[Security Solution] [142435] add is one of operator

[jamster10]

Summary

This PR adds support for an is one of operator allowing users to filter multiple values for one field.

Some investigation by @andrew-goldstein revealed that since the underlying engine uses Lucene, we can add support for multiple values by using an OR query:

kibana.alert.workflow_status: ("open" OR "closed" OR "acknowledged") is equivalent to

"terms": {
      "kibana.alert.workflow_status": [ "open", "closed", "acknowledged"]
    }

Where the former is usable in our DataProviders used by timeline and other components that navigate a user to a pre-populated timeline.

As an enhancement to the timeline view, users can also use this is one of operator by interacting with the Add field button and selecting the new operator.

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios

Known issues

This operator does not support timeline templates at this time so usage there disables the ability for conversion to template field but a better approach should be implemented to notify users. #142437. For now I have added a template message and prevented users from creating templates with this operator:

Testing

Create a new timeline or visit an existing one.
Click 'Add field' button on Timeline in OR query section
add any field ( preferably one that can have many values- consider kibana.alerts.workflow_status but this requires alerts.
Select the is one of or is not one of operator
Add or remove values in the value section.
Click save.

[andrew-goldstein]

@jamster10 thanks for enhancing Timeline's Data Providers to implement the is one of and is not one of operators! 🙏

• For users, this feature adds additional expressiveness to Timeline's query builder
• For developers, existing Investigate in timeline actions may, pending addtional support for overriding labels, integrate with this feature to use Data Providers instead of filters

Desk tested locally

LGTM 🚀

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 65abc5b

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	3302	3305	+3

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	9.7MB	9.7MB	-300.0B
timelines	74.7KB	74.7KB	-4.0B
total			-304.0B

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
timelines	139.0KB	139.8KB	+816.0B

Unknown metric groups

ESLint disabled in files

id	before	after	diff
osquery	1	2	+1

ESLint disabled line counts

id	before	after	diff
enterpriseSearch	19	21	+2
fleet	59	65	+6
osquery	108	113	+5
securitySolution	441	447	+6
total			+19

Total ESLint disabled count

id	before	after	diff
enterpriseSearch	20	22	+2
fleet	67	73	+6
osquery	109	115	+6
securitySolution	518	524	+6
total			+20

History

• 💔 Build #88283 failed fcad40d
• 💔 Build #88270 failed cc9d2cc
• 💔 Build #88088 failed 7307630
• 💔 Build #88023 failed a4c41fb
• 💔 Build #87713 failed c32be57
• 💔 Build #87665 failed aee9d98

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @jamster10