[Bug] CLI detection_rules kibana import-rules imports all exceptions and connectors if --rule-file or --rule-id is set

[frederikb96]

Describe the Bug

According to the CLI documentation for kibana import-rules command, when setting --rule-file or --rule-id argument, only a single rule should be imported and not everything recursively from the directory.

However, this imports all exceptions and connectors and not only the exception lists and connectors linked to the rule of interest.

So all exception lists and connectors are imported if the env CUSTOM_RULES_DIR is set (which is necessary to find items the rule depends on).

To Reproduce

In the Screenshare you can see the problem:

Screencast.From.2025-03-27.12-42-41.webm

1. The env is set
2. The command imports all the exceptions from the custom dir to Kibana though the rule doesn't contain any exceptions or connectors at all.
3. Unset the env
4. Only the rule is imported

Expected Behavior

Only the exceptions and connectors where the rule depends on should be imported.

Screenshots

No response

Desktop - OS

None

Desktop - Version

No response

Additional Context

[frederikb96]

This is especially problematic for the use of the flag -id, --rule-id TEXT since we need to have the environment variable CUSTOM_RULES_DIR set to use the flag. But this will also lead to all exceptions and action connectors being imported even though undesired:

export CUSTOM_RULES_DIR=custom-soc

elastic-detection-rules-soc on  master-soc [$✘!?⇡] is 📦 v1.0.0 via 🐍 v3.12.9 (detection-rules-build) 

elastic-detection-rules-soc on  master-soc [$✘!?⇡] is 📦 v1.0.0 via 🐍 v3.12.9 (detection-rules-build) 
❯ python -m detection_rules kibana --space $SPACE --ignore-ssl-errors true import-rules -id $RULE_ID --overwrite                                                     
Loaded config file: /var/home/frederik/Programming/elastic-detection-rules-soc/.detection-rules-cfg.yaml

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

1 rule(s) successfully imported
 - 87596efc-e89a-4f3b-9a58-3632b4871d8d
34 exception list(s) successfully imported
 - 603046ce-ebb6-5a05-7c16-af43a6f0cbc1
 - e6ebb35a-c4d6-57dd-90b8-76e32ca39204
 - 71e61dae-2747-9c73-193a-f4acba5fe0cd
 - 3cb1354e-5455-d262-c469-521d80a71c3a
 - de04ed87-8cf2-2ca8-cacc-aca4a4369317
 - f96f3c40-32b6-b95d-0a90-016c8a17b395
 - 39f60ba5-e73c-d459-bb16-a3b96588515e
 - 673dc8a6-82b9-2c87-d6a8-a6f7a11a69db
 - 16b51475-3ad4-b56e-2d99-b3079c27bc1f
 - 8c2c204e-8307-ffab-6ed1-2706c61e3b4c
 - c27c6d38-59b4-6124-7159-f479a79da26d
 - a37e7ba5-8ced-2198-d509-4ffa9657ccae
 - 91947275-e3dc-248b-b4ea-ac201c54de07
 - 0afaedd0-9696-7940-0cee-e9c159430a56
 - 18aa544b-d01a-86a5-ecca-eaa9987913ab
 - e44cb041-4a0c-d9af-0012-13510798417a
 - 2bdb391f-08d2-2ae9-26e6-ccbfe3c55e53
 - d0b0fc33-9b21-bd46-5943-be05f54be114
 - 9a0769c6-9cf3-56dc-378c-6ecdc870e82c
 - 633faddc-961f-d921-8d76-f35bb1785ba0
 - c4427bc3-94c8-45a2-1896-e2d93ac7e831
 - fd65d23f-c99a-8172-92fb-0db99f94287f
 - 2de6ce98-7a02-5984-3e46-290e811ebbc6
 - 49dc4c8c-6d54-7611-5061-2c7e594877e9
 - 21930f3b-fe8f-b971-0edf-2edd760ca315
 - f6fd1793-4eb1-0e78-247c-653c6c27b2c6
 - 0ea680c8-9d7e-5212-6741-91a4c6a9b70a
 - aa5f489e-42a0-7bd2-f53e-e1cda46cdf9d
 - a2fbc437-f8b5-d8d6-4bd9-367aa12cf299
 - 14ff59f6-bab0-1aca-c334-6cb88cb9db74
 - ef343879-13bd-09e9-e9b4-bb55e705d8e3
 - 923d13c1-7f3c-4fab-7a33-ea4ddf86f88d
 - 773973bf-fc11-f63c-b335-86d5970dda6c
 - e02ade13-b9b5-d99b-8d32-c39ec555545a
1 action connector(s) successfully imported
 - 4a6ec133-d852-45ce-8573-52b9dada3327

and without the var set, no dir is find to look for the id:

elastic-detection-rules-soc on  master-soc [$✘!?⇡] is 📦 v1.0.0 via 🐍 v3.12.9 (detection-rules-build) 
❯ unset CUSTOM_RULES_DIR

elastic-detection-rules-soc on  master-soc [$✘!?⇡] is 📦 v1.0.0 via 🐍 v3.12.9 (detection-rules-build) 

elastic-detection-rules-soc on  master-soc [$✘!?⇡] is 📦 v1.0.0 via 🐍 v3.12.9 (detection-rules-build) 
❯ python -m detection_rules kibana --space $SPACE --ignore-ssl-errors true import-rules -id $RULE_ID --overwrite
Loaded config file: /var/home/frederik/Programming/elastic-detection-rules-soc/.detection-rules-cfg.yaml

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

CLI Error (): Could not find rules with IDs: 87596efc-e89a-4f3b-9a58-3632b4871d8d

[Mikaayenson]

We either need to filter before passing to import-rules https://github.com/elastic/detection-rules/blob/main/detection_rules/kbwrap.py#L161-L175 or within import-rules.