[Security Solution][Threat Intelligence] convert the IOC flyout to expandable flyout (elastic#231959)

> [!WARNING]
> The PR is a little on the big side, but a lot of the code was just
moved from the `threat_intelligance` folder to the `flyout` folder.

## Summary

This PR converts the flyout used in the Intelligence page from a normal
EUI flyout to the expandable flyout using the [expandable flyout
package](https://github.com/elastic/kibana/tree/main/x-pack/solutions/security/packages/expandable-flyout).

> [!NOTE]
> The PR does not make any UI changes to the flyout content. The
overview, table and json tabs remains identical (outside of the header
of the flyout itself).
> The PR also should not make any UI or behavior changes to the rest of
the application.


Here are some benefit of using the expandable flyout:
- we persist automatically which tab was opened last (in local storage)
and future flyout are reopened on the same tab
- we can better interact with all the other existing flyouts
- we will have the ability to add an expanded state when necessary
- it will facilitate the transition to the new flyout system as it's now
using the same api as the other existing flyouts in Security Solution

#### Flyout interaction remains unchanged on the Intelligence page


https://github.com/user-attachments/assets/bcfe5bfa-2756-46d2-9092-24c38db667bb

#### The add to new case functionality still works as before


https://github.com/user-attachments/assets/c25b0efa-122a-4b35-a156-5b9530d93db3

#### Interaction with Timeline is also working as before


https://github.com/user-attachments/assets/43fbf775-cf3a-48ff-a79d-dcafbb3d40a6

#### Flyout history now has an entry for this new IoC panel


https://github.com/user-attachments/assets/5778d0b8-8fff-4896-86f4-65c5bc338133

## How to test

- ingest some threat intelligence data
- navigate to the Intelligence page and interact with the flyout
- verify all actions in the flyout's take action button
- verify the interaction with the cases page

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.

Author: PhilippeOberti

x-pack/solutions/security/plugins/security_solution/public/flyout/index.tsx

@@ -14,8 +14,8 @@ import type {
   FindingsVulnerabilityPanelExpandableFlyoutPropsNonPreview,
   FindingsVulnerabilityPanelExpandableFlyoutPropsPreview,
 } from '@kbn/cloud-security-posture';
-import { GraphGroupedNodePreviewPanelKey } from '@kbn/cloud-security-posture-graph';
 import type { GraphGroupedNodePreviewPanelProps } from '@kbn/cloud-security-posture-graph';
+import { GraphGroupedNodePreviewPanelKey } from '@kbn/cloud-security-posture-graph';
 import type { GenericEntityDetailsExpandableFlyoutProps } from './entity_details/generic_details_left';
 import {
   GenericEntityDetailsPanel,
@@ -89,6 +89,10 @@ import { AttackDetailsRightPanelKey } from './attack_details/constants/panel_key
 import type { AttackDetailsProps } from './attack_details/types';
 import { AttackDetailsProvider } from './attack_details/context';
 import { AttackDetailsPanel } from './attack_details';
+import type { IOCDetailsProps } from './ioc_details/types';
+import { IOCDetailsProvider } from './ioc_details/context';
+import { IOCPanel } from './ioc_details';
+import { IOCRightPanelKey } from './ioc_details/constants/panel_keys';
 
 const GraphGroupedNodePreviewPanel = React.lazy(() =>
   import('@kbn/cloud-security-posture-graph').then((module) => ({
@@ -286,6 +290,14 @@ const expandableFlyoutDocumentsPanels: ExpandableFlyoutProps['registeredPanels']
       />
     ),
   },
+  {
+    key: IOCRightPanelKey,
+    component: (props) => (
+      <IOCDetailsProvider {...(props as IOCDetailsProps).params}>
+        <IOCPanel path={props.path as IOCDetailsProps['path']} />
+      </IOCDetailsProvider>
+    ),
+  },
 ];
 
 export const SECURITY_SOLUTION_ON_CLOSE_EVENT = `expandable-flyout-on-close-${Flyouts.securitySolution}`;

x-pack/solutions/security/plugins/security_solution/public/flyout/ioc_details/components/block.test.tsx

@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { render } from '@testing-library/react';
+import React from 'react';
+import { IndicatorBlock } from './block';
+import { generateMockIndicator } from '../../../../common/threat_intelligence/types/indicator';
+import { TestProviders } from '../../../common/mock';
+
+const mockIndicator = generateMockIndicator();
+
+describe('IndicatorBlock', () => {
+  it('should render field and value', () => {
+    const { getByText } = render(
+      <TestProviders>
+        <IndicatorBlock field="threat.indicator.ip" indicator={mockIndicator} />
+      </TestProviders>
+    );
+
+    expect(getByText('threat.indicator.ip')).toBeInTheDocument();
+    expect(getByText('0.0.0.0')).toBeInTheDocument();
+  });
+
+  it('should render translated field and value', () => {
+    const { getByText } = render(
+      <TestProviders>
+        <IndicatorBlock field="threat.indicator.name" indicator={mockIndicator} />
+      </TestProviders>
+    );
+
+    expect(getByText('Indicator')).toBeInTheDocument();
+    expect(getByText('0.0.0.0')).toBeInTheDocument();
+  });
+});

