[8.12] [Security Solution] Fix importing rules referencing preconfigu…

…red connectors (elastic#176284) (elastic#176887)

# Backport

This will backport the following commits from `main` to `8.12`:
- [[Security Solution] Fix importing rules referencing preconfigured
connectors (elastic#176284)](elastic#176284)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Maxim
Palenov","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-02-13T15:30:25Z","message":"[Security
Solution] Fix importing rules referencing preconfigured connectors
(elastic#176284)\n\n**Fixes:**
https://github.com/elastic/kibana/issues/157253\r\n\r\n##
Summary\r\n\r\nThis PR fixes rules import with
`overwrite_action_connectors` set to true when ndjson contains rules
with actions referencing preconfigured action connectors.\r\n\r\n##
Details\r\n\r\nA user can preconfigure action connectors as described
[here](https://www.elastic.co/guide/en/kibana/current/pre-configured-connectors.html).
At the same time Elastic Could instances have Elastic-cloud-SMTP
connector preconfigured. In particular import doesn't work as expected
in Elastic Cloud for rules having actions referencing the preconfigured
Elastic-cloud-SMTP connector.\r\n\r\nThis is fixed by filtering out
preconfigured connector ids so importing logic only handles custom
action connectors.\r\n\r\nOn top of this functional tests have been
added to make sure the problem won't come back.\r\n\r\n###
Checklist\r\n\r\n- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios\r\n- [x]
[Ran](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5139)
in Flaky test runner for ESS and Serverless and no flakiness has been
revealed","sha":"934a06ccf7c599685e04469ff0801e461ee9c2d5","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","impact:medium","Team:Detections
and Resp","Team: SecuritySolution","Feature:Rule
Actions","Team:Detection Rule Management","Feature:Rule
Import/Export","v8.13.0","v8.12.2"],"number":176284,"url":"https://github.com/elastic/kibana/pull/176284","mergeCommit":{"message":"[Security
Solution] Fix importing rules referencing preconfigured connectors
(elastic#176284)\n\n**Fixes:**
https://github.com/elastic/kibana/issues/157253\r\n\r\n##
Summary\r\n\r\nThis PR fixes rules import with
`overwrite_action_connectors` set to true when ndjson contains rules
with actions referencing preconfigured action connectors.\r\n\r\n##
Details\r\n\r\nA user can preconfigure action connectors as described
[here](https://www.elastic.co/guide/en/kibana/current/pre-configured-connectors.html).
At the same time Elastic Could instances have Elastic-cloud-SMTP
connector preconfigured. In particular import doesn't work as expected
in Elastic Cloud for rules having actions referencing the preconfigured
Elastic-cloud-SMTP connector.\r\n\r\nThis is fixed by filtering out
preconfigured connector ids so importing logic only handles custom
action connectors.\r\n\r\nOn top of this functional tests have been
added to make sure the problem won't come back.\r\n\r\n###
Checklist\r\n\r\n- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios\r\n- [x]
[Ran](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5139)
in Flaky test runner for ESS and Serverless and no flakiness has been
revealed","sha":"934a06ccf7c599685e04469ff0801e461ee9c2d5"}},"sourceBranch":"main","suggestedTargetBranches":["8.12"],"targetPullRequestStates":[{"branch":"main","label":"v8.13.0","labelRegex":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/176284","number":176284,"mergeCommit":{"message":"[Security
Solution] Fix importing rules referencing preconfigured connectors
(elastic#176284)\n\n**Fixes:**
https://github.com/elastic/kibana/issues/157253\r\n\r\n##
Summary\r\n\r\nThis PR fixes rules import with
`overwrite_action_connectors` set to true when ndjson contains rules
with actions referencing preconfigured action connectors.\r\n\r\n##
Details\r\n\r\nA user can preconfigure action connectors as described
[here](https://www.elastic.co/guide/en/kibana/current/pre-configured-connectors.html).
At the same time Elastic Could instances have Elastic-cloud-SMTP
connector preconfigured. In particular import doesn't work as expected
in Elastic Cloud for rules having actions referencing the preconfigured
Elastic-cloud-SMTP connector.\r\n\r\nThis is fixed by filtering out
preconfigured connector ids so importing logic only handles custom
action connectors.\r\n\r\nOn top of this functional tests have been
added to make sure the problem won't come back.\r\n\r\n###
Checklist\r\n\r\n- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios\r\n- [x]
[Ran](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5139)
in Flaky test runner for ESS and Serverless and no flakiness has been
revealed","sha":"934a06ccf7c599685e04469ff0801e461ee9c2d5"}},{"branch":"8.12","label":"v8.12.2","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

x-pack/plugins/security_solution/common/api/detection_engine/rule_management/import_rules/rule_to_import.mock.ts

