[Security Solution] Move prebuilt rule install/upgrade/revert into DetectionRulesClient

[maximpn]

Follow-up to: #270446
Epic: https://github.com/elastic/security-team/issues/12367 (internal)

Summary

Follow-up to #270446, which added change tracking instrumentation to DetectionRulesClient
(DRC) by threading changeTracking parameters through API handlers. While that PR wired up
the tracking parameters, the actual prebuilt rule install/upgrade/revert logic remained in
standalone helpers under prebuilt_rules/logic/rule_objects/. This PR completes the
consolidation by moving that logic into the DRC itself, making the DRC the single authoritative
layer for all prebuilt rule management operations — including their change tracking.

Details

Detection Rules Client — new methods

• Added installPrebuiltRules and installAllPrebuiltRules
• Added upgradePrebuiltRules and upgradeAllPrebuiltRules
• Added revertPrebuiltRules
• Updated IDetectionRulesClient interface accordingly
• Renamed create_upgradeable_rules_payload.ts → logic/create_modified_prebuilt_rule_assets.ts

Detection Rules Client — deleted helpers

• Deleted prebuilt_rules/logic/rule_objects/create_prebuilt_rules.ts
• Deleted prebuilt_rules/logic/rule_objects/upgrade_prebuilt_rules.ts
• Deleted prebuilt_rules/logic/rule_objects/revert_prebuilt_rules.ts

API handlers — simplified

• perform_rule_installation_handler.ts and perform_rule_upgrade_handler.ts:
  bulk prebuilt rule logic now delegated to the new DRC methods
• revert_prebuilt_rule_handler.ts: delegates to revertPrebuiltRules
• legacy_create_prepackaged_rules.ts: updated to use installAllPrebuiltRules
• install_endpoint_security_prebuilt_rule.ts and install_promotion_rules.ts: updated

Rule import and Security Solution Migrations

• import_rules.ts refactored to use DRC consistently
• siem_migrations/rules/api/util/installation.ts updated to the new DRC API

How to test

This is a pure refactoring — no API surface or user-visible behavior changes. All existing
automated tests cover the affected paths.

Run the unit test suite for the affected areas:

node scripts/jest x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/

To verify end-to-end behavior with change tracking enabled, follow the manual steps from #270446.

Release note

skip

Checklist

• Unit or functional tests were updated or added to match the most common scenarios
• The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines

Identify risks

Low risk — pure internal refactoring. No API surface, schema, or user-visible behavior changes.
All external API routes remain unchanged. The only risk is a regression in prebuilt rule
management operations, which is guarded by the existing unit and integration test suites.

[infra-vault-gh-plugin-prod]

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

• Click to trigger kibana-pull-request for this PR!
• Click to trigger kibana-deploy-project-from-pr for this PR!
• Click to trigger kibana-deploy-cloud-from-pr for this PR!
• Click to trigger kibana-entity-store-performance-from-pr for this PR!
• Click to trigger kibana-storybooks-from-pr for this PR!

[kibanamachine]

💔 Build Failed

• Buildkite Build
• Commit: a12b7c3
• Storybooks Preview
• Build duration: 108 mins

Failed CI Steps

• Jest Tests #1
• Jest Tests #1
• Jest Tests #3
• Jest Tests #3
• FTR Configs #12
• FTR Configs #12
• FTR Configs #14
• FTR Configs #196
• FTR Configs #196
• FTR Configs #201
• FTR Configs #201
• Defend Workflows Cypress Tests #15
• Serverless Rule Management - Prebuilt Rules Upgrade - Security Solution Cypress Tests #1
• Serverless Rule Management - Prebuilt Rules Upgrade - Security Solution Cypress Tests #1
• Rule Management - Prebuilt Rules Upgrade - Security Solution Cypress Tests #1
• Rule Management - Prebuilt Rules Upgrade - Security Solution Cypress Tests #1

