[Fleet] Installed Packages should attempt to create data_streams when installed or integration added to Policy

[kevinlog]

Describe the feature:
Currently, when packages are installed via Fleet, any data_streams contained within are created when the Agent or sub-process first attempts to send a document to ES. We should investigate if there's a way to create the data_streams earlier.

This bug illustrates an issue when we're unable to create data_streams before the first document is sent: #90401

Describe a specific use case for the feature:
As described in #90401

The logs-endpoint.alerts-* index pattern and corresponding mapping does not get created until the Elastic Endpoint sends the first event of type alert to the system. This means that the Elastic Endpoint Security rule will fail execution until the first alert gets sent from an endpoint.

This bug could be fixed if we were able to create data_streams earlier in the lifecycle.

[elasticmachine]

Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt)

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[kevinlog]

I spoke with @scunningham about potential solutions for this one, but they seem complicated.

Options:

• Attempt to install data_streams included with a package when they are first installed or updated
  • This may work for static data_streams, but many rely on context within a deployed Agent Policy to get the naming correct
• Attempt to install data_streams when a corresponding integration is added to an Agent Policy.
  • This may be complicated because we would need to analyze all other integrations and settings assigned to the Policy

cc\ @ruflin @ph @peluja1012 @spong

[spong]

For the best Detections UX the only index that needs to be created on install of the Endpoint Security integration would be the logs-endpoint.alerts-* index, if that makes this any easier (or could be done as a one-off?).