[One workflow] Event-driven triggers testing UX (#268832)

Relates to elastic/security-team#16717

## Summary

This change improves how users **test and inspect event-driven
workflows** from the run workflow flow. The legacy “event” JSON editor
path is split from **alert** configuration, the execute modal gains
clearer **trigger tab** behavior (including defaulting to the **Event**
tab when the definition uses custom event triggers), and the **Event**
tab surfaces **historical rows from `.workflows-events`** with KQL, time
range, and a document grid so users can pick a prior payload to reuse.

### User-visible changes

- **Run workflow modal**: Trigger tabs refined; **Alert** configuration
lives in **`WorkflowExecuteAlertForm`**; **Event** tab uses
**`WorkflowExecuteEventForm`** with search + table + payload selection
workflow.
- **Event tab**: Search bar (KQL), date range, paginated results, column
picker aligned to `.workflows-events` fields.

### Modal trigger selection

```mermaid
flowchart LR
  subgraph Modal[Workflow execute modal]
    T[Trigger tabs]
    A[Alert form]
    M[Manual / Index / …]
    E[Event form]
  end
  T --> A
  T --> M
  T --> E
  E --> Q[KQL + time range]
  E --> G[UnifiedDataTable on log hits]
  G --> S[Select row → seed JSON editor]
```

## 🎥 Demo


https://github.com/user-attachments/assets/65a4643c-a255-4dde-a29d-ee66567e0a05

## Follow ups

- Filter Run Tabs according to triggers in the workflow
- Clean up the toolbar, and remove things like `sort fields` 
- Unify table for Alerts and Document

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: 3 people

src/platform/packages/shared/kbn-workflows-ui/src/api/types.ts

@@ -14,6 +14,7 @@ import type {
   WorkflowDetailDto,
   WorkflowExecutionSortField,
   WorkflowExecutionSortOrder,
+  WorkflowsEventsLogDocumentSource,
 } from '@kbn/workflows';
 
 export interface BulkCreateWorkflowsParams {
@@ -140,3 +141,23 @@ export interface ResumeExecutionParams {
 export interface WorkflowsConfig {
   eventDrivenExecutionEnabled: boolean;
 }
+
+export interface SearchTriggerEventLogParams {
+  kql?: string;
+  from?: string;
+  to?: string;
+  page?: number;
+  size?: number;
+}
+
+export interface SearchTriggerEventLogHit {
+  id: string;
+  source: WorkflowsEventsLogDocumentSource;
+}
+
+export interface SearchTriggerEventLogResult {
+  hits: SearchTriggerEventLogHit[];
+  total: number;
+  page: number;
+  size: number;
+}

src/platform/packages/shared/kbn-workflows-ui/src/api/workflows_api.mock.ts

@@ -45,4 +45,5 @@ export const createMockWorkflowApi = (): MockWorkflowApi =>
     getChildrenExecutions: jest.fn(),
 
     getConfig: jest.fn(),
+    searchTriggerEvents: jest.fn(),
   } as unknown as MockWorkflowApi);

src/platform/packages/shared/kbn-workflows-ui/src/api/workflows_api.test.ts

@@ -237,6 +237,24 @@ describe('WorkflowApi', () => {
     });
   });
 
+  describe('searchTriggerEvents', () => {
+    it('should call POST /internal/workflows/trigger_events/_search with body', async () => {
+      const params = {
+        kql: 'eventId: "e1"',
+        from: '2025-01-01',
+        to: '2025-12-31',
+        page: 2,
+        size: 25,
+      };
+      await api.searchTriggerEvents(params);
+
+      expect(http.post).toHaveBeenCalledWith('/internal/workflows/trigger_events/_search', {
+        body: JSON.stringify(params),
+        version: INTERNAL_VERSION,
+      });
+    });
+  });
+
   // ---------------------------------------------------------------------------
   // Execution operations
   // ---------------------------------------------------------------------------