…s/indicators/components/flyout/block.tsx …/flyout/ioc_details/components/block.tsxx-pack/solutions/security/plugins/security_solution/public/threat_intelligence/modules/indicators/components/flyout/block.tsx renamed to x-pack/solutions/security/plugins/security_solution/public/flyout/ioc_details/components/block.tsx x-pack/solutions/security/plugins/security_solution/public/threat_intelligence/modules/indicators/components/flyout/block.tsx renamed to x-pack/solutions/security/plugins/security_solution/public/flyout/ioc_details/components/block.tsx

@@ -8,15 +8,15 @@
 import { EuiPanel, EuiSpacer, EuiText } from '@elastic/eui';
 import type { FC } from 'react';
 import React from 'react';
-import type { Indicator } from '../../../../../../common/threat_intelligence/types/indicator';
-import { IndicatorFieldValue } from '../common/field_value';
-import { IndicatorFieldLabel } from '../common/field_label';
+import type { Indicator } from '../../../../common/threat_intelligence/types/indicator';
+import { IndicatorFieldValue } from '../../../threat_intelligence/modules/indicators/components/common/field_value';
+import { IndicatorFieldLabel } from '../../../threat_intelligence/modules/indicators/components/common/field_label';
 import {
   CellActionsMode,
   SecurityCellActions,
   SecurityCellActionsTrigger,
-} from '../../../../../common/components/cell_actions';
-import { getIndicatorFieldAndValue } from '../../utils/field_value';
+} from '../../../common/components/cell_actions';
+import { getIndicatorFieldAndValue } from '../../../threat_intelligence/modules/indicators/utils/field_value';
 
 const panelProps = {
   color: 'subdued' as const,

x-pack/solutions/security/plugins/security_solution/public/flyout/ioc_details/components/empty_prompt.test.tsx

@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { render } from '@testing-library/react';
+import React from 'react';
+import { I18nProvider } from '@kbn/i18n-react';
+import { IndicatorEmptyPrompt } from './empty_prompt';
+
+describe('IndicatorEmptyPrompt', () => {
+  it('should render component', () => {
+    const { getByText } = render(
+      <I18nProvider>
+        <IndicatorEmptyPrompt />
+      </I18nProvider>
+    );
+
+    expect(getByText('Unable to display indicator information')).toBeInTheDocument();
+    expect(
+      getByText('There was an error displaying the indicator fields and values.')
+    ).toBeInTheDocument();
+  });
+});

…ators/components/flyout/empty_prompt.tsx …/ioc_details/components/empty_prompt.tsxx-pack/solutions/security/plugins/security_solution/public/threat_intelligence/modules/indicators/components/flyout/empty_prompt.tsx renamed to x-pack/solutions/security/plugins/security_solution/public/flyout/ioc_details/components/empty_prompt.tsx x-pack/solutions/security/plugins/security_solution/public/threat_intelligence/modules/indicators/components/flyout/empty_prompt.tsx renamed to x-pack/solutions/security/plugins/security_solution/public/flyout/ioc_details/components/empty_prompt.tsx

@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { render } from '@testing-library/react';
+import React from 'react';
+import { I18nProvider } from '@kbn/i18n-react';
+import { IndicatorEmptyPrompt } from './empty_prompt';
+
+describe('IndicatorEmptyPrompt', () => {
+  it('should render component', () => {
+    const { getByText } = render(
+      <I18nProvider>
+        <IndicatorEmptyPrompt />
+      </I18nProvider>
+    );
+
+    expect(getByText('Unable to display indicator information')).toBeInTheDocument();
+    expect(
+      getByText('There was an error displaying the indicator fields and values.')
+    ).toBeInTheDocument();
+  });
+});

x-pack/solutions/security/plugins/security_solution/public/flyout/ioc_details/components/fields_table.test.tsx

