New terms, threshold, and indicator match rules still request field capabilities (fieldCaps) for every field on every rule execution, even though each rule only needs the capabilities of the handful of fields it references. We should look into new terms and threshold rules next: they are more common than indicator match rules, and they should be simpler to fix because the fields they depend on are listed directly in the rule parameters.
Once new terms and threshold are fixed, we should look at indicator match (IM) rules and check for any other places where we can reduce field caps usage.
Parent issue: https://github.com/elastic/security-team/issues/10106
This is a continuation of the work in https://github.com/elastic/kibana/pull/184890
The offending logic is https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts#L340-L353
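As an added illustration of the change being proposed (this is not Kibana's code and does not reproduce the logic in the linked file), the snippet below shows the "before" shape the issue describes, a `fieldCaps` request for `*` on every execution, next to a narrowed version that derives the field list from the rule parameters and reuses the answer across executions. The `RuleParams` shape, the `FieldCapsClient` interface, the `CountingClient` fake and the TTL are all assumptions made for the example; the real rule schemas and the Elasticsearch client carry far more than this.

```typescript
// Added example, not Kibana's own implementation. Shows narrowing fieldCaps to
// the fields a rule references, plus reuse across executions.

export interface FieldCapsRequest {
  index: string[];
  fields: string[];
}

export interface FieldCapsResponse {
  fields: Record<string, Record<string, { type: string; aggregatable: boolean }>>;
}

// Minimal stand-in for the Elasticsearch client's fieldCaps call (assumption).
export interface FieldCapsClient {
  fieldCaps(req: FieldCapsRequest): Promise<FieldCapsResponse>;
}

// Simplified, hypothetical rule params: only the parts that name source fields.
export type RuleParams =
  | { type: 'new_terms'; index: string[]; newTermsFields: string[] }
  | { type: 'threshold'; index: string[]; threshold: { field: string[] } }
  | {
      type: 'threat_match';
      index: string[];
      threatMapping: Array<{ entries: Array<{ field: string; value: string }> }>;
    };

// Collect the source-index fields a rule actually references (sorted, de-duplicated).
export function requiredFields(params: RuleParams): string[] {
  const fields = new Set<string>();
  switch (params.type) {
    case 'new_terms':
      params.newTermsFields.forEach((f) => fields.add(f));
      break;
    case 'threshold':
      params.threshold.field.forEach((f) => fields.add(f));
      break;
    case 'threat_match':
      for (const m of params.threatMapping) for (const e of m.entries) fields.add(e.field);
      break;
  }
  return [...fields].sort();
}

// "Before": every field, every execution.
export function loadAllFieldCaps(client: FieldCapsClient, params: RuleParams) {
  return client.fieldCaps({ index: params.index, fields: ['*'] });
}

// "After": only the referenced fields, cached per (index pattern, field list) with a TTL
// so mapping changes are still picked up. Failed lookups are not cached.
export class NarrowFieldCaps {
  private cache = new Map<string, { expires: number; value: FieldCapsResponse }>();
  constructor(private readonly client: FieldCapsClient, private readonly ttlMs = 60_000) {}

  async load(params: RuleParams, now = Date.now()): Promise<FieldCapsResponse> {
    const fields = requiredFields(params);
    if (fields.length === 0) {
      // Nothing to narrow on (malformed rule): keep the old behaviour rather than skip the check.
      return this.client.fieldCaps({ index: params.index, fields: ['*'] });
    }
    const key = JSON.stringify([[...params.index].sort(), fields]);
    const hit = this.cache.get(key);
    if (hit && hit.expires > now) return hit.value;
    const value = await this.client.fieldCaps({ index: params.index, fields });
    this.cache.set(key, { expires: now + this.ttlMs, value });
    return value;
  }
}

// Constructed fake client that records requests; answers with keyword mappings.
export class CountingClient implements FieldCapsClient {
  calls: FieldCapsRequest[] = [];
  async fieldCaps(req: FieldCapsRequest): Promise<FieldCapsResponse> {
    this.calls.push(req);
    const names = req.fields.includes('*')
      ? ['@timestamp', 'event.category', 'host.name', 'process.name', 'user.name'] // pretend "all fields"
      : req.fields;
    const fields: FieldCapsResponse['fields'] = {};
    for (const n of names) fields[n] = { keyword: { type: 'keyword', aggregatable: true } };
    return { fields };
  }
}

// Two executions of the same new terms rule: one narrowed request, second served from cache.
export async function demo() {
  const client = new CountingClient();
  const caps = new NarrowFieldCaps(client);
  const rule: RuleParams = { type: 'new_terms', index: ['logs-*'], newTermsFields: ['user.name', 'host.name'] };
  const first = await caps.load(rule, 1_000);
  await caps.load(rule, 2_000);
  return { calls: client.calls.length, fields: client.calls[0].fields, known: Object.keys(first.fields).sort() };
}
```

The fallback to `*` when no fields can be derived is deliberate: a narrowing change that silently skips the capabilities check for an unexpected rule shape would be worse than the current cost. The TTL is the caveat for the cache: field capabilities change when new indices or mappings appear, so a long-lived process cannot hold them forever.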