[8.12] [Security Solution] Alert flyout - update document id in analy…

…zer preview and same ancestry (#174651) (#174972)

# Backport

This will backport the following commits from `main` to `8.12`:
- [[Security Solution] Alert flyout - update document id in analyzer
preview and same ancestry
(#174651)](#174651)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT
[{"author":{"name":"christineweng","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-01-16T21:30:32Z","message":"[Security
Solution] Alert flyout - update document id in analyzer preview and same
ancestry (#174651)\n\n## Summary\r\n\r\nAddress:
https://github.com/elastic/kibana/issues/169373\r\n\r\nThis PR updates
the use of `kibana.alert.ancestor.id` to `_id`\r\n(available in flyout
context as `eventId`) in analyzer preview and\r\nalerts by ancestry.
This change allows upgrade from 7.x kibana to 8.10+\r\nto utilize
analyzer preview.\r\n\r\nNo UI change introduced.\r\n\r\n**How to
test**\r\n- Analyzer preview should match that of prior to the
change\r\n- Alert by ancestry in correlations overview (right section)
and\r\ncorrelations tab (left section -> Insights) should match that of
prior\r\nto the change\r\n- Analyzer preview should match the analyzer
viewer in alerts table\r\n\r\n\r\n### Checklist\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"f288919b144dbfc2e99a3ff689ddfc0707c89379","branchLabelMapping":{"^v8.13.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:Threat
Hunting","Team:Threat
Hunting:Investigations","v8.12.1","v8.13.0"],"title":"[Security
Solution] Alert flyout - update document id in analyzer preview and same
ancestry","number":174651,"url":"https://github.com/elastic/kibana/pull/174651","mergeCommit":{"message":"[Security
Solution] Alert flyout - update document id in analyzer preview and same
ancestry (#174651)\n\n## Summary\r\n\r\nAddress:
https://github.com/elastic/kibana/issues/169373\r\n\r\nThis PR updates
the use of `kibana.alert.ancestor.id` to `_id`\r\n(available in flyout
context as `eventId`) in analyzer preview and\r\nalerts by ancestry.
This change allows upgrade from 7.x kibana to 8.10+\r\nto utilize
analyzer preview.\r\n\r\nNo UI change introduced.\r\n\r\n**How to
test**\r\n- Analyzer preview should match that of prior to the
change\r\n- Alert by ancestry in correlations overview (right section)
and\r\ncorrelations tab (left section -> Insights) should match that of
prior\r\nto the change\r\n- Analyzer preview should match the analyzer
viewer in alerts table\r\n\r\n\r\n### Checklist\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"f288919b144dbfc2e99a3ff689ddfc0707c89379"}},"sourceBranch":"main","suggestedTargetBranches":["8.12"],"targetPullRequestStates":[{"branch":"8.12","label":"v8.12.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.13.0","branchLabelMappingKey":"^v8.13.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/174651","number":174651,"mergeCommit":{"message":"[Security
Solution] Alert flyout - update document id in analyzer preview and same
ancestry (#174651)\n\n## Summary\r\n\r\nAddress:
https://github.com/elastic/kibana/issues/169373\r\n\r\nThis PR updates
the use of `kibana.alert.ancestor.id` to `_id`\r\n(available in flyout
context as `eventId`) in analyzer preview and\r\nalerts by ancestry.
This change allows upgrade from 7.x kibana to 8.10+\r\nto utilize
analyzer preview.\r\n\r\nNo UI change introduced.\r\n\r\n**How to
test**\r\n- Analyzer preview should match that of prior to the
change\r\n- Alert by ancestry in correlations overview (right section)
and\r\ncorrelations tab (left section -> Insights) should match that of
prior\r\nto the change\r\n- Analyzer preview should match the analyzer
viewer in alerts table\r\n\r\n\r\n### Checklist\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common
scenarios","sha":"f288919b144dbfc2e99a3ff689ddfc0707c89379"}}]}]
BACKPORT-->

