[Security Solution][Detections] Add rule type specific fields in agent builder inline attachment (#264669)

## Summary

Renders rule-type-specific fields in the Agent Builder inline attachment
card so users can review the definition-level details the AI agent
produced for each rule type.

### Changes

- **Threshold rules**: threshold field(s), value (`>= N`), cardinality
(reused `Threshold` component)
- **Indicator match rules**: indicator index patterns (reused
`ThreatIndex`), indicator index query (copyable), indicator mapping
(reused `constructThreatMappingDescription`)
- **Machine learning rules**: ML job ID(s), anomaly score threshold
- **New terms rules**: fields (reused `NewTermsFields`), history window
size
- **EQL rules**: event category override, tiebreaker field, timestamp
field
- **ES|QL rules**: ES|QL query display with syntax highlighting
- **Saved query rules**: saved query name display
- **Filters**: renders rule filters as badges with support for phrase,
exists, range, negated, and aliased filters
- **Copyable queries**: all query code blocks (main query and threat
query) are copyable
- **Aligned labels**: uses exact labels from the rule details page —
"Custom query", "EQL query", "ES|QL query", "Saved query", "Index
patterns"
- **Consistent font size**: all field labels and values use the same
`size="s"` styling
- **Refactored structure**: split into focused files under
`attachment_types/rule/` (rule_attachment, rule_type_details,
filters_display)

### Approach

- `MachineLearningJobList` intentionally not reused (depends on
`useSecurityJobs()` hook / ML context unavailable in Agent Builder
sidebar)
- Filters rendered as lightweight badges via `getFilterLabel()` utility
(existing `Filters` component requires `useDataView` hook and data
plugin services not available in Agent Builder sidebar)
- Added `@elastic/security-detection-engine` as CODEOWNERS for the
`rule/` folder

### Testing

97 unit tests across 3 suites covering all rule types, edge cases,
`getFilterLabel` (12 tests), `FiltersDisplay` (5 tests), and integration
tests.

## Screenshots

### Threshold rule
![Threshold
rule](https://raw.githubusercontent.com/vitaliidm/kibana/screenshots-264669/.github/screenshots/agent_builder_threshold.png)

### EQL rule
![EQL
rule](https://raw.githubusercontent.com/vitaliidm/kibana/screenshots-264669/.github/screenshots/agent_builder_eql.png)

### ES|QL rule
![ES|QL
rule](https://raw.githubusercontent.com/vitaliidm/kibana/screenshots-264669/.github/screenshots/agent_builder_esql.png)

### New Terms rule
![New Terms
rule](https://raw.githubusercontent.com/vitaliidm/kibana/screenshots-264669/.github/screenshots/agent_builder_new_terms.png)

### Indicator Match rule
![Indicator Match
rule](https://raw.githubusercontent.com/vitaliidm/kibana/screenshots-264669/.github/screenshots/agent_builder_threat_match.png)

### Machine Learning rule
![Machine Learning
rule](https://raw.githubusercontent.com/vitaliidm/kibana/screenshots-264669/.github/screenshots/agent_builder_ml.png)

### Saved Query rule
![Saved Query
rule](https://raw.githubusercontent.com/vitaliidm/kibana/screenshots-264669/.github/screenshots/agent_builder_saved_query.png)

## References

Closes elastic/security-team#16598


Made with [Cursor](https://cursor.com)

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: 3 people

.github/CODEOWNERS

@@ -2791,6 +2791,8 @@ src/platform/packages/shared/kbn-connector-schemas/thehive @elastic/kibana-cases
 /x-pack/solutions/security/test/security_solution_cypress/cypress/support @elastic/security-detection-engine @elastic/security-detection-rule-management @elastic/security-threat-hunting
 /x-pack/solutions/security/test/security_solution_cypress/cypress/urls @elastic/security-threat-hunting @elastic/security-detection-engine
 
+/x-pack/solutions/security/plugins/security_solution/public/agent_builder/attachment_types/rule @elastic/security-threat-hunting @elastic/security-generative-ai @elastic/security-detection-engine
+
 /x-pack/solutions/security/plugins/security_solution/common/test @elastic/security-detection-engine @elastic/security-detection-rule-management @elastic/security-threat-hunting
 
 /x-pack/solutions/security/plugins/security_solution/public/common/components/callouts @elastic/security-detection-rule-management

x-pack/solutions/security/plugins/security_solution/public/agent_builder/attachment_types/index.ts

@@ -138,7 +138,7 @@ export const registerRuleAttachment = ({
 }): void => {
   void import(
     /* webpackChunkName: "security_rule_attachment" */
-    './rule_attachment'
+    './rule'
   ).then(({ registerRuleAttachment: register }) => {
     register({ attachments, application, aiRuleCreation, uiSettings });
   });

x-pack/solutions/security/plugins/security_solution/public/agent_builder/attachment_types/rule/filters_display.test.tsx

