elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution][Alerts] Threshold rule alert history should be invalidated if rule is updated #129825

Open marshallmain opened 2 years ago

marshallmain commented 2 years ago

Currently, threshold rules use alerting framework state to store information about written alerts. This information is used in future rule executions to limit the search query and exclude documents that have already been alerted on. However, the rule can be updated to add/remove fields from the list of "group by" fields, change the query/filters, change the interval/lookback, etc. This could result in unexpected behaviors if the rule is changed substantially but the history from prior to the change is still used to exclude some documents.

We should detect if the rule has changed substantively (terms, query, etc.) since the history information was stored (including both alerting framework state or alerts in the alerts index, if the state is uninitialized) and include additional filters based on the history only when the rule has not changed. Some rule parameters should be able to change without invalidating the history, e.g. non-functional metadata like references.
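
One way to implement the check described in the issue, as an added example that is not Kibana's code: fingerprint only the functional parameters of a threshold rule (query, filters, index patterns, group-by fields, threshold value, interval, lookback), persist that fingerprint alongside the signal history in the rule state, and reuse the history on the next execution only when the fingerprint still matches. Metadata such as name, references, tags or version is deliberately left out of the fingerprint, so editing it keeps the history. The parameter and state shapes below are assumptions modelled loosely on the rule's public fields, not Kibana's exact types, and the sample rule is constructed for the demonstration; the fallback to the alerts index for uninitialized state that the issue mentions is not covered.

```typescript
import { createHash } from "crypto";

// Functional parameters of a threshold rule: anything that changes which
// documents the rule could match or how they are grouped. Field names are
// assumptions loosely modelled on the rule's public shape, not Kibana's types.
interface ThresholdRuleParams {
  query: string;
  language: "kuery" | "lucene";
  filters: unknown[];
  index: string[];
  threshold: { field: string[]; value: number };
  interval: string; // execution interval, e.g. "5m"
  from: string;     // lookback, e.g. "now-6m"
  // Non-functional metadata; edits here must NOT invalidate history.
  name: string;
  description: string;
  references: string[];
  tags: string[];
  version: number;
}

// One entry per group-by bucket already alerted on (hypothetical shape).
type SignalHistory = Record<string, { lastSignalTimestamp: number }>;

// Alerting framework state carried between executions (hypothetical shape):
// the history plus the fingerprint of the params it was built under.
interface ThresholdRuleState {
  signalHistory: SignalHistory;
  paramsFingerprint?: string;
}

// Canonical JSON with recursively sorted object keys, so a filter that the UI
// re-serialises with a different key order does not change the fingerprint.
function canonicalize(value: unknown): string {
  if (Array.isArray(value)) return `[${value.map(canonicalize).join(",")}]`;
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const body = Object.keys(obj)
      .sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalize(obj[k])}`);
    return `{${body.join(",")}}`;
  }
  return JSON.stringify(value);
}

// SHA-256 over the functional subset only. Index patterns are a set, so they
// are sorted; group-by fields are kept in order, since history keys are
// derived from bucket values in that order and a reorder is treated as a change.
function functionalFingerprint(params: ThresholdRuleParams): string {
  const functional = {
    query: params.query,
    language: params.language,
    filters: params.filters,
    index: [...params.index].sort(),
    thresholdField: params.threshold.field,
    thresholdValue: params.threshold.value,
    interval: params.interval,
    from: params.from,
  };
  return createHash("sha256").update(canonicalize(functional)).digest("hex");
}

interface ReconcileResult {
  signalHistory: SignalHistory; // history to apply in this execution
  fingerprint: string;          // fingerprint to persist with the new state
  invalidated: boolean;
}

// Run at the start of an execution. History is reused only when the stored
// fingerprint matches the current params. A missing fingerprint (state written
// before fingerprints existed, or state not yet initialised) is treated as
// unknown and the history is dropped: a possible duplicate alert is preferred
// over suppressing a document under a rule definition that never alerted on it.
function reconcileHistory(
  params: ThresholdRuleParams,
  state: ThresholdRuleState
): ReconcileResult {
  const fingerprint = functionalFingerprint(params);
  if (state.paramsFingerprint === fingerprint) {
    return { signalHistory: state.signalHistory, fingerprint, invalidated: false };
  }
  return { signalHistory: {}, fingerprint, invalidated: true };
}

// Constructed sample rule used for the demonstration.
const sampleParams: ThresholdRuleParams = {
  query: "event.category:authentication and event.outcome:failure",
  language: "kuery",
  filters: [],
  index: ["logs-*", "winlogbeat-*"],
  threshold: { field: ["source.ip", "user.name"], value: 10 },
  interval: "5m",
  from: "now-6m",
  name: "Repeated authentication failures",
  description: "",
  references: [],
  tags: ["authentication"],
  version: 1,
};
```

Renaming the rule, adding references, bumping the version or reordering index patterns leaves `reconcileHistory` returning the stored history unchanged; removing a group-by field or editing the query returns an empty history and a new fingerprint to persist, so the next execution starts from a clean slate for the new definition.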

elasticmachine commented 2 years ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine commented 2 years ago

Pinging @elastic/security-solution (Team: SecuritySolution)