Backport changes from Elasticsearch EQL

[rw-access]

Context

EQL is being developed directly in Elasticsearch and can be tracked here: elastic/elasticsearch#51556

We've identified places where we need to tighten the semantics for EQL, make changes to existing behavior, or limit what can be expressed in the language. This meta issue is to track all the changes we need to back port to resolve incongruities between Endpoint and Elasticsearch EQL. This will help prepare users of EQL and Elastic endpoint security to make migration easier.

Changes will be tracked in the feature/backport branch.

Parser and validation updates

• add support for `backtick` identifiers Add backtick handling for field names and attributes #19
• require explicit boolean behaviors: no auto-casting of bools Implement SQL-consistent null and boolean handling #18
• allow null to be compared to anything. currently, null == 5 is not allowed Implement SQL-consistent null and boolean handling #18
• TBD: multi-valued/array field type validation
• use Elasticsearch time units for sequences, and remove float intervals Remove unsupported sequence parsing #23
  EQL: Use recognized time units for sequences elastic/elasticsearch#54760

Runtime updates

• function behavior: always propagate nulls from required arguments Implement SQL-consistent null and boolean handling #18
• correct handling of three-value boolean logic (true, false, null) Implement SQL-consistent null and boolean handling #18
• toggle-able case-sensitivity. right now, case-insensitivity is always on. we should add an option to turn this off, while preserving the default behavior. this parameter could be set by updating the config set to the parser or inspecting the rule metadata.
• TBD: multi-valued functions (will make arraySearch and arrayContains redundant). this isn't actually supported yet within ES, which only uses scalar values for painless

To be determined

• ES allows multi-valued fields to be indexed and queried, but within painless we may get one member back instead of the full array (need to investigate. see EQL: Support for multi-value fields elastic/elasticsearch#54970)
• if so, we should allow == and other comparisons to check array membership

Test Suite

• As changes are made, the test_queries.toml file should be updated
• We should update the test suite to externalize multiple tests
  • syntax and parsing
  • semantics, type checking, verifying, etc
  • folding
  • run-time function evaluation
  • integration testing with query and result validation

cc @colings86 @costin @paulewing