_route.ts

@@ -44,7 +44,6 @@ export const createUpdateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
             enabled,
             false_positives: falsePositives,
             from,
-            immutable,
             query,
             language,
             output_index: outputIndex,
@@ -77,7 +76,6 @@ export const createUpdateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
               enabled,
               falsePositives,
               from,
-              immutable,
               query,
               language,
               outputIndex,

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/update_rules_route.ts

@@ -33,7 +33,6 @@ export const createUpdateRulesRoute: Hapi.ServerRoute = {
       enabled,
       false_positives: falsePositives,
       from,
-      immutable,
       query,
       language,
       output_index: outputIndex,
@@ -75,7 +74,6 @@ export const createUpdateRulesRoute: Hapi.ServerRoute = {
         enabled,
         falsePositives,
         from,
-        immutable,
         query,
         language,
         outputIndex,

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/add_prepackaged_rules_schema.test.ts

@@ -4,20 +4,17 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { UpdateRuleAlertParamsRest } from '../../rules/types';
-import { ThreatParams, RuleAlertParamsRest } from '../../types';
+import { ThreatParams, PrepackagedRules } from '../../types';
 import { addPrepackagedRulesSchema } from './add_prepackaged_rules_schema';
 
 describe('add prepackaged rules schema', () => {
   test('empty objects do not validate', () => {
-    expect(
-      addPrepackagedRulesSchema.validate<Partial<UpdateRuleAlertParamsRest>>({}).error
-    ).toBeTruthy();
+    expect(addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({}).error).toBeTruthy();
   });
 
   test('made up values do not validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest & { madeUp: string }>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules & { madeUp: string }>>({
         madeUp: 'hi',
       }).error
     ).toBeTruthy();
@@ -25,7 +22,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id] does not validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
       }).error
     ).toBeTruthy();
@@ -33,7 +30,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id, description] does not validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         description: 'some description',
       }).error
@@ -42,7 +39,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id, description, from] does not validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         description: 'some description',
         from: 'now-5m',
@@ -52,7 +49,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id, description, from, to] does not validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         description: 'some description',
         from: 'now-5m',
@@ -63,7 +60,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id, description, from, to, name] does not validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         description: 'some description',
         from: 'now-5m',
@@ -75,7 +72,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id, description, from, to, name, severity] does not validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         description: 'some description',
         from: 'now-5m',
@@ -88,7 +85,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id, description, from, to, name, severity, type] does not validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         description: 'some description',
         from: 'now-5m',
@@ -102,7 +99,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id, description, from, to, name, severity, type, interval] does not validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         description: 'some description',
         from: 'now-5m',
@@ -117,7 +114,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id, description, from, to, name, severity, type, interval, index] does not validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         description: 'some description',
         from: 'now-5m',
@@ -133,7 +130,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id, description, from, to, name, severity, type, query, index, interval, version] does validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -152,7 +149,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id, description, from, to, index, name, severity, interval, type, query, language] does not validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         description: 'some description',
         from: 'now-5m',
@@ -170,7 +167,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id, description, from, to, index, name, severity, interval, type, query, language, risk_score, version] does validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -190,7 +187,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id, description, from, to, index, name, severity, interval, type, query, language, risk_score, output_index] does not validate because output_index is not allowed', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         output_index: '.siem-signals',
         risk_score: 50,
@@ -211,7 +208,7 @@ describe('add prepackaged rules schema', () => {
 
   test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, version] does validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         description: 'some description',
         from: 'now-5m',
@@ -229,7 +226,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You can send in an empty array to threats', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -251,7 +248,7 @@ describe('add prepackaged rules schema', () => {
   });
   test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, version, threats] does validate', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -286,7 +283,7 @@ describe('add prepackaged rules schema', () => {
 
   test('allows references to be sent as valid', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -307,7 +304,7 @@ describe('add prepackaged rules schema', () => {
 
   test('defaults references to an array', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -327,7 +324,7 @@ describe('add prepackaged rules schema', () => {
 
   test('defaults immutable to true', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -347,7 +344,7 @@ describe('add prepackaged rules schema', () => {
 
   test('immutable cannot be false', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -368,7 +365,7 @@ describe('add prepackaged rules schema', () => {
 
   test('immutable can be true', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -389,7 +386,7 @@ describe('add prepackaged rules schema', () => {
 