Test Failures

• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route createPrepackagedRules uses exception lists client from context when available
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route createPrepackagedRules uses exception lists client from context when available
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route createPrepackagedRules uses passed in exceptions list client when lists client not available in context
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route createPrepackagedRules uses passed in exceptions list client when lists client not available in context
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route responses 1 rule is installed and 0 are updated when find results are empty
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route responses 1 rule is installed and 0 are updated when find results are empty
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route responses 1 rule is updated and 0 are installed when we return a single find and the versions are different
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route responses 1 rule is updated and 0 are installed when we return a single find and the versions are different
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route should include the result of installing prepackaged timelines - skip the error message
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route should include the result of installing prepackaged timelines - skip the error message
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route should include the result of installing prepackaged timelines - timelines_installed
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route should include the result of installing prepackaged timelines - timelines_installed
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route should include the result of installing prepackaged timelines - timelines_updated
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route should include the result of installing prepackaged timelines - timelines_updated
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route should install prepackaged timelines
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route should install prepackaged timelines
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route status codes returns 200
• [job] [logs] Jest Tests #1 / add_prepackaged_rules_route status codes returns 200
• [job] [logs] FTR Configs #201 / Detection Engine - Exception workflows APIs @serverless @ess @skipInServerlessMKI exceptions workflows for prebuilt rules creating rules with exceptions should override any updates to pre-packaged rules if the user removes the exception list through the API but the new version of a rule has an exception list again
• [job] [logs] FTR Configs #201 / Detection Engine - Exception workflows APIs @serverless @ess @skipInServerlessMKI exceptions workflows for prebuilt rules creating rules with exceptions should override any updates to pre-packaged rules if the user removes the exception list through the API but the new version of a rule has an exception list again
• [job] [logs] Serverless Rule Management - Prebuilt Rules Upgrade - Security Solution Cypress Tests #1 / Detection rules, Prebuilt Rules Upgrade With Preview type change upgrade upgrades a customized prebuilt rule to a different rule type upgrades a customized prebuilt rule to a different rule type
• [job] [logs] Rule Management - Prebuilt Rules Upgrade - Security Solution Cypress Tests #1 / Detection rules, Prebuilt Rules Upgrade With Preview type change upgrade upgrades a customized prebuilt rule to a different rule type upgrades a customized prebuilt rule to a different rule type
• [job] [logs] Rule Management - Prebuilt Rules Upgrade - Security Solution Cypress Tests #1 / Detection rules, Prebuilt Rules Upgrade With Preview type change upgrade upgrades a customized prebuilt rule to a different rule type upgrades a customized prebuilt rule to a different rule type
• [job] [logs] Serverless Rule Management - Prebuilt Rules Upgrade - Security Solution Cypress Tests #1 / Detection rules, Prebuilt Rules Upgrade With Preview type change upgrade upgrades a customized prebuilt rule to a different rule type upgrades a customized prebuilt rule to a different rule type
• [job] [logs] Serverless Rule Management - Prebuilt Rules Upgrade - Security Solution Cypress Tests #1 / Detection rules, Prebuilt Rules Upgrade With Preview type change upgrade upgrades a non-customized prebuilt rule to a different rule type upgrades a non-customized prebuilt rule to a different rule type
• [job] [logs] Rule Management - Prebuilt Rules Upgrade - Security Solution Cypress Tests #1 / Detection rules, Prebuilt Rules Upgrade With Preview type change upgrade upgrades a non-customized prebuilt rule to a different rule type upgrades a non-customized prebuilt rule to a different rule type
• [job] [logs] Rule Management - Prebuilt Rules Upgrade - Security Solution Cypress Tests #1 / Detection rules, Prebuilt Rules Upgrade With Preview type change upgrade upgrades a non-customized prebuilt rule to a different rule type upgrades a non-customized prebuilt rule to a different rule type
• [job] [logs] Serverless Rule Management - Prebuilt Rules Upgrade - Security Solution Cypress Tests #1 / Detection rules, Prebuilt Rules Upgrade With Preview type change upgrade upgrades a non-customized prebuilt rule to a different rule type upgrades a non-customized prebuilt rule to a different rule type
• [job] [logs] FTR Configs #12 / Rules Management - Prebuilt Rules Upgrade (Customization Enabled) @ess @serverless @skipInServerlessMKI Bulk upgrade all prebuilt rules with historical versions upgrades to BASE version
• [job] [logs] FTR Configs #196 / Rules Management - Prebuilt Rules Upgrade (Customization Enabled) @ess @serverless @skipInServerlessMKI Bulk upgrade all prebuilt rules with historical versions upgrades to BASE version
• [job] [logs] FTR Configs #12 / Rules Management - Prebuilt Rules Upgrade (Customization Enabled) @ess @serverless @skipInServerlessMKI Bulk upgrade all prebuilt rules with historical versions upgrades to BASE version
• [job] [logs] FTR Configs #196 / Rules Management - Prebuilt Rules Upgrade (Customization Enabled) @ess @serverless @skipInServerlessMKI Bulk upgrade all prebuilt rules with historical versions upgrades to BASE version
• [job] [logs] FTR Configs #14 / Serverless Common UI - Home Page Sample data in serverless Sample data loads

Metrics [docs]

✅ unchanged

History

• 💔 Build #450665 failed 6f976fa
• 💔 Build #450662 failed dc9be8e

cc @maximpn