Alerting on index aggregation with filter

Yes, the index threshold rule type does not yet support filters; in theory you could create a filtered alias to do that filtering, then use that alias with the rule.

The elasticsearch query rule is the other "generic" rule type, but does not yet support aggregations, so I don't think you can use that one either.

You might want to look at the Log Threshold or Metrics Threshold rule. The index patterns used for those rules are set in per-Kibana settings in the Observability solution pages in Kibana. I believe those indices may need to be ECS compatible as well, but it's possible that could be managed via field aliases, constant_keyword fields, etc. Here's the doc for the metrics threshold index settings: Configure settings | Observability Guide [8.3] | Elastic
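A concrete version of the filtered-alias workaround mentioned in the reply above, added here as an example and not taken from the thread; the index pattern `app-logs-*`, the alias name `app-logs-errors` and the `service.name` / `log.level` fields are assumed. Sent as the body of `POST _aliases` (for example from Kibana Dev Tools), it creates an alias that only exposes documents matching the filter, so an index threshold rule pointed at `app-logs-errors` instead of the raw indices aggregates over the filtered documents only:

```json
{
  "actions": [
    {
      "add": {
        "index": "app-logs-*",
        "alias": "app-logs-errors",
        "filter": {
          "bool": {
            "filter": [
              { "term": { "service.name": "checkout" } },
              { "term": { "log.level": "error" } }
            ]
          }
        }
      }
    }
  ]
}
```

Elasticsearch validates the alias filter against the index mapping when the alias is created, so the fields used in the filter must already be mapped in the matching indices.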