   test('defaults enabled to false', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -409,7 +406,7 @@ describe('add prepackaged rules schema', () => {
 
   test('rule_id is required', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         risk_score: 50,
         description: 'some description',
         from: 'now-5m',
@@ -429,7 +426,7 @@ describe('add prepackaged rules schema', () => {
   test('references cannot be numbers', () => {
     expect(
       addPrepackagedRulesSchema.validate<
-        Partial<Omit<RuleAlertParamsRest, 'references'>> & { references: number[] }
+        Partial<Omit<PrepackagedRules, 'references'>> & { references: number[] }
       >({
         rule_id: 'rule-1',
         risk_score: 50,
@@ -454,7 +451,7 @@ describe('add prepackaged rules schema', () => {
   test('indexes cannot be numbers', () => {
     expect(
       addPrepackagedRulesSchema.validate<
-        Partial<Omit<RuleAlertParamsRest, 'index'>> & { index: number[] }
+        Partial<Omit<PrepackagedRules, 'index'>> & { index: number[] }
       >({
         rule_id: 'rule-1',
         risk_score: 50,
@@ -477,7 +474,7 @@ describe('add prepackaged rules schema', () => {
 
   test('defaults interval to 5 min', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -494,7 +491,7 @@ describe('add prepackaged rules schema', () => {
 
   test('defaults max signals to 100', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -512,7 +509,7 @@ describe('add prepackaged rules schema', () => {
 
   test('saved_id is required when type is saved_query and will not validate without out', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -530,7 +527,7 @@ describe('add prepackaged rules schema', () => {
 
   test('saved_id is required when type is saved_query and validates with it', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -549,7 +546,7 @@ describe('add prepackaged rules schema', () => {
 
   test('saved_query type can have filters with it', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -570,7 +567,7 @@ describe('add prepackaged rules schema', () => {
   test('filters cannot be a string', () => {
     expect(
       addPrepackagedRulesSchema.validate<
-        Partial<Omit<RuleAlertParamsRest, 'filters'> & { filters: string }>
+        Partial<Omit<PrepackagedRules, 'filters'> & { filters: string }>
       >({
         rule_id: 'rule-1',
         risk_score: 50,
@@ -591,7 +588,7 @@ describe('add prepackaged rules schema', () => {
 
   test('language validates with kuery', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -612,7 +609,7 @@ describe('add prepackaged rules schema', () => {
 
   test('language validates with lucene', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -633,7 +630,7 @@ describe('add prepackaged rules schema', () => {
 
   test('language does not validate with something made up', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -654,7 +651,7 @@ describe('add prepackaged rules schema', () => {
 
   test('max_signals cannot be negative', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -676,7 +673,7 @@ describe('add prepackaged rules schema', () => {
 
   test('max_signals cannot be zero', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -698,7 +695,7 @@ describe('add prepackaged rules schema', () => {
 
