elastic · maximpn · Sep 15, 2025 · Sep 12, 2025 · Sep 15, 2025 · Sep 15, 2025
@@ -555,10 +555,10 @@ If this rule is already installed, it should be updated. Its `is_customized` fie
 **Automation**: 1 API integration test.
 
 ```Gherkin
-Given the import payload contains a non-customized prebuilt rule
+Given the import payload contains a prebuilt rule
 And its rule_id matches one or more rule assets from the installed package
 And its version does NOT match any of those rule assets
-And this rule is already installed and marked as non-customized
+And this rule is already installed and marked as <customization_state>
 And the installed rule is NOT equal to the import payload
 When the user imports the rule
 Then the rule should be updated
@@ -568,6 +568,10 @@ And the updated rule's version should match the import payload
 And the updated rule's parameters should match the import payload
 ```
 
+**Examples:**
+
+`<customization_state>` = `customized` | `non-customized`
+
 #### **Scenario: Importing a prebuilt rule with a missing base version when it's already installed, is not customized, and is equal to the import payload**
 
 If this rule is already installed, it should be updated. Its `is_customized` field should stay unchanged (`false` or `true`) if the rule from the import payload is equal to the installed rule.

@@ -20,6 +20,7 @@ export default ({ getService }: FtrProviderContext): void => {
   const supertest = getService('supertest');
   const es = getService('es');
   const log = getService('log');
+  const securitySolutionApi = getService('securitySolutionApi');
 
   const PREBUILT_RULE_ID = 'prebuilt-rule';
   const CURRENT_PREBUILT_RULE_VERSION = 5;
@@ -112,7 +113,7 @@ export default ({ getService }: FtrProviderContext): void => {
     });
 
     describe('with override (prebuilt rule is installed)', () => {
-      it('imports a non-customized prebuilt rule with a missing base version when import payload is not equal to the installed prebuilt rule', async () => {
+      it('imports a prebuilt rule with a missing base version when import payload IS NOT EQUAL to the installed and non-customized prebuilt rule', async () => {
         await installPrebuiltRules(es, supertest);
 
         const VERSION = CURRENT_PREBUILT_RULE_VERSION - 1;
@@ -147,9 +148,54 @@ export default ({ getService }: FtrProviderContext): void => {
         });
       });
 
+      it('imports a prebuilt rule with a missing base version when import payload IS NOT EQUAL to the installed and customized prebuilt rule', async () => {
+        await installPrebuiltRules(es, supertest);
+        await securitySolutionApi
+          .patchRule({
+            body: {
+              rule_id: PREBUILT_RULE_ID,
+              name: 'Customized prebuilt rule A',
+              tags: ['custom-tag'],
+            },
+          })
+          .expect(200);
+
+        const VERSION = CURRENT_PREBUILT_RULE_VERSION - 1;
+        const NON_CUSTOMIZED_PREBUILT_RULE_TO_IMPORT = {
+          ...PREBUILT_RULE_ASSET['security-rule'],
+          name: 'Some old prebuilt rule A',
+          description: 'Some old value',
+          version: VERSION,
+          immutable: true,
+          rule_source: {
+            type: 'external',
+            is_customized: false,
+          },
+        };
+
+        await importRulesWithSuccess({
+          getService,
+          rules: [NON_CUSTOMIZED_PREBUILT_RULE_TO_IMPORT],
+          overwrite: true,
+        });
+
+        await assertImportedRule({
+          getService,
+          expectedRule: {
+            ...NON_CUSTOMIZED_PREBUILT_RULE_TO_IMPORT,
+            version: VERSION,
+            immutable: true,
+            rule_source: {
+              type: 'external',
+              is_customized: true,
+            },
+          },
+        });
+      });
+
       // The test fails most probably due to a bug. It requires  further investigation.
       // https://github.com/elastic/kibana/issues/223253 has been created to track it.
-      it.skip('imports a non-customized prebuilt rule with a missing base version when import payload is equal to the installed prebuilt rule', async () => {
+      it.skip('imports a prebuilt rule with a missing base version when import payload IS EQUAL to the installed and not-customized prebuilt rule', async () => {
         await installPrebuiltRules(es, supertest);
 
         const VERSION = CURRENT_PREBUILT_RULE_VERSION - 1;
@@ -183,14 +229,22 @@ export default ({ getService }: FtrProviderContext): void => {
         });
       });
 
-      it('imports a customized prebuilt rule with a missing base version when import payload and is equal to the installed customized prebuilt rule', async () => {
+      it('imports a prebuilt rule with a missing base version when import payload IS EQUAL to the installed customized prebuilt rule', async () => {
         await installPrebuiltRules(es, supertest);
+        await securitySolutionApi
+          .patchRule({
+            body: {
+              rule_id: PREBUILT_RULE_ID,
+              name: 'Customized prebuilt rule A',
+              tags: ['custom-tag'],
+            },
+          })
+          .expect(200);
 
-        const VERSION = CURRENT_PREBUILT_RULE_VERSION - 1;
         const NON_CUSTOMIZED_PREBUILT_RULE_TO_IMPORT = {
           ...PREBUILT_RULE_ASSET['security-rule'],
+          name: 'Customized prebuilt rule A',
           tags: ['custom-tag'],
-          version: VERSION,
           immutable: true,
           rule_source: {
             type: 'external',
@@ -208,7 +262,6 @@ export default ({ getService }: FtrProviderContext): void => {
           getService,
           expectedRule: {
             ...NON_CUSTOMIZED_PREBUILT_RULE_TO_IMPORT,
-            version: VERSION,
             immutable: true,
             rule_source: {
               type: 'external',