[Security Solution][Detections] Updating prepackaged rules overwrites existing exceptions

[spong]

Kibana version:
7.9

When updating prepackaged rules any existing exceptions on the rules being updated will be overridden with whatever exceptions are on the prepackaged rules. To mitigate this, we can merge any existing exceptions_list items from the rulesFromFileSystem with those coming from the prepackagedRules.

Flow:

Get rules to update:

kibana/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/add_prepackaged_rules_route.ts

Line 65 in 21156d6

const rulesToUpdate = getRulesToUpdate(rulesFromFileSystem, prepackagedRules);

Add logic for merging existing exceptions

kibana/x-pack/plugins/security_solution/server/lib/detection_engine/routes/rules/add_prepackaged_rules_route.ts

Line 87 in 21156d6

await updatePrepackagedRules(alertsClient, savedObjectsClient, rulesToUpdate, signalsIndex);

Patch in update_prepacked_rules.ts will now include any pre-existing exceptions and will no longer overwrite:

kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rules/update_prepacked_rules.ts

Line 63 in d6c7128

exceptions_list: exceptionsList,

Steps to recreate:

• Add prepackaged rules
• Add exception to prepackaged rule
• Increment version of the rule that the exception was added to
• Update prepackaged rules
• Observe exception added is no longer present

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security Solution)