refactor(sig-events): rename verdict to status, simplify triage workflow

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: crespocarlos

src/platform/packages/shared/kbn-workflows/managed/definitions/sig_events/discovery.yaml

@@ -405,7 +405,7 @@ steps:
       continue: true
 
   - name: get_active_events
-    # No verdict filter — ES filters BEFORE collapse; post-filtered in compute_active_events_context.
+    # No status filter — ES filters BEFORE collapse; post-filtered in compute_active_events_context.
     type: elasticsearch.request
     with:
       method: POST
@@ -421,7 +421,7 @@ steps:
           includes:
             - discovery_slug
             - title
-            - verdict
+            - status
         query:
           bool:
             filter:
@@ -436,8 +436,8 @@ steps:
   - name: compute_active_events_context
     type: data.set
     with:
-      promoted_events: "${{ steps.get_active_events.output.hits.hits | where: '_source.verdict', 'promoted' | map: '_source' | default: [] }}"
-      acknowledged_events: "${{ steps.get_active_events.output.hits.hits | where: '_source.verdict', 'acknowledged' | map: '_source' | default: [] }}"
+      promoted_events: "${{ steps.get_active_events.output.hits.hits | where: '_source.status', 'promoted' | map: '_source' | default: [] }}"
+      acknowledged_events: "${{ steps.get_active_events.output.hits.hits | where: '_source.status', 'acknowledged' | map: '_source' | default: [] }}"
 
   - name: run_investigator_agent
     # TODO: agent-id and connector-id are config fields and are NOT rendered through Liquid by the
@@ -633,7 +633,7 @@ steps:
           is_not_group: "${{ foreach.item.grouped_discovery_ids == null or foreach.item.grouped_discovery_ids.size == 0 }}"
 
       - name: get_active_event_for_slug
-        # No verdict filter — post-filtered in compute_active_event_for_slug.
+        # No status filter — post-filtered in compute_active_event_for_slug.
         type: elasticsearch.request
         with:
           method: POST
@@ -647,7 +647,7 @@ steps:
                   order: desc
             _source:
               includes:
-                - verdict
+                - status
             query:
               bool:
                 filter:
@@ -663,9 +663,9 @@ steps:
         with:
           has_active_event: >-
             ${{ steps.get_active_event_for_slug.output.hits.total.value > 0
-            and steps.get_active_event_for_slug.output.hits.hits[0]._source.verdict == consts.VERDICT_PROMOTED
+            and steps.get_active_event_for_slug.output.hits.hits[0]._source.status == consts.STATUS_PROMOTED
             or steps.get_active_event_for_slug.output.hits.total.value > 0
-            and steps.get_active_event_for_slug.output.hits.hits[0]._source.verdict == consts.VERDICT_ACKNOWLEDGED }}
+            and steps.get_active_event_for_slug.output.hits.hits[0]._source.status == consts.STATUS_ACKNOWLEDGED }}
 
       - name: check_recent_finding
         if: "${{ foreach.item.detections != null and foreach.item.detections.size > 0 }}"

src/platform/packages/shared/kbn-workflows/managed/definitions/sig_events/index.ts

@@ -46,15 +46,15 @@ export const SIGEVENTS_DISCOVERY_WORKFLOW = {
 export const SIGEVENTS_ORCHESTRATOR_WORKFLOW = {
   id: SIGEVENTS_ORCHESTRATOR_WORKFLOW_ID,
   pluginId: 'streams',
-  version: 8,
+  version: 9,
   yaml: ORCHESTRATOR_YAML,
   management: SIGEVENTS_WORKFLOW_MANAGEMENT,
 } as const satisfies ManagedWorkflowDefinition;
 
 export const SIGEVENTS_TRIAGE_WORKFLOW = {
   id: SIGEVENTS_TRIAGE_WORKFLOW_ID,
   pluginId: 'streams',
-  version: 5,
+  version: 6,
   yaml: TRIAGE_YAML,
   management: SIGEVENTS_WORKFLOW_MANAGEMENT,
 } as const satisfies ManagedWorkflowDefinition;