diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/utils.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/utils.ts
index 819bf87165e12..687bf91655e2a 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/utils.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/utils.ts
@@ -47,6 +47,9 @@ export const getOutputRuleAlertForRest = (): RuleResponse => ({
 from: 'now-6m',
 id: '04128c15-0d1b-4716-a4c5-46997ac7f3bd',
 immutable: false,
+ rule_source: {
+ type: 'internal',
+ },
 index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
 interval: '5m',
 risk_score: 50,
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/common_params_camel_to_snake.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/common_params_camel_to_snake.ts
index ee0fe19bf64ed..6f98230043e74 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/common_params_camel_to_snake.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/common_params_camel_to_snake.ts
@@ -5,9 +5,9 @@
 * 2.0.
 */
+import { convertObjectKeysToSnakeCase } from '../../../../../../utils/object_case_converters';
 import type { BaseRuleParams } from '../../../../rule_schema';
 import { migrateLegacyInvestigationFields } from '../../../utils/utils';
-import { normalizeRuleSource } from './normalize_rule_source';
 export const commonParamsCamelToSnake = (params: BaseRuleParams) => {
 return {
@@ -39,10 +39,7 @@ export const commonParamsCamelToSnake = (params: BaseRuleParams) => {
 version: params.version,
 exceptions_list: params.exceptionsList,
 immutable: params.immutable,
- rule_source: normalizeRuleSource({
- immutable: params.immutable,
- ruleSource: params.ruleSource,
- }),
+ rule_source: convertObjectKeysToSnakeCase(params.ruleSource),
 related_integrations: params.relatedIntegrations ?? [],
 required_fields: params.requiredFields ?? [],
 setup: params.setup ?? '',
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/internal_rule_to_api_response.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/internal_rule_to_api_response.ts
index 452f59df8dcf9..349f54b1e3b3c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/internal_rule_to_api_response.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/internal_rule_to_api_response.ts
@@ -17,6 +17,7 @@ import {
 } from '../../../normalization/rule_actions';
 import { typeSpecificCamelToSnake } from './type_specific_camel_to_snake';
 import { commonParamsCamelToSnake } from './common_params_camel_to_snake';
+import { normalizeRuleParams } from './normalize_rule_params';
 export const internalRuleToAPIResponse = (
 rule: SanitizedRule | ResolvedSanitizedRule
@@ -31,6 +32,7 @@ export const internalRuleToAPIResponse = (
 const alertActions = rule.actions.map(transformAlertToRuleAction);
 const throttle = transformFromAlertThrottle(rule);
 const actions = transformToActionFrequency(alertActions, throttle);
+ const normalizedRuleParams = normalizeRuleParams(rule.params);
 return {
 // saved object properties
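Review bot: In `common_params_camel_to_snake.ts`, the new line `rule_source: convertObjectKeysToSnakeCase(params.ruleSource)` only yields a populated `rule_source` if the caller has already filled in `ruleSource`, yet the parameter is still typed `BaseRuleParams`, whose `ruleSource` the removed fallback (`if (!ruleSource)`) treated as possibly absent. A caller that passes stored params straight through for a rule saved before the field existed would emit whatever `convertObjectKeysToSnakeCase` returns for `undefined` rather than the `immutable`-derived default, and the compiler would not flag it. Consider narrowing the parameter, for example `params: ReturnType<typeof normalizeRuleParams>`, or at least add `// params.ruleSource must already be normalized by the caller` above the property. The body of `commonParamsCamelToSnake` starts and ends outside this hunk.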
@@ -49,7 +51,7 @@ export const internalRuleToAPIResponse = (
 enabled: rule.enabled,
 revision: rule.revision,
 // Security solution shared rule params
- ...commonParamsCamelToSnake(rule.params),
+ ...commonParamsCamelToSnake(normalizedRuleParams),
 // Type specific security solution rule params
 ...typeSpecificCamelToSnake(rule.params),
 // Actions
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/normalize_rule_source.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/normalize_rule_params.test.ts
similarity index 96%
rename from x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/normalize_rule_source.test.ts
rename to x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/normalize_rule_params.test.ts
index 5c39848ba2dbe..e147d203eec64 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/normalize_rule_source.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/normalize_rule_params.test.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { normalizeRuleSource } from './normalize_rule_source';
+import { normalizeRuleSource } from './normalize_rule_params';
 import type { BaseRuleParams } from '../../../../rule_schema';
 describe('normalizeRuleSource', () => {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/normalize_rule_params.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/normalize_rule_params.ts
new file mode 100644
index 0000000000000..1b09e3fe73b99
--- /dev/null
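Review bot: In `internal_rule_to_api_response.ts` the two spreads now read from different objects: `commonParamsCamelToSnake(normalizedRuleParams)` gets the normalized copy while `typeSpecificCamelToSnake(rule.params)` still gets the stored params. That is harmless as long as normalization only touches `ruleSource`, but nothing at the call site says so. A one-line comment such as `// only common params are normalized; type-specific params are read as stored` above the second spread would keep a later normalization step from being applied to one converter and not the other. The returned object literal continues outside this hunk.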
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/normalize_rule_params.ts
@@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import type { BaseRuleParams, RuleSourceCamelCased } from '../../../../rule_schema';
+
+interface NormalizeRuleSourceParams {
+ immutable: BaseRuleParams['immutable'];
+ ruleSource: BaseRuleParams['ruleSource'];
+}
+
+/*
+ * Since there's no mechanism to migrate all rules at the same time,
+ * we cannot guarantee that the ruleSource params is present in all rules.
+ * This function will normalize the ruleSource param, creating it if does
+ * not exist in ES, based on the immutable param.
+ */
+export const normalizeRuleSource = ({
+ immutable,
+ ruleSource,
+}: NormalizeRuleSourceParams): RuleSourceCamelCased => {
+ if (!ruleSource) {
+ const normalizedRuleSource: RuleSourceCamelCased = immutable
+ ? {
+ type: 'external',
+ isCustomized: false,
+ }
+ : {
+ type: 'internal',
+ };
+
+ return normalizedRuleSource;
+ }
+ return ruleSource;
+};
+
+export const normalizeRuleParams = (params: BaseRuleParams) => {
+ return {
+ ...params,
+ ruleSource: normalizeRuleSource({
+ immutable: params.immutable,
+ ruleSource: params.ruleSource,
+ }),
+ };
+};
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/normalize_rule_source.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/normalize_rule_source.ts
deleted file mode 100644
index f05cc38c48f58..0000000000000
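Review bot: In the new `normalize_rule_params.ts`, `normalizeRuleParams` is exported with no explicit return type and no doc comment, and the explanation above `normalizeRuleSource` opens with `/*`, so it is a plain block comment rather than a doc comment attached to the export. Change that opener to `/**`, fix the wording to "creating it if it does not exist", and annotate the wrapper, for example `(params: BaseRuleParams): BaseRuleParams & { ruleSource: RuleSourceCamelCased } =>`, so that callers can rely on `ruleSource` being present. The doc should also state that a stored `ruleSource` is returned unchanged even when it disagrees with `immutable`, if that is the intended contract. The renamed test file's visible hunk still imports only `normalizeRuleSource`, so a test case for `normalizeRuleParams` may be missing.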
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/normalize_rule_source.ts
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
- * or more contributor license agreements. Licensed under the Elastic License
- * 2.0; you may not use this file except in compliance with the Elastic License
- * 2.0.
- */
-import type { RuleSource } from '../../../../../../../common/api/detection_engine';
-import { convertObjectKeysToSnakeCase } from '../../../../../../utils/object_case_converters';
-import type { BaseRuleParams } from '../../../../rule_schema';
-
-interface NormalizeRuleSourceParams {
- immutable: BaseRuleParams['immutable'];
- ruleSource: BaseRuleParams['ruleSource'];
-}
-export const normalizeRuleSource = ({
- immutable,
- ruleSource,
-}: NormalizeRuleSourceParams): RuleSource => {
- if (!ruleSource) {
- const normalizedRuleSource = immutable
- ? {
- type: 'external',
- isCustomized: false,
- }
- : {
- type: 'internal',
- };
-
- return convertObjectKeysToSnakeCase(normalizedRuleSource) as RuleSource;
- }
- return convertObjectKeysToSnakeCase(ruleSource) as RuleSource;
-};
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/export/get_export_all.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/export/get_export_all.test.ts
index 0ba0afbce715a..382df4bfa5ffc 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/export/get_export_all.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/export/get_export_all.test.ts
@@ -100,6 +100,9 @@ describe('getExportAll', () => {
 from: 'now-6m',
 id: '04128c15-0d1b-4716-a4c5-46997ac7f3bd',
 immutable: false,
+ rule_source: {
+ type: 'internal',
+ },
 index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
 interval: '5m',
 rule_id: 'rule-1',
@@ -280,6 +283,9 @@ describe('getExportAll', () => {
 from: 'now-6m',
 id: '04128c15-0d1b-4716-a4c5-46997ac7f3bd',
 immutable: false,
+ rule_source: {
+ type: 'internal',
+ },
 index: ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'],
 interval: '5m',
 rule_id: 'rule-1',
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.mock.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.mock.ts
index 3a4fa1dadd778..8099d7a00049f 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.mock.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.mock.ts
@@ -32,6 +32,9 @@ export const getBaseRuleParams = (): BaseRuleParams => {
 description: 'Detecting root and admin users',
 falsePositives: [],
 immutable: false,
+ ruleSource: {
+ type: 'internal',
+ },
 from: 'now-6m',
 to: 'now',
 severity: 'high',