   test('max_signals can be 1', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -720,7 +717,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You can optionally send in an array of tags', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -744,7 +741,7 @@ describe('add prepackaged rules schema', () => {
   test('You cannot send in an array of tags that are numbers', () => {
     expect(
       addPrepackagedRulesSchema.validate<
-        Partial<Omit<RuleAlertParamsRest, 'tags'>> & { tags: number[] }
+        Partial<Omit<PrepackagedRules, 'tags'>> & { tags: number[] }
       >({
         rule_id: 'rule-1',
         risk_score: 50,
@@ -771,7 +768,7 @@ describe('add prepackaged rules schema', () => {
   test('You cannot send in an array of threats that are missing "framework"', () => {
     expect(
       addPrepackagedRulesSchema.validate<
-        Partial<Omit<RuleAlertParamsRest, 'threats'>> & {
+        Partial<Omit<PrepackagedRules, 'threats'>> & {
           threats: Array<Partial<Omit<ThreatParams, 'framework'>>>;
         }
       >({
@@ -815,7 +812,7 @@ describe('add prepackaged rules schema', () => {
   test('You cannot send in an array of threats that are missing "tactic"', () => {
     expect(
       addPrepackagedRulesSchema.validate<
-        Partial<Omit<RuleAlertParamsRest, 'threats'>> & {
+        Partial<Omit<PrepackagedRules, 'threats'>> & {
           threats: Array<Partial<Omit<ThreatParams, 'tactic'>>>;
         }
       >({
@@ -855,7 +852,7 @@ describe('add prepackaged rules schema', () => {
   test('You cannot send in an array of threats that are missing "techniques"', () => {
     expect(
       addPrepackagedRulesSchema.validate<
-        Partial<Omit<RuleAlertParamsRest, 'threats'>> & {
+        Partial<Omit<PrepackagedRules, 'threats'>> & {
           threats: Array<Partial<Omit<ThreatParams, 'technique'>>>;
         }
       >({
@@ -892,7 +889,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You can optionally send in an array of false positives', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -916,7 +913,7 @@ describe('add prepackaged rules schema', () => {
   test('You cannot send in an array of false positives that are numbers', () => {
     expect(
       addPrepackagedRulesSchema.validate<
-        Partial<Omit<RuleAlertParamsRest, 'false_positives'>> & { false_positives: number[] }
+        Partial<Omit<PrepackagedRules, 'false_positives'>> & { false_positives: number[] }
       >({
         rule_id: 'rule-1',
         risk_score: 50,
@@ -942,7 +939,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You can optionally set the immutable to be true', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -966,7 +963,7 @@ describe('add prepackaged rules schema', () => {
   test('You cannot set the immutable to be a number', () => {
     expect(
       addPrepackagedRulesSchema.validate<
-        Partial<Omit<RuleAlertParamsRest, 'immutable'>> & { immutable: number }
+        Partial<Omit<PrepackagedRules, 'immutable'>> & { immutable: number }
       >({
         rule_id: 'rule-1',
         risk_score: 50,
@@ -990,7 +987,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You cannot set the risk_score to 101', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 101,
         description: 'some description',
@@ -1013,7 +1010,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You cannot set the risk_score to -1', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: -1,
         description: 'some description',
@@ -1036,7 +1033,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You can set the risk_score to 0', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 0,
         description: 'some description',
@@ -1059,7 +1056,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You can set the risk_score to 100', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 100,
         description: 'some description',
@@ -1082,7 +1079,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You can set meta to any object you want', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -1109,7 +1106,7 @@ describe('add prepackaged rules schema', () => {
   test('You cannot create meta as a string', () => {
     expect(
       addPrepackagedRulesSchema.validate<
-        Partial<Omit<RuleAlertParamsRest, 'meta'> & { meta: string }>
+        Partial<Omit<PrepackagedRules, 'meta'> & { meta: string }>
       >({
         rule_id: 'rule-1',
         risk_score: 50,
@@ -1134,7 +1131,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You can omit the query string when filters are present', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -1157,7 +1154,7 @@ describe('add prepackaged rules schema', () => {
 
   test('validates with timeline_id and timeline_title', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -1180,7 +1177,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You cannot omit timeline_title when timeline_id is present', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -1204,7 +1201,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You cannot have a null value for timeline_title when timeline_id is present', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -1229,7 +1226,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You cannot have empty string for timeline_title when timeline_id is present', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -1254,7 +1251,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You cannot have timeline_title with an empty timeline_id', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',
@@ -1279,7 +1276,7 @@ describe('add prepackaged rules schema', () => {
 
   test('You cannot have timeline_title without timeline_id', () => {
     expect(
-      addPrepackagedRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+      addPrepackagedRulesSchema.validate<Partial<PrepackagedRules>>({
         rule_id: 'rule-1',
         risk_score: 50,
         description: 'some description',

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/create_rules_schema.test.ts

@@ -884,7 +884,6 @@ describe('create rules schema', () => {
         description: 'some description',
         from: 'now-5m',
         to: 'now',
-        immutable: true,
         index: ['index-1'],
         name: 'some-name',
         severity: 'severity',
@@ -907,7 +906,6 @@ describe('create rules schema', () => {
         description: 'some description',
         from: 'now-5m',
         to: 'now',
-        immutable: true,
         index: ['index-1'],
         name: 'some-name',
         severity: 'severity',
@@ -999,7 +997,6 @@ describe('create rules schema', () => {
         description: 'some description',
         from: 'now-5m',
         to: 'now',
-        immutable: true,
         index: ['index-1'],
         name: 'some-name',
         severity: 'severity',

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas/import_rules_schema.test.ts

