diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/emptify_mock.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/emptify_mock.ts
index 631eab18fc014..88a3052a61f74 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/emptify_mock.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/emptify_mock.ts
@@ -44,6 +44,7 @@ export function emptifyMock<T>(
   return {
     metadata,
     dataAccessLayer: {
+      ...dataAccessLayer,
       /**
        * Fetch related events for an entity ID
        */
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts
index fd086bd9b984e..2fa351cca1819 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children.ts
@@ -6,6 +6,7 @@
 
 import {
   ResolverRelatedEvents,
+  SafeResolverEvent,
   ResolverTree,
   ResolverEntityIndex,
 } from '../../../../common/endpoint/types';
@@ -58,6 +59,29 @@ export function noAncestorsTwoChildren(): { dataAccessLayer: DataAccessLayer; me
         });
       },
 
+      /**
+       * Return events that have `process.entity_id` that includes `entityID` and that have
+       * a `event.category` that includes `category`.
+       */
+      async eventsWithEntityIDAndCategory(
+        _entityID: string,
+        _category: string,
+        _after: string
+      ): Promise<{
+        events: SafeResolverEvent[];
+        nextEvent: string | null;
+      }> {
+        const events: SafeResolverEvent[] = [];
+        return {
+          events,
+          nextEvent: null,
+        };
+      },
+
+      async event(_eventID: string): Promise<SafeResolverEvent | null> {
+        return null;
+      },
+
       /**
        * Fetch a ResolverTree for a entityID
        */
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts
index 86450b25eb1da..f4e803d82ec2a 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_in_index_called_awesome_index.ts
@@ -8,6 +8,7 @@ import {
   ResolverRelatedEvents,
   ResolverTree,
   ResolverEntityIndex,
+  SafeResolverEvent,
 } from '../../../../common/endpoint/types';
 import { mockEndpointEvent } from '../../mocks/endpoint_event';
 import { mockTreeWithNoAncestorsAnd2Children } from '../../mocks/resolver_tree';
@@ -69,6 +70,32 @@ export function noAncestorsTwoChildenInIndexCalledAwesomeIndex(): {
         });
       },
 
+      async eventsWithEntityIDAndCategory(
+        entityID: string,
+        category,
+        _after: string
+      ): Promise<{
+        events: SafeResolverEvent[];
+        nextEvent: string | null;
+      }> {
+        return {
+          events: [
+            mockEndpointEvent({
+              entityID,
+              eventCategory: category,
+            }),
+          ],
+          nextEvent: null,
+        };
+      },
+
+      async event(eventID: string): Promise<SafeResolverEvent | null> {
+        return mockEndpointEvent({
+          entityID: metadata.entityIDs.origin,
+          eventID,
+        });
+      },
+
       /**
        * Fetch a ResolverTree for a entityID
        */
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts
index ec773a09ae8e0..dde5b5635adf5 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/no_ancestors_two_children_with_related_events_on_origin.ts
@@ -10,7 +10,9 @@ import {
   ResolverRelatedEvents,
   ResolverTree,
   ResolverEntityIndex,
+  SafeResolverEvent,
 } from '../../../../common/endpoint/types';
+import * as eventModel from '../../../../common/endpoint/models/event';
 
 interface Metadata {
   /**
@@ -56,31 +58,62 @@ export function noAncestorsTwoChildrenWithRelatedEventsOnOrigin(): {
       /**
        * Fetch related events for an entity ID
        */
-      relatedEvents(entityID: string): Promise<ResolverRelatedEvents> {
+      async relatedEvents(entityID: string): Promise<ResolverRelatedEvents> {
         /**
          * Respond with the mocked related events when the origin's related events are fetched.
          **/
         const events = entityID === metadata.entityIDs.origin ? tree.relatedEvents.events : [];
 
-        return Promise.resolve({
+        return {
           entityID,
           events,
           nextEvent: null,
-        });
+        };
+      },
+
+      /**
+       * Any of the origin's related events by category.
+       * `entityID` must match the origin node's `process.entity_id`.
+       * Does not respect the `_after` parameter.
+       */
+      async eventsWithEntityIDAndCategory(
+        entityID: string,
+        category: string,
+        _after: string
+      ): Promise<{ events: SafeResolverEvent[]; nextEvent: string | null }> {
+        const events =
+          entityID === metadata.entityIDs.origin
+            ? tree.relatedEvents.events.filter((event) =>
+                eventModel.eventCategory(event).includes(category)
+              )
+            : [];
+        return {
+          events,
+          nextEvent: null,
+        };
+      },
+
+      /**
+       * Any of the origin's related events by event.id
+       */
+      async event(eventID: string): Promise<SafeResolverEvent | null> {
+        return (
+          tree.relatedEvents.events.find((event) => eventModel.eventID(event) === eventID) ?? null
+        );
       },
 
       /**
        * Fetch a ResolverTree for a entityID
        */
-      resolverTree(): Promise<ResolverTree> {
-        return Promise.resolve(tree);
+      async resolverTree(): Promise<ResolverTree> {
+        return tree;
       },
 
       /**
        * Get entities matching a document.
        */
-      entities(): Promise<ResolverEntityIndex> {
-        return Promise.resolve([{ entity_id: metadata.entityIDs.origin }]);
+      async entities(): Promise<ResolverEntityIndex> {
+        return [{ entity_id: metadata.entityIDs.origin }];
       },
     },
   };
diff --git a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/pausify_mock.ts b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/pausify_mock.ts
index 6a4955b104b8f..a3ec667385470 100644
--- a/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/pausify_mock.ts
+++ b/x-pack/plugins/security_solution/public/resolver/data_access_layer/mocks/pausify_mock.ts
@@ -89,6 +89,7 @@ export function pausifyMock<T>({
       }
     },
     dataAccessLayer: {
+      ...dataAccessLayer,
       /**
        * Fetch related events for an entity ID
        */