@@ -11,14 +11,14 @@ import { FormattedMessage } from '@kbn/i18n-react';
 import type { FC } from 'react';
 import React, { useMemo } from 'react';
 import { css } from '@emotion/react';
-import type { Indicator } from '../../../../../../common/threat_intelligence/types/indicator';
-import { IndicatorFieldValue } from '../common/field_value';
-import { unwrapValue } from '../../utils/unwrap_value';
+import type { Indicator } from '../../../../common/threat_intelligence/types/indicator';
+import { IndicatorFieldValue } from '../../../threat_intelligence/modules/indicators/components/common/field_value';
+import { unwrapValue } from '../../../threat_intelligence/modules/indicators/utils/unwrap_value';
 import {
   CellActionsMode,
   SecurityCellActions,
   SecurityCellActionsTrigger,
-} from '../../../../../common/components/cell_actions';
+} from '../../../common/components/cell_actions';
 
 const euiTableSearchOptions: EuiSearchBarProps = {
   box: {

…ators/components/flyout/fields_table.tsx …/ioc_details/components/fields_table.tsxx-pack/solutions/security/plugins/security_solution/public/threat_intelligence/modules/indicators/components/flyout/fields_table.tsx renamed to x-pack/solutions/security/plugins/security_solution/public/flyout/ioc_details/components/fields_table.tsx x-pack/solutions/security/plugins/security_solution/public/threat_intelligence/modules/indicators/components/flyout/fields_table.tsx renamed to x-pack/solutions/security/plugins/security_solution/public/flyout/ioc_details/components/fields_table.tsx

@@ -5,11 +5,11 @@
  * 2.0.
  */
 
-import React, { useMemo, type FC } from 'react';
+import React, { type FC, useMemo } from 'react';
 import { EuiPanel } from '@elastic/eui';
-import type { Indicator } from '../../../../../../common/threat_intelligence/types/indicator';
-import { RawIndicatorFieldId } from '../../../../../../common/threat_intelligence/types/indicator';
-import { unwrapValue } from '../../utils/unwrap_value';
+import type { Indicator } from '../../../../common/threat_intelligence/types/indicator';
+import { RawIndicatorFieldId } from '../../../../common/threat_intelligence/types/indicator';
+import { unwrapValue } from '../../../threat_intelligence/modules/indicators/utils/unwrap_value';
 import { IndicatorFieldsTable } from './fields_table';
 
 /**

…ents/flyout/highlighted_values_table.tsx …/components/highlighted_values_table.tsxx-pack/solutions/security/plugins/security_solution/public/threat_intelligence/modules/indicators/components/flyout/highlighted_values_table.tsx renamed to x-pack/solutions/security/plugins/security_solution/public/flyout/ioc_details/components/highlighted_values_table.tsx x-pack/solutions/security/plugins/security_solution/public/threat_intelligence/modules/indicators/components/flyout/highlighted_values_table.tsx renamed to x-pack/solutions/security/plugins/security_solution/public/flyout/ioc_details/components/highlighted_values_table.tsx

@@ -7,20 +7,25 @@
 
 import { render } from '@testing-library/react';
 import React from 'react';
-import type { Indicator } from '../../../../../../common/threat_intelligence/types/indicator';
-import { generateMockFileIndicator } from '../../../../../../common/threat_intelligence/types/indicator';
-import { TestProvidersComponent } from '../../../../mocks/test_providers';
-import { TakeAction } from './take_action';
-import { TAKE_ACTION_BUTTON_TEST_ID } from './test_ids';
+import { TAKE_ACTION_BUTTON_TEST_ID, TakeAction } from './take_action';
+import { useIOCDetailsContext } from '../context';
+import { generateMockIndicator } from '../../../../common/threat_intelligence/types/indicator';
+import { TestProviders } from '../../../common/mock';
+
+jest.mock('../context');
 
 describe('TakeAction', () => {
   it('should render an EuiContextMenuPanel', () => {
-    const indicator: Indicator = generateMockFileIndicator();
+    (useIOCDetailsContext as jest.Mock).mockReturnValue({
+      indicator: generateMockIndicator(),
+    });
+
     const { getByTestId, getAllByText } = render(
-      <TestProvidersComponent>
-        <TakeAction indicator={indicator} />
-      </TestProvidersComponent>
+      <TestProviders>
+        <TakeAction />
+      </TestProviders>
     );
+
     expect(getByTestId(TAKE_ACTION_BUTTON_TEST_ID)).toBeInTheDocument();
     expect(getAllByText('Take action')).toHaveLength(1);
   });

…s/components/flyout/take_action.test.tsx …_details/components/take_action.test.tsxx-pack/solutions/security/plugins/security_solution/public/threat_intelligence/modules/indicators/components/flyout/take_action.test.tsx renamed to x-pack/solutions/security/plugins/security_solution/public/flyout/ioc_details/components/take_action.test.tsx x-pack/solutions/security/plugins/security_solution/public/threat_intelligence/modules/indicators/components/flyout/take_action.test.tsx renamed to x-pack/solutions/security/plugins/security_solution/public/flyout/ioc_details/components/take_action.test.tsx