@@ -9,18 +9,18 @@ import {
   importRulesQuerySchema,
   importRulesPayloadSchema,
 } from './import_rules_schema';
-import { ThreatParams, RuleAlertParamsRest, ImportRuleAlertRest } from '../../types';
+import { ThreatParams, ImportRuleAlertRest } from '../../types';
 import { ImportRulesRequest } from '../../rules/types';
 
 describe('import rules schema', () => {
   describe('importRulesSchema', () => {
     test('empty objects do not validate', () => {
-      expect(importRulesSchema.validate<Partial<RuleAlertParamsRest>>({}).error).toBeTruthy();
+      expect(importRulesSchema.validate<Partial<ImportRuleAlertRest>>({}).error).toBeTruthy();
     });
 
     test('made up values do not validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest & { madeUp: string }>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest & { madeUp: string }>>({
           madeUp: 'hi',
         }).error
       ).toBeTruthy();
@@ -28,7 +28,7 @@ describe('import rules schema', () => {
 
     test('[rule_id] does not validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
         }).error
       ).toBeTruthy();
@@ -36,7 +36,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description] does not validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           description: 'some description',
         }).error
@@ -45,7 +45,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from] does not validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -55,7 +55,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from, to] does not validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -66,7 +66,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from, to, name] does not validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -78,7 +78,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from, to, name, severity] does not validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -91,7 +91,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from, to, name, severity, type] does not validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -105,7 +105,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from, to, name, severity, type, interval] does not validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -120,7 +120,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from, to, name, severity, type, interval, index] does not validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -136,7 +136,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from, to, name, severity, type, query, index, interval] does validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           risk_score: 50,
           description: 'some description',
@@ -154,7 +154,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from, to, index, name, severity, interval, type, query, language] does not validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -172,7 +172,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from, to, index, name, severity, interval, type, query, language, risk_score] does validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           risk_score: 50,
           description: 'some description',
@@ -191,7 +191,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from, to, index, name, severity, interval, type, query, language, risk_score, output_index] does validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -211,7 +211,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score] does validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           description: 'some description',
           from: 'now-5m',
@@ -228,7 +228,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, output_index] does validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -246,7 +246,7 @@ describe('import rules schema', () => {
 
     test('You can send in an empty array to threats', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -269,7 +269,7 @@ describe('import rules schema', () => {
 
     test('[rule_id, description, from, to, index, name, severity, interval, type, filter, risk_score, output_index, threats] does validate', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -304,7 +304,7 @@ describe('import rules schema', () => {
 
     test('allows references to be sent as valid', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -325,7 +325,7 @@ describe('import rules schema', () => {
 
     test('defaults references to an array', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -346,7 +346,7 @@ describe('import rules schema', () => {
     test('references cannot be numbers', () => {
       expect(
         importRulesSchema.validate<
-          Partial<Omit<RuleAlertParamsRest, 'references'>> & { references: number[] }
+          Partial<Omit<ImportRuleAlertRest, 'references'>> & { references: number[] }
         >({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
@@ -371,7 +371,7 @@ describe('import rules schema', () => {
     test('indexes cannot be numbers', () => {
       expect(
         importRulesSchema.validate<
-          Partial<Omit<RuleAlertParamsRest, 'index'>> & { index: number[] }
+          Partial<Omit<ImportRuleAlertRest, 'index'>> & { index: number[] }
         >({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
@@ -394,7 +394,7 @@ describe('import rules schema', () => {
 
     test('defaults interval to 5 min', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -411,7 +411,7 @@ describe('import rules schema', () => {
 
     test('defaults max signals to 100', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -429,7 +429,7 @@ describe('import rules schema', () => {
 
     test('saved_id is required when type is saved_query and will not validate without out', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -447,7 +447,7 @@ describe('import rules schema', () => {
 
     test('saved_id is required when type is saved_query and validates with it', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           risk_score: 50,
           output_index: '.siem-signals',
@@ -466,7 +466,7 @@ describe('import rules schema', () => {
 
     test('saved_query type can have filters with it', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -487,7 +487,7 @@ describe('import rules schema', () => {
     test('filters cannot be a string', () => {
       expect(
         importRulesSchema.validate<
-          Partial<Omit<RuleAlertParamsRest, 'filters'> & { filters: string }>
+          Partial<Omit<ImportRuleAlertRest, 'filters'> & { filters: string }>
         >({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
@@ -508,7 +508,7 @@ describe('import rules schema', () => {
 
     test('language validates with kuery', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -529,7 +529,7 @@ describe('import rules schema', () => {
 
