
[DOCS] Value list exceptions for all rule types #2471

Closed
joepeeples opened this issue Sep 19, 2022 · 3 comments · Fixed by #2562

Comments

@joepeeples
Contributor

Description

PR elastic/kibana#133254 adds support for value list exceptions to all rule types (previously not supported for event correlation and threshold rule types).

The dev PR mentions several caveats and details, which I'll just paste here:

Adds value list exception support to every rule type with a few caveats. Structurally, this PR adds the definition of a "small" list that is able to be included directly in the rule executor's elasticsearch query instead of filtering out large lists in the post-execution process. This allows us to add value list exceptions for every rule type given some constraints, but still keep the post-execution logic and not degrade any current expected functionality.

Definitions

  • "Small" value lists are defined as Keyword, IP value, or IP range* type lists that are under 65,536 items
  • Small value lists are able to be used for every rule type
  • Large value lists are defined as Keyword, IP value, or IP range* type lists that are over 65,536 items OR any sized text type list
  • Large value lists are only able to be used for Query, Saved Query, ML, and Threat match rule types
  • IP range value lists have two value types: slash notation (127.0.0.1/32) and dash notation (127.0.0.1-127.0.0.4)

Caveats

  • IP range value lists are considered small only if the slash notation values are under 65,536; dash notation values require us to build the exception clauses differently and thus are limited to 200 for a small list size
  • Text type value lists are currently not supported by small value lists

Additional notes

  • Large lists will still display in the drop-down for selecting a value list, but will be grayed out. Might want to explain in docs what that means (UI may also provide info)
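The definitions and caveats above amount to a small decision procedure: the list's type and its item count (split into slash and dash notation for IP range lists) decide whether it counts as "small", and that in turn decides which rule types can use it as an exception. The following is an added example that is not Elastic's code and not part of this issue; it applies the thresholds quoted above (under 65,536 items; 200 dash-notation ranges), treats "limited to 200" as at most 200 and exactly 65,536 items as not small, and uses its own rule-type names and function names, which are assumptions rather than product identifiers.

```python
# Added example, not Elastic's code: classify a value list as "small" or
# "large" using the limits quoted in the issue, and report which rule types
# may use it as an exception. Rule-type names and function names are assumed.
import ipaddress
from dataclasses import dataclass

# Limits quoted from the dev PR description pasted into the issue.
SMALL_LIST_MAX_ITEMS = 65_536   # keyword / IP / slash-notation IP range lists must be under this
SMALL_DASH_RANGE_LIMIT = 200    # dash-notation IP ranges are limited to 200 in a small list

# Rule-type labels are assumptions for this example, not product identifiers.
ALL_RULE_TYPES = frozenset({"query", "saved_query", "ml", "threat_match", "eql", "threshold"})
LARGE_LIST_RULE_TYPES = frozenset({"query", "saved_query", "ml", "threat_match"})


@dataclass(frozen=True)
class ListAssessment:
    size_class: str             # "small" or "large"
    reason: str                 # human-readable explanation of the classification
    allowed_rule_types: frozenset


def count_ip_range_notations(values):
    """Return (slash_count, dash_count) for an IP range list, validating each entry."""
    slash = dash = 0
    for value in values:
        if "-" in value:
            start, end = (part.strip() for part in value.split("-", 1))
            low, high = ipaddress.ip_address(start), ipaddress.ip_address(end)
            if low.version != high.version or low > high:
                raise ValueError(f"invalid dash-notation range: {value!r}")
            dash += 1
        else:
            ipaddress.ip_network(value, strict=False)   # raises ValueError on malformed input
            slash += 1
    return slash, dash


def assess_value_list(list_type, values):
    """Classify a value list and return the rule types that may use it as an exception."""
    list_type = list_type.lower()
    n = len(values)
    if list_type == "text":
        # Caveat from the issue: text lists are never small, whatever their size.
        return ListAssessment("large", "text type lists are always large", LARGE_LIST_RULE_TYPES)
    if list_type in ("keyword", "ip"):
        if n < SMALL_LIST_MAX_ITEMS:
            return ListAssessment("small", f"{n} items is under {SMALL_LIST_MAX_ITEMS}", ALL_RULE_TYPES)
        return ListAssessment("large", f"{n} items is not under {SMALL_LIST_MAX_ITEMS}", LARGE_LIST_RULE_TYPES)
    if list_type == "ip_range":
        slash, dash = count_ip_range_notations(values)
        if slash < SMALL_LIST_MAX_ITEMS and dash <= SMALL_DASH_RANGE_LIMIT:
            return ListAssessment(
                "small", f"{slash} slash-notation and {dash} dash-notation ranges are within limits", ALL_RULE_TYPES
            )
        return ListAssessment(
            "large", f"{slash} slash-notation or {dash} dash-notation ranges exceed the small-list limits",
            LARGE_LIST_RULE_TYPES,
        )
    raise ValueError(f"unknown list type: {list_type!r}")


def can_use_as_exception(list_type, values, rule_type):
    """True if a list of this type and content may be attached to the given rule type."""
    return rule_type in assess_value_list(list_type, values).allowed_rule_types


if __name__ == "__main__":
    # Constructed sample lists for demonstration.
    samples = {
        "ip_range": ["10.0.0.0/8", "192.168.1.1-192.168.1.10"],
        "text": ["some free text"],
        "keyword": ["host-a", "host-b"],
    }
    for list_type, values in samples.items():
        result = assess_value_list(list_type, values)
        print(f"{list_type}: {result.size_class} ({result.reason}); "
              f"threshold rule allowed: {can_use_as_exception(list_type, values, 'threshold')}")
```

The dash-notation branch is the part worth keeping in mind when building lists by hand: a list of a few hundred dash ranges is well under 65,536 items yet is already "large", so it silently drops out of the EQL and threshold rule types even though the same ranges expressed in slash notation would not.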
@dplumlee
Contributor

dplumlee commented Oct 5, 2022

Do we know yet where these docs will live? Like what we could link to from the app itself. I'm going to update a link to whatever documentation we have before the 8.5 release

@joepeeples
Contributor Author

Do we know yet where these docs will live? Like what we could link to from the app itself. I'm going to update a link to whatever documentation we have before the 8.5 release

Hi @dplumlee, I haven't started drafting yet, but I anticipate the docs will live on the same page as before, just updated to include info about what kind of lists are supported now. Within that page, if you wanted to target a specific subsection, "Create value lists" is where I'll probably expand the introduction and add details about list size limitations, etc., so this URL should be a good bet:
https://www.elastic.co/guide/en/security/master/detections-ui-exceptions.html#manage-value-lists

I can let you know if this changes once I start drafting (probably first thing next week), but in the meantime I feel decently confident that the URL won't change.

@dplumlee
Contributor

dplumlee commented Oct 5, 2022

Awesome, thanks @joepeeples!

@joepeeples joepeeples changed the title Value list exceptions for all rule types [DOCS] Value list exceptions for all rule types Oct 10, 2022