[Investigations] - Add unified components to eql tab

[michaelolo24]

Summary

This PR introduces the unified table and field list to the correlations tab as seen in the snapshots below.

As of this PR, items that are not working

1. Table row height controls
2. Expandable flyout integration
3. Leading cell actions (pinning, notes, row actions, analyzer, session view)

Changes in this PR:

Sequence Highlighting:

Building block highlighting:

To test:

1. Add xpack.securitySolution.enableExperimental: [unifiedComponentsInTimelineEnabled] to your kibana.dev.yml
2. Generate test data (endpoint data is fine)
3. Go to the correlations tab and enter this query to see default events/alerts that should have no highlighting
   any where true
4. Enter this query to see a generic sequence

sequence
[any where true]
[any where true]

You can also do something like

sequence
[any where host.name=={HOST NAME VALUE HERE}]
[any where true]

7. You can also create a correlation rule using any of the above queries to generate building block alerts, and then query those alerts in the correlations tab as well

[michaelolo24]

A lot of this logic is going to end up being shared between all the tabs so should probably be abstracted...but may not be necessary when the old table is removed

[logeekal]

true, is there a value on lifting this ( till line 145 ) up in Tabs component as mentioned above?

[michaelolo24]

Yea, I want to do that for almost all of the tabs. The only real difference at this point between them is the query being run..

[michaelolo24]

Did a lot of deduping and cleaning up here: e37faca - Let me know if there's anything else you see

[logeekal]

This looks great. Will check it.

[elasticmachine]

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

[janmonschke]

@michaelolo24 I noticed that removing a field from the table feels slow:

Screen.Recording.2024-04-17.at.19.41.06.mov

In comparison, this is how it feels like in Discover:

Screen.Recording.2024-04-17.at.19.56.56.mov

[michaelolo24]

@michaelolo24 I noticed that removing a field from the table feels slow:

Screen.Recording.2024-04-17.at.19.41.06.mov
In comparison, this is how it feels like in Discover:

Screen.Recording.2024-04-17.at.19.56.56.mov

Thanks! Yea, I noticed that as well. I think it has something to do with the row rendering, but maybe I'm just making that up. I noticed the same with the query tab with the row renderers, and I believe @logeekal is taking a look. Once this is merged, I'll be circling back to some of the performance, clean up items

[michaelolo24]

/ci

[PhilippeOberti]

When clicking on the expand button on a row, the flyout isn't opening (works fine without the unifiedComponentsInTimelineEnabled feature flag). At first it seemed related to this issue but in this PR the flyout just plain does not open, and in the issue it opens but behind timeline...

Screen.Recording.2024-04-17.at.3.04.29.PM.mov

[PhilippeOberti]

I found a behavior that's most likely rarely going to happen but still annoying. I'm not sure we really have control over this though...:

• click on a field in the left sidebar
• click Visualize
• click cancel

Expected behavior: we would stay in the same spot we were on

Actual behavior: the view goes back to the Query tab

Screen.Recording.2024-04-17.at.3.09.56.PM.mov

[PhilippeOberti]

Changing the value in the custom Cell row height doesn't seem to be doing anything

Screen.Recording.2024-04-17.at.3.15.53.PM.mov

Could be related, but @logeekal it seems that the behavior is similar in the Query tab now. Wasn't this working a few days/weeks ago? Could the addition to the row renderer have broken this?

[PhilippeOberti]

Is the sorting supposed to work? I'm clicking in a bunch of places and nothing seems to be happening...

Screen.Recording.2024-04-17.at.3.45.51.PM.mov

[logeekal]

I noticed that removing a field from the table feels slow:

@janmonschke : As @michaelolo24 also pointed out, it is because of combination of customBodyRender for rowRenders, cellActions , plus some extra updates to redux on our side. I am trying to see how best we can reduce this time.

Will soon raise a PR.

[logeekal]

Thanks for making these changes. Seeing your PR, i remebered, I forgot about building block styling. thanks for getting these done.