     test('language validates with lucene', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           risk_score: 50,
           output_index: '.siem-signals',
@@ -550,7 +550,7 @@ describe('import rules schema', () => {
 
     test('language does not validate with something made up', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -571,7 +571,7 @@ describe('import rules schema', () => {
 
     test('max_signals cannot be negative', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -593,7 +593,7 @@ describe('import rules schema', () => {
 
     test('max_signals cannot be zero', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -615,7 +615,7 @@ describe('import rules schema', () => {
 
     test('max_signals can be 1', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -637,7 +637,7 @@ describe('import rules schema', () => {
 
     test('You can optionally send in an array of tags', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -660,7 +660,7 @@ describe('import rules schema', () => {
 
     test('You cannot send in an array of tags that are numbers', () => {
       expect(
-        importRulesSchema.validate<Partial<Omit<RuleAlertParamsRest, 'tags'>> & { tags: number[] }>(
+        importRulesSchema.validate<Partial<Omit<ImportRuleAlertRest, 'tags'>> & { tags: number[] }>(
           {
             rule_id: 'rule-1',
             output_index: '.siem-signals',
@@ -688,7 +688,7 @@ describe('import rules schema', () => {
     test('You cannot send in an array of threats that are missing "framework"', () => {
       expect(
         importRulesSchema.validate<
-          Partial<Omit<RuleAlertParamsRest, 'threats'>> & {
+          Partial<Omit<ImportRuleAlertRest, 'threats'>> & {
             threats: Array<Partial<Omit<ThreatParams, 'framework'>>>;
           }
         >({
@@ -732,7 +732,7 @@ describe('import rules schema', () => {
     test('You cannot send in an array of threats that are missing "tactic"', () => {
       expect(
         importRulesSchema.validate<
-          Partial<Omit<RuleAlertParamsRest, 'threats'>> & {
+          Partial<Omit<ImportRuleAlertRest, 'threats'>> & {
             threats: Array<Partial<Omit<ThreatParams, 'tactic'>>>;
           }
         >({
@@ -772,7 +772,7 @@ describe('import rules schema', () => {
     test('You cannot send in an array of threats that are missing "techniques"', () => {
       expect(
         importRulesSchema.validate<
-          Partial<Omit<RuleAlertParamsRest, 'threats'>> & {
+          Partial<Omit<ImportRuleAlertRest, 'threats'>> & {
             threats: Array<Partial<Omit<ThreatParams, 'technique'>>>;
           }
         >({
@@ -809,7 +809,7 @@ describe('import rules schema', () => {
 
     test('You can optionally send in an array of false positives', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -833,7 +833,7 @@ describe('import rules schema', () => {
     test('You cannot send in an array of false positives that are numbers', () => {
       expect(
         importRulesSchema.validate<
-          Partial<Omit<RuleAlertParamsRest, 'false_positives'>> & { false_positives: number[] }
+          Partial<Omit<ImportRuleAlertRest, 'false_positives'>> & { false_positives: number[] }
         >({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
@@ -859,7 +859,7 @@ describe('import rules schema', () => {
 
     test('You can optionally set the immutable to be true', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -883,7 +883,7 @@ describe('import rules schema', () => {
     test('You cannot set the immutable to be a number', () => {
       expect(
         importRulesSchema.validate<
-          Partial<Omit<RuleAlertParamsRest, 'immutable'>> & { immutable: number }
+          Partial<Omit<ImportRuleAlertRest, 'immutable'>> & { immutable: number }
         >({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
@@ -907,7 +907,7 @@ describe('import rules schema', () => {
 
     test('You cannot set the risk_score to 101', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 101,
@@ -930,7 +930,7 @@ describe('import rules schema', () => {
 
     test('You cannot set the risk_score to -1', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: -1,
@@ -953,7 +953,7 @@ describe('import rules schema', () => {
 
     test('You can set the risk_score to 0', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 0,
@@ -976,7 +976,7 @@ describe('import rules schema', () => {
 
     test('You can set the risk_score to 100', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 100,
@@ -999,7 +999,7 @@ describe('import rules schema', () => {
 
     test('You can set meta to any object you want', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -1025,7 +1025,7 @@ describe('import rules schema', () => {
 
     test('You cannot create meta as a string', () => {
       expect(
-        importRulesSchema.validate<Partial<Omit<RuleAlertParamsRest, 'meta'> & { meta: string }>>({
+        importRulesSchema.validate<Partial<Omit<ImportRuleAlertRest, 'meta'> & { meta: string }>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -1049,7 +1049,7 @@ describe('import rules schema', () => {
 
