[Security Solution][Attacks/Alerts] Add a possibility to see both filtered out along the filtered in alerts (#17468)

[e40pud]

Summary

Closes https://github.com/elastic/security-team/issues/17468.

This PR implements the "always show all alerts" behavior on the Unified Attacks page, in accordance with the design team's recommendations.

By default, the Alerts Tab within an attack's details will now display all alerts associated with the attack, regardless of active grouping filters. Alerts that do not match the current filters are visually de-emphasized using a grey background (the Base/Disabled color).

Key changes:

• Added a new use_filtered_related_alert_ids hook to determine which alert IDs match the active filters.
• Updated the AlertsTab to override the native AlertsTable query with all attack alert IDs, and selectively highlight rows that have been filtered out.
• Added a conditional info EuiCallOut above the table to explain the filtering behavior ("This filter applies to attacks, not individual alerts. Grey rows may not include the filtered field.") when grouping filters are applied and at least one alert is filtered out.
• Embedded an EuiSwitch inside the callout to allow users to toggle back to the "Show matching alerts only" mode.
• Ensured the toggle state is persisted across attacks using useLocalStorage.
• Added telemetry tracking (AttacksEventTypes.ViewOptionChanged) for when the "Show matching alerts only" toggle is interacted with, capturing the option name as showMatchingAlertsOnly.

Verification Steps

1. Navigate to the Unified Attacks page.
2. Apply a filter and expand an attack group.
3. Observe that the Alerts tab displays all alerts related to the attack.
4. Verify that alerts missing the filtered field (filtered-out alerts) are highlighted with a grey background.
5. Verify the info callout appears above the table explaining the grey rows.
6. Toggle the "Show matching alerts only" switch in the callout.
7. Verify the table refreshes to only show alerts matching the filter, removing the grey highlighting and the info callout.
8. Collapse the attack group and open a different attack group. Verify the toggle state was persisted.

Screenshots

---

PR developed with Cursor + Gemini 3.1 Pro

[infra-vault-gh-plugin-prod]

Pinging @elastic/security-solution (Team: SecuritySolution)

[infra-vault-gh-plugin-prod]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[infra-vault-gh-plugin-prod]

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

[e40pud]

/ci

[kibanamachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: df4a6bb
• Build duration: 50 mins

Failed CI Steps

• FTR Configs #42
• FTR Configs #123
• FTR Configs #192
• Defend Workflows Cypress Tests on Serverless #5
• Serverless Rule Management - Security Solution Cypress Tests #7
• Serverless Rule Management - Prebuilt Rules Installation - Security Solution Cypress Tests #2
• Osquery Cypress Tests #2

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	9585	9586	+1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	12.1MB	12.1MB	+3.4KB

History

• 💔 Build #450655 failed df4a6bb
• 💚 Build #450548 succeeded 99bfac6
• 💛 Build #450500 was flaky 9969cf2

cc @e40pud