
Allow filter-only KQL custom rule exports #6253

Open

srkyn wants to merge 1 commit into elastic:main from srkyn:allow-empty-kql-filter-rules-clean

Conversation


@srkyn srkyn commented Jun 4, 2026

Summary

  • allow filter-only KQL rules to load when custom rule export mode is active
  • keep empty-query KQL invalid for prebuilt rules and custom rules without filters
  • bump the package patch version

Fixes #6167.

Tests

  • python -m pytest tests/test_schemas.py::TestSchemas::test_empty_kuery_with_filters_is_valid_for_custom_rules tests/test_schemas.py::TestSchemas::test_empty_kuery_with_filters_is_invalid_for_prebuilt_rules -q
  • python -m compileall -q detection_rules tests

@botelastic botelastic Bot added the python Internal python for the repository label Jun 4, 2026

srkyn commented Jun 4, 2026

Reopened this as a clean replacement for #6180 after the old PR ref stopped updating cleanly. Local validation passed:

  • python -m pytest tests/test_schemas.py::TestSchemas::test_empty_kuery_with_filters_is_valid_for_custom_rules tests/test_schemas.py::TestSchemas::test_empty_kuery_with_filters_is_invalid_for_prebuilt_rules -q
  • python -m compileall -q detection_rules tests

The remaining failing add-comment workflow is label-gated. I tried to add bug, detections-as-code, and patch, but GitHub reports I do not have permission to add labels here.

@eric-forte-elastic eric-forte-elastic added patch enhancement New feature or request labels Jun 4, 2026

github-actions Bot commented Jun 4, 2026

Enhancement - Guidelines

These guidelines serve as a reminder of the considerations to address when adding a feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label (patch, minor, major) is applied to the PR.

@eric-forte-elastic

Testing importing, functions as expected.


Remote testing paths for pre-built and custom rules pass
make_test_remote_cli.txt

Comment thread: detection_rules/rule.py

    @cached_property
    def validator(self) -> QueryValidator | None:
        if self.language == "kuery":
            if not self.query.strip() and self.filters and CUSTOM_RULES_DIR:

@eric-forte-elastic eric-forte-elastic Jun 4, 2026


This will work for validation, but if you try to run view-rule it will still fail because the dataclass type check happens first. It looks like for this to work we will also need to update the schema, similar to this patch:

filter_only_schema_optional_query.patch


Example test rule (.txt extension needed for github upload, remove before use):

rule_filter_only_export.ndjson.txt
test_filer_only_rule.toml.txt


srkyn commented Jun 5, 2026

Thanks for testing this and adding the labels. I appreciate the validation on both the import path and the remote prebuilt/custom rule paths.


Labels

  • backport: auto
  • community
  • enhancement (New feature or request)
  • patch
  • python (Internal python for the repository)


Development

Successfully merging this pull request may close these issues:

  • [DaC] export-rules fails on KQL rules with empty query (filters only)