src/platform/packages/shared/kbn-workflows-ui/src/api/workflows_api.ts

@@ -44,6 +44,8 @@ import type {
   MgetWorkflowsParams,
   ResumeExecutionParams,
   RunWorkflowOptions,
+  SearchTriggerEventLogParams,
+  SearchTriggerEventLogResult,
   TestWorkflowParams,
   UpdateWorkflowParams,
   ValidateWorkflowParams,
@@ -292,4 +294,13 @@ export class WorkflowApi {
       version: INTERNAL_API_VERSION,
     });
   }
+
+  async searchTriggerEvents(
+    params: SearchTriggerEventLogParams
+  ): Promise<SearchTriggerEventLogResult> {
+    return this.http.post(`${INTERNAL_BASE}/trigger_events/_search`, {
+      body: JSON.stringify(params),
+      version: INTERNAL_API_VERSION,
+    });
+  }
 }

src/platform/packages/shared/kbn-workflows-ui/src/hooks/index.ts

@@ -8,6 +8,7 @@
  */
 
 export * from './use_workflows';
+export * from './use_query_trigger_events';
 export * from './use_run_workflow';
 export * from './use_workflows_capabilities';
 export * from './use_workflows_ui_settings';

src/platform/packages/shared/kbn-workflows-ui/src/hooks/use_query_trigger_events.test.ts

@@ -0,0 +1,116 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { renderHook, waitFor } from '@testing-library/react';
+import React from 'react';
+import { QueryClient, QueryClientProvider } from '@kbn/react-query';
+import {
+  getWorkflowTriggerEventsLogQueryKey,
+  useQueryTriggerEvents,
+} from './use_query_trigger_events';
+import type { SearchTriggerEventLogResult } from '../api/types';
+import { createMockWorkflowApi } from '../api/workflows_api.mock';
+import { testQueryClientConfig } from '../test_utils';
+
+jest.mock('@kbn/kibana-react-plugin/public', () => ({
+  useKibana: jest.fn(),
+}));
+
+const mockWorkflowApi = createMockWorkflowApi();
+jest.mock('../api/use_workflows_api', () => ({
+  useWorkflowsApi: () => mockWorkflowApi,
+}));
+
+const queryClient = new QueryClient(testQueryClientConfig);
+
+const wrapper: React.FC<React.PropsWithChildren<{}>> = ({ children }) =>
+  React.createElement(QueryClientProvider, { client: queryClient }, children);
+
+describe('getWorkflowTriggerEventsLogQueryKey', () => {
+  it('returns the same key for equivalent param objects', () => {
+    const paramsA = {
+      page: 1,
+      size: 10,
+      from: '2025-01-01',
+      to: '2025-01-02',
+      kql: 'triggerId: foo',
+    };
+    const paramsB = {
+      kql: 'triggerId: foo',
+      from: '2025-01-01',
+      to: '2025-01-02',
+      page: 1,
+      size: 10,
+    };
+
+    expect(getWorkflowTriggerEventsLogQueryKey(paramsA)).toEqual(
+      getWorkflowTriggerEventsLogQueryKey(paramsB)
+    );
+  });
+
+  it('omits optional fields as undefined in the key tuple', () => {
+    expect(getWorkflowTriggerEventsLogQueryKey({ page: 2, size: 50 })).toEqual([
+      'workflowTriggerEventsLog',
+      undefined,
+      undefined,
+      undefined,
+      2,
+      50,
+    ]);
+  });
+});
+
+describe('useQueryTriggerEvents', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+    queryClient.clear();
+  });
+
+  it('calls searchTriggerEvents with correct params', async () => {
+    const mockData: SearchTriggerEventLogResult = {
+      hits: [],
+      total: 0,
+      page: 1,
+      size: 10,
+    };
+    const params = { page: 1, size: 10, from: '2025-01-01' };
+    mockWorkflowApi.searchTriggerEvents.mockResolvedValue(mockData);
+
+    const { result } = renderHook(() => useQueryTriggerEvents(params), { wrapper });
+
+    await waitFor(() => expect(result.current.isSuccess).toBe(true));
+
+    expect(mockWorkflowApi.searchTriggerEvents).toHaveBeenCalledWith(params);
+    expect(result.current.data).toEqual(mockData);
+  });
+
+  it('does not refetch when params object identity changes but values are unchanged', async () => {
+    const mockData: SearchTriggerEventLogResult = {
+      hits: [],
+      total: 0,
+      page: 1,
+      size: 10,
+    };
+    mockWorkflowApi.searchTriggerEvents.mockResolvedValue(mockData);
+
+    const initialParams = { page: 1, size: 10, from: '2025-01-01', to: '2025-01-02' };
+    const { result, rerender } = renderHook(
+      ({ params }: { params: typeof initialParams }) => useQueryTriggerEvents(params),
+      { wrapper, initialProps: { params: initialParams } }
+    );
+
+    await waitFor(() => expect(result.current.isSuccess).toBe(true));
+    expect(mockWorkflowApi.searchTriggerEvents).toHaveBeenCalledTimes(1);
+
+    rerender({ params: { ...initialParams } });
+
+    await waitFor(() => expect(result.current.isFetching).toBe(false));
+    expect(mockWorkflowApi.searchTriggerEvents).toHaveBeenCalledTimes(1);
+  });
+});

