[9.1] [Security Solution] Make importing prebuilt rules with missing base version tests matching the test scenario (#234735) (#235114)

# Backport

This will backport the following commits from `main` to `9.1`:
- [[Security Solution] Make importing prebuilt rules with missing base
version tests matching the test scenario
(#234735)](#234735)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Maxim
Palenov","email":"maxim.palenov@elastic.co"},"sourceCommit":{"committedDate":"2025-09-15T16:36:35Z","message":"[Security
Solution] Make importing prebuilt rules with missing base version tests
matching the test scenario (#234735)\n\n**Relates to:**
https://github.com/elastic/kibana/pull/223421\n\n## Summary\n\nThis PR
makes little adjustments to [Importing
Prebuilt\nRules](#223421) with
missing base\nversion test scenario implementation to make it matching
test scenario\nsteps. In particular it makes sure an installed prebuilt
rule gets\ncustomized before testing
import.","sha":"10533ebfa440c6ac91166cc1d6d33b72d7102dc9","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["test","release_note:skip","Team:Detections
and Resp","Team: SecuritySolution","Team:Detection Rule
Management","Feature:Prebuilt Detection
Rules","backport:version","v9.2.0","v9.1.3","v8.19.3","v9.0.6","v8.18.7"],"title":"[Security
Solution] Make importing prebuilt rules with missing base version tests
matching the test
scenario","number":234735,"url":"https://github.com/elastic/kibana/pull/234735","mergeCommit":{"message":"[Security
Solution] Make importing prebuilt rules with missing base version tests
matching the test scenario (#234735)\n\n**Relates to:**
https://github.com/elastic/kibana/pull/223421\n\n## Summary\n\nThis PR
makes little adjustments to [Importing
Prebuilt\nRules](#223421) with
missing base\nversion test scenario implementation to make it matching
test scenario\nsteps. In particular it makes sure an installed prebuilt
rule gets\ncustomized before testing
import.","sha":"10533ebfa440c6ac91166cc1d6d33b72d7102dc9"}},"sourceBranch":"main","suggestedTargetBranches":["9.1","8.19","9.0","8.18"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/234735","number":234735,"mergeCommit":{"message":"[Security
Solution] Make importing prebuilt rules with missing base version tests
matching the test scenario (#234735)\n\n**Relates to:**
https://github.com/elastic/kibana/pull/223421\n\n## Summary\n\nThis PR
makes little adjustments to [Importing
Prebuilt\nRules](#223421) with
missing base\nversion test scenario implementation to make it matching
test scenario\nsteps. In particular it makes sure an installed prebuilt
rule gets\ncustomized before testing
import.","sha":"10533ebfa440c6ac91166cc1d6d33b72d7102dc9"}},{"branch":"9.1","label":"v9.1.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.19","label":"v8.19.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.0","label":"v9.0.6","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.7","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co>

Author: kibanamachine

x-pack/solutions/security/plugins/security_solution/docs/testing/test_plans/detection_response/prebuilt_rules/prebuilt_rule_import.md

@@ -555,10 +555,10 @@ If this rule is already installed, it should be updated. Its `is_customized` fie
 **Automation**: 1 API integration test.
 
 ```Gherkin
-Given the import payload contains a non-customized prebuilt rule
+Given the import payload contains a prebuilt rule
 And its rule_id matches one or more rule assets from the installed package
 And its version does NOT match any of those rule assets
-And this rule is already installed and marked as non-customized
+And this rule is already installed and marked as <customization_state>
 And the installed rule is NOT equal to the import payload
 When the user imports the rule
 Then the rule should be updated
@@ -568,6 +568,10 @@ And the updated rule's version should match the import payload
 And the updated rule's parameters should match the import payload
 ```
 
+**Examples:**
+
+`<customization_state>` = `customized` | `non-customized`
+
 #### **Scenario: Importing a prebuilt rule with a missing base version when it's already installed, is not customized, and is equal to the import payload**
 
 If this rule is already installed, it should be updated. Its `is_customized` field should stay unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule.

x-pack/solutions/security/test/security_solution_api_integration/test_suites/detections_response/rules_management/prebuilt_rules/common/import_export/import_with_missing_base_version.ts

