elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] Rule Patch API ignores type specific fields #202724

Open xcrzx opened 16 hours ago

xcrzx commented 16 hours ago

Summary

When sending a partial patch request for a rule, all type-specific rule parameters are ignored unless the type field is explicitly included in the request.

Example of the Issue

Request That Doesn't Work:

// PATCH /api/detection_engine/rules
{
    "id": "af41ffbd-62b6-4417-8145-f3bde331e3f4",
    "machine_learning_job_id": ["rare_destination_country"]
}

In this case, machine_learning_job_id is not applied to the rule. An empty patch is applied instead, and no error is raised.

Request That Works:

// PATCH /api/detection_engine/rules
{
    "id": "af41ffbd-62b6-4417-8145-f3bde331e3f4",
    "type": "machine_learning",
    "machine_learning_job_id": ["rare_destination_country"]
}

Including the type field allows the patch to work as expected.

Root Cause

This happens because:

Solution

The patch endpoint should:

  1. Accept all known rule fields as valid in the payload
  2. Defer stripping of unknown values until after fetching the rule and determining its type
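
The following is an added example, not Kibana code and not part of the issue: a small TypeScript model of the two validation orders described above, written to make the silent no-op visible. The first function strips unknown keys while validating the request, before the stored rule has been read, so without `type` in the payload only common fields survive. The second implements the proposed order (accept every known field, fetch the rule, then strip against the type actually in effect). The field lists, the in-memory store, the stored rule document and the function names (`patchRuleCurrent`, `patchRuleProposed`, `droppedFields`) are constructed for this example; the real rule schema is far larger.

```typescript
// Added example, not Kibana code. Field lists, store and rule document are
// constructed for the example.

type RuleType = 'query' | 'machine_learning';

interface StoredRule {
  id: string;
  type: RuleType;
  name: string;
  query?: string;
  machine_learning_job_id?: string[];
  anomaly_threshold?: number;
}

type Patch = Record<string, unknown>;

// Assumed field lists (hypothetical, much smaller than the real schema).
const COMMON_FIELDS: string[] = ['id', 'rule_id', 'type', 'name', 'enabled'];
const TYPE_FIELDS: Record<RuleType, string[]> = {
  query: ['query', 'language', 'index'],
  machine_learning: ['machine_learning_job_id', 'anomaly_threshold'],
};

const RULE_ID = 'af41ffbd-62b6-4417-8145-f3bde331e3f4';

// Constructed in-memory store standing in for the saved-objects client.
function makeStore(): Map<string, StoredRule> {
  const rule: StoredRule = {
    id: RULE_ID, type: 'machine_learning', name: 'Rare destination country',
    machine_learning_job_id: ['old_job'], anomaly_threshold: 50,
  };
  return new Map<string, StoredRule>([[RULE_ID, rule]]);
}

function keepOnly(patch: Patch, allowed: string[]): Patch {
  const out: Patch = {};
  Object.keys(patch).forEach((k) => {
    if (allowed.indexOf(k) !== -1) out[k] = patch[k];
  });
  return out;
}

function lookup(store: Map<string, StoredRule>, patch: Patch): StoredRule {
  const rule = store.get(String(patch.id));
  if (!rule) throw new Error(`rule ${String(patch.id)} not found`);
  return rule;
}

// Reported behaviour: unknown keys are stripped while validating the request.
// Without `type` in the payload only common fields are recognised, so the
// type-specific fields are dropped and an empty patch is applied, successfully.
function patchRuleCurrent(store: Map<string, StoredRule>, patch: Patch): StoredRule {
  const declared = patch.type as RuleType | undefined;
  const allowed = declared ? COMMON_FIELDS.concat(TYPE_FIELDS[declared]) : COMMON_FIELDS;
  const clean = keepOnly(patch, allowed);   // stripping happens here...
  const rule = lookup(store, patch);        // ...but the type is only known here
  const updated = { ...rule, ...clean } as StoredRule;
  store.set(rule.id, updated);
  return updated;
}

// Proposed behaviour: accept any known rule field, fetch the rule first, then
// strip against the effective type (payload `type` if present, else stored).
function patchRuleProposed(store: Map<string, StoredRule>, patch: Patch): StoredRule {
  const allKnown = COMMON_FIELDS.concat(TYPE_FIELDS.query, TYPE_FIELDS.machine_learning);
  const unknown = Object.keys(patch).filter((k) => allKnown.indexOf(k) === -1);
  if (unknown.length > 0) throw new Error(`unknown fields: ${unknown.join(', ')}`);

  const rule = lookup(store, patch);
  const effectiveType = (patch.type as RuleType | undefined) ?? rule.type;
  const clean = keepOnly(patch, COMMON_FIELDS.concat(TYPE_FIELDS[effectiveType]));
  const updated = { ...rule, ...clean } as StoredRule;
  store.set(rule.id, updated);
  return updated;
}

// Client-side check: compare the PATCH response with the request and report
// requested fields whose values did not land on the rule.
function droppedFields(requested: Patch, result: StoredRule): string[] {
  const res = result as unknown as Patch;
  return Object.keys(requested)
    .filter((k) => k !== 'id' && k !== 'type')
    .filter((k) => JSON.stringify(res[k]) !== JSON.stringify(requested[k]));
}

// The request from the issue, without `type`.
const request: Patch = { id: RULE_ID, machine_learning_job_id: ['rare_destination_country'] };
console.log('current  dropped:', droppedFields(request, patchRuleCurrent(makeStore(), request)));
console.log('proposed dropped:', droppedFields(request, patchRuleProposed(makeStore(), request)));
```

Because the endpoint answers with a successful response and the unchanged rule, a client cannot tell from the status code that nothing happened; the `droppedFields` comparison is the kind of check worth running after any detection-rule PATCH, and including `type` in the payload (as the issue notes) is the workaround until the validation order changes. Note that the proposed order still strips, rather than rejects, a field that belongs to a different rule type than the one in effect; rejecting such fields would be the stricter option.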

elasticmachine commented 16 hours ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 16 hours ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine commented 16 hours ago

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)