[FR] Add Documentation on the available custom rules config options #16
Conversation
Do you want to update the exception examples and the CLI commands to push/pull exception lists & merge this after those two PRs are in?
Yes, will do. Good idea, and it prevents the need for an additional PR for this. Also, we should update the CLI.md in detection rules.
I added some quick start examples, but I do not think we have a place in the Read the Docs documentation where we go over how to use the CLI commands. Should we add one? Or should we defer to the existing documentation in Detection Rules (e.g. CLI.md)? Update: for now, referencing updates made in elastic/detection-rules#3881.
Don't forget the example toml files for exception lists.
…onfig-options' of github.com:elastic/DaC-Reference into 15-fr-add-documentation-on-the-available-custom-rules-config-options
@eric-forte-elastic I don't recall. Were you still planning to update the exception list example configs? Also, it would be good to add some of the examples from the summary of your PR.
Put in the FAQ or Exceptions section the known intermittent issue when migrating between stacks and how to address it (re-run the job). There may be some cases where the exceptions do not exist and you just need to re-run it. We recognize this and do not yet have a complete solution.
elastic/detection-rules#3955 (review). Also, add an example actions connector toml file similar to the actions toml file.
Issues: #15
Summary
This PR reconciles recent DAC feature updates with the local documentation in the detection rules repo as well as with the Read the Docs documentation.
The primary new features added are additional config options for bypass_version_lock and normalize_kql_keywords; exception_dir support was already documented, just not implemented.
Detection Rules PR: elastic/detection-rules#3881