[Security Solution] Editing rules independently of source data

[jpdjere]

Source of discussion: #178611

As part of the ongoing Prebuilt Rule Customization epic, the requirement to change the behaviour of rule validation on editing has come up.

Instead of blocking the editing of a rule when the rule's data source has not enough data for the query to work, the expected UX would only warn the user but continue to proceed with saving the rule.

However, such a change will have consequences on a number of features that depends on a rule's data source. We need to list them here, detail the consequences of such changes and find alternative behaviours where needed.

Please add any feature that might be impacted by this change, describing:

• Which feature is impacted?
• How is it impacted?
• Is the impact acceptable from a UX point of view?
• If not, what alternative behaviour could be desired?

[banderror]

@jpdjere I moved this to a discussion ticket #180407 to be able to assign people and use our standard workflows.