[SigEvents] Add lifecycle view and filters for significant events (#271380)

## Summary

Adds an event lifecycle endpoint and timeline UI so users can trace the
full chain of detections → discoveries → verdicts → event versions when
clicking a significant event. Also introduces search and filter controls
on the events tab.

### Lifecycle
- New `GET /internal/sig_events/events/{id}/lifecycle` endpoint that
walks the event chain via `previous_event_id`, collects related
discoveries and verdicts in parallel, and deduplicates detections
- Flyout with event details, root cause, recommendations, evidences, and
a chronological lifecycle timeline

### Filters & search
- Added verdict, impact, and stream filter popovers to the events tab
- Added debounced text search
- Route accepts array-based query params for multi-select filters


https://github.com/user-attachments/assets/2a11830b-f726-45b2-b110-10810ccf63cf

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: cesco-f

x-pack/platform/packages/shared/kbn-streams-schema/index.ts

@@ -212,6 +212,8 @@ export type {
   GeneratedSignificantEventQuery,
   SignificantEventsQueriesGenerationResult,
   SignificantEventsQueriesGenerationTaskResult,
+  LifecycleDetection,
+  EventLifecycleResponse,
 } from './src/api/significant_events';
 export { generatedSignificantEventQuerySchema } from './src/api/significant_events';
 

x-pack/platform/packages/shared/kbn-streams-schema/src/api/significant_events/index.ts

@@ -16,6 +16,9 @@ import {
   type StreamQuery,
 } from '../../queries';
 import type { TaskStatus } from '../../tasks/types';
+import type { Discovery } from '../../sig_events/discoveries';
+import type { Verdict } from '../../sig_events/verdicts';
+import type { SigEvent } from '../../sig_events/events';
 
 /**
  * SignificantEvents Get Response
@@ -123,6 +126,21 @@ type SignificantEventsQueriesGenerationTaskResult =
       status: TaskStatus.Completed | TaskStatus.Acknowledged;
     } & SignificantEventsQueriesGenerationResult);
 
+interface LifecycleDetection {
+  detection_id: string;
+  rule_name?: string;
+  stream_name?: string;
+  change_point_type?: string;
+  detected_at: string;
+}
+
+interface EventLifecycleResponse {
+  detections: LifecycleDetection[];
+  discoveries: Discovery[];
+  verdicts: Verdict[];
+  events: SigEvent[];
+}
+
 export type {
   SignificantEventsResponse,
   SignificantEventsGetResponse,
@@ -131,4 +149,6 @@ export type {
   SignificantEventsGenerateResponse,
   SignificantEventsQueriesGenerationResult,
   SignificantEventsQueriesGenerationTaskResult,
+  LifecycleDetection,
+  EventLifecycleResponse,
 };

x-pack/platform/plugins/shared/streams/server/lib/sig_events/detections/detection_client.ts

@@ -7,14 +7,16 @@
 
 import type { IDataStreamClient } from '@kbn/data-streams';
 import { esql } from '@elastic/esql';
+import type { ESQLAstExpression } from '@elastic/esql/types';
 import type { ElasticsearchClient } from '@kbn/core/server';
 import {
   type CommonSearchOptions,
   type PaginatedSearchOptions,
   type PaginatedResponse,
 } from '../query_utils';
 import {
-  type LatestSourceWhereCondition,
+  andWhere,
+  inFilter,
   runLatestSourceEsqlQuery,
   runPaginatedLatestSourceEsqlQuery,
   runFindByIdEsqlQuery,
@@ -25,6 +27,7 @@ import {
   type StoredDetection,
   type detectionsMappings,
 } from './data_stream';
+import { FIELD_DETECTION_ID } from '../field_names';
 
 export type DetectionDataStreamClient = IDataStreamClient<
   typeof detectionsMappings,
@@ -41,15 +44,6 @@ export interface DetectionsPaginatedSearchOptions extends PaginatedSearchOptions
   rule_name?: string;
 }
 
-const andWhere = (
-  current: LatestSourceWhereCondition | undefined,
-  next: LatestSourceWhereCondition
-): LatestSourceWhereCondition => {
-  return current ? esql.exp`${current} AND ${next}` : next;
-};
-
-const GROUP_BY_FIELD = 'detection_id';
-
 export class DetectionClient {
   constructor(
     private readonly clients: {
@@ -66,13 +60,9 @@ export class DetectionClient {
     });
   }
 
