[Security Solution] expandable flyout - prevalence data is calculated from 30d to now

[PhilippeOberti]

Summary

This previous PRs added the prevalence summary and the prevalence detail components to the expandable flyout right and left sections respectively.

This PR modifies the way the data is queried: instead of fetching some prevalence data. It was previously using a dynamic from/to time interval that was retrieved from timeline if timeline is active, or from the KQL bar. We're now retrieving prevalence information for the last 30 days (similar to the threat intelligence data). Changes have been made to the following hooks:

• useFetchFieldValuePairByEventType that retrieves all the unique hosts in the environment that have the field/value pair
• useFetchFieldValuePairWithAggregation that retrieves all the unique documents for the aggregationField in the environment that have the field/value pair

This PR shouldn't introduce any visual changes.

A follow up PR will add a datetime picker to the left section, to allow users to select a specific time range for the prevalence table.

https://github.com/elastic/security-team/issues/7014

Checklist

Delete any items that are not applicable to this PR.

• Unit or functional tests were updated or added to match the most common scenarios

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: fb58785

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	15.6MB	15.6MB	-1.3KB

History

• 💔 Build #146280 failed 678f20738a92a538dd6cf235e094199efde7bb31
• 💔 Build #146009 failed 6ecae1b
• 💔 Build #145979 failed fac29d94f9662cf526722f0cec54e4afa4556224
• 💔 Build #145963 failed 9b0d8462ab616294b62200794d774b2f28d0c3b0
• 💔 Build #145930 failed ba2f9093375d0fa6934f42b712123d6a52ac29ed

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[christineweng]

Implementation looks good to me! My only comment is that it's not obvious prevalence is calculated -30d to now. I know the date picker is down the line. It will still be helpful to have it spelled out like threat intelligence, or have an info icon to document that.

The inspection icon could be another option. It is widely used in alerts page

[PhilippeOberti]

Implementation looks good to me! My only comment is that it's not obvious prevalence is calculated -30d to now. I know the date picker is down the line. It will still be helpful to have it spelled out like threat intelligence, or have an info icon to document that.

@christineweng after discussing with Paul, if you're ok with it, I'm thinking about merging the PR as is and I will add the datetime picker after.