     test('You can omit the query string when filters are present', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -1072,7 +1072,7 @@ describe('import rules schema', () => {
 
     test('validates with timeline_id and timeline_title', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -1095,7 +1095,7 @@ describe('import rules schema', () => {
 
     test('You cannot omit timeline_title when timeline_id is present', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -1117,7 +1117,7 @@ describe('import rules schema', () => {
 
     test('You cannot have a null value for timeline_title when timeline_id is present', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -1140,7 +1140,7 @@ describe('import rules schema', () => {
 
     test('You cannot have empty string for timeline_title when timeline_id is present', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -1165,7 +1165,7 @@ describe('import rules schema', () => {
 
     test('You cannot have timeline_title with an empty timeline_id', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,
@@ -1188,7 +1188,7 @@ describe('import rules schema', () => {
 
     test('You cannot have timeline_title without timeline_id', () => {
       expect(
-        importRulesSchema.validate<Partial<RuleAlertParamsRest>>({
+        importRulesSchema.validate<Partial<ImportRuleAlertRest>>({
           rule_id: 'rule-1',
           output_index: '.siem-signals',
           risk_score: 50,

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.test.ts

@@ -5,7 +5,7 @@
  */
 
 import { getPrepackagedRules } from './get_prepackaged_rules';
-import { RuleAlertParamsRest } from '../types';
+import { PrepackagedRules } from '../types';
 import { isEmpty } from 'lodash/fp';
 
 describe('get_existing_prepackaged_rules', () => {
@@ -15,7 +15,7 @@ describe('get_existing_prepackaged_rules', () => {
 
   test('no rule should have the same rule_id as another rule_id', () => {
     const prePacakgedRules = getPrepackagedRules();
-    let existingRuleIds: RuleAlertParamsRest[] = [];
+    let existingRuleIds: PrepackagedRules[] = [];
     prePacakgedRules.forEach(rule => {
       const foundDuplicate = existingRuleIds.reduce((accum, existingRule) => {
         if (existingRule.rule_id === rule.rule_id) {

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_prepackaged_rules.ts

@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { RuleAlertParamsRest } from '../types';
+import { PrepackagedRules } from '../types';
 import { addPrepackagedRulesSchema } from '../routes/schemas/add_prepackaged_rules_schema';
 import { rawRules } from './prepackaged_rules';
 
@@ -13,9 +13,7 @@ import { rawRules } from './prepackaged_rules';
  * that they are adding incorrect schema rules. Also this will auto-flush in all the default
  * aspects such as default interval of 5 minutes, default arrays, etc...
  */
-export const validateAllPrepackagedRules = (
-  rules: RuleAlertParamsRest[]
-): RuleAlertParamsRest[] => {
+export const validateAllPrepackagedRules = (rules: PrepackagedRules[]): PrepackagedRules[] => {
   return rules.map(rule => {
     const validatedRule = addPrepackagedRulesSchema.validate(rule);
     if (validatedRule.error != null) {
@@ -35,6 +33,6 @@ export const validateAllPrepackagedRules = (
   });
 };
 
-export const getPrepackagedRules = (rules = rawRules): RuleAlertParamsRest[] => {
+export const getPrepackagedRules = (rules = rawRules): PrepackagedRules[] => {
   return validateAllPrepackagedRules(rules);
 };

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_rules_to_install.test.ts

@@ -5,7 +5,7 @@
  */
 
 import { getRulesToInstall } from './get_rules_to_install';
-import { getResult, fullRuleAlertParamsRest } from '../routes/__mocks__/request_responses';
+import { getResult, mockPrepackagedRule } from '../routes/__mocks__/request_responses';
 
 describe('get_rules_to_install', () => {
   test('should return empty array if both rule sets are empty', () => {
@@ -14,7 +14,7 @@ describe('get_rules_to_install', () => {
   });
 
   test('should return empty array if the two rule ids match', () => {
-    const ruleFromFileSystem = fullRuleAlertParamsRest();
+    const ruleFromFileSystem = mockPrepackagedRule();
     ruleFromFileSystem.rule_id = 'rule-1';
 
     const installedRule = getResult();
@@ -24,7 +24,7 @@ describe('get_rules_to_install', () => {
   });
 
   test('should return the rule to install if the id of the two rules do not match', () => {
-    const ruleFromFileSystem = fullRuleAlertParamsRest();
+    const ruleFromFileSystem = mockPrepackagedRule();
     ruleFromFileSystem.rule_id = 'rule-1';
 
     const installedRule = getResult();
@@ -34,10 +34,10 @@ describe('get_rules_to_install', () => {
   });
 
   test('should return two rules to install if both the ids of the two rules do not match', () => {
-    const ruleFromFileSystem1 = fullRuleAlertParamsRest();
+    const ruleFromFileSystem1 = mockPrepackagedRule();
     ruleFromFileSystem1.rule_id = 'rule-1';
 
