From c0e4e0380813ab8d09980d6fd3c104a12dee2584 Mon Sep 17 00:00:00 2001
From: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Date: Tue, 20 Jul 2021 07:51:40 -0600
Subject: [PATCH] Restore rules and disable prebuiltRulesFromSavedObjects
---
 .../lib/detection_engine/routes/__mocks__/index.ts | 2 +-
 .../rules/prepackaged_rules/index.ts | 12 ++++++------
 x-pack/test/security_solution_cypress/config.ts | 2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/index.ts
index 8d34e8a7c26a03..a768273c9d147c 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/index.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/__mocks__/index.ts
@@ -27,7 +27,7 @@ export const createMockConfig = (): ConfigType => ({
 packagerTaskInterval: '60s',
 alertMergeStrategy: 'missingFields',
 prebuiltRulesFromFileSystem: true,
- prebuiltRulesFromSavedObjects: true,
+ prebuiltRulesFromSavedObjects: false,
 });
 
 export const mockGetCurrentUser = {
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
index c98d2baf836312..49cb1012e86a19 100644
--- a/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/index.ts
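Review bot: The flipped `prebuiltRulesFromSavedObjects: false` in `createMockConfig` carries no comment saying why the saved-objects source is switched off, and any route test that takes its config from this mock will presumably stop exercising that source. The same flip in `x-pack/test/security_solution_cypress/config.ts` at least sits under a comment ("retrieve rules from the filesystem but not from fleet"); I would add the equivalent here, e.g. `// prebuilt rules come from the filesystem only in these tests, not from saved objects`. A test that still needs the saved-objects path should then override the flag explicitly rather than rely on the mock's default. The object literal starts above the hunk, so its other fields are not visible here.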
@@ -567,9 +567,9 @@ import rule554 from './privilege_escalation_printspooler_malicious_registry_modi
 import rule555 from './privilege_escalation_printspooler_suspicious_file_deletion.json';
 import rule556 from './privilege_escalation_unusual_printspooler_childprocess.json';
 import rule557 from './defense_evasion_disabling_windows_defender_powershell.json';
-// import rule558 from './defense_evasion_enable_network_discovery_with_netsh.json';
-// import rule559 from './defense_evasion_execution_windefend_unusual_path.json';
-// import rule560 from './persistence_via_bits_job_notify_command.json';
+import rule558 from './defense_evasion_enable_network_discovery_with_netsh.json';
+import rule559 from './defense_evasion_execution_windefend_unusual_path.json';
+import rule560 from './persistence_via_bits_job_notify_command.json';
 
 export const rawRules = [
 rule1,
@@ -1129,7 +1129,7 @@ export const rawRules = [
 rule555,
 rule556,
 rule557,
- // rule558,
- // rule559,
- // rule560,
+ rule558,
+ rule559,
+ rule560,
 ];
diff --git a/x-pack/test/security_solution_cypress/config.ts b/x-pack/test/security_solution_cypress/config.ts
index d84b1435afd0a5..0026f5897019e6 100644
--- a/x-pack/test/security_solution_cypress/config.ts
+++ b/x-pack/test/security_solution_cypress/config.ts
@@ -39,7 +39,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
 `--elasticsearch.ssl.certificateAuthorities=${CA_CERT_PATH}`,
 // retrieve rules from the filesystem but not from fleet for Cypress tests
 '--xpack.securitySolution.prebuiltRulesFromFileSystem=true',
- '--xpack.securitySolution.prebuiltRulesFromSavedObjects=true',
+ '--xpack.securitySolution.prebuiltRulesFromSavedObjects=false',
 ],
 },
 };
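Review bot: The three restored detection rules have to be re-enabled in two separately edited places, the `import rule558`–`rule560` lines here and the matching entries in `rawRules` (the `@@ -1129` hunk), and nothing visible in the diff keeps the two lists in step. A rule that is imported but missing from `rawRules`, or left commented out as these were, would presumably just not ship, which is a silent detection-coverage gap rather than a build failure. It is worth confirming that a test compares the rule JSON files in this directory against `rawRules`; if this index is generated, the check belongs in the generator rather than in the file. Both the import list and the array extend beyond the hunks.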