FEATURE/DOCUMENTATION: Improve Playbook filtering documentation

[thedeadliestcatch]

The documentation for configuring Playbook -alert- filters is sorely lacking.

For instance, valuable documentation missing includes:

• Compound filters depending on multiple conditionals (ex. host, process executable, parent process executable).
• Compound filters using hosts lists.
• How to use any context variables in the filter.

There are many playbook rules that remain inactive by default that are quite useful in real-world setups, but need fine tuning due to false positives, for example in container environments. The documentation currently has no real content about configuration of said filters, and the publicly available information is also deficient. This most likely results in people just deactivating the problematic rules.... a zero-sum game.

[thedeadliestcatch]

@TOoSmOotH Mike, discussions is becoming (quite often) the place where legitimate issues go to die.

This is not a discussion, it is an issue/feature request, and should be tracked as such. I will be filing it again as such.