@@ -7,17 +7,19 @@
 
 import type { RuleToImport } from './rule_to_import';
 
-export const getImportRulesSchemaMock = (ruleId = 'rule-1'): RuleToImport => ({
-  description: 'some description',
-  name: 'Query with a rule id',
-  query: 'user.name: root or user.name: admin',
-  severity: 'high',
-  type: 'query',
-  risk_score: 55,
-  language: 'kuery',
-  rule_id: ruleId,
-  immutable: false,
-});
+export const getImportRulesSchemaMock = (rewrites?: Partial<RuleToImport>): RuleToImport =>
+  ({
+    description: 'some description',
+    name: 'Query with a rule id',
+    query: 'user.name: root or user.name: admin',
+    severity: 'high',
+    type: 'query',
+    risk_score: 55,
+    language: 'kuery',
+    rule_id: 'rule-1',
+    immutable: false,
+    ...rewrites,
+  } as RuleToImport);
 
 export const getImportRulesWithIdSchemaMock = (ruleId = 'rule-1'): RuleToImport => ({
   id: '6afb8ce1-ea94-4790-8653-fd0b021d2113',
@@ -47,42 +49,46 @@ export const rulesToNdJsonString = (rules: RuleToImport[]) => {
  * @param ruleIds Array of ruleIds with which to generate rule JSON
  */
 export const ruleIdsToNdJsonString = (ruleIds: string[]) => {
-  const rules = ruleIds.map((ruleId) => getImportRulesSchemaMock(ruleId));
+  const rules = ruleIds.map((ruleId) => getImportRulesSchemaMock({ rule_id: ruleId }));
   return rulesToNdJsonString(rules);
 };
 
-export const getImportThreatMatchRulesSchemaMock = (ruleId = 'rule-1'): RuleToImport => ({
-  description: 'some description',
-  name: 'Query with a rule id',
-  query: 'user.name: root or user.name: admin',
-  severity: 'high',
-  type: 'threat_match',
-  risk_score: 55,
-  language: 'kuery',
-  rule_id: ruleId,
-  threat_index: ['index-123'],
-  threat_mapping: [{ entries: [{ field: 'host.name', type: 'mapping', value: 'host.name' }] }],
-  threat_query: '*:*',
-  threat_filters: [
-    {
-      bool: {
-        must: [
-          {
-            query_string: {
-              query: 'host.name: linux',
-              analyze_wildcard: true,
-              time_zone: 'Zulu',
+export const getImportThreatMatchRulesSchemaMock = (
+  rewrites?: Partial<RuleToImport>
+): RuleToImport =>
+  ({
+    description: 'some description',
+    name: 'Query with a rule id',
+    query: 'user.name: root or user.name: admin',
+    severity: 'high',
+    type: 'threat_match',
+    risk_score: 55,
+    language: 'kuery',
+    rule_id: 'rule-1',
+    threat_index: ['index-123'],
+    threat_mapping: [{ entries: [{ field: 'host.name', type: 'mapping', value: 'host.name' }] }],
+    threat_query: '*:*',
+    threat_filters: [
+      {
+        bool: {
+          must: [
+            {
+              query_string: {
+                query: 'host.name: linux',
+                analyze_wildcard: true,
+                time_zone: 'Zulu',
+              },
             },
-          },
-        ],
-        filter: [],
-        should: [],
-        must_not: [],
+          ],
+          filter: [],
+          should: [],
+          must_not: [],
+        },
       },
-    },
-  ],
-  immutable: false,
-});
+    ],
+    immutable: false,
+    ...rewrites,
+  } as RuleToImport);
 
 export const webHookConnector = {
   id: 'cabc78e0-9031-11ed-b076-53cc4d57aaf1',
@@ -104,8 +110,7 @@ export const webHookConnector = {
 
 export const ruleWithConnectorNdJSON = (): string => {
   const items = [
-    {
-      ...getImportRulesSchemaMock(),
+    getImportRulesSchemaMock({
       actions: [
         {
           group: 'default',
@@ -114,7 +119,7 @@ export const ruleWithConnectorNdJSON = (): string => {
           params: {},
         },
       ],
-    },
+    }),
     webHookConnector,
   ];
   const stringOfExceptions = items.map((item) => JSON.stringify(item));