
[FR][DAC] Add *LIMITED* support for version and revision to BaseRuleData #3620

Open
brokensound77 opened this issue Apr 27, 2024 · 0 comments · May be fixed by #3657
Labels: detections-as-code, enhancement (New feature or request)

Comments

@brokensound77 (Collaborator)

Note: this work will target the DAC-feature branch

related to #3407


The version and revision fields are explicitly forbidden (left out of the schema) within the repo, because of how we lock versions abstractly (preventing us from accidentally explicitly adding a version). The revision field is newer.

We should add limited use of those fields in the schema for users who are managing rules (DAC) that may be versioning directly. The fields should be limited in that the default for the repo would be to make them not valid schema fields, only working for non built in rules. We could potentially achieve this by looking at the CUSTOM_RULE_DIR envvar (which may be too limited), or by parsing the path of a rule as being equal to the elastic default dirs.

Revision will also have to be a restricted field, only valid for the stack version it was released on and higher.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# `definitions`, `Filter`, `RiskScoreMapping`, `SeverityMapping`, `ThreatMapping`,
# `MarshmallowDataclassMixin` and `StackCompatMixin` come from the repo's own
# rule-schema modules and are not shown here.


@dataclass(frozen=True)
class BaseRuleData(MarshmallowDataclassMixin, StackCompatMixin):
    """Base rule data."""

    @dataclass
    class InvestigationFields:
        field_names: List[definitions.NonEmptyStr]

    @dataclass
    class RequiredFields:
        name: definitions.NonEmptyStr
        type: definitions.NonEmptyStr
        ecs: bool

    @dataclass
    class RelatedIntegrations:
        package: definitions.NonEmptyStr
        version: definitions.NonEmptyStr
        integration: Optional[definitions.NonEmptyStr]

    actions: Optional[list]
    author: List[str]
    building_block_type: Optional[definitions.BuildingBlockType]
    description: str
    enabled: Optional[bool]
    exceptions_list: Optional[list]
    license: Optional[str]
    false_positives: Optional[List[str]]
    filters: Optional[List[Filter]]
    # trailing `_` required since `from` is a reserved word in python
    from_: Optional[str] = field(metadata=dict(data_key="from"))
    interval: Optional[definitions.Interval]
    investigation_fields: Optional[InvestigationFields] = field(metadata=dict(metadata=dict(min_compat="8.11")))
    max_signals: Optional[definitions.MaxSignals]
    meta: Optional[Dict[str, Any]]
    name: definitions.RuleName
    note: Optional[definitions.Markdown]
    # can we remove this comment?
    # explicitly NOT allowed!
    # output_index: Optional[str]
    references: Optional[List[str]]
    related_integrations: Optional[List[RelatedIntegrations]] = field(metadata=dict(metadata=dict(min_compat="8.3")))
    required_fields: Optional[List[RequiredFields]] = field(metadata=dict(metadata=dict(min_compat="8.3")))
    risk_score: definitions.RiskScore
    risk_score_mapping: Optional[List[RiskScoreMapping]]
    rule_id: definitions.UUIDString
    rule_name_override: Optional[str]
    setup: Optional[definitions.Markdown] = field(metadata=dict(metadata=dict(min_compat="8.3")))
    severity_mapping: Optional[List[SeverityMapping]]
    severity: definitions.Severity
    tags: Optional[List[str]]
    throttle: Optional[str]
    timeline_id: Optional[definitions.TimelineTemplateId]
    timeline_title: Optional[definitions.TimelineTemplateTitle]
    timestamp_override: Optional[str]
    to: Optional[str]
    type: definitions.RuleType
    threat: Optional[List[ThreatMapping]]
```

@brokensound77 brokensound77 changed the title [FR] Add *LIMITED* support for version and revision to BaseRuleData [FR][DAC] Add *LIMITED* support for version and revision to BaseRuleData Apr 27, 2024
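The gating the issue proposes, as an added example that is not code from the detection-rules repo or from the issue author: `version` and `revision` are accepted only for rules that live under `CUSTOM_RULE_DIR` or outside the repo's built-in rule directories, and `revision` is additionally rejected when the target stack version predates the field. The default directory names, the stack version in which `revision` first appears (`REVISION_MIN_STACK`, a placeholder), and every function and class name below are assumptions; the repo's real schema is marshmallow-based, while this stays on the standard library so it runs offline.

```python
"""Added example: path- and stack-version-based gating of the `version` and
`revision` rule fields. Not the detection-rules project's own code."""
import os
from dataclasses import dataclass, field
from pathlib import Path
from typing import Any, Dict, List, Optional, Tuple

# Hypothetical built-in rule directories, relative to the repo root.
DEFAULT_RULE_DIRS: Tuple[str, ...] = ("rules", "rules_building_block")

# PLACEHOLDER: the stack version that introduced `revision`. The issue does not
# state it; substitute the real minimum when wiring this into a schema.
REVISION_MIN_STACK: Tuple[int, int] = (8, 10)

VERSIONED_FIELDS: Tuple[str, ...] = ("version", "revision")


def parse_stack_version(text: str) -> Tuple[int, int]:
    """'8.13' or '8.13.2' -> (8, 13); only major.minor matters for compat."""
    major, minor = text.split(".")[:2]
    return int(major), int(minor)


def is_custom_rule(rule_path: Path, repo_root: Path,
                   custom_rule_dir: Optional[str] = None) -> bool:
    """True if the rule may carry version/revision.

    A rule under CUSTOM_RULE_DIR (explicit override) is custom; a rule under one
    of the repo's default directories is built in; anything else is custom.
    Paths are compared as given, so pass absolute paths or paths relative to
    the same base.
    """
    if custom_rule_dir:
        custom_root = Path(custom_rule_dir)
        if custom_root in rule_path.parents:
            return True
    for name in DEFAULT_RULE_DIRS:
        if (repo_root / name) in rule_path.parents:
            return False
    return True


@dataclass
class ValidationResult:
    ok: bool
    errors: List[str] = field(default_factory=list)


def validate_versioning_fields(rule: Dict[str, Any], rule_path: Path, repo_root: Path,
                               stack_version: str,
                               custom_rule_dir: Optional[str] = None) -> ValidationResult:
    """Apply the issue's two restrictions to an already-parsed rule dict.

    `custom_rule_dir` defaults to the CUSTOM_RULE_DIR environment variable,
    mirroring the env-var approach the issue mentions.
    """
    if custom_rule_dir is None:
        custom_rule_dir = os.environ.get("CUSTOM_RULE_DIR")
    errors: List[str] = []
    present = [name for name in VERSIONED_FIELDS if name in rule]
    if not present:
        return ValidationResult(True)

    # Restriction 1: built-in rules never declare version/revision directly.
    if not is_custom_rule(rule_path, repo_root, custom_rule_dir):
        errors.append(f"{', '.join(present)}: not allowed for built-in rules "
                      f"under {repo_root}")

    # Restriction 2: revision only exists from REVISION_MIN_STACK onwards.
    if "revision" in rule and parse_stack_version(stack_version) < REVISION_MIN_STACK:
        wanted = ".".join(str(n) for n in REVISION_MIN_STACK)
        errors.append(f"revision: requires stack >= {wanted}, got {stack_version}")

    # Both fields are non-negative integers when present.
    for name in present:
        value = rule[name]
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            errors.append(f"{name}: must be a non-negative integer, got {value!r}")

    return ValidationResult(not errors, errors)


if __name__ == "__main__":
    # Constructed sample rules and paths, not real repo content.
    root = Path("/repo")
    builtin = validate_versioning_fields({"version": 3}, Path("/repo/rules/windows/x.toml"), root, "8.13")
    custom = validate_versioning_fields({"version": 3, "revision": 1}, Path("/custom/x.toml"),
                                        root, "8.13", custom_rule_dir="/custom")
    print(builtin, custom)
```

Wiring this into a marshmallow schema would mean adding `version` and `revision` to the dataclass and running the check in a post-load validator that knows the rule's source path; the path-versus-env-var decision is isolated in `is_custom_rule` so either policy can be swapped in without touching the field rules.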