-  private buildWhere(options: DetectionsSearchOptions): LatestSourceWhereCondition | undefined {
-    let where: LatestSourceWhereCondition | undefined;
-
-    const ruleUuidLiterals = options.rule_uuid?.map((ruleUuid) => esql.str(ruleUuid));
-    if (ruleUuidLiterals?.length) {
-      where = andWhere(where, esql.exp`${esql.col('rule_uuid')} IN (${ruleUuidLiterals})`);
-    }
+  private buildWhere(options: DetectionsSearchOptions): ESQLAstExpression | undefined {
+    let where: ESQLAstExpression | undefined;
+    where = inFilter({ where, field: 'rule_uuid', values: options.rule_uuid });
 
     if (options.rule_name) {
       where = andWhere(where, esql.exp`${esql.col('rule_name')} == ${esql.str(options.rule_name)}`);
@@ -88,7 +78,7 @@ export class DetectionClient {
       options,
       index: DETECTIONS_DATA_STREAM,
       where: this.buildWhere(options),
-      groupBy: GROUP_BY_FIELD,
+      groupBy: FIELD_DETECTION_ID,
     });
   }
 
@@ -101,7 +91,7 @@ export class DetectionClient {
       options,
       index: DETECTIONS_DATA_STREAM,
       where: this.buildWhere(options),
-      groupBy: GROUP_BY_FIELD,
+      groupBy: FIELD_DETECTION_ID,
     });
   }
 
@@ -110,7 +100,7 @@ export class DetectionClient {
       esClient: this.clients.esClient,
       space: this.clients.space,
       index: DETECTIONS_DATA_STREAM,
-      idField: GROUP_BY_FIELD,
+      idField: FIELD_DETECTION_ID,
       idValue: detectionId,
     });
   }

x-pack/platform/plugins/shared/streams/server/lib/sig_events/discoveries/discovery_client.ts

@@ -16,21 +16,21 @@ import {
   runLatestSourceEsqlQuery,
   runPaginatedLatestSourceEsqlQuery,
   runFindByIdEsqlQuery,
+  runFindByIdsEsqlQuery,
 } from '../latest_source_query';
 import {
   DISCOVERIES_DATA_STREAM,
   type Discovery,
   type StoredDiscovery,
   type discoveriesMappings,
 } from './data_stream';
+import { FIELD_DISCOVERY_ID, FIELD_DISCOVERY_SLUG } from '../field_names';
 
 export type DiscoveryDataStreamClient = IDataStreamClient<
   typeof discoveriesMappings,
   StoredDiscovery
 >;
 
-const GROUP_BY_FIELD = 'discovery_id';
-
 export class DiscoveryClient {
   constructor(
     private readonly clients: {
@@ -53,7 +53,7 @@ export class DiscoveryClient {
       space: this.clients.space,
       options,
       index: DISCOVERIES_DATA_STREAM,
-      groupBy: GROUP_BY_FIELD,
+      groupBy: FIELD_DISCOVERY_ID,
     });
   }
 
@@ -65,7 +65,7 @@ export class DiscoveryClient {
       space: this.clients.space,
       options,
       index: DISCOVERIES_DATA_STREAM,
-      groupBy: GROUP_BY_FIELD,
+      groupBy: FIELD_DISCOVERY_ID,
     });
   }
 
@@ -74,8 +74,28 @@ export class DiscoveryClient {
       esClient: this.clients.esClient,
       space: this.clients.space,
       index: DISCOVERIES_DATA_STREAM,
-      idField: GROUP_BY_FIELD,
+      idField: FIELD_DISCOVERY_ID,
       idValue: discoveryId,
     });
   }
+
+  async findByIds(discoveryIds: string[]): Promise<{ hits: Discovery[] }> {
+    return runFindByIdsEsqlQuery<Discovery>({
+      esClient: this.clients.esClient,
+      space: this.clients.space,
+      index: DISCOVERIES_DATA_STREAM,
+      idField: FIELD_DISCOVERY_ID,
+      idValues: discoveryIds,
+    });
+  }
+
+  async findBySlug(slug: string): Promise<{ hits: Discovery[] }> {
+    return runFindByIdEsqlQuery<Discovery>({
+      esClient: this.clients.esClient,
+      space: this.clients.space,
+      index: DISCOVERIES_DATA_STREAM,
+      idField: FIELD_DISCOVERY_SLUG,
+      idValue: slug,
+    });
+  }
 }

x-pack/platform/plugins/shared/streams/server/lib/sig_events/events/data_stream.ts

@@ -19,7 +19,13 @@ export const eventsMappings = {
     event_id: mappings.keyword(),
     discovery_id: mappings.keyword(),
     discovery_slug: mappings.keyword(),
+    previous_event_id: mappings.keyword(),
     rule_names: mappings.keyword(),
+    stream_names: mappings.keyword(),
+    verdict: mappings.keyword(),
+    impact: mappings.keyword(),
+    title: mappings.text(),
+    summary: mappings.text(),
   },
 } satisfies MappingsDefinition;
 