Additionally, I see that flyout is not opening in Correlation tab only.

eql_code_review.mp4

[logeekal]

Since, all tabs are rendered together. Do you think it makes sense to lift this up in tabs component?

All tabs such as query, EQL anyway take columns as one of the prop.

[michaelolo24]

Yep, done

[logeekal]

true, is there a value on lifting this ( till line 145 ) up in Tabs component as mentioned above?

[michaelolo24]

@PhilippeOberti

When clicking on the expand button on a row, the flyout isn't opening (works fine without the unifiedComponentsInTimelineEnabled feature flag). At first it seemed related to this issue but in this PR the flyout just plain does not open, and in the issue it opens but behind timeline...

The query tab property was hardcoded, updated it here

Is the sorting supposed to work? I'm clicking in a bunch of places and nothing seems to be happening...

No, sorting is not supposed to work for the EQL tab as it would mess up the sequence listing for an EQL query. I forgot to check whether the NO_SORT would disable the actual buttons themselves, but it didn't, needed to plumb this through:

For:

I found a behavior that's most likely rarely going to happen but still annoying. I'm not sure we really have control over this though...:

Changing the value in the custom Cell row height doesn't seem to be doing anything

I added them to our clean up tasks here

[michaelolo24]

Thanks for making these changes. Seeing your PR, i remebered, I forgot about building block styling. thanks for getting these done.

Additionally, I see that flyout is not opening in Correlation tab only.

@logeekal see my response to @PhilippeOberti about the same 😄

[michaelolo24]

Couldn't decide whether I wanted this behind a memoized const and just pass those two values instead of duplicating them. I can go either way...

[logeekal]

+1 for having it in useMemo. Lot of things going on in timeline and that might recreate header everytime.

Which values are you talking about?

[PhilippeOberti]

@michaelolo24 only item that I see missing right now is the fact that despite the fact that have the expandableTimelineFlyoutEnabled feature flag in my kibana.yml file, I do not see the expandable flyout open when clicking on a row. The old flyout shows up...

[PhilippeOberti]

left a few small comments about clean up and adding some unit tests maybe? Biggest thing left I think is my comment related to the expandable flyout not showing up even with the expandableTimelineFlyoutEnabled enabled

[PhilippeOberti]

wouldn't we want to unit test this new component?

[michaelolo24]

yep, adding! 👍🏾

[michaelolo24]

@michaelolo24 only item that I see missing right now is the fact that despite the fact that have the expandableTimelineFlyoutEnabled feature flag in my kibana.yml file, I do not see the expandable flyout open when clicking on a row. The old flyout shows up...

Yea, the logic for that wasn't here anymore, I added it in this PR: 8fb5199

Going to work on adding tests, but just wanted to get this there so you can take a look!

[PhilippeOberti]

@michaelolo24 only item that I see missing right now is the fact that despite the fact that have the expandableTimelineFlyoutEnabled feature flag in my kibana.yml file, I do not see the expandable flyout open when clicking on a row. The old flyout shows up...

Yea, the logic for that wasn't here anymore, I added it in this PR: 8fb5199

Going to work on adding tests, but just wanted to get this their so you can take a look!

verified! Thanks for adding this. Soon we'll have the onClose logic working

[logeekal]

Changing the value in the custom Cell row height doesn't seem to be doing anything

@PhilippeOberti , this behaviour seems to be related to renderCustomBody. I will take this one up.

[logeekal]

only item that I see missing right now is the fact that despite the fact that have the expandableTimelineFlyoutEnabled feature flag in my kibana.yml file, I do not see the expandable flyout open when clicking on a row. The old flyout shows up...

Yea, the logic for that wasn't here anymore, I added it in this PR: 8fb5199

Thank @michaelolo24 for adding changes for new expandable flyout.

Actually after my discussion with @PhilippeOberti , I did the related changes but I kept it aside as a patch as my original PR was already big.

Now that you have already added the code for expandable flyout, I am attaching my patch which also includes handling flyout closure ( new hook : x-pack/plugins/security_solution/public/timelines/components/timeline/unified_components/hooks/use_unified_timeline_expandable_flyout.tsx ) . You can either choose to include it or we can also do that it follow up PR because scope of your PR is increasing :D. I guess new expandable flyout should have been separated PR anyways.