@@ -0,0 +1,109 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { render, screen } from '@testing-library/react';
+import type { Filter } from '@kbn/es-query';
+import { FiltersDisplay, getFilterLabel } from './filters_display';
+
+describe('getFilterLabel', () => {
+  describe('alias handling', () => {
+    it('ignores key and type when alias is present', () => {
+      const filter: Filter = {
+        meta: { alias: 'Alias wins', key: 'host.name', type: 'phrase', value: 'ignored' },
+      };
+      expect(getFilterLabel(filter)).toBe('Alias wins');
+    });
+  });
+
+  describe('phrase type', () => {
+    it('handles numeric params.query', () => {
+      const filter: Filter = {
+        meta: { key: 'http.response.status_code', type: 'phrase', params: { query: 404 } },
+      };
+      expect(getFilterLabel(filter)).toBe('http.response.status_code: 404');
+    });
+
+    it('handles boolean params.query', () => {
+      const filter: Filter = {
+        meta: { key: 'event.ingested', type: 'phrase', params: { query: true } },
+      };
+      expect(getFilterLabel(filter)).toBe('event.ingested: true');
+    });
+  });
+
+  describe('phrases type', () => {
+    it('prepends NOT for negated phrases filter', () => {
+      const filter: Filter = {
+        meta: { key: 'status', negate: true, type: 'phrases', params: ['active', 'pending'] },
+      };
+      expect(getFilterLabel(filter)).toBe('NOT status: active, pending');
+    });
+  });
+
+  describe('range type', () => {
+    it('formats open-ended upper bound with lte only', () => {
+      const filter: Filter = {
+        meta: { key: 'risk_score', type: 'range', params: { lte: 100 } },
+      };
+      expect(getFilterLabel(filter)).toBe('risk_score: <= 100');
+    });
+
+    it('formats open-ended upper bound with lt only', () => {
+      const filter: Filter = {
+        meta: { key: 'risk_score', type: 'range', params: { lt: 100 } },
+      };
+      expect(getFilterLabel(filter)).toBe('risk_score: < 100');
+    });
+
+    it('prefers lte over lt when both are present', () => {
+      const filter: Filter = {
+        meta: { key: 'bytes', type: 'range', params: { lte: 500, lt: 501 } },
+      };
+      expect(getFilterLabel(filter)).toBe('bytes: <= 500');
+    });
+
+    it('prepends NOT for negated range filter', () => {
+      const filter: Filter = {
+        meta: { key: 'bytes', negate: true, type: 'range', params: { gte: 100, lte: 500 } },
+      };
+      expect(getFilterLabel(filter)).toBe('NOT bytes: >= 100 AND <= 500');
+    });
+  });
+
+  describe('missing key fallback', () => {
+    it('prepends NOT for negated filter with no key', () => {
+      const filter: Filter = { meta: { negate: true }, query: { match_all: {} } };
+      expect(getFilterLabel(filter)).toBe('NOT {"match_all":{}}');
+    });
+  });
+
+  describe('unknown/custom type fallback', () => {
+    it('shows key with value from meta.value', () => {
+      const filter: Filter = {
+        meta: { key: 'event.action', type: 'custom', value: 'login' },
+      };
+      expect(getFilterLabel(filter)).toBe('event.action: login');
+    });
+  });
+});
+
+describe('FiltersDisplay', () => {
+  it('renders nothing when all filters are invalid (no meta property)', () => {
+    const filters = [{ something: 'else' }, { query: { match_all: {} } }];
+    const { container } = render(<FiltersDisplay filters={filters} />);
+    expect(container).toBeEmptyDOMElement();
+  });
+
+  it('renders range filter in badge', () => {
+    const filters = [{ meta: { key: 'bytes', type: 'range', params: { gte: 100, lte: 500 } } }];
+
+    render(<FiltersDisplay filters={filters} />);
+
+    expect(screen.getByText('bytes: >= 100 AND <= 500')).toBeInTheDocument();
+  });
+});

x-pack/solutions/security/plugins/security_solution/public/agent_builder/attachment_types/rule/filters_display.tsx