@@ -28,7 +34,7 @@ export type { SigEvent };
 
 export const eventsDataStream: DataStreamDefinition<typeof eventsMappings, StoredEvent> = {
   name: EVENTS_DATA_STREAM,
-  version: 2,
+  version: 3,
   hidden: true,
   template: {
     priority: 500,

x-pack/platform/plugins/shared/streams/server/lib/sig_events/events/event_client.ts

@@ -6,13 +6,17 @@
  */
 
 import type { IDataStreamClient } from '@kbn/data-streams';
+import { esql } from '@elastic/esql';
+import type { ESQLAstExpression } from '@elastic/esql/types';
 import type { ElasticsearchClient } from '@kbn/core/server';
 import {
   type CommonSearchOptions,
   type PaginatedSearchOptions,
   type PaginatedResponse,
 } from '../query_utils';
 import {
+  andWhere,
+  inFilter,
   runLatestSourceEsqlQuery,
   runPaginatedLatestSourceEsqlQuery,
   runFindByIdEsqlQuery,
@@ -23,10 +27,17 @@ import {
   type StoredEvent,
   type eventsMappings,
 } from './data_stream';
+import { FIELD_EVENT_ID, FIELD_DISCOVERY_SLUG } from '../field_names';
 
 export type EventDataStreamClient = IDataStreamClient<typeof eventsMappings, StoredEvent>;
 
-const GROUP_BY_FIELD = 'event_id';
+export interface EventsFilterOptions {
+  verdict?: string[];
+  stream?: string[];
+  search?: string;
+}
+
+export interface EventsPaginatedSearchOptions extends PaginatedSearchOptions, EventsFilterOptions {}
 
 export class EventClient {
   constructor(
@@ -37,6 +48,25 @@ export class EventClient {
     }
   ) {}
 
+  private buildWhere(options: EventsFilterOptions): ESQLAstExpression | undefined {
+    let where: ESQLAstExpression | undefined;
+    where = inFilter({ where, field: 'verdict', values: options.verdict });
+    where = inFilter({ where, field: 'stream_names', values: options.stream });
+
+    if (options.search) {
+      const escaped = options.search.toLowerCase().replace(/\\/g, '\\\\').replace(/[*?]/g, '\\$&');
+      const pattern = esql.str(`*${escaped}*`);
+      where = andWhere(
+        where,
+        esql.exp`(TO_LOWER(${esql.col('title')}) LIKE ${pattern} OR TO_LOWER(${esql.col(
+          'summary'
+        )}) LIKE ${pattern})`
+      );
+    }
+
+    return where;
+  }
+
   async bulkCreate(events: SigEvent[]) {
     return this.clients.dataStreamClient.create({
       space: this.clients.space,
@@ -50,19 +80,20 @@ export class EventClient {
       space: this.clients.space,
       options,
       index: EVENTS_DATA_STREAM,
-      groupBy: GROUP_BY_FIELD,
+      groupBy: FIELD_DISCOVERY_SLUG,
     });
   }
 
   async findLatestPaginated(
-    options: PaginatedSearchOptions = {}
+    options: EventsPaginatedSearchOptions = {}
   ): Promise<PaginatedResponse<SigEvent>> {
     return runPaginatedLatestSourceEsqlQuery<SigEvent>({
       esClient: this.clients.esClient,
       space: this.clients.space,
       options,
       index: EVENTS_DATA_STREAM,
-      groupBy: GROUP_BY_FIELD,
+      where: this.buildWhere(options),
+      groupBy: FIELD_DISCOVERY_SLUG,
     });
   }
 
@@ -71,8 +102,18 @@ export class EventClient {
       esClient: this.clients.esClient,
       space: this.clients.space,
       index: EVENTS_DATA_STREAM,
-      idField: GROUP_BY_FIELD,
+      idField: FIELD_EVENT_ID,
       idValue: eventId,
     });
   }
+
+  async findByDiscoverySlug(slug: string): Promise<{ hits: SigEvent[] }> {
+    return runFindByIdEsqlQuery<SigEvent>({
+      esClient: this.clients.esClient,
+      space: this.clients.space,
+      index: EVENTS_DATA_STREAM,
+      idField: FIELD_DISCOVERY_SLUG,
+      idValue: slug,
+    });
+  }
 }

x-pack/platform/plugins/shared/streams/server/lib/sig_events/field_names.ts

@@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const FIELD_EVENT_ID = 'event_id';
+export const FIELD_DETECTION_ID = 'detection_id';
+export const FIELD_DISCOVERY_ID = 'discovery_id';
+export const FIELD_DISCOVERY_SLUG = 'discovery_slug';