[DOCS] Document Rule Creation and Alert Triage workflows for leveraging non-ECS/custom/runtime fields

[spong]

Description

Historically, if users wanted to leverage custom fields with the Rule & Alerts workflows they could just add a custom mapping template to the .siem-signals index and they would be good to go. With changes implemented as part of RAC/Rule Registry, custom mapping templates are no longer supported and users are instead encouraged to leverage runtime fields to achieve searching/filtering capabilities on non-ECS/custom fields. That said, some variants of runtime fields aren't fully supported between rules and alerts (see elastic/kibana#103587), so there are some dev dependencies to fulfill before we can document a complete workflow.

Runtime field support:

• [Security Solutions] Detection Engine and Security Pages do not operate with runtime fields defined in Kibana Indexes  kibana#103587

Tangential dev issues:

• [Security Solution][Detections] Multi index pattern in securitySolution:defaultIndex not supported in Detection Rules kibana#103581
• [Security Solution] Rule Name Override does not support runtime fields kibana#107757

[joepeeples]

@spong Thanks for this issue -- do you know what release version the runtime field support and other dev dependencies are targeted to be done? (In other words, when could we document this issue fully?)

Similarly, in what version did custom mapping templates become unsupported? I thank that RAC/Rule Registry changes have spanned a couple releases...

[spong]

do you know what release version the runtime field support and other dev dependencies are targeted to be done? (In other words, when could we document this issue fully?)

They're an 8.2-candidate based on this project board it looks like.

Similarly, in what version did custom mapping templates become unsupported?

Definitely 8.0, but 7.16+ makes it harder to do as far as I understand. This functionality was never documented, so it was more of a custom workaround than officially supported feature I'd say.

[joepeeples]

Thanks for the extra info, @spong! I've labeled this for 8.2.0 but will keep an eye on those dependencies in case this is ready to fully document sooner.