[Security Solution][Attacks/Alerts] Add a possibility to see both filtered out along the filtered in alerts (#17468) #271975

Open

e40pud wants to merge 5 commits into elastic:main from e40pud:security/attack-alerts-alignment/17468-filtered-alerts
Conversation

@e40pud (Contributor)

@e40pud e40pud commented May 29, 2026

Summary

Closes https://github.com/elastic/security-team/issues/17468.

This PR implements the "always show all alerts" behavior on the Unified Attacks page, in accordance with the design team's recommendations.

By default, the Alerts Tab within an attack's details will now display all alerts associated with the attack, regardless of active grouping filters. Alerts that do not match the current filters are visually de-emphasized using a grey background (the Base/Disabled color).

Key changes:

  • Added a new use_filtered_related_alert_ids hook to determine which alert IDs match the active filters.
  • Updated the AlertsTab to override the native AlertsTable query with all attack alert IDs, and selectively highlight rows that have been filtered out.
  • Added a conditional info EuiCallOut above the table to explain the filtering behavior ("This filter applies to attacks, not individual alerts. Grey rows may not include the filtered field.") when grouping filters are applied and at least one alert is filtered out.
  • Embedded an EuiSwitch inside the callout to allow users to toggle back to the "Show matching alerts only" mode.
  • Ensured the toggle state is persisted across attacks using useLocalStorage.
  • Added telemetry tracking (AttacksEventTypes.ViewOptionChanged) for when the "Show matching alerts only" toggle is interacted with, capturing the option name as showMatchingAlertsOnly.
  • Updated useGroupStats to calculate the total alerts count using the getAttack helper instead of relying on the filtered bucket count.

Verification Steps

  1. Navigate to the Unified Attacks page.
  2. Apply a filter and observe the attack group stats.
  3. Verify that the "Alerts:" count under the attack group reflects the true total alerts of the attack, and not the filtered subset.
  4. Expand an attack group.
  5. Observe that the Alerts tab displays all alerts related to the attack.
  6. Verify that alerts missing the filtered field (filtered-out alerts) are highlighted with a grey background.
  7. Verify the info callout appears above the table explaining the grey rows.
  8. Toggle the "Show matching alerts only" switch in the callout.
  9. Verify the table refreshes to only show alerts matching the filter, removing the grey highlighting and the info callout.
  10. Collapse the attack group and open a different attack group. Verify the toggle state was persisted.

Screenshots

[Screenshot taken 2026-05-29 at 19:06:45; image not included in this copy]

PR developed with Cursor + Gemini 3.1 Pro
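The following is an added illustration, not code from this PR or from Kibana: it models the filtered-in / filtered-out split that the use_filtered_related_alert_ids hook is described as computing, the condition under which the info callout is shown, and a persisted "Show matching alerts only" toggle. The field shapes, the storage key name and the sample alerts are assumptions constructed for the example.

```typescript
// Added example, not the PR's code: filtered-in / filtered-out split, callout condition,
// and the persisted "Show matching alerts only" toggle. Shapes and key name are assumed.
export interface AlertDoc { id: string; fields: Record<string, unknown> }
export interface GroupingFilter { field: string; value: unknown }
export interface AlertsTabRows { ids: string[]; filteredOutIds: Set<string>; showCallout: boolean }

// An alert matches when every active grouping filter finds its value on the alert.
// A missing field never matches, which is the "grey row" case the PR describes.
export function matchesFilters(alert: AlertDoc, filters: GroupingFilter[]): boolean {
  return filters.every(({ field, value }) => {
    const v = alert.fields[field];
    if (v === undefined) return false;
    return Array.isArray(v) ? v.includes(value) : v === value;
  });
}

// Default mode: every related alert is listed, non-matching ones are marked for
// de-emphasis, and the callout appears only when a filter is active and removes something.
// "Show matching only" mode: the table query is narrowed and nothing is greyed out.
export function buildAlertsTabRows(
  alerts: AlertDoc[], filters: GroupingFilter[], showMatchingOnly: boolean
): AlertsTabRows {
  const allIds = alerts.map((a) => a.id);
  const filteredOutIds = new Set(alerts.filter((a) => !matchesFilters(a, filters)).map((a) => a.id));
  if (showMatchingOnly) {
    return { ids: allIds.filter((id) => !filteredOutIds.has(id)), filteredOutIds: new Set(), showCallout: false };
  }
  return { ids: allIds, filteredOutIds, showCallout: filters.length > 0 && filteredOutIds.size > 0 };
}

// Toggle persistence behind a Storage-like interface, so the same code works against
// window.localStorage in the browser and an in-memory store here.
type KeyValueStore = { getItem(key: string): string | null; setItem(key: string, value: string): void };
const TOGGLE_KEY = 'securitySolution.attacks.showMatchingAlertsOnly'; // assumed key, not from the PR
export function readShowMatchingOnly(store: KeyValueStore): boolean { return store.getItem(TOGGLE_KEY) === 'true'; }
export function writeShowMatchingOnly(store: KeyValueStore, on: boolean): void { store.setItem(TOGGLE_KEY, String(on)); }
export function memoryStore(): KeyValueStore {
  const m = new Map<string, string>();
  return { getItem: (k) => m.get(k) ?? null, setItem: (k, v) => { m.set(k, v); } };
}

// Constructed sample: one attack with three related alerts, grouped by host.name.
export const SAMPLE_FILTERS: GroupingFilter[] = [{ field: 'host.name', value: 'web-01' }];
export const SAMPLE_ALERTS: AlertDoc[] = [
  { id: 'a1', fields: { 'host.name': 'web-01', 'event.category': ['process'] } },
  { id: 'a2', fields: { 'event.category': ['network'] } }, // host.name missing -> grey row
  { id: 'a3', fields: { 'host.name': 'db-02' } },          // different host -> grey row
];
```

With the sample input, default mode lists a1, a2 and a3 and greys out a2 and a3 with the callout shown; switching the toggle on narrows the list to a1 and hides the callout, matching verification steps 5 through 9.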

@e40pud e40pud self-assigned this May 29, 2026
@e40pud e40pud requested a review from a team as a code owner May 29, 2026 17:31
@e40pud e40pud added release_note:skip Skip the PR/issue when compiling release notes backport:skip This PR does not require backporting Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Threat Hunting Investigations Team labels May 29, 2026
@infra-vault-gh-plugin-prod: Pinging @elastic/security-solution (Team: SecuritySolution)

@infra-vault-gh-plugin-prod: Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@infra-vault-gh-plugin-prod: Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

@e40pud (Contributor, Author)

e40pud commented May 30, 2026

/ci

@kibanamachine (Contributor)

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #41 / Alerting bulkMuteUnmute bulk mute should mute multiple alert instances for a single rule
  • [job] [logs] FTR Configs #150 / Cloud Security Posture - Group 5 (KSPM + Flyouts) Security Alerts Page - Graph visualization expanded flyout - filter by node

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id                 before   after   diff
securitySolution   9585     9586    +1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id                 before   after    diff
securitySolution   12.1MB   12.1MB   +3.5KB

cc @e40pud