-    const ruleFromFileSystem2 = fullRuleAlertParamsRest();
+    const ruleFromFileSystem2 = mockPrepackagedRule();
     ruleFromFileSystem2.rule_id = 'rule-2';
 
     const installedRule = getResult();
@@ -47,13 +47,13 @@ describe('get_rules_to_install', () => {
   });
 
   test('should return two rules of three to install if both the ids of the two rules do not match but the third does', () => {
-    const ruleFromFileSystem1 = fullRuleAlertParamsRest();
+    const ruleFromFileSystem1 = mockPrepackagedRule();
     ruleFromFileSystem1.rule_id = 'rule-1';
 
-    const ruleFromFileSystem2 = fullRuleAlertParamsRest();
+    const ruleFromFileSystem2 = mockPrepackagedRule();
     ruleFromFileSystem2.rule_id = 'rule-2';
 
-    const ruleFromFileSystem3 = fullRuleAlertParamsRest();
+    const ruleFromFileSystem3 = mockPrepackagedRule();
     ruleFromFileSystem3.rule_id = 'rule-3';
 
     const installedRule = getResult();

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_rules_to_install.ts

@@ -4,13 +4,13 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { RuleAlertParamsRest } from '../types';
+import { PrepackagedRules } from '../types';
 import { RuleAlertType } from './types';
 
 export const getRulesToInstall = (
-  rulesFromFileSystem: RuleAlertParamsRest[],
+  rulesFromFileSystem: PrepackagedRules[],
   installedRules: RuleAlertType[]
-): RuleAlertParamsRest[] => {
+): PrepackagedRules[] => {
   return rulesFromFileSystem.filter(
     rule => !installedRules.some(installedRule => installedRule.params.ruleId === rule.rule_id)
   );

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_rules_to_update.test.ts

@@ -5,7 +5,7 @@
  */
 
 import { getRulesToUpdate } from './get_rules_to_update';
-import { getResult, fullRuleAlertParamsRest } from '../routes/__mocks__/request_responses';
+import { getResult, mockPrepackagedRule } from '../routes/__mocks__/request_responses';
 
 describe('get_rules_to_update', () => {
   test('should return empty array if both rule sets are empty', () => {
@@ -14,7 +14,7 @@ describe('get_rules_to_update', () => {
   });
 
   test('should return empty array if the id of the two rules do not match', () => {
-    const ruleFromFileSystem = fullRuleAlertParamsRest();
+    const ruleFromFileSystem = mockPrepackagedRule();
     ruleFromFileSystem.rule_id = 'rule-1';
     ruleFromFileSystem.version = 2;
 
@@ -26,7 +26,7 @@ describe('get_rules_to_update', () => {
   });
 
   test('should return empty array if the id of file system rule is less than the installed version', () => {
-    const ruleFromFileSystem = fullRuleAlertParamsRest();
+    const ruleFromFileSystem = mockPrepackagedRule();
     ruleFromFileSystem.rule_id = 'rule-1';
     ruleFromFileSystem.version = 1;
 
@@ -38,7 +38,7 @@ describe('get_rules_to_update', () => {
   });
 
   test('should return empty array if the id of file system rule is the same as the installed version', () => {
-    const ruleFromFileSystem = fullRuleAlertParamsRest();
+    const ruleFromFileSystem = mockPrepackagedRule();
     ruleFromFileSystem.rule_id = 'rule-1';
     ruleFromFileSystem.version = 1;
 
@@ -50,7 +50,7 @@ describe('get_rules_to_update', () => {
   });
 
   test('should return the rule to update if the id of file system rule is greater than the installed version', () => {
-    const ruleFromFileSystem = fullRuleAlertParamsRest();
+    const ruleFromFileSystem = mockPrepackagedRule();
     ruleFromFileSystem.rule_id = 'rule-1';
     ruleFromFileSystem.version = 2;
 