It resolves the problem when user closed the flyout, the expand-event icon does not change back.

Here is the Patch for Expandable flyout

Note: I am happy to add it as well in case you are busy.

[michaelolo24]

only item that I see missing right now is the fact that despite the fact that have the expandableTimelineFlyoutEnabled feature flag in my kibana.yml file, I do not see the expandable flyout open when clicking on a row. The old flyout shows up...

Yea, the logic for that wasn't here anymore, I added it in this PR: 8fb5199

Thank @michaelolo24 for adding changes for new expandable flyout.

Actually after my discussion with @PhilippeOberti , I did the related changes but I kept it aside as a patch as my original PR was already big.

Now that you have already added the code for expandable flyout, I am attaching my patch which also includes handling flyout closure ( new hook : x-pack/plugins/security_solution/public/timelines/components/timeline/unified_components/hooks/use_unified_timeline_expandable_flyout.tsx ) . You can either choose to include it or we can also do that it follow up PR because scope of your PR is increasing :D. I guess new expandable flyout should have been separated PR anyways.

It resolves the problem when user closed the flyout, the expand-event icon does not change back.

Here is the Patch for Expandable flyout

Note: I am happy to add it as well in case you are busy.

@logeekal and @PhilippeOberti let's make the introduction of the new expandable flyout it's own PR, potentially after Kevin merges his PR for the row actions. I think we should use the default detail expand action the unified data table provides over the one that is in our leadingControlColumns, but that decision will affect this implementation. I'm going to revert the flyout changes in my PR that I mentioned here. @logeekal would you mind opening a PR with your patch for testing purposes? We can take a look at @PhilippeOberti 's changes there as well once it's merged 😄

[logeekal]

I think we should use the default detail expand action the unified data table provides over the one that is in our leadingControlColumns,

Agreed. 💯

would you mind opening a PR with your patch for testing purposes?

Will do.

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 5e306c7

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	5451	5454	+3

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	14.6MB	14.7MB	+67.6KB

History

• 💔 Build #204748 failed aded1b5
• 💔 Build #204737 failed 8fb5199
• 💔 Build #204703 failed 0aa5bb5
• 💔 Build #204682 failed 71b497c
• 💔 Build #204677 failed e37faca

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[logeekal]

Desk Testing went great 🚀 . Only one small issue as mentioned below. Looking through code now.

[logeekal]

I think because of this both building block and non-buildingblock events are getting highlighted by a left yellow border in both query and correlation tabs. Is this expected?

[michaelolo24]

Nope, just alerts, not regular events. Regular events have the gray border (that's also how it currently is if you check on main)

[logeekal]

Code looks clean ✨ ✨ . Approving but I have small comments/questions below.

[logeekal]

I am curious what is local columns here?

[michaelolo24]

Columns that are passed in to the hook, which are in turn passed to the consuming components. If I remember correctly, it's primarily to allow for external customization of the columns

[logeekal]

Sorry for this screw up 😅 🙏

[michaelolo24]

Lol, all good. 😄

[logeekal]

For my knowledge, what is diff between nonRawEvent and rawEvent.

[michaelolo24]

rawEvent is a generic event, whereas nonRawEvent is a catch all for a modified event, which the only one I know of right now is an alert/signal

[PhilippeOberti]

@PhilippeOberti

When clicking on the expand button on a row, the flyout isn't opening (works fine without the unifiedComponentsInTimelineEnabled feature flag). At first it seemed related to this issue but in this PR the flyout just plain does not open, and in the issue it opens but behind timeline...

The query tab property was hardcoded, updated it here

@michaelolo24 This is still broken for me. If you don't want to fix it in this PR let's add it to the list in your list of cleanup tasks (link to my original comment for reference)

[PhilippeOberti]

LGTM! It seems that we're tracking everything that still need to be fixed and we'll do follow up PRs.