Create index pattern in "Create threat detector" flow

[xeniatup]

Is your feature request related to a problem? A user who is investigating a security finding should not have to provide an index pattern to see surrounding documents. Creating an index pattern can be handled upstream, at the time of creating a detector.

Current experience

What solution would you like? An index pattern should be created automatically for the data source (indexes or wildcard pattern) selected at the time of creating a threat detector. There are three potential cases:

1. An index pattern already exists for the data source - the section for creating a new index pattern is hidden
2. There is no index pattern doesn't exists, and there is just one time field in the data source - an index pattern can be created behind the scenes with a default name and time field.
3. There is no index pattern exists and there are multiple time fields - the "Index pattern" section is shown on the "Review" page of "Create detector" flow with the index pattern name prefilled and the selection of the time fields.

What alternatives have you considered? Creating an index pattern with the default name and time fields as part of "View findings details -> View surrounding documents" workflow.

[kgcreative]

Keep in mind that Index Patterns are dashboards saved objects, so if you're creating a detector via the API, you wouldn't have awareness of index patterns. This may need to be an associated index pattern (similar to how we do associated detectors in a visualization). For the index pattern, I suggest exploring "Select existing" and "Create new" as options as well. There may be an index pattern in the system that already covers the given index in the detector.

[xeniatup]

We currently detect the associated index patterns automatically (selecting the first available one) and proceed from there. The modal appears when there is no index pattern associated.

[dblock]

[Triage -- attendees 1, 2, 3, 4, 5, 6, 7]