
[Security Solution] Alert deduping, alert grouping, incremental AD & AD attachment type #254356

Closed
patrykkopycinski wants to merge 1 commit into elastic:main from patrykkopycinski:feature/alert-deduping-ad

Conversation

@patrykkopycinski
Contributor

@patrykkopycinski patrykkopycinski commented Feb 23, 2026

Summary

This PR introduces several related improvements to Attack Discovery (AD), alert grouping, and the Cases integration:

Alert Deduping & Grouping

  • Enhanced alert grouping components (kbn-grouping) with improved group stats rendering
  • Updated alert sub-grouping in detections table
  • Added experimental feature flags for alert deduping capabilities
  • Updated alert page filters and KPI panels to support new grouping context

Incremental Attack Discovery

  • Extended the default AD graph with incremental discovery support
  • Enhanced the anonymized alerts retriever to support deduplication of previously-seen alerts
  • Updated generate_and_update_discoveries to support incremental generation flow
  • Added alertsIndexPattern propagation through the AD graph pipeline

Attack Discovery Case Attachment Type

  • New Cases attachment type for Attack Discoveries (attack_discovery_attachment_type.tsx)
  • Cases plugin integration: case_view_attack_discoveries.tsx component, attack_discovery_integration service
  • New constants and domain types for AD attachments in Cases common
  • Updated use_case_attachment_tabs to support the new AD tab
  • Security Solution case attachment renderers (content, event, lazy loaders)

Agent Builder Integration

  • New security_attack_discovery_skill for agent builder
  • Enhanced agent builder attachment types: attack_discovery.ts, case.ts, timeline.ts
  • Extended existing alert.ts and rule.ts attachments with richer metadata
  • Updated attack_discovery_search_tool with improved search capabilities

Attacks Page Cleanup

  • Simplified attack group take-action items (removed redundant bulk action hooks)
  • Consolidated investigate-in-timeline context menu items
  • Removed unused AI assistant context menu items from attacks bulk actions

Elastic Assistant Plugin

  • Extended plugin types and routes to support AD case integration
  • Updated kibana.jsonc and tsconfig.json for new dependencies

Test plan

  • Verify alert grouping renders correctly with group stats
  • Test incremental AD generation produces deduplicated results
  • Verify AD attachment appears in case view tabs
  • Test agent builder AD skill and search tool
  • Verify attacks page bulk actions work after cleanup
  • Confirm experimental feature flags gate the new functionality

Production-Readiness Checklist — Agent Skills Ecosystem

Generated against [Epic] Creation of the Agent Skills Ecosystem for Elastic Security.

Narrative role: Alert Deduplication skill — the upstream noise reduction node in the epic's skill graph, feeding Triage and Attack Discovery.

Must-do before this can ship

  • Split this PR into four independently-reviewable pieces:
    • kbn-grouping group-stats improvements
    • Dedup feature flags + client
    • Incremental AD graph hook
    • AD Cases attachment type
  • Define when dedup runs. The vision places it before triage/AD, so it must be a pipeline step / background task — not a UI filter (today's PR is UI-centric)
  • Publish per-rule reduction-ratio telemetry (alerts_in / alerts_out) so downstream "feeds deduplicated clusters to Triage" is measurable
  • Jaccard + meaningful-word dedup threshold needs an @kbn/evals suite with labeled ground truth — without it tuning is guesswork
  • Consolidate the AD Cases attachment onto unified attachment v2 (coordinate with #260544 and #257708); do not land a bespoke attachment type
  • Coordinate scope with #257949 XDR Correlation — both do alert grouping. Write an RFC before merging either
  • All new functionality dark-by-default behind the experimental flags already declared in the PR

Follow-ups (post-merge)

  • Emit dedup events as attachments on Attack Discoveries (durable artifact pillar)
  • Expose dedup output as an Agent Builder tool so the AI Triage skill can request a clustered view of an entity's alerts

…nd related changes

Includes:
- Alert deduping and grouping changes (kbn-grouping, detections)
- Incremental Attack Discovery graph and retriever changes
- Attack Discovery case attachment type (cases plugin integration)
- AD search tool and skill for agent builder
- Case integration for attack discoveries
- Experimental features for alert deduping
- Agent builder attachment types (alert, case, rule, timeline, attack_discovery)
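The checklist above asks for a Jaccard-plus-meaningful-word dedup threshold that is tuned against labeled ground truth, and for per-rule alerts_in / alerts_out telemetry. The following TypeScript sketch is an added illustration of those pieces and is not code from this PR or from Kibana: tokenization into "meaningful words", greedy Jaccard clustering of alerts that share a rule, the reduction ratio, and a pairwise precision/recall check against analyst-assigned cluster labels. The `Alert` shape, the stopword list, the sample alerts and the labels are all constructed for the example.

```typescript
// Added example, not Kibana's implementation. All alert data is constructed.

interface Alert {
  id: string;
  ruleName: string;
  hostName: string;
  userName: string;
  processCommandLine: string;
}

// Constructed stopword list; a real deployment would tune this per data source.
const STOPWORDS = new Set(['the', 'a', 'an', 'on', 'of', 'to', 'in', 'and', 'by', 'with', 'from']);

// Turn an alert's text fields into a set of "meaningful" words: lower-cased,
// split on anything that is not alphanumeric, '_', '.', or '-', with short
// tokens and stopwords removed.
function meaningfulWords(alert: Alert): Set<string> {
  const text = [alert.ruleName, alert.hostName, alert.userName, alert.processCommandLine].join(' ');
  const words = text
    .toLowerCase()
    .split(/[^a-z0-9_.-]+/)
    .filter((w) => w.length > 2 && !STOPWORDS.has(w));
  return new Set(words);
}

// Jaccard similarity |A ∩ B| / |A ∪ B|; two empty sets count as identical.
function jaccard(a: Set<string>, b: Set<string>): number {
  if (a.size === 0 && b.size === 0) return 1;
  let inter = 0;
  a.forEach((w) => { if (b.has(w)) inter++; });
  return inter / (a.size + b.size - inter);
}

interface DedupResult {
  clusters: Alert[][]; // first element of each cluster is its representative
  alertsIn: number;
  alertsOut: number;
  reductionRatio: number; // alertsOut / alertsIn, the telemetry the checklist asks for
}

// Greedy single pass: an alert joins the first cluster whose representative
// shares its rule and is at least `threshold` similar, otherwise starts a new
// cluster. Alerts from different rules are never merged.
function dedupAlerts(alerts: Alert[], threshold: number): DedupResult {
  const clusters: Alert[][] = [];
  const reps: Set<string>[] = [];
  for (const alert of alerts) {
    const words = meaningfulWords(alert);
    let placed = false;
    for (let i = 0; i < clusters.length; i++) {
      if (clusters[i][0].ruleName === alert.ruleName && jaccard(reps[i], words) >= threshold) {
        clusters[i].push(alert);
        placed = true;
        break;
      }
    }
    if (!placed) {
      clusters.push([alert]);
      reps.push(words);
    }
  }
  const alertsOut = clusters.length;
  return {
    clusters,
    alertsIn: alerts.length,
    alertsOut,
    reductionRatio: alerts.length === 0 ? 1 : alertsOut / alerts.length,
  };
}

// Ground-truth check: `truth` maps alert id -> analyst cluster label. Every pair
// of alerts is scored on whether "same cluster" was predicted correctly, giving
// the pairwise precision/recall a threshold should be tuned against.
function evaluatePairwise(result: DedupResult, truth: Record<string, string>) {
  const predicted = new Map<string, number>();
  result.clusters.forEach((c, i) => c.forEach((a) => predicted.set(a.id, i)));
  const ids = Object.keys(truth);
  let tp = 0, fp = 0, fn = 0;
  for (let i = 0; i < ids.length; i++) {
    for (let j = i + 1; j < ids.length; j++) {
      const samePred = predicted.get(ids[i]) === predicted.get(ids[j]);
      const sameTruth = truth[ids[i]] === truth[ids[j]];
      if (samePred && sameTruth) tp++;
      else if (samePred && !sameTruth) fp++;
      else if (!samePred && sameTruth) fn++;
    }
  }
  const precision = tp + fp === 0 ? 1 : tp / (tp + fp);
  const recall = tp + fn === 0 ? 1 : tp / (tp + fn);
  return { tp, fp, fn, precision, recall };
}

// Constructed sample: two near-duplicate alerts on one host, one distinct alert.
const SAMPLE_ALERTS: Alert[] = [
  { id: 'a1', ruleName: 'Unusual Process From Temp Directory', hostName: 'ws-042', userName: 'jdoe', processCommandLine: 'C:\\Temp\\updater.exe --silent' },
  { id: 'a2', ruleName: 'Unusual Process From Temp Directory', hostName: 'ws-042', userName: 'jdoe', processCommandLine: 'C:\\Temp\\updater.exe --silent --retry' },
  { id: 'a3', ruleName: 'Unusual Process From Temp Directory', hostName: 'srv-db-01', userName: 'svc_backup', processCommandLine: 'C:\\Temp\\cleanup.exe' },
];
// Constructed analyst labels: a1 and a2 are one incident, a3 is separate.
const SAMPLE_TRUTH: Record<string, string> = { a1: 'c1', a2: 'c1', a3: 'c2' };
```

With a threshold of 0.7 the sample collapses three alerts into two clusters (reduction ratio 2/3) and matches the labels exactly; raising it to 0.95 keeps all three apart and recall drops to zero, which is the kind of trade-off an evals suite with labeled data makes visible.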
@elasticmachine
Contributor

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

  • Click to trigger kibana-pull-request for this PR!
  • Click to trigger kibana-deploy-project-from-pr for this PR!
  • Click to trigger kibana-deploy-cloud-from-pr for this PR!
  • Click to trigger kibana-entity-store-performance-from-pr for this PR!
  • Click to trigger kibana-storybooks-from-pr for this PR!
