Normalize threshold field on routes that use legacy style schema definitions

Author: marshallmain

x-pack/plugins/security_solution/common/detection_engine/utils.ts

@@ -12,7 +12,7 @@ import {
   EntriesArray,
   ExceptionListItemSchema,
 } from '../shared_imports';
-import { Type, JobStatus } from './schemas/common/schemas';
+import { Type, JobStatus, Threshold, ThresholdNormalized } from './schemas/common/schemas';
 
 export const hasLargeValueItem = (
   exceptionItems: Array<ExceptionListItemSchema | CreateExceptionListItemSchema>
@@ -55,5 +55,12 @@ export const normalizeThresholdField = (
     : [thresholdField!];
 };
 
+export const normalizeThresholdObject = (threshold: Threshold): ThresholdNormalized => {
+  return {
+    ...threshold,
+    field: normalizeThresholdField(threshold.field),
+  };
+};
+
 export const getRuleStatusText = (value: JobStatus | null | undefined): JobStatus | null =>
   value === 'partial failure' ? 'warning' : value != null ? value : null;

x-pack/plugins/security_solution/server/lib/detection_engine/rules/create_rules.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { normalizeThresholdObject } from '../../../../common/detection_engine/utils';
 import { transformRuleToAlertAction } from '../../../../common/detection_engine/transform_actions';
 import { SanitizedAlert } from '../../../../../alerting/common';
 import { SERVER_APP_ID, SIGNALS_ID } from '../../../../common/constants';
@@ -97,7 +98,7 @@ export const createRules = async ({
         severity,
         severityMapping,
         threat,
-        threshold,
+        threshold: threshold ? normalizeThresholdObject(threshold) : undefined,
         /**
          * TODO: Fix typing inconsistancy between `RuleTypeParams` and `CreateRulesOptions`
          */

x-pack/plugins/security_solution/server/lib/detection_engine/rules/patch_rules.ts

@@ -14,6 +14,7 @@ import { addTags } from './add_tags';
 import { calculateVersion, calculateName, calculateInterval, removeUndefined } from './utils';
 import { ruleStatusSavedObjectsClientFactory } from '../signals/rule_status_saved_objects_client';
 import { internalRuleUpdate, RuleParams } from '../schemas/rule_schemas';
+import { normalizeThresholdObject } from '../../../../common/detection_engine/utils';
 
 class PatchError extends Error {
   public readonly statusCode: number;
@@ -150,7 +151,7 @@ export const patchRules = async ({
       severity,
       severityMapping,
       threat,
-      threshold,
+      threshold: threshold ? normalizeThresholdObject(threshold) : undefined,
       threatFilters,
       threatIndex,
       threatQuery,

x-pack/plugins/security_solution/server/lib/detection_engine/schemas/rule_converters.ts

@@ -7,7 +7,7 @@
 
 import uuid from 'uuid';
 import { SavedObject } from 'kibana/server';
-import { normalizeThresholdField } from '../../../../common/detection_engine/utils';
+import { normalizeThresholdObject } from '../../../../common/detection_engine/utils';
 import {
   InternalRuleCreate,
   RuleParams,
@@ -96,10 +96,7 @@ export const typeSpecificSnakeToCamel = (params: CreateTypeSpecific): TypeSpecif
         query: params.query,
         filters: params.filters,
         savedId: params.saved_id,
-        threshold: {
-          ...params.threshold,
-          field: normalizeThresholdField(params.threshold.field),
-        },
+        threshold: normalizeThresholdObject(params.threshold),
       };
     }
     case 'machine_learning': {