wazuh-ruleset
Feature Request: Include previous_output in Alert Description for Child Rules.
Dear Team,
I've observed scenarios where the previous_output field is not available for child rules, particularly when the child rule is constructed from composite rules or triggered based on the frequency of the parent rule. I propose an enhancement to include a trace of all the previous logs in the alert description, offering valuable insights into the triggers of the rule.
Consider the following rule as an example:
<rule id="100122" level="7" frequency="5" timeframe="120">
  <!-- frequency/timeframe: fire once the parent rule 60122 has matched 5 times within 120 seconds -->
  <if_matched_sid>60122</if_matched_sid>
  <!-- only count parent matches that come from the same log source -->
  <same_location />
  <description>Logon failure - Unknown user or bad password two times in a row</description>
  <mitre>
    <id>T1078</id>
    <id>T1531</id>
  </mitre>
  <group>authentication_failed,gdpr_IV_32.2,gdpr_IV_35.7.d,gpg13_7.1,hipaa_164.312.b,nist_800_53_AC.7,nist_800_53_AU.14,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>
It would greatly enhance the system if the alert description included the five previous_output logs.
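The following is an added illustration, not part of the original issue and not Wazuh's own code: a small Python simulation of the frequency/timeframe/same_location correlation the rule above relies on, producing an alert that carries the raw log of every contributing event, which is the trace the request asks for. The event fields (sid, location, timestamp, full_log), the alert layout and the sample events are assumptions constructed for the demo; Wazuh's exact counting behaviour for frequency is not reproduced, the straightforward reading (exactly five matches) is used.

```python
"""
Simulation of a frequency-based child rule that keeps the logs of every
event that contributed to the match (added example, not Wazuh code).
Event fields, alert layout and sample data are assumptions for this demo.
"""
from collections import defaultdict, deque

PARENT_SID = 60122   # <if_matched_sid>60122</if_matched_sid>
CHILD_SID = 100122   # the custom child rule from the post
FREQUENCY = 5        # frequency="5" (straightforward reading: exactly 5 matches)
TIMEFRAME = 120      # timeframe="120", in seconds
DESCRIPTION = "Logon failure - Unknown user or bad password two times in a row"


class FrequencyCorrelator:
    """Tracks parent-rule matches per location (<same_location/>) in a sliding window."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.frequency = frequency
        self.timeframe = timeframe
        self.windows = defaultdict(deque)  # location -> deque of (timestamp, full_log)

    def feed(self, event):
        """Return a child alert dict if this event completes the threshold, else None."""
        if event["sid"] != PARENT_SID:
            return None
        window = self.windows[event["location"]]
        window.append((event["timestamp"], event["full_log"]))
        # Expire matches older than TIMEFRAME seconds relative to the newest one.
        while window and event["timestamp"] - window[0][0] > self.timeframe:
            window.popleft()
        if len(window) < self.frequency:
            return None
        trace = [log for _, log in window]
        window.clear()  # start a fresh count after firing (assumption)
        return {
            "rule_id": CHILD_SID,
            "level": 7,
            "location": event["location"],
            "description": DESCRIPTION,
            # The trace the feature request wants: every contributing raw log.
            "previous_output": "\n".join(trace),
        }


# Constructed sample events (not real Wazuh output). Timestamps are seconds.
LOC_A = "(dc01) 10.0.0.5->WinEvtLog"
LOC_B = "(fs02) 10.0.0.9->WinEvtLog"
SAMPLE_EVENTS = [
    {"sid": PARENT_SID, "location": LOC_A, "timestamp": 0,   "full_log": "4625 bob from 10.0.0.77"},
    {"sid": PARENT_SID, "location": LOC_B, "timestamp": 10,  "full_log": "4625 carol from 10.0.0.80"},
    {"sid": PARENT_SID, "location": LOC_A, "timestamp": 30,  "full_log": "4625 bob from 10.0.0.77"},
    {"sid": 60106,      "location": LOC_A, "timestamp": 40,  "full_log": "4624 alice from 10.0.0.12"},  # ignored: not the parent sid
    {"sid": PARENT_SID, "location": LOC_A, "timestamp": 60,  "full_log": "4625 bob from 10.0.0.77"},
    {"sid": PARENT_SID, "location": LOC_A, "timestamp": 90,  "full_log": "4625 bob from 10.0.0.77"},
    {"sid": PARENT_SID, "location": LOC_A, "timestamp": 119, "full_log": "4625 bob from 10.0.0.77"},  # 5th within 120 s -> alert
    {"sid": PARENT_SID, "location": LOC_A, "timestamp": 400, "full_log": "4625 bob from 10.0.0.77"},  # count restarted, no alert
]


def run_demo(events=SAMPLE_EVENTS):
    """Feed the sample stream and return the list of child alerts raised."""
    correlator = FrequencyCorrelator()
    alerts = []
    for event in events:
        alert = correlator.feed(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(f"Rule {alert['rule_id']} (level {alert['level']}) at {alert['location']}: {alert['description']}")
        print("previous_output:")
        print(alert["previous_output"])
```

The interleaved event from LOC_B and the non-parent event are not counted, and a match that falls out of the 120 second window is dropped before the threshold is checked, so the alert's previous_output lists exactly the five logs that caused it.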