[Feature] Add support for immutable and rule_source fields in TOML export/import

[aarju]

Pull Request

Summary - What I changed

Added support for the immutable and rule_source fields that exist in the prebuilt rules. These rules are used to track modifications to Elastic prebuilt rules so we should preserve them when we export and import to and from the cluster.

How To Test

• Modify a prebuilt detection rule inside of Kibana
• Export the rule from the cluster to a repo
• Verify that the toml file has an immutable field and the rule_source fields
• import the rule from the repo back into kibana and verify that everything works after the import.

Checklist

• Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
• Added the meta:rapid-merge label if planning to merge within 24 hours
• Secret and sensitive material has been managed correctly
• Automated testing was updated or added to match the most common scenarios
• Documentation and comments were added for features that require explanation

Contributor checklist

• Have you signed the contributor license agreement?
• Have you followed the contributor guidelines?

[eric-forte-elastic]

@aarju thanks for the PR! In your PR descriptions you mention:

Added support for the immutable and rule_source fields that exist in the prebuilt rules.

I could not find where these exist in our pre-built rules? If they do can you provide an example? Or perhaps these are just for custom or customized rules? Main purpose for my question is whether or not there are additional conditions we need to look for in expecting these fields to be present. Thanks!

[aarju]

@eric-forte-elastic that field is in the ndjson when you modify a prebuilt rule.

For example, I modified this rule and you can see that the data view ID now shows as modified. I also added alert suppression while I was at it.

Then if you export this modified prebuilt rule it now contains the immutable and rule_source fields.

{
    "id": "9cda25df-2fd0-4969-9671-17532a494614",
    "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
    "name": "Accepted Default Telnet Port Connection",
    "immutable": true,
    "rule_source": {
        "type": "external",
        "is_customized": true,
        "customized_fields": [
            {
                "field_name": "index"
            },
            {
                "field_name": "data_view_id"
            },
            {
                "field_name": "alert_suppression"
            }
        ],
        "has_base_version": true
    },
    "version": 111,
    "revision": 2,
    "updated_at": "2026-03-17T15:17:54.873Z",
    "updated_by": "aaron.jewitt@elastic.co",
    "created_at": "2026-02-18T09:23:07.067Z",
    "created_by": "aaron.jewitt@elastic.co",
    "enabled": false,
    "interval": "5m",
    "from": "now-9m",
    "to": "now",
    "description": "This rule detects network...

[aarju]

@eric-forte-elastic @Mikaayenson is anything else needed to merge this PR?