
[Security Solution] Enable entity previews in document details flyout #186850

Merged
merged 3 commits into from
Jun 27, 2024

Conversation

christineweng
Contributor

@christineweng christineweng commented Jun 24, 2024

Summary

This PR enables the entity flyout in the alert flyout wherever a host/user name is displayed. The entity flyout is rendered as a preview on top of the summary (right) panel. At the bottom of the preview there is a footer that lets users open the entity flyout as usual, which allows for the expand/collapse functionality.

How to test:

  • Enable the feature flag entityAlertPreviewEnabled
  • Generate some alerts and open the alert flyout
  • The following places should open the host/user flyout as a preview:
    • Summary panel (right)-> Investigation -> host and user names
    • Summary panel (right) -> Insights -> host and user names in entities
    • Details panel (left) -> Insights -> Entities -> the host and user names in the header, plus the related users and hosts in the table below
    • Details panel (left) -> Insights -> Prevalence -> host and user name
Screen.Recording.2024-06-24.at.8.22.19.PM.mov

Checklist

@christineweng christineweng added backport:skip This commit does not require backporting Team:Threat Hunting Security Solution Threat Hunting Team Team:Threat Hunting:Investigations Security Solution Investigations Team 8.15 candidate v8.15.0 labels Jun 24, 2024
@christineweng christineweng self-assigned this Jun 24, 2024
@christineweng
Contributor Author

/ci

@christineweng christineweng marked this pull request as ready for review June 25, 2024 01:24
@christineweng christineweng requested review from a team as code owners June 25, 2024 01:24
@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

@christineweng christineweng added the release_note:skip Skip the PR/issue when compiling release notes label Jun 25, 2024
@PhilippeOberti
Contributor

The flow looks great! Let's verify with @paulewing later today to make sure that's exactly what he wants. I see little value in keeping the Entities tab under Insights in our expanded section of the alert flyout now... But maybe that's something that can be removed in a separate PR!

Member

@machadoum machadoum left a comment


Hey Christine, this feature is awesome! Thank you! 👏 👏 👏

I have some minor concerns. Here they are:

  • The icon |< suggests that something will open when clicked. Could you verify with a designer if we can remove this icon inside the preview panel?
  • The inspect icon is disabled inside the preview panel.
  • On my local env the header is missing some fields which show up on your video. Did I do something wrong?
  • 'First seen' and 'Last seen' are empty inside the preview panel.

Screen.Recording.2024-06-25.at.10.49.32.-.2.mov

@christineweng
Contributor Author

christineweng commented Jun 25, 2024

Hey @machadoum many thanks for the prompt review!

Hey Christine, this feature is awesome! Thank you! 👏 👏 👏

I have some minor concerns. Here they are:

  • The icon |< suggests that something will open when clicked. Could you verify with a designer if we can remove this icon inside the preview panel?

Good point. This is one of the things I want to bring up with design and PM, but unfortunately they are both out until Thursday, so depending on their input, I will update the icons.

Update: talked to Paul and I'm removing the icon

image

  • The inspect icon is disabled inside the preview panel.

Fixed

  • On my local env the header is missing some fields which show up on your video. Did I do something wrong?
  • 'First seen' and 'Last seen' are empty inside the preview panel.

Both are showing up on my local... First/last seen come from the observed host/user data, so I suspect the scopeId can limit the indices (i.e. on the alerts page, you can only see host information from the alert index, but the host can be in logs*):

```ts
// Excerpt from the user flyout header. Import paths and the useMemo dependency
// array are completed here for readability; they are not quoted from the PR.
import { useMemo } from 'react';
import { max } from 'lodash/fp';

const observedUser = useObservedUser(userName, scopeId);

// Latest of the observed, Entra and Okta timestamps; undefined entries are skipped.
const lastSeenDate = useMemo(
  () =>
    max(
      [observedUser.lastSeen.date, entraTimestamp, oktaTimestamp].map((el) => el && new Date(el))
    ),
  [observedUser.lastSeen.date, entraTimestamp, oktaTimestamp]
);
```

I expanded the scope to pick up both alerts and logs, which should help... If you encounter this again, could you share the data with me?
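The scope/indices point in the reply above, as an added illustration that is not Kibana's code: a small model of how "first seen"/"last seen" come out empty when the entity is only observed in indices outside the current scope, plus the "latest of several optional timestamps" pattern from the quoted snippet. The scope names, index names and sample records are all constructed for this example.

```typescript
// Added example, not code from the Kibana repository. Models why the preview
// header can show an empty "last seen": the observed-entity lookup only
// searches the indices a scope covers.

type Scope = 'alerts' | 'alerts-and-logs'; // constructed stand-in for a scopeId

interface ObservedRecord {
  host: string;
  timestamp: string; // ISO 8601, UTC
}

// Constructed sample data: observed-host records keyed by the index they live in.
const SAMPLE_INDEX_DATA: Record<string, ObservedRecord[]> = {
  '.alerts-security': [{ host: 'web-01', timestamp: '2024-06-20T10:00:00Z' }],
  'logs-system': [
    { host: 'web-01', timestamp: '2024-06-24T08:30:00Z' },
    { host: 'db-02', timestamp: '2024-06-23T12:00:00Z' },
  ],
};

// Which indices each scope searches (constructed).
const SCOPE_INDICES: Record<Scope, string[]> = {
  alerts: ['.alerts-security'],
  'alerts-and-logs': ['.alerts-security', 'logs-system'],
};

interface ObservedEntity {
  firstSeen?: string;
  lastSeen?: string;
}

// First/last seen for a host, computed only over the indices the scope covers.
// A host that exists only in logs is invisible to the 'alerts' scope, so both
// fields stay undefined and the header renders empty.
function observeHost(host: string, scope: Scope): ObservedEntity {
  const stamps = SCOPE_INDICES[scope]
    .flatMap((index) => SAMPLE_INDEX_DATA[index] ?? [])
    .filter((record) => record.host === host)
    .map((record) => record.timestamp)
    .sort(); // same-format UTC ISO strings sort chronologically
  return stamps.length > 0 ? { firstSeen: stamps[0], lastSeen: stamps[stamps.length - 1] } : {};
}

// Latest of several optional sources (observed data, Entra, Okta), mirroring the
// max([...].map((el) => el && new Date(el))) pattern: undefined sources are
// skipped, and if every source is empty the result is undefined.
function latestSeen(...sources: Array<string | undefined>): Date | undefined {
  const dates = sources.filter((s): s is string => Boolean(s)).map((s) => new Date(s));
  if (dates.length === 0) return undefined;
  return dates.reduce((latest, d) => (d.getTime() > latest.getTime() ? d : latest));
}
```

With the 'alerts' scope, `observeHost('db-02', 'alerts')` returns an empty object because db-02 is only present in the logs index; widening the scope to 'alerts-and-logs' fills both fields. `latestSeen` returns undefined only when every source is missing, which is the case the empty header corresponds to.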

Contributor

@PhilippeOberti PhilippeOberti left a comment


Awesome work! I left a small comment.

Also, during testing, opening a preview panel (like host and user) when another preview is already open doesn't work: the new panel doesn't replace the currently opened one. I'm guessing this is expected and should be fixed with this other PR?

@christineweng
Contributor Author

/ci

@kibana-ci
Collaborator

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

Module Count

Fewer modules lead to a faster build time

id before after diff
securitySolution 5532 5534 +2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 14.1MB 14.1MB +29.5KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
securitySolution 83.4KB 83.4KB +29.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @christineweng

Member

@machadoum machadoum left a comment


LGTM!

Thank you! 🔥 🔥 🔥 🚀