@@ -62,7 +62,7 @@ describe('get_rules_to_update', () => {
   });
 
   test('should return 1 rule out of 2 to update if the id of file system rule is greater than the installed version of just one', () => {
-    const ruleFromFileSystem = fullRuleAlertParamsRest();
+    const ruleFromFileSystem = mockPrepackagedRule();
     ruleFromFileSystem.rule_id = 'rule-1';
     ruleFromFileSystem.version = 2;
 
@@ -79,11 +79,11 @@ describe('get_rules_to_update', () => {
   });
 
   test('should return 2 rules out of 2 to update if the id of file system rule is greater than the installed version of both', () => {
-    const ruleFromFileSystem1 = fullRuleAlertParamsRest();
+    const ruleFromFileSystem1 = mockPrepackagedRule();
     ruleFromFileSystem1.rule_id = 'rule-1';
     ruleFromFileSystem1.version = 2;
 
-    const ruleFromFileSystem2 = fullRuleAlertParamsRest();
+    const ruleFromFileSystem2 = mockPrepackagedRule();
     ruleFromFileSystem2.rule_id = 'rule-2';
     ruleFromFileSystem2.version = 2;
 

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/get_rules_to_update.ts

@@ -4,13 +4,13 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { RuleAlertParamsRest } from '../types';
+import { PrepackagedRules } from '../types';
 import { RuleAlertType } from './types';
 
 export const getRulesToUpdate = (
-  rulesFromFileSystem: RuleAlertParamsRest[],
+  rulesFromFileSystem: PrepackagedRules[],
   installedRules: RuleAlertType[]
-): RuleAlertParamsRest[] => {
+): PrepackagedRules[] => {
   return rulesFromFileSystem.filter(rule =>
     installedRules.some(installedRule => {
       return (

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/install_prepacked_rules.ts

@@ -7,12 +7,12 @@
 import { ActionsClient } from '../../../../../actions';
 import { AlertsClient } from '../../../../../alerting';
 import { createRules } from './create_rules';
-import { RuleAlertParamsRest } from '../types';
+import { PrepackagedRules } from '../types';
 
 export const installPrepackagedRules = async (
   alertsClient: AlertsClient,
   actionsClient: ActionsClient,
-  rules: RuleAlertParamsRest[],
+  rules: PrepackagedRules[],
   outputIndex: string
 ): Promise<void> => {
   await rules.forEach(async rule => {

x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/update_prepacked_rules.ts

@@ -7,12 +7,12 @@
 import { ActionsClient } from '../../../../../actions';
 import { AlertsClient } from '../../../../../alerting';
 import { updateRules } from './update_rules';
-import { RuleAlertParamsRest } from '../types';
+import { PrepackagedRules } from '../types';
 
 export const updatePrepackagedRules = async (
   alertsClient: AlertsClient,
   actionsClient: ActionsClient,
-  rules: RuleAlertParamsRest[],
+  rules: PrepackagedRules[],
   outputIndex: string
 ): Promise<void> => {
   await rules.forEach(async rule => {

x-pack/legacy/plugins/siem/server/lib/detection_engine/types.ts

@@ -58,6 +58,7 @@ export type RuleAlertParamsRest = Omit<
   RuleAlertParams,
   | 'ruleId'
   | 'falsePositives'
+  | 'immutable'
   | 'maxSignals'
   | 'savedId'
   | 'riskScore'
@@ -99,11 +100,25 @@ export type OutputRuleAlertRest = RuleAlertParamsRest & {
   id: string;
   created_by: string | undefined | null;
   updated_by: string | undefined | null;
+  immutable: boolean;
 };
 
 export type ImportRuleAlertRest = Omit<OutputRuleAlertRest, 'rule_id' | 'id'> & {
   id: string | undefined | null;
   rule_id: string;
+  immutable: boolean;
 };
 
+export type PrepackagedRules = Omit<
+  RuleAlertParamsRest,
+  | 'status'
+  | 'status_date'
+  | 'last_failure_at'
+  | 'last_success_at'
+  | 'last_failure_message'
+  | 'last_success_message'
+  | 'updated_at'
+  | 'created_at'
+> & { rule_id: string; immutable: boolean };
+
 export type CallWithRequest<T, U, V> = (endpoint: string, params: T, options?: U) => Promise<V>;