[FR] Add support to decouple `actions` and `exception_list` from rules

[brokensound77]

related to #3298

While the repo technically supports both the actions and exceptions fields within the defined schema, it is not actually practical to populate those fields in any prebuilt rules. This is because it would create a situation where the rules would get out of sync from a versioning perspective and be in the same situation as modifying prebuilt rules.

The easiest solution would be to decouple them completely.

• Allow users to set directories for actions and exceptions
• The format would be TOML (or YAML), with the rule_id as the key and an array of entries respectively
• We would need to “assemble” these at package build time, likely exposing it in the to_api_format method as well as a parameter for building packages
• We could validate the schema of these structures just like any other rule component
• We would likely not validate the contents of these structures (valid fields), but could consider it for the future
• For the build time assembly, we should consider options for multi-tenancy to allow users to maintain and combine unique lists

[botelastic[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[brokensound77]

Most of this was completed in https://github.com/elastic/detection-rules/pull/3407 - however, since it remains in a feature branch during testing, we can leave the issue open until merged to main (or deemed as not viable)

[eric-forte-elastic]

With the exception of this issue https://github.com/elastic/detection-rules/issues/3962. This has been completed with DAC-feature merging to main https://github.com/elastic/detection-rules/pull/3889.