
[Security Solution] Rules mistakenly marked as customized #199629

@xcrzx

Description

Summary

A prebuilt rule is marked as customized when an action is attached to it. The diff algorithm incorrectly detects changes to the threat and rule_schedule fields.

Steps to Reproduce

  1. Open any prebuilt rule for editing.
  2. With the feature flag off, attaching actions is the only possible edit to prebuilt rules. So, add a rule action and save the rule.
  3. Read the rule using the rule read API.

Expected Result

Since adding or changing rule actions should not mark rules as customized, the returned rule should have rule_source.is_customized = false.

Actual Result

The rule is incorrectly marked as customized.

Initial Analysis

The rule asset object and installed rule saved object have some values represented in different formats, leading to mismatches. The differences include:

  • rule_schedule is in minutes (e.g., 4m) in one case and seconds (e.g., 240s) in another.
  • threat may omit optional fields, such as subtechnique, in the rule asset object, whereas the rule saved object has them as empty arrays (e.g., subtechnique: []).

Other fields may also have similar format differences. To address this, the diff algorithm should:

  • Account for values like empty arrays being equivalent to missing values for certain fields.
  • Normalize units before comparison (e.g., convert minutes to seconds).

This ensures consistency in identifying rule changes.
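The normalization described above, as an added example that is not Kibana's own diff code: a minimal TypeScript comparison that converts schedule durations to seconds, treats an empty array the same as an absent key, and ignores attached actions before deciding whether a rule is customized. The field shapes (`rule_schedule` with `interval` and `lookback`, a `threat` array, an `actions` array) and all sample values are assumptions constructed for the example.

```typescript
// Added example, not Kibana's own code: normalise the fields a prebuilt rule
// diff compares so that format-only differences (minutes vs. seconds, an empty
// array vs. an absent key) do not mark the rule as customized.

// Assumed shape; the real rule objects carry many more fields.
type RuleSchedule = { interval: string; lookback: string };
type RuleFields = {
  rule_schedule?: RuleSchedule;
  threat?: unknown[];
  actions?: unknown[];
  [key: string]: unknown;
};

const UNIT_SECONDS: Record<string, number> = { s: 1, m: 60, h: 3600, d: 86400 };

// "4m" -> 240, "240s" -> 240. Rejects anything it cannot parse rather than
// guessing, so a malformed value is surfaced instead of silently compared.
function durationToSeconds(value: string): number {
  const match = /^(\d+)([smhd])$/.exec(value.trim());
  const unit = match?.[2] ?? '';
  const factor = UNIT_SECONDS[unit];
  if (!match || factor === undefined) {
    throw new Error(`Unsupported duration: ${value}`);
  }
  return Number(match[1]) * factor;
}

// Recursively drop keys whose value is undefined or an empty array, so that
// `subtechnique: []` and a missing `subtechnique` normalise to the same thing.
function stripEmpty(value: unknown): unknown {
  if (Array.isArray(value)) {
    return value.map(stripEmpty);
  }
  if (value !== null && typeof value === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      if (v === undefined) continue;
      if (Array.isArray(v) && v.length === 0) continue;
      out[k] = stripEmpty(v);
    }
    return out;
  }
  return value;
}

// Canonical form of the fields that count towards customization.
// `actions` is deliberately excluded: attaching an action is not a customization.
function normalizeRule(rule: RuleFields): unknown {
  const { rule_schedule, ...rest } = rule;
  delete rest.actions;
  return stripEmpty({
    ...rest,
    rule_schedule: rule_schedule && {
      interval_seconds: durationToSeconds(rule_schedule.interval),
      lookback_seconds: durationToSeconds(rule_schedule.lookback),
    },
  });
}

// Key-order-independent serialisation so two objects compare structurally.
function canonicalJson(value: unknown): string {
  if (Array.isArray(value)) {
    return '[' + value.map(canonicalJson).join(',') + ']';
  }
  if (value !== null && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    return '{' + Object.keys(obj).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalJson(obj[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

function isCustomized(asset: RuleFields, installed: RuleFields): boolean {
  return canonicalJson(normalizeRule(asset)) !== canonicalJson(normalizeRule(installed));
}

// Constructed sample data mirroring the mismatch described in the issue.
const ASSET: RuleFields = {
  name: 'Example rule',
  rule_schedule: { interval: '4m', lookback: '1m' },
  threat: [{ framework: 'MITRE ATT&CK', tactic: { id: 'TA0001' },
             technique: [{ id: 'T1190' }] }],
};
const INSTALLED_WITH_ACTION: RuleFields = {
  name: 'Example rule',
  rule_schedule: { interval: '240s', lookback: '60s' },
  threat: [{ framework: 'MITRE ATT&CK', tactic: { id: 'TA0001' },
             technique: [{ id: 'T1190', subtechnique: [] }] }],
  actions: [{ id: 'placeholder-connector-id', group: 'default' }],
};
// A genuine edit to the schedule, which should still count as a customization.
const INSTALLED_EDITED: RuleFields = {
  ...INSTALLED_WITH_ACTION,
  rule_schedule: { interval: '10m', lookback: '60s' },
};

console.log(isCustomized(ASSET, INSTALLED_WITH_ACTION)); // false
console.log(isCustomized(ASSET, INSTALLED_EDITED));      // true
```

Dropping empty arrays is applied to every field here; a production diff would restrict that rule to fields where an empty array and a missing key are known to be equivalent, since for some fields an explicitly empty list may be a meaningful edit.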

Labels

  • 8.17 candidate
  • Feature:Prebuilt Detection Rules (Security Solution Prebuilt Detection Rules area)
  • Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  • Team:Detection Rule Management (Security Detection Rule Management Team)
  • Team:Detections and Resp (Security Detection Response Team)
  • bug (Fixes for quality problems that affect the customer experience)
  • impact:high (Addressing this issue will have a high level of impact on the quality/strength of our product.)
  • v8.16.1
  • v8.17.0
  • v9.0.0
