[event log] populate rule.* ECS fields for alert events

[pmuellr]

ECS defines a top-level rule object property, with a number of fields that correspond to Kibana alerting rules:

• rule.author - the rule updatedBy field
• rule.id - the rule saved object id
• rule.license - alert type license, basic, gold, etc
• rule.name - the rule name field
• rule.reference - url to the help page for the alert type

Some are less clear how they would relate:

• rule.description
• rule.category - could be producer, perhaps
• rule.ruleset - could be producer, perhaps
• rule.uuid - maybe this would be spaceId + id, or switch the values with rule.id (it would have spaceId)
• rule.version - could be stack version, and could perhaps also be a constant_keyword in our event log indices since we create new indices for every stack version

The one missing bit of info is the spaceId, which we could perhaps force into rule.ruleset or rule.category, but those aren't great fits. We'd probably want something like a rule.namespace: keyword sort of field added.

As a secondary item, there is a event.kind field that we can populate with alert - https://www.elastic.co/guide/en/ecs/current/ecs-event.html#field-event-kind . Related is event.category - almost smells like this could be the producer value to me.

FWIW, at the time we created the event log, I don't believe the rule properties existed, and the valid values for event.kind, and it's relation to event.category (secondary to event.kind) had been specified.