
[DO NOT MERGE][Security Solution][Attacks/Alerts] POC: Alerts/Attacks promotion#252977

Draft
e40pud wants to merge 90 commits into elastic:main from e40pud:security/attack-alerts-alignment/POC-attack-promotion

Conversation


@e40pud e40pud commented Feb 12, 2026

Summary

This PR introduces a Proof of Concept (POC) for scheduling ad-hoc rule executions within the Alerting framework. This mechanism allows triggering a one-off execution of a rule type using inline parameters and the authenticated user's credentials, without requiring a persistent Rule Saved Object.

Overview

For a detailed explanation of the problem, proposal, and design, please refer to the following overview document.

Key Changes

  1. AdHocExecutionClient: A new client in the Alerting framework dedicated to queuing ad-hoc rule runs. It validates parameters, creates an AdHocRunSO, and schedules the execution task.
  2. Task Runner Updates: The AdHocTaskRunner has been enhanced to execute rules based solely on the context provided in the AdHocRunSO (including a generated API Key), bypassing the need to fetch a Rule Saved Object.
  3. Reuse of Backfill Logic: The implementation reuses existing transformation logic and data structures from the Backfill domain (AdHocRunSO, transformBackfillParamToAdHocRun) to ensure consistency and minimize code duplication.
  4. Security Solution Integration: A new internal API endpoint (POST /internal/attack_discovery/promote) and a corresponding rule executor (security.attack.promotion) demonstrate how this capability enables the "Attack Promotion" workflow.

PR developed with Cursor + Gemini 3 Pro
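As an added illustration, not code from this PR or from Kibana, the TypeScript sketch below models the flow the four points above describe: the client validates the inline parameters before anything is persisted, records the run as an AdHocRunSO that carries a per-run API key, and queues a task; the runner then executes from that record alone, with no rule saved object lookup. Every type shape, the ApiKeyService, the in-memory store and queue, the demo rule types and the choice to invalidate the run's key in a finally block (including on the error path, which the description does not discuss) are assumptions of the sketch; the PR description only states that a generated API key is included in the AdHocRunSO.

```typescript
// Added sketch, not Kibana code: models the ad-hoc run flow the PR describes
// (client validates params, persists an AdHocRunSO with a per-run API key and
// queues a task; the runner executes from that SO alone). Type shapes, the
// ApiKeyService and invalidating the key after the run are assumptions of this sketch.
type RuleParams = Record<string, unknown>;
interface AdHocRunSO {
  id: string; ruleTypeId: string; params: RuleParams; createdBy: string;
  apiKeyId: string; // key generated for this run only (assumed field)
  status: 'pending' | 'running' | 'complete' | 'error';
}
interface RuleType {
  id: string;
  validateParams: (p: RuleParams) => RuleParams; // throws on invalid input
  executor: (ctx: { params: RuleParams; apiKey: string }) => { alertsCreated: number };
}
// Stand-in for platform API key handling: once a run is over its key is
// invalidated, so the credential cannot be reused by anything else.
class ApiKeyService {
  private valid = new Set<string>(); // ids of keys that may still be used
  private seq = 0;
  create(owner: string): string { const id = `key-${owner}-${++this.seq}`; this.valid.add(id); return id; }
  use(id: string): string {
    if (!this.valid.has(id)) throw new Error(`API key ${id} is not usable`);
    return `secret-${id}`; // stands in for the key material
  }
  invalidate(id: string): void { this.valid.delete(id); }
  isValid(id: string): boolean { return this.valid.has(id); }
}
interface Framework {
  registry: Map<string, RuleType>;
  apiKeys: ApiKeyService;
  store: Map<string, AdHocRunSO>; // stands in for the saved-objects index
  queue: string[]; // stands in for the task manager queue
}
class AdHocExecutionClient {
  constructor(private fw: Framework) {}
  schedule(user: string, ruleTypeId: string, params: RuleParams): AdHocRunSO {
    const ruleType = this.fw.registry.get(ruleTypeId);
    if (!ruleType) throw new Error(`unknown rule type ${ruleTypeId}`);
    const validated = ruleType.validateParams(params); // reject before any key or SO exists
    const so: AdHocRunSO = {
      id: `adhoc-${this.fw.store.size + 1}`, ruleTypeId, params: validated, createdBy: user,
      apiKeyId: this.fw.apiKeys.create(user), status: 'pending',
    };
    this.fw.store.set(so.id, so);
    this.fw.queue.push(so.id);
    return so;
  }
}
class AdHocTaskRunner {
  constructor(private fw: Framework) {}
  // Runs the next queued AdHocRunSO using only the context stored in it.
  runNext(): AdHocRunSO | undefined {
    const id = this.fw.queue.shift();
    const so = id === undefined ? undefined : this.fw.store.get(id);
    if (!so) return undefined;
    const ruleType = this.fw.registry.get(so.ruleTypeId);
    so.status = 'running';
    try {
      if (!ruleType) throw new Error(`unknown rule type ${so.ruleTypeId}`);
      ruleType.executor({ params: so.params, apiKey: this.fw.apiKeys.use(so.apiKeyId) });
      so.status = 'complete';
    } catch { so.status = 'error'; }
    finally { this.fw.apiKeys.invalidate(so.apiKeyId); } // one-off run: the key must not outlive it
    return so;
  }
}
// Constructed demo rule types: one standing in for security.attack.promotion,
// one whose executor fails, to show the key is invalidated either way.
const promotionRuleType: RuleType = {
  id: 'security.attack.promotion',
  validateParams: (p) => {
    if (typeof p.attackId !== 'string' || p.attackId === '') throw new Error('attackId required');
    return { attackId: p.attackId };
  },
  executor: () => ({ alertsCreated: 1 }),
};
const failingRuleType: RuleType = {
  id: 'demo.failing', validateParams: (p) => p, executor: () => { throw new Error('executor failed'); },
};
function runDemo() {
  const registry = new Map<string, RuleType>([[promotionRuleType.id, promotionRuleType], [failingRuleType.id, failingRuleType]]);
  const fw: Framework = { registry, apiKeys: new ApiKeyService(), store: new Map(), queue: [] };
  const client = new AdHocExecutionClient(fw), runner = new AdHocTaskRunner(fw);
  let rejected = false;
  try { client.schedule('analyst', promotionRuleType.id, { attackId: '' }); } catch { rejected = true; }
  const ok = client.schedule('analyst', promotionRuleType.id, { attackId: 'attack-123' });
  const bad = client.schedule('analyst', failingRuleType.id, {});
  const [okStatus, badStatus] = [runner.runNext()?.status, runner.runNext()?.status];
  return {
    rejected, runsPersisted: fw.store.size, okStatus, badStatus,
    okKeyValid: fw.apiKeys.isValid(ok.apiKeyId), badKeyValid: fw.apiKeys.isValid(bad.apiKeyId),
    queueEmpty: fw.queue.length === 0,
  };
}
```

Two points in the sketch carry the security weight. Validation runs before the API key is minted or the AdHocRunSO is written, so a malformed request never leaves a credential or a queued task behind. The key is invalidated in a finally block, so a credential issued for a single execution stops working when that execution ends, whether it completed or failed; without that step an ad-hoc run would leave a live key tied to the requesting user in storage.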

@e40pud e40pud self-assigned this Feb 12, 2026
@e40pud e40pud added the labels release_note:skip (Skip the PR/issue when compiling release notes), backport:skip (This PR does not require backporting) and Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.) on Feb 12, 2026
coderabbitai Bot commented Mar 5, 2026

Important: Review skipped. Auto reviews are limited based on label configuration.

🏷️ Required labels (at least one) (6)
  • reviewer:coderabbit
  • Team:Search
  • Team:Operations
  • Team:QA
  • Team:SigEvents
  • Team:Kibana Management

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

e40pud added 30 commits April 10, 2026 16:44