[Security Solution] Error displayed when duplicating a rule with a deleted action connector

[benskelker]

[Originally reported by @MadameSheema]

Rules with actions that have been removed cannot be duplicated.

Kibana version: 7.8.0

Steps to Reproduce:

1. Create a rule with an action
2. Go to Stack Management > Connectors
3. Delete the Connector linked to the rule
4. Go to Detections > Manage signal detection rules
5. Duplicate the rule

Current Behaviour:

• An error is displayed
• The rule is not duplicated

Expected Behaviour:

• An error is not displayed
• The rule is correctly duplicated

Workaround

• Go to Edit rule settings for the affected Rule
• Click Actions, and click the X on the connector with the error (see image below)
• Click Save changes
• The user should now be able to duplicate the Rule

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security Solution)

[MadameSheema]

Please check https://github.com/elastic/kibana/issues/126756 for more information.

[pborgonovi]

Validated the behavior on latest 8.15 BC and it's still valid:

https://github.com/user-attachments/assets/2ad1cc65-d120-4d92-9160-c42cbb76541f

Error logs:

{ "name": "Error", "body": { "statusCode": 500, "error": "Internal Server Error", "message": "Bulk edit failed", "attributes": { "errors": [ { "message": "Failed to load action 9683a243-bfee-4145-b275-782a0cfa4b70 (404): Saved object [action/9683a243-bfee-4145-b275-782a0cfa4b70] not found", "status_code": 400, "rules": [ { "id": "86fd47cd-5055-465c-95f9-bd120c9b2191", "name": "test" } ] } ], "results": { "updated": [], "created": [], "deleted": [], "skipped": [] }, "summary": { "failed": 1, "succeeded": 0, "skipped": 0, "total": 1 } } }, "message": "", "stack": "{\n \"statusCode\": 500,\n \"error\": \"Internal Server Error\",\n \"message\": \"Bulk edit failed\",\n \"attributes\": {\n \"errors\": [\n {\n \"message\": \"Failed to load action 9683a243-bfee-4145-b275-782a0cfa4b70 (404): Saved object [action/9683a243-bfee-4145-b275-782a0cfa4b70] not found\",\n \"status_code\": 400,\n \"rules\": [\n {\n \"id\": \"86fd47cd-5055-465c-95f9-bd120c9b2191\",\n \"name\": \"test\"\n }\n ]\n }\n ],\n \"results\": {\n \"updated\": [],\n \"created\": [],\n \"deleted\": [],\n \"skipped\": []\n },\n \"summary\": {\n \"failed\": 1,\n \"succeeded\": 0,\n \"skipped\": 0,\n \"total\": 1\n }\n }\n}" }

[pborgonovi]

Downgrading the impact from Medium to Low due to the existing workaround.

After discussing with the team it was decided to keep this bug for future fix one since it prevents rule duplication (a seemingly very common use case) and the error text is not helping the user to understand why.

cc @banderror @MadameSheema