[SIEM] [Detection Engine] Reject if duplicate rule_id in request payload

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.test.ts

@@ -20,6 +20,8 @@ import {
 } from '../__mocks__/request_responses';
 import { DETECTION_ENGINE_RULES_URL } from '../../../../../common/constants';
 import { createRulesBulkRoute } from './create_rules_bulk_route';
+import { BulkError } from '../utils';
+import { OutputRuleAlertRest } from '../../types';
 
 describe('create_rules_bulk', () => {
   let { server, alertsClient, actionsClient, elasticsearch } = createMockServer();
@@ -124,4 +126,19 @@ describe('create_rules_bulk', () => {
       expect(statusCode).toBe(400);
     });
   });
+
+  test('returns 409 if duplicate rule_ids found in request payload', async () => {
+    alertsClient.find.mockResolvedValue(getFindResult());
+    alertsClient.get.mockResolvedValue(getResult());
+    actionsClient.create.mockResolvedValue(createActionResult());
+    alertsClient.create.mockResolvedValue(getResult());
+    const request: ServerInjectOptions = {
+      method: 'POST',
+      url: `${DETECTION_ENGINE_RULES_URL}/_bulk_create`,
+      payload: [typicalPayload(), typicalPayload()],
+    };
+    const { payload } = await server.inject(request);
+    const output: Array<BulkError | Partial<OutputRuleAlertRest>> = JSON.parse(payload);
+    expect(output.some(item => item.error?.status_code === 409)).toBeTruthy();
+  });
 });

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/create_rules_bulk_route.ts

@@ -12,7 +12,7 @@ import { createRules } from '../../rules/create_rules';
 import { BulkRulesRequest } from '../../rules/types';
 import { ServerFacade } from '../../../../types';
 import { readRules } from '../../rules/read_rules';
-import { transformOrBulkError } from './utils';
+import { transformOrBulkError, getMapDuplicates, getDuplicates } from './utils';
 import { getIndexExists } from '../../index/get_index_exists';
 import {
   callWithRequestFactory,
@@ -48,6 +48,9 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
         return headers.response().code(404);
       }
 
+      const mappedDuplicates = getMapDuplicates(request.payload, 'rule_id');
+      const dupes = getDuplicates(mappedDuplicates);
+
       const rules = await Promise.all(
         request.payload.map(async payloadRule => {
           const {
@@ -77,6 +80,13 @@ export const createCreateRulesBulkRoute = (server: ServerFacade): Hapi.ServerRou
             timeline_title: timelineTitle,
             version,
           } = payloadRule;
+          if (ruleId != null && dupes?.includes(ruleId)) {
+            return createBulkErrorObject({
+              ruleId,
+              statusCode: 409,
+              message: `rule_id: "${ruleId}" already exists`,
+            });
+          }
           const ruleIdOrUuid = ruleId ?? uuid.v4();
           try {
             const finalIndex = outputIndex != null ? outputIndex : getIndex(request, server);

x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/rules/utils.ts

@@ -206,3 +206,32 @@ export const transformOrImportError = (
     });
   }
 };
+
+export const getMapDuplicates = (
+  arr: Array<{ [key: string]: string }>,
+  prop: string
+): Map<string, number> =>
+  arr.reduce<Map<string, number>>((acc, item) => {
+    if (item[prop] != null && acc.has(item[prop])) {
+      const totalView = acc.get(item[prop]) ?? 1;
+      acc.set(item[prop], totalView + 1);
+    } else if (item[prop] != null) {
+      acc.set(item[prop], 1);
+    }
+    return acc;
+  }, new Map());
+
+export const getDuplicates = (someMap: Map<string, number>): string | null => {
+  const hasDuplicates = Array.from(someMap.values()).some(i => i > 1);
+  if (hasDuplicates) {
+    return Array.from(someMap.entries())
+      .reduce<string[]>((acc, [key, val]) => {
+        if (val > 1) {
+          return [...acc, key];
+        }
+        return acc;
+      }, [])
+      .join(', ');
+  }
+  return null;
+};