From 5da1389a5474e3c7348488b02694d4e564d45b52 Mon Sep 17 00:00:00 2001
From: Davis Plumlee <davis.plumlee@elastic.co>
Date: Tue, 12 Nov 2024 22:03:35 -0500
Subject: [PATCH] fixes patch logic

---
 .../mergers/apply_rule_patch.test.ts          | 32 +++++++++++++++++++
 .../mergers/apply_rule_patch.ts               |  4 ++-
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.test.ts
index 49592aff28f95..abf90c3f4dfc4 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.test.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.test.ts
@@ -453,4 +453,36 @@ describe('applyRulePatch', () => {
       })
     ).rejects.toThrowError('new_terms_fields: Expected array, received string');
   });
+
+  test('should retain existing required_fields when not present in rule patch body', async () => {
+    const rulePatch = {
+      name: 'new name',
+    } as PatchRuleRequestBody;
+    const existingRule = {
+      ...getRulesSchemaMock(),
+      required_fields: [
+        {
+          name: 'event.action',
+          type: 'keyword',
+          ecs: true,
+        },
+      ],
+    };
+    const patchedRule = await applyRulePatch({
+      rulePatch,
+      existingRule,
+      prebuiltRuleAssetClient,
+    });
+    expect(patchedRule).toEqual(
+      expect.objectContaining({
+        required_fields: [
+          {
+            name: 'event.action',
+            type: 'keyword',
+            ecs: true,
+          },
+        ],
+      })
+    );
+  });
 });
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts
index becc68f3d0075..9f5b167322491 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts
@@ -92,7 +92,9 @@ export const applyRulePatch = async ({
     meta: rulePatch.meta ?? existingRule.meta,
     max_signals: rulePatch.max_signals ?? existingRule.max_signals,
     related_integrations: rulePatch.related_integrations ?? existingRule.related_integrations,
-    required_fields: addEcsToRequiredFields(rulePatch.required_fields),
+    required_fields: rulePatch.required_fields
+      ? addEcsToRequiredFields(rulePatch.required_fields)
+      : existingRule.required_fields,
     risk_score: rulePatch.risk_score ?? existingRule.risk_score,
     risk_score_mapping: rulePatch.risk_score_mapping ?? existingRule.risk_score_mapping,
     rule_name_override: rulePatch.rule_name_override ?? existingRule.rule_name_override,