src/platform/packages/shared/kbn-workflows-ui/src/hooks/use_query_trigger_events.ts

@@ -0,0 +1,51 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { useQuery } from '@kbn/react-query';
+import type { SearchTriggerEventLogParams, SearchTriggerEventLogResult } from '../api/types';
+import { useWorkflowsApi } from '../api/use_workflows_api';
+
+export type WorkflowTriggerEventsLogQueryKey = readonly [
+  'workflowTriggerEventsLog',
+  string | undefined,
+  string | undefined,
+  string | undefined,
+  number | undefined,
+  number | undefined
+];
+
+/**
+ * Primitive query-key parts so equivalent searches share a cache entry even when
+ * callers pass a new `params` object reference each render.
+ */
+export const getWorkflowTriggerEventsLogQueryKey = (
+  params: SearchTriggerEventLogParams
+): WorkflowTriggerEventsLogQueryKey => [
+  'workflowTriggerEventsLog',
+  params.kql,
+  params.from,
+  params.to,
+  params.page,
+  params.size,
+];
+
+export function useQueryTriggerEvents(
+  params: SearchTriggerEventLogParams,
+  options?: { enabled?: boolean }
+) {
+  const api = useWorkflowsApi();
+
+  return useQuery<SearchTriggerEventLogResult>({
+    networkMode: 'always',
+    queryKey: getWorkflowTriggerEventsLogQueryKey(params),
+    queryFn: () => api.searchTriggerEvents(params),
+    enabled: options?.enabled ?? true,
+    keepPreviousData: true,
+  });
+}

src/platform/packages/shared/kbn-workflows/common/event_trigger_replay.ts

@@ -0,0 +1,56 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+/**
+ * Shape of a `.workflows-events` document returned by trigger-event log search.
+ * Mirrors the execution engine trigger-event document shape.
+ */
+export interface WorkflowsEventsLogDocumentSource {
+  '@timestamp': string;
+  eventId: string;
+  triggerId: string;
+  spaceId: string;
+  subscriptions: string[];
+  sourceExecutionId?: string;
+  payload: Record<string, unknown>;
+}
+
+/**
+ * `_source` from a trigger-event log hit used to build a manual replay payload.
+ * Fields other than `payload` are ignored today but documented for callers.
+ */
+export type TriggerEventReplaySource = Partial<WorkflowsEventsLogDocumentSource>;
+
+/**
+ * Platform fields injected when replaying a logged trigger event from the Event tab.
+ * Custom trigger payload properties are merged at the same level (see {@link EventTriggerReplayEvent}).
+ */
+export interface EventTriggerReplayPlatformFields {
+  /** ISO-8601 time for this test run (not the logged `@timestamp`). */
+  timestamp: string;
+  /** Active Kibana space for the replay run. */
+  spaceId: string;
+  /** Reset for manual replay so chain depth does not carry over from production dispatch. */
+  eventChainDepth: 0;
+  /** Reset for manual replay so cycle detection starts fresh. */
+  eventChainVisitedWorkflowIds: string[];
+}
+
+/**
+ * `event` object passed to a manual / test workflow run for an event-driven trigger.
+ * Trigger-specific payload fields from the log entry are spread alongside platform fields.
+ */
+export type EventTriggerReplayEvent = EventTriggerReplayPlatformFields & Record<string, unknown>;
+
+/**
+ * Top-level workflow run `inputs` JSON built when selecting a row in the Event trigger picker.
+ */
+export interface EventTriggerReplayInput {
+  event: EventTriggerReplayEvent;
+}