@@ -20,6 +20,7 @@ export default ({ getService }: FtrProviderContext): void => {
   const supertest = getService('supertest');
   const es = getService('es');
   const log = getService('log');
+  const securitySolutionApi = getService('securitySolutionApi');
 
   const PREBUILT_RULE_ID = 'prebuilt-rule';
   const CURRENT_PREBUILT_RULE_VERSION = 5;
@@ -112,7 +113,7 @@ export default ({ getService }: FtrProviderContext): void => {
     });
 
     describe('with override (prebuilt rule is installed)', () => {
-      it('imports a non-customized prebuilt rule with a missing base version when import payload is not equal to the installed prebuilt rule', async () => {
+      it('imports a prebuilt rule with a missing base version when import payload IS NOT EQUAL to the installed and non-customized prebuilt rule', async () => {
         await installPrebuiltRules(es, supertest);
 
         const VERSION = CURRENT_PREBUILT_RULE_VERSION - 1;
@@ -147,9 +148,54 @@ export default ({ getService }: FtrProviderContext): void => {
         });
       });
 
+      it('imports a prebuilt rule with a missing base version when import payload IS NOT EQUAL to the installed and customized prebuilt rule', async () => {
+        await installPrebuiltRules(es, supertest);
+        await securitySolutionApi
+          .patchRule({
+            body: {
+              rule_id: PREBUILT_RULE_ID,
+              name: 'Customized prebuilt rule A',
+              tags: ['custom-tag'],
+            },
+          })
+          .expect(200);
+
+        const VERSION = CURRENT_PREBUILT_RULE_VERSION - 1;
+        const NON_CUSTOMIZED_PREBUILT_RULE_TO_IMPORT = {
+          ...PREBUILT_RULE_ASSET['security-rule'],
+          name: 'Some old prebuilt rule A',
+          description: 'Some old value',
+          version: VERSION,
+          immutable: true,
+          rule_source: {
+            type: 'external',
+            is_customized: false,
+          },
+        };
+
+        await importRulesWithSuccess({
+          getService,
+          rules: [NON_CUSTOMIZED_PREBUILT_RULE_TO_IMPORT],
+          overwrite: true,
+        });
+
+        await assertImportedRule({
+          getService,
+          expectedRule: {
+            ...NON_CUSTOMIZED_PREBUILT_RULE_TO_IMPORT,
+            version: VERSION,
+            immutable: true,
+            rule_source: {
+              type: 'external',
+              is_customized: true,
+            },
+          },
+        });
+      });
+
       // The test fails most probably due to a bug. It requires  further investigation.
       // https://github.com/elastic/kibana/issues/223253 has been created to track it.
-      it.skip('imports a non-customized prebuilt rule with a missing base version when import payload is equal to the installed prebuilt rule', async () => {
+      it.skip('imports a prebuilt rule with a missing base version when import payload IS EQUAL to the installed and not-customized prebuilt rule', async () => {
         await installPrebuiltRules(es, supertest);
 
         const VERSION = CURRENT_PREBUILT_RULE_VERSION - 1;
@@ -183,14 +229,22 @@ export default ({ getService }: FtrProviderContext): void => {
         });
       });
 
-      it('imports a customized prebuilt rule with a missing base version when import payload and is equal to the installed customized prebuilt rule', async () => {
+      it('imports a prebuilt rule with a missing base version when import payload IS EQUAL to the installed customized prebuilt rule', async () => {
         await installPrebuiltRules(es, supertest);
+        await securitySolutionApi
+          .patchRule({
+            body: {
+              rule_id: PREBUILT_RULE_ID,
+              name: 'Customized prebuilt rule A',
+              tags: ['custom-tag'],
+            },
+          })
+          .expect(200);
 
-        const VERSION = CURRENT_PREBUILT_RULE_VERSION - 1;
         const NON_CUSTOMIZED_PREBUILT_RULE_TO_IMPORT = {
           ...PREBUILT_RULE_ASSET['security-rule'],
+          name: 'Customized prebuilt rule A',
           tags: ['custom-tag'],
-          version: VERSION,
           immutable: true,
           rule_source: {
             type: 'external',
@@ -208,7 +262,6 @@ export default ({ getService }: FtrProviderContext): void => {
           getService,
           expectedRule: {
             ...NON_CUSTOMIZED_PREBUILT_RULE_TO_IMPORT,
-            version: VERSION,
             immutable: true,
             rule_source: {
               type: 'external',