
[SIEM][Detections] PATCHing a rule does not update synchronous actions #67815

Closed
rylnd opened this issue May 30, 2020 · 1 comment · Fixed by #67914
Labels
bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.7.0

Comments

@rylnd (Contributor)

rylnd commented May 30, 2020

Expected behavior: PATCHing a rule's actions causes them to be updated and reflected on the next rule execution
Actual behavior: PATCHing a rule's actions does not update synchronous actions

Notes:

  • This bug only affects synchronous actions updated via PATCH. All actions can be updated via PUT, and all other asynchronous actions can be updated via PATCH.
  • This bug is present in 7.7.0+
  • Originally reported in this community post

Steps to reproduce:

  1. Create a rule with an action of frequency "per rule execution" (synchronous)
  2. Retrieve the current rule/action via the API, and then modify it:
    # KIBANA_HOST must be set in the shell (e.g. http://localhost:5601); the URL is
    # double-quoted so the variable expands. Add credentials (e.g. -u user:password)
    # as your deployment requires. kbn-xsrf is required by Kibana's API.
    curl --location --request GET "$KIBANA_HOST/api/detection_engine/rules?id=7e024520-ebca-4c74-8a2c-8b42ba0ba521" \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --header 'kbn-xsrf: true'
    
    # partial example response:
    # ...
        "id": "7e024520-ebca-4c74-8a2c-8b42ba0ba521",
        "actions": [
            {
                "action_type_id": ".slack",
                "id": "2933e581-d81c-4fe3-88fe-c57c6b8a5bfd",
                "params": {
                    "message": "Rule {{context.rule.name}} generated {{state.signals_count}} signals AND WAS UPDATED"
                },
                "group": "default"
            }
        ]
    # ...
  3. Update the rule's action via the PATCH API :
    # Same host/credential notes as the GET above; only the action params change.
    # The body carries the rule's "id" plus the full "actions" array (PATCH replaces
    # the array, so every action to keep must be listed).
    curl --location --request PATCH "$KIBANA_HOST/api/detection_engine/rules" \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --header 'kbn-xsrf: true' \
    --data-raw '{
        "id": "7e024520-ebca-4c74-8a2c-8b42ba0ba521",
        "actions": [
            {
                "action_type_id": ".slack",
                "id": "2933e581-d81c-4fe3-88fe-c57c6b8a5bfd",
                "params": {
                    "message": "Rule {{context.rule.name}} generated {{state.signals_count}} signals AND WAS UPDATED"
                },
                "group": "default"
            }
        ]
    }'
  4. Observe the following:
  • Both the UI and the API reflect that the action has been updated
  • When the rule next executes, the action will not use the updated content, but instead the original action's params

Workarounds

  1. Use the GET and PUT endpoints to replace the rule
    • Some fields returned in the GET cannot be used in the PUT body, but the whitelisting can be automated
  2. Save the PATCHed rule via the UI
    • After PATCHing the rule via the API, navigating to the Rule Details and clicking Edit Rule Settings -> Save will accomplish the same as workaround 1.
@rylnd rylnd added bug Fixes for quality problems that affect the customer experience Team:SIEM v7.7.0 labels May 30, 2020
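Workaround 1 above (GET the rule, whitelist the body, PUT it back), as an added Python example that is not part of the issue and not Kibana's own code. It assumes a Kibana reachable at KIBANA_HOST with whatever authentication headers you pass in, and it assumes READ_ONLY_FIELDS is the set of fields the GET returns that the PUT endpoint rejects (an illustrative list to confirm against a 400 on your version). The sample response is constructed from the partial one in the issue; only the rule id, action id and Slack action come from the page. After the PUT it re-GETs the rule and compares the stored params with what was sent, which proves the PUT persisted; because the bug's symptom is invisible through GET, whether the next execution uses the new params still has to be observed on the rule's next run.

```python
"""Workaround for elastic/kibana#67815: replace a rule's action via GET + PUT
instead of PATCH. Added example; not code from the issue or from Kibana.
Assumes KIBANA_HOST is reachable, auth headers are supplied by the caller, and
READ_ONLY_FIELDS matches what your PUT endpoint rejects."""
import copy
import json
import os
import urllib.request

RULES_PATH = "/api/detection_engine/rules"
RULE_ID = "7e024520-ebca-4c74-8a2c-8b42ba0ba521"     # from the issue
ACTION_ID = "2933e581-d81c-4fe3-88fe-c57c6b8a5bfd"   # from the issue

# Fields GET returns but PUT does not accept. ASSUMPTION: illustrative list;
# add any field your Kibana version rejects with a 400 on PUT.
READ_ONLY_FIELDS = frozenset({
    "created_at", "created_by", "updated_at", "updated_by", "immutable",
    "status", "status_date", "last_success_at", "last_success_message",
    "last_failure_at", "last_failure_message",
})

# Constructed sample modelled on the partial GET response in the issue: the ids
# and the Slack action come from the issue, every other value is made up.
SAMPLE_GET_RESPONSE = {
    "id": RULE_ID,
    "rule_id": "example-rule",
    "name": "Example rule",
    "throttle": "rule",  # "per rule execution" (synchronous); assumed value
    "created_at": "2020-05-30T00:00:00.000Z",
    "created_by": "elastic",
    "immutable": False,
    "status": "succeeded",
    "last_success_at": "2020-05-30T00:05:00.000Z",
    "actions": [{
        "action_type_id": ".slack",
        "id": ACTION_ID,
        "params": {"message": "Rule {{context.rule.name}} generated "
                              "{{state.signals_count}} signals"},
        "group": "default",
    }],
}


def to_put_body(rule):
    """Whitelist step: drop read-only fields so the GET payload is accepted by PUT."""
    return {k: v for k, v in rule.items() if k not in READ_ONLY_FIELDS}


def action_params(rule, action_id):
    """Params of the action with id `action_id`; KeyError if the rule has none."""
    for action in rule.get("actions", []):
        if action.get("id") == action_id:
            return action["params"]
    raise KeyError(f"rule {rule.get('id')} has no action {action_id}")


def set_action_params(rule, action_id, params):
    """Deep copy of `rule` with that action's params replaced; the original is
    untouched. Fails loudly on an unknown id so a typo cannot become a no-op PUT."""
    action_params(rule, action_id)  # raises KeyError if absent
    updated = copy.deepcopy(rule)
    for action in updated["actions"]:
        if action.get("id") == action_id:
            action["params"] = dict(params)
    return updated


def _request(host, method, path, body=None, headers=None):
    """Minimal Kibana API call with the headers the issue's curl commands use."""
    hdrs = {"kbn-xsrf": "true", "Accept": "application/json",
            "Content-Type": "application/json", **(headers or {})}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(host + path, data=data, method=method, headers=hdrs)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def replace_rule_action(host, rule_id, action_id, params, headers=None):
    """GET the rule, rewrite one action's params, PUT the whole rule back, then
    GET again and confirm the stored params are the ones sent."""
    current = _request(host, "GET", f"{RULES_PATH}?id={rule_id}", headers=headers)
    body = to_put_body(set_action_params(current, action_id, params))
    _request(host, "PUT", RULES_PATH, body, headers)
    stored = _request(host, "GET", f"{RULES_PATH}?id={rule_id}", headers=headers)
    if action_params(stored, action_id) != params:
        raise RuntimeError("PUT returned success but stored action params differ")
    return stored


if __name__ == "__main__":
    new_params = {"message": "Rule {{context.rule.name}} generated "
                             "{{state.signals_count}} signals AND WAS UPDATED"}
    # Offline: print the body that would be PUT for the constructed sample.
    print(json.dumps(to_put_body(set_action_params(
        SAMPLE_GET_RESPONSE, ACTION_ID, new_params)), indent=2))
    host = os.environ.get("KIBANA_HOST")  # e.g. http://localhost:5601
    if host:  # live run; pass an Authorization header for your deployment
        replace_rule_action(host, RULE_ID, ACTION_ID, new_params)
```

Run it without KIBANA_HOST to see the whitelisted PUT body for the sample; set KIBANA_HOST (and add your auth header in the call) to perform the live replace. The read-only list is a denylist on purpose: a missing entry produces a visible 400 from Kibana, whereas an allowlist that omitted a writable field would silently drop that setting from the rule.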
@elasticmachine (Contributor)

Pinging @elastic/siem (Team:SIEM)

@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020