[Security Solution][Entity Analytics][Risk Score] Add Risk Scoring Alert Filtering - Frontend Implementation (#238004)

## Summary

This PR implements the frontend user interface for Risk Scoring Alert
Filtering in Entity Analytics. Users can now create and manage KQL-based
filters to target specific entity types (Users, Hosts, Services) during
risk score calculations.

## Design Implementation

- Based on the [Figma
mockups](https://www.figma.com/design/IKQr6HbQPAdFws9i7Ikcx9/-8.15-9.2--Entity-Analytics?node-id=7131-49715&t=8Z3JSBzT4pZ2HkXZ-0),
this implementation provides:
- KQL Search Bar with field suggestions
- Filter Management with visual chips and entity targeting
- Save Functionality with persistent storage


## User Interface

### Filter Creation Flow

- User types in KQL search bar (e.g., user.name: "root")
- Field suggestions appear as they type
- Press Enter to create a filter chip
- Select target entities (Users, Hosts, Services)
- Click "Save changes" to persist filters

### Filter Management

- Remove Individual Filters: Cross button on each filter chip
- Remove Entire Filter: Cross button at the end of each filter row
- Visual Feedback: Green values, proper spacing, and clear hierarchy

Screenshot : 

<img width="1913" height="881" alt="image"
src="https://github.com/user-attachments/assets/69c375d5-e3de-41ae-bd36-2dd6ca24fe9e"
/>


<img width="1918" height="930" alt="image"
src="https://github.com/user-attachments/assets/b5c6cf31-e8bc-404d-aec8-6c929d0ce2f4"
/>


### Checklist

Check the PR satisfies following conditions. 

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport
guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)
and apply applicable `backport:*` labels.

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Tiago Vila Verde <[email protected]>

Author: 3 people

x-pack/solutions/security/plugins/security_solution/public/entity_analytics/api/api.ts

@@ -35,6 +35,7 @@ import type {
   SearchPrivilegesIndicesResponse,
   UpdateEntitySourceResponse,
   UploadAssetCriticalityRecordsResponse,
+  ConfigureRiskEngineSavedObjectRequestBodyInput,
 } from '../../../common/api/entity_analytics';
 import {
   API_VERSIONS,
@@ -440,7 +441,9 @@ export const useEntityAnalyticsRoutes = () => {
         method: 'DELETE',
       });
 
-    const updateSavedObjectConfiguration = (params: {}) =>
+    const updateSavedObjectConfiguration = (
+      params: ConfigureRiskEngineSavedObjectRequestBodyInput
+    ) =>
       http.fetch(RISK_ENGINE_CONFIGURE_SO_URL, {
         version: API_VERSIONS.public.v1,
         method: 'PUT',

x-pack/solutions/security/plugins/security_solution/public/entity_analytics/api/hooks/use_configure_risk_engine_saved_object.ts

@@ -9,12 +9,16 @@ import type { UseMutationOptions } from '@kbn/react-query';
 import { useMutation } from '@kbn/react-query';
 import type { TaskManagerUnavailableResponse } from '../../../../common/api/entity_analytics/common';
 import { useEntityAnalyticsRoutes } from '../api';
-import type { ConfigureRiskEngineSavedObjectResponse } from '../../../../common/api/entity_analytics/risk_engine/engine_configure_saved_object_route.gen';
+import type {
+  ConfigureRiskEngineSavedObjectRequestBody,
+  ConfigureRiskEngineSavedObjectResponse,
+} from '../../../../common/api/entity_analytics/risk_engine/engine_configure_saved_object_route.gen';
 
 interface ConfigureRiskEngineParams {
   includeClosedAlerts: boolean;
   range: { start: string; end: string };
   enableResetToZero: boolean;
+  filters?: ConfigureRiskEngineSavedObjectRequestBody['filters'];
 }
 
 export const useConfigureSORiskEngineMutation = (
@@ -35,6 +39,7 @@ export const useConfigureSORiskEngineMutation = (
       exclude_alert_statuses: params.includeClosedAlerts ? [] : ['closed'],
       range: params.range,
       enable_reset_to_zero: params.enableResetToZero,
+      filters: params.filters,
     });
     return { risk_engine_saved_object_configured: true };
   }, options);

x-pack/solutions/security/plugins/security_solution/public/entity_analytics/api/hooks/use_preview_risk_scores.ts

@@ -10,25 +10,39 @@ import type { RiskScoresPreviewRequest } from '../../../../common/api/entity_ana
 import { useEntityAnalyticsRoutes } from '../api';
 
 export type UseRiskScorePreviewParams = Omit<RiskScoresPreviewRequest, 'data_view_id'> & {
-  data_view_id?: string;
+  data_view_id?: RiskScoresPreviewRequest['data_view_id'];
 };
 
 export const useRiskScorePreview = ({
   data_view_id: dataViewId,
   range,
   filter,
   exclude_alert_statuses: excludeAlertStatuses,
+  filters,
+  ...otherParams
 }: UseRiskScorePreviewParams) => {
   const { fetchRiskScorePreview } = useEntityAnalyticsRoutes();
+  const serializedOtherParams = otherParams ? JSON.stringify(otherParams) : null;
 
   return useQuery(
-    ['POST', 'FETCH_PREVIEW_RISK_SCORE', range, filter, excludeAlertStatuses],
+    [
+      'POST',
+      'FETCH_PREVIEW_RISK_SCORE',
+      range,
+      filter,
+      excludeAlertStatuses,
+      filters,
+      serializedOtherParams,
+    ],
     async ({ signal }) => {
       if (!dataViewId) {
         return;
       }
 
-      const params: RiskScoresPreviewRequest = { data_view_id: dataViewId };
+      const params: RiskScoresPreviewRequest = {
+        data_view_id: dataViewId,
+        ...otherParams,
+      };
       if (range) {
         const startTime = dateMath.parse(range.start)?.utc().toISOString();
         const endTime = dateMath
@@ -54,6 +68,10 @@ export const useRiskScorePreview = ({
         params.exclude_alert_statuses = excludeAlertStatuses;
       }
 
+      if (filters && filters.length > 0) {
+        params.filters = filters;
+      }
+
       const response = await fetchRiskScorePreview({ signal, params });
 
       return response;