[Security Solution][Attacks/Alerts][Attacks page][KPIs section][Summary tab] Attack volume over time (#232607)

[e40pud]

Summary

Closes #232607

This PR introduces the Attacks Volume Panel to the Attacks page Summary view. It displays a line chart showing the volume of unique attacks detected over time.

Key Features

• "Attacks volume over time" Chart: A line chart visualization using @elastic/charts.
• Accurate Time Representation: Uses a two-step querying strategy to fetch actual attack start times:
  1. Aggregation Query: Retrieves unique kibana.alert.attack_ids within the time range from both alerts and attacks indices.
  2. Details Query: Fetches the exact kibana.alert.start (or @timestamp) for each unique attack ID from the attacks index.
• Dynamic Time Window: The chart's x-axis automatically extends to include the genesis of any attack detected within the selected time range, ensuring visibility of long-running attacks that started before the current window.
• Responsive Design: Uses EuiLoadingChart for loading states and responsive container sizing.

Technical Implementation

Components & Hooks

• AttacksVolumePanel: Main component rendering the chart.
• useAttacksVolumeData: Orchestrator hook that combines data fetching and processing.
• useAttackIds: Hook responsible for the first step: getting unique attack IDs via terms aggregation.
• useAttackTimestamps: Hook responsible for the second step: getting precise timestamps for those IDs.

Advanced Setting

1. Enable the enableAlertsAndAttacksAlignment experimental feature flag in kibana.dev.yml or kibana.yml:

   xpack.securitySolution.enableExperimental: ['enableAlertsAndAttacksAlignment']

2. Navigate to Stack Management > Advanced Settings > Space Settings > Security Solution.
3. Find the setting Enable alerts and attacks alignment (securitySolution:enableAlertsAndAttacksAlignment).
4. Enable the setting and save.
5. Refresh the page if necessary.

Screenshot

---

PR developed with Cursor + Gemini 3 Pro

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

[NicholasPeretti]

Desk tested and works as expected! Great job! ☺️ 🚀

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 5e116d8

Failed CI Steps

• FTR Configs #74
• Scout: [ platform / fleet ] plugin

Test Failures

• [job] [logs] FTR Configs #74 / Actions and Triggers app - Rules Rule Details Header should snooze the rule for a set duration
• [job] [logs] Scout: [ platform / fleet ] plugin / Integrations are visible but cannot be added
• [job] [logs] Scout: [ platform / fleet ] plugin / stateful - When the user has All privileges for Integrations but None for Fleet - Integrations are visible but cannot be added

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	8709	8717	+8

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	10.8MB	10.9MB	+4.7KB

cc @e40pud