[SIEM][Detection Engine] Adds a tags service and optimizes alert_id lookups

[FrankHassanabad]

Summary

• Adds a tags services for use by UI's that want to get a list of all the unique tags that are on all of the rules just like an aggregation
• Removes the horribly inefficient alert_id look up that was a full alert scan and instead uses an internal structure that it augments to the tags for fast alert_id look ups.
• Adds unit tests for the tags and internal structure tags
• Updates other unit tests

Usage for the UI:

GET /api/detection_engine/tags

or shell script:

./get_tags.sh

Returns:

[
  "tag_1",
  "tag_2"
]

Testing:
Ensure that the internal structure does not leak when doing any of these script/API calls

• ./get_tags.sh
• ./post_rule.sh ./rules/queries/query_with_tags.json
• ./update_rule.sh ./rules/queries/query_with_tags.json
• ./delete_rule.sh
• ./find_rules.sh
• ./find_rule_by_filter.sh "alert.attributes.enabled:%20true"
• ./find_rule_by_filter.sh "alert.attributes.tags:tag_1"

Caveat:

You can do filter searches against tags that have the double underscore such as:

./find_rule_by_filter.sh "alert.attributes.tags:%20__*"

But that shouldn't be a big problem and more than likely no one will be naming something with double underscores.

Checklist

Use strikethroughs to remove checklist items you don't feel are applicable to this PR.

- [ ] This was checked for cross-browser compatibility, including a check against IE11

- [ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support

- [ ] Documentation was added for features that require explanation or tutorials

• Unit or functional tests were updated or added to match the most common scenarios

- [ ] This was checked for keyboard-only and screenreader accessibility

For maintainers

- [ ] This was checked for breaking API changes and was labeled appropriately

• This includes a feature addition or change that requires a release note and was labeled appropriately

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 48e366d

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[dhurley14]

It might be (slightly) more performant here to utilize concat to append the internal rule id tag.

[FrankHassanabad]

Per conversations we will keep using the ES2015+ style unless we are dealing with larger arrays.

Thanks for pointing out though that technically the concat is faster as I typically like that style more but the ES2015 is what we encourage on the team for small stuff.

[dhurley14]

Left an optional comment but reviewed and tested locally and everything looks awesome!