
[Security Solution] Prebuilt Rule with query filters incorrectly marked as customized after saving without changes #206527

@pborgonovi

Description:

When editing a prebuilt rule that contains a query with one or more filters, if the user clicks to edit the rule and then saves it without making any changes, the rule is incorrectly marked as is_customized: true. This behavior only occurs if the query contains filters.

Kibana/Elasticsearch Stack version:

VERSION: 9.0.0
BUILD: 82496
COMMIT: a90a9fc92a469656ba16ad54bd36b2375b386137

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Prebuilt Rules

Prerequisites:

  1. The prebuiltRulesCustomizationEnabled flag is enabled
  2. Prebuilt rules are available

Steps to reproduce:

  1. Navigate to the Detection Rules section.
  2. Select a prebuilt rule that contains a query with filters (e.g., PowerShell Script with Discovery Capabilities, PowerShell Suspicious Discovery Related Windows API Functions).
  3. Click to edit the rule.
  4. Without making any changes, click Save.

Current behavior:

The rule is marked as is_customized: true after saving, even though no changes were made.

Expected behavior:

If no changes are made during rule editing, the rule should not be marked as customized. The is_customized flag should remain false unless there are actual modifications to the rule.

Screenshots:

Four screen recordings (2025-01-13) and two images are attached to the issue; they are not reproduced here.
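The expected behavior above amounts to one rule: set is_customized only when the saved rule actually differs from its base version. The following is an added example of that check, not code from Kibana, from the prebuilt-rules package, or from the reporter. It contrasts a byte-for-byte comparison of the serialized rule with a normalized, key-order-insensitive comparison of the detection-relevant fields. One plausible way the reported symptom can arise, stated as a hypothesis and not the diagnosed cause, is that the editor re-serializes filter objects (keys in a different order, UI-only fields such as $state) so that a naive comparison sees a change where none was made. The Rule and Filter shapes, the treatment of $state as UI-only state, and the sample rules are all assumptions constructed for this example.

```typescript
// Added example (not Kibana code): decide is_customized by comparing the
// saved rule against its base version after normalization. The Rule/Filter
// shapes, the $state handling and the sample data are assumptions.

interface Filter {
  meta?: Record<string, unknown>;
  query?: Record<string, unknown>;
  $state?: { store: string }; // assumed UI-only state, not detection logic
}

interface Rule {
  name: string;
  query: string;
  filters: Filter[];
}

// Recursively sort object keys so that key order does not affect equality.
function canonicalize(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(canonicalize);
  if (value !== null && typeof value === 'object') {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const key of Object.keys(src).sort()) out[key] = canonicalize(src[key]);
    return out;
  }
  return value;
}

// Drop fields that carry no detection meaning before comparing.
function normalizeFilter(filter: Filter): Filter {
  const copy: Filter = { ...filter };
  delete copy.$state;
  return copy;
}

function normalizeRule(rule: Rule): Rule {
  return { ...rule, filters: rule.filters.map(normalizeFilter) };
}

// Naive check: byte-for-byte comparison of the serialized rule. Any
// re-serialization by the editor makes an unchanged rule look customized.
function isCustomizedNaive(base: Rule, saved: Rule): boolean {
  return JSON.stringify(base) !== JSON.stringify(saved);
}

// Semantic check: normalized, key-order-insensitive comparison.
function isCustomized(base: Rule, saved: Rule): boolean {
  return (
    JSON.stringify(canonicalize(normalizeRule(base))) !==
    JSON.stringify(canonicalize(normalizeRule(saved)))
  );
}

// Constructed sample data (not real prebuilt rule content).
const baseRule: Rule = {
  name: 'Example prebuilt rule',
  query: 'process.name : "powershell.exe"',
  filters: [
    {
      meta: { key: 'event.category', type: 'phrase', params: { query: 'process' } },
      query: { match_phrase: { 'event.category': 'process' } },
    },
  ],
};

// The same rule after an edit/save round trip with no user changes: the filter
// comes back with keys in a different order and a UI-only $state field.
const roundTrippedRule: Rule = {
  name: baseRule.name,
  query: baseRule.query,
  filters: [
    {
      $state: { store: 'appState' },
      query: { match_phrase: { 'event.category': 'process' } },
      meta: { params: { query: 'process' }, type: 'phrase', key: 'event.category' },
    },
  ],
};

// A genuine customization: the filter now matches a different category.
const editedRule: Rule = {
  ...baseRule,
  filters: [
    {
      meta: { key: 'event.category', type: 'phrase', params: { query: 'network' } },
      query: { match_phrase: { 'event.category': 'network' } },
    },
  ],
};

console.log('naive, no changes     :', isCustomizedNaive(baseRule, roundTrippedRule)); // true
console.log('semantic, no changes  :', isCustomized(baseRule, roundTrippedRule)); // false
console.log('semantic, real change :', isCustomized(baseRule, editedRule)); // true
```

The point of the normalized comparison is that the customization flag should be derived from what the rule will actually do at detection time, not from how the editor happened to serialize it; a false positive here matters because a rule wrongly marked customized is treated differently from a pristine prebuilt rule from then on.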

Labels:

  - 8.18 candidate
  - Feature:Prebuilt Detection Rules (Security Solution Prebuilt Detection Rules area)
  - Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  - Team:Detection Rule Management (Security Detection Rule Management Team)
  - Team:Detections and Resp (Security Detection Response Team)
  - bug (Fixes for quality problems that affect the customer experience)
  - fixed
  - impact:high (Addressing this issue will have a high level of impact on the quality/strength of our product.)
  - v8.18.0