@@ -0,0 +1,105 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React from 'react';
+import { i18n } from '@kbn/i18n';
+import { EuiBadge, EuiFlexGroup, EuiFlexItem, EuiSpacer, EuiText } from '@elastic/eui';
+import type { Filter } from '@kbn/es-query';
+
+const FILTERS_LABEL = i18n.translate(
+  'xpack.securitySolution.detectionEngine.createRule.filtersLabel',
+  { defaultMessage: 'Filters' }
+);
+const SectionHeading: React.FC<{ children: React.ReactNode }> = ({ children }) => (
+  <EuiText size="s">
+    <strong>{children}</strong>
+  </EuiText>
+);
+
+const formatRangeFilter = (key: string, params: Record<string, unknown>): string => {
+  const parts: string[] = [];
+  if (params.gte !== undefined) {
+    parts.push(`>= ${params.gte}`);
+  } else if (params.gt !== undefined) {
+    parts.push(`> ${params.gt}`);
+  }
+  if (params.lte !== undefined) {
+    parts.push(`<= ${params.lte}`);
+  } else if (params.lt !== undefined) {
+    parts.push(`< ${params.lt}`);
+  }
+  return `${key}: ${parts.join(' AND ')}`;
+};
+
+const resolveParamValue = (params: Filter['meta']['params']): string => {
+  if (params == null) return '';
+  if (typeof params === 'string' || typeof params === 'number' || typeof params === 'boolean') {
+    return String(params);
+  }
+  if (Array.isArray(params)) return params.join(', ');
+  if (typeof params === 'object' && 'query' in params) return String(params.query);
+  return JSON.stringify(params);
+};
+
+const formatPhraseFilter = (
+  key: string,
+  value: Filter['meta']['value'],
+  params: Filter['meta']['params']
+): string => {
+  const display = typeof value === 'string' ? value : resolveParamValue(params);
+  return `${key}: ${display}`;
+};
+
+export const getFilterLabel = (filter: Filter): string => {
+  if (filter.meta?.alias) {
+    return filter.meta.alias;
+  }
+  const { key, negate, type, params, value } = filter.meta ?? {};
+  const prefix = negate ? 'NOT ' : '';
+
+  if (!key) {
+    return `${prefix}${JSON.stringify(filter.query ?? filter)}`;
+  }
+
+  if (type === 'exists') {
+    return `${prefix}${key}: exists`;
+  }
+
+  if (type === 'phrase' || type === 'phrases') {
+    return `${prefix}${formatPhraseFilter(key, value, params)}`;
+  }
+
+  if (type === 'range' && params && typeof params === 'object' && !Array.isArray(params)) {
+    return `${prefix}${formatRangeFilter(key, params as Record<string, unknown>)}`;
+  }
+
+  const displayValue = typeof value === 'string' ? value : resolveParamValue(params);
+  return displayValue ? `${prefix}${key}: ${displayValue}` : `${prefix}${key}`;
+};
+
+export const FiltersDisplay: React.FC<{ filters: unknown[] }> = ({ filters }) => {
+  const validFilters = filters.filter(
+    (f): f is Filter => f != null && typeof f === 'object' && 'meta' in f
+  );
+  if (validFilters.length === 0) {
+    return null;
+  }
+
+  return (
+    <>
+      <SectionHeading>{FILTERS_LABEL}</SectionHeading>
+      <EuiSpacer size="xs" />
+      <EuiFlexGroup responsive={false} gutterSize="xs" wrap>
+        {validFilters.map((filter, idx) => (
+          <EuiFlexItem grow={false} key={idx}>
+            <EuiBadge color="hollow">{getFilterLabel(filter)}</EuiBadge>
+          </EuiFlexItem>
+        ))}
+      </EuiFlexGroup>
+    </>
+  );
+};

x-pack/solutions/security/plugins/security_solution/public/agent_builder/attachment_types/rule/index.ts

@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { registerRuleAttachment } from './rule_attachment';

…attachment_types/rule_attachment.test.ts …hment_types/rule/rule_attachment.test.tsx-pack/solutions/security/plugins/security_solution/public/agent_builder/attachment_types/rule_attachment.test.ts renamed to x-pack/solutions/security/plugins/security_solution/public/agent_builder/attachment_types/rule/rule_attachment.test.ts x-pack/solutions/security/plugins/security_solution/public/agent_builder/attachment_types/rule_attachment.test.ts renamed to x-pack/solutions/security/plugins/security_solution/public/agent_builder/attachment_types/rule/rule_attachment.test.ts

@@ -11,13 +11,13 @@ import type { AttachmentServiceStartContract } from '@kbn/agent-builder-browser/
 import { ActionButtonType } from '@kbn/agent-builder-browser/attachments';
 import { ENABLE_ESQL } from '@kbn/esql-utils';
 import { RULES_FEATURE_LATEST } from '@kbn/security-solution-features/constants';
-import { AiRuleCreationService } from '../../detection_engine/common/ai_rule_creation_store';
+import { AiRuleCreationService } from '../../../detection_engine/common/ai_rule_creation_store';
 import {
   createRuleAttachmentDefinition,
   isOnRuleFormPage,
   registerRuleAttachment,
 } from './rule_attachment';
-import { SecurityAgentBuilderAttachments } from '../../../common/constants';
+import { SecurityAgentBuilderAttachments } from '../../../../common/constants';
 
 const validRule = {
   name: 'Test Rule',
@@ -177,7 +177,7 @@ describe('createRuleAttachmentDefinition', () => {
       expect(buttons).toEqual([]);
     });
 
-    it('returns empty array when parsed rule has no name', () => {
+    it('returns action buttons for rule without name', () => {
       const application = makeApplication(true);
       const definition = createRuleAttachmentDefinition({
         application,
@@ -187,7 +187,7 @@ describe('createRuleAttachmentDefinition', () => {
       const buttons = definition.getActionButtons!(
         makeActionButtonsParams(JSON.stringify({ type: 'query' })) as never
       );
-      expect(buttons).toEqual([]);
+      expect(buttons).toHaveLength(1);
     });
 
     it('returns empty array when user lacks edit capabilities', () => {