@@ -0,0 +1,108 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import React, { memo, useCallback, useMemo, useState } from 'react';
+import { EuiButton, EuiContextMenuPanel, EuiPopover, useGeneratedHtmlId } from '@elastic/eui';
+import { FormattedMessage } from '@kbn/i18n-react';
+import { BlockListFlyout } from '../../../threat_intelligence/modules/block_list/containers/flyout';
+import { useIOCDetailsContext } from '../context';
+import { canAddToBlockList } from '../../../threat_intelligence/modules/block_list/utils/can_add_to_block_list';
+import { AddToBlockListContextMenu } from '../../../threat_intelligence/modules/block_list/components/add_to_block_list';
+import { AddToNewCase } from '../../../threat_intelligence/modules/cases/components/add_to_new_case';
+import { AddToExistingCase } from '../../../threat_intelligence/modules/cases/components/add_to_existing_case';
+import { InvestigateInTimelineContextMenu } from '../../../threat_intelligence/modules/timeline/components/investigate_in_timeline';
+
+export const TAKE_ACTION_BUTTON_TEST_ID = 'tiIndicatorFlyoutTakeActionButton';
+export const INVESTIGATE_IN_TIMELINE_TEST_ID = 'tiIndicatorFlyoutInvestigateInTimelineContextMenu';
+export const ADD_TO_EXISTING_CASE_TEST_ID = 'tiIndicatorFlyoutAddToExistingCaseContextMenu';
+export const ADD_TO_NEW_CASE_TEST_ID = 'tiIndicatorFlyoutAddToNewCaseContextMenu';
+export const ADD_TO_BLOCK_LIST_TEST_ID = 'tiIndicatorFlyoutAddToBlockListContextMenu';
+
+/**
+ * Component rendered at the bottom of the indicators flyout
+ */
+export const TakeAction = memo(() => {
+  const { indicator } = useIOCDetailsContext();
+
+  const [blockListIndicatorValue, setBlockListIndicatorValue] = useState('');
+  const [isPopoverOpen, setPopover] = useState(false);
+  const smallContextMenuPopoverId = useGeneratedHtmlId({
+    prefix: 'smallContextMenuPopover',
+  });
+
+  const closePopover = useCallback(() => {
+    setPopover(false);
+  }, []);
+
+  const items = useMemo(
+    () => [
+      <InvestigateInTimelineContextMenu
+        key={'investigateInTime'}
+        data={indicator}
+        onClick={closePopover}
+        data-test-subj={INVESTIGATE_IN_TIMELINE_TEST_ID}
+      />,
+      <AddToExistingCase
+        key={'attachmentsExistingCase'}
+        indicator={indicator}
+        onClick={closePopover}
+        data-test-subj={ADD_TO_EXISTING_CASE_TEST_ID}
+      />,
+      <AddToNewCase
+        key={'attachmentsNewCase'}
+        indicator={indicator}
+        onClick={closePopover}
+        data-test-subj={ADD_TO_NEW_CASE_TEST_ID}
+      />,
+      <AddToBlockListContextMenu
+        key={'addToBlocklist'}
+        data={canAddToBlockList(indicator)}
+        onClick={closePopover}
+        data-test-subj={ADD_TO_BLOCK_LIST_TEST_ID}
+        setBlockListIndicatorValue={setBlockListIndicatorValue}
+      />,
+    ],
+    [closePopover, indicator]
+  );
+
+  const button = useMemo(
+    () => (
+      <EuiButton iconType="arrowDown" iconSide="right" onClick={() => setPopover(!isPopoverOpen)}>
+        <FormattedMessage
+          id="xpack.securitySolution.threatIntelligence.indicators.flyout.take-action.button"
+          defaultMessage="Take action"
+        />
+      </EuiButton>
+    ),
+    [isPopoverOpen]
+  );
+
+  return (
+    <>
+      <EuiPopover
+        id={smallContextMenuPopoverId}
+        button={button}
+        isOpen={isPopoverOpen}
+        closePopover={closePopover}
+        panelPaddingSize="none"
+        anchorPosition="downLeft"
+        data-test-subj={TAKE_ACTION_BUTTON_TEST_ID}
+      >
+        <EuiContextMenuPanel size="s" items={items} />
+      </EuiPopover>
+
+      {blockListIndicatorValue && (
+        <BlockListFlyout
+          indicatorFileHash={blockListIndicatorValue}
+          setBlockListIndicatorValue={setBlockListIndicatorValue}
+        />
+      )}
+    </>
+  );
+});
+
+TakeAction.displayName = 'TakeAction';