[DOCS] "New terms" rule type

[jmikell821]

PRs: elastic/kibana#134526, elastic/kibana#131010

Description

The "New Terms" rule type generates an alert for each new term it detects in source documents.

The rule accepts 2 new parameters that are unique to the new_terms rule type, in addition to common Security rule parameters such as query, index, and filters, to, from, etc. The new parameters are

• new_terms_fields: an array of field names, currently limited to an array of size 1. In the future we will likely allow multiple field names to be specified here.
  • Example: ['host.ip']
• history_window_start: defines the additional time range to search over when determining if a term is "new". If a term is found between the times history_window_start and from then it will not be classified as a new term.
  • Example: now-30d

Notes

New terms alerts have one special field at the moment: kibana.alert.new_terms. This field contains the detected term that caused the alert. A single source document may have multiple new terms if the source document contains an array of values in the specified field. In that case, multiple alerts will be generated from the single source document - one for each new value.