[FR] Allow filter-only KQL and Indicator Match rules #6334

Open

eric-forte-elastic wants to merge 5 commits into main from fix-6283-preserve-empty-threat-query

Conversation

@eric-forte-elastic (Contributor) commented Jun 26, 2026

Pull Request

Issue link(s):

Resolves #6283, #6167

Summary - What I changed

Fixes DaC custom rule handling for filter-only KQL rules and filter-only indicator match exports.

Custom KQL query rules can now load when CUSTOM_RULES_DIR is active and the rule intentionally relies on filters with an empty query. The schema keeps empty queries invalid for prebuilt rules and for custom rules that do not include filters, preserving the existing validation behavior outside the filter-only custom-rule case.

Custom rule TOML export now preserves present-but-empty query and threat_query fields instead of dropping them during formatting. This prevents export/import round-trip loss for filter-only custom rules, including indicator match rules that use threat_filters without an indicator index query.

The impacted DaC paths are the custom rule load/export flows, including:

  • view-rule and other schema-loading paths for custom filter-only KQL rules
  • kibana export-rules --custom-rules-only
  • custom rule TOML formatting during export

How To Test

Run the focused schema and formatter tests:

source env/detection-rules-build/bin/activate
python -m pytest \
  tests/test_schemas.py::TestSchemas::test_empty_kuery_with_filters_is_valid_for_custom_rules \
  tests/test_schemas.py::TestSchemas::test_empty_kuery_with_filters_is_invalid_for_prebuilt_rules \
  tests/test_schemas.py::TestSchemas::test_empty_kuery_without_filters_is_invalid_for_custom_rules \
  tests/test_toml_formatter.py \
  -q

Expected result:

11 passed

Test with filter-only rules (attached test files):
20260626T135835L.ndjson.txt
test_filter_only_rule.toml.txt
test_threat_query_filter_only_rule.toml.txt

With CUSTOM_DIR: (screenshot)
Without CUSTOM_DIR: (screenshot)

With CUSTOM_DIR: (screenshot)

Without CUSTOM_DIR: (screenshot)

Export: (screenshot)

Threat Indicator Rule Testing: (two screenshots)

Kibana import/export path for both rules: (screenshot)

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation


@eric-forte-elastic eric-forte-elastic self-assigned this Jun 26, 2026
@eric-forte-elastic eric-forte-elastic added enhancement New feature or request python Internal python for the repository detections-as-code labels Jun 26, 2026
@github-actions (Contributor) commented

Enhancement - Guidelines

These guidelines serve as a reminder of the considerations to address when adding a feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label is applied to the PR: patch, minor, major.

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the DaC (Detection-as-Code) custom-rule load/export flow to support “filter-only” rules where Kibana allows an intentionally empty query / threat_query as long as filters are present (including indicator match rules).

Changes:

  • Relax query validation for custom KQL rules to allow empty query text when filters are provided (while keeping existing validation behavior for other cases).
  • Update TOML export formatting to preserve present-but-empty query and threat_query fields during custom-rule exports to prevent lossy round-trips.
  • Improve Kibana import error reporting when error payloads are missing expected fields (e.g., missing rule_id).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Summary per file:

  • detection_rules/rule.py: Allows filter-only custom KQL rules by adjusting query validation/validator behavior.
  • detection_rules/rule_formatter.py: Preserves empty query / threat_query in TOML output when exporting custom rules.
  • detection_rules/rule_validators.py: Handles the now-optional query type in ES
  • detection_rules/kbwrap.py: Makes import error output resilient to missing rule_id/error details.
  • tests/test_schemas.py: Adds schema tests for empty-query-with-filters custom rule loading vs prebuilt behavior.
  • tests/test_toml_formatter.py: Adds formatter tests ensuring empty query / threat_query are preserved for custom exports.
  • pyproject.toml: Bumps package version to 1.7.4.

Comment thread: detection_rules/rule.py (outdated)
Comment thread: tests/test_toml_formatter.py (outdated)

Labels

backport: auto detections-as-code enhancement New feature or request patch python Internal python for the repository Team: TRADE


Development

Successfully merging this pull request may close these issues.

[Bug] Export/Import of Indicator Match rules without Indicator index query are not working

2 participants