[Security Solution] Incorrect Rule Source Type and Customization Status After Importing a Custom Rule

[pborgonovi]

Describe the bug:

When importing a custom rule with a matching rule_id and version of a prebuilt rule and setting the overwrite flag to true, the rule is incorrectly marked as an external prebuilt rule and flagged as customized. The system incorrectly sets rule_source.type to "external" and rule_source.is_customized to "true" instead of "internal" and "false".

Kibana/Elasticsearch Stack version:

8.18 Snapshot

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Rule Import

Steps to reproduce:

1. Create a custom rule
2. Export the custom rule and update it with a rule_id and version matching those of an existing prebuilt rule
3. Click to 'Import a rule'
4. Set 'Overwrite existing rule_id' to true

Current behavior:

• rule_source.type is set to "external".
• rule_source.is_customized is set to "true".

Expected behavior:

• rule_source.type should be set to "internal" since it’s a custom rule.
• is_customized should not be present (to confirm)

Screenshots (if relevant):

Prebuilt rule used: Prebuilt rule_Windows Defender Disabled.ndjson.txt

Custom rule used: Custom rule.ndjson.txt

[elasticmachine]

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[dplumlee]

I think this ticket is very closely related to #180198. I'm not sure what the best way to fix it would be - maybe failing creation/update/import if the custom rule id matches a prebuilt rule id? What do you think @banderror @xcrzx?