src/platform/packages/shared/kbn-workflows/common/workflows_events.ts

@@ -0,0 +1,50 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import type { DataViewBase, DataViewFieldBase } from '@kbn/es-query';
+
+export const WORKFLOWS_EVENTS_DATA_STREAM = '.workflows-events';
+
+/**
+ * Upper bound passed to Elasticsearch `track_total_hits` when searching `.workflows-events`.
+ *
+ * Totals at or above this value are a lower bound only — the index may contain more matching
+ * documents. The trigger-event search API returns `total: WORKFLOWS_EVENTS_TRACK_TOTAL_HITS_CAP`
+ * in that case; clients should display `10,000+` (or equivalent) rather than an exact count.
+ *
+ * Matches UnifiedDataTable's `MAX_LOADED_GRID_ROWS` (10_000) so the Event tab grid and reported
+ * total stay aligned.
+ */
+export const WORKFLOWS_EVENTS_TRACK_TOTAL_HITS_CAP = 10_000;
+
+/**
+ * KQL field metadata for `.workflows-events`, shared by server and client:
+ *
+ * - **Server** ({@link WORKFLOWS_EVENTS_DATA_VIEW}): passed to `toElasticsearchQuery` in the
+ *   execution engine. That path has no access to registered browser data views, so we use a static
+ *   `DataViewBase` built from this list.
+ * - **Client** (Event trigger picker): creates an ephemeral ad-hoc data view for the KQL bar, then
+ *   replaces its fields with this same list so autocomplete and server translation stay aligned.
+ *
+ * `spaceId` is intentionally omitted — the search API always scopes results to the request space.
+ */
+export const WORKFLOWS_EVENTS_DATA_VIEW_FIELDS: DataViewFieldBase[] = [
+  { name: '@timestamp', type: 'date', esTypes: ['date'] },
+  { name: 'eventId', type: 'string', esTypes: ['keyword'] },
+  { name: 'triggerId', type: 'string', esTypes: ['keyword'] },
+  { name: 'sourceExecutionId', type: 'string', esTypes: ['keyword'] },
+  { name: 'subscriptions', type: 'string', esTypes: ['keyword'] },
+  { name: 'payload', type: 'object', esTypes: ['object'] },
+];
+
+/** Static data view used for server-side KQL → Elasticsearch translation. */
+export const WORKFLOWS_EVENTS_DATA_VIEW: DataViewBase = {
+  title: WORKFLOWS_EVENTS_DATA_STREAM,
+  fields: [...WORKFLOWS_EVENTS_DATA_VIEW_FIELDS],
+};

src/platform/packages/shared/kbn-workflows/index.ts

@@ -39,6 +39,8 @@ export * from './spec/deprecated_step_metadata';
 export * from './types/latest';
 export * from './types/utils';
 export * from './common/constants';
+export * from './common/workflows_events';
+export type * from './common/event_trigger_replay';
 export * from './common/well_known_trigger_sources';
 export type { WorkflowExecutionEventDispatchMetadata } from './common/workflow_execution_schedule_metadata';
 export * from './common/privileges';