Co-authored-by: christineweng <[email protected]>

x-pack/plugins/security_solution/public/flyout/document_details/left/components/correlations_details.test.tsx

@@ -67,7 +67,7 @@ describe('CorrelationsDetails', () => {
   it('renders all sections', () => {
     jest
       .mocked(useShowRelatedAlertsByAncestry)
-      .mockReturnValue({ show: true, documentId: 'documentId', indices: ['index1'] });
+      .mockReturnValue({ show: true, indices: ['index1'] });
     jest
       .mocked(useShowRelatedAlertsBySameSourceEvent)
       .mockReturnValue({ show: true, originalEventId: 'originalEventId' });
@@ -115,7 +115,7 @@ describe('CorrelationsDetails', () => {
   it('should render no section and show error message if show values are false', () => {
     jest
       .mocked(useShowRelatedAlertsByAncestry)
-      .mockReturnValue({ show: false, documentId: 'documentId', indices: ['index1'] });
+      .mockReturnValue({ show: false, indices: ['index1'] });
     jest
       .mocked(useShowRelatedAlertsBySameSourceEvent)
       .mockReturnValue({ show: false, originalEventId: 'originalEventId' });

x-pack/plugins/security_solution/public/flyout/document_details/left/components/correlations_details.tsx

@@ -30,11 +30,7 @@ export const CorrelationsDetails: React.FC = () => {
   const { dataAsNestedObject, dataFormattedForFieldBrowser, eventId, getFieldsData, scopeId } =
     useLeftPanelContext();
 
-  const {
-    show: showAlertsByAncestry,
-    documentId,
-    indices,
-  } = useShowRelatedAlertsByAncestry({
+  const { show: showAlertsByAncestry, indices } = useShowRelatedAlertsByAncestry({
     getFieldsData,
     dataAsNestedObject,
     dataFormattedForFieldBrowser,
@@ -86,14 +82,9 @@ export const CorrelationsDetails: React.FC = () => {
               <RelatedAlertsBySession entityId={entityId} scopeId={scopeId} eventId={eventId} />
             </EuiFlexItem>
           )}
-          {showAlertsByAncestry && documentId && indices && (
+          {showAlertsByAncestry && indices && (
             <EuiFlexItem>
-              <RelatedAlertsByAncestry
-                documentId={documentId}
-                indices={indices}
-                scopeId={scopeId}
-                eventId={eventId}
-              />
+              <RelatedAlertsByAncestry indices={indices} scopeId={scopeId} documentId={eventId} />
             </EuiFlexItem>
           )}
         </EuiFlexGroup>

x-pack/plugins/security_solution/public/flyout/document_details/left/components/related_alerts_by_ancestry.test.tsx

@@ -27,7 +27,6 @@ jest.mock('../hooks/use_paginated_alerts');
 const documentId = 'documentId';
 const indices = ['index1'];
 const scopeId = 'scopeId';
-const eventId = 'eventId';
 
 const TOGGLE_ICON = EXPANDABLE_PANEL_TOGGLE_ICON_TEST_ID(
   CORRELATIONS_DETAILS_BY_ANCESTRY_SECTION_TEST_ID
@@ -42,12 +41,7 @@ const TITLE_TEXT = EXPANDABLE_PANEL_HEADER_TITLE_TEXT_TEST_ID(
 const renderRelatedAlertsByAncestry = () =>
   render(
     <TestProviders>
-      <RelatedAlertsByAncestry
-        documentId={documentId}
-        indices={indices}
-        scopeId={scopeId}
-        eventId={eventId}
-      />
+      <RelatedAlertsByAncestry documentId={documentId} indices={indices} scopeId={scopeId} />
     </TestProviders>
   );
 

x-pack/plugins/security_solution/public/flyout/document_details/left/components/related_alerts_by_ancestry.tsx

@@ -13,7 +13,7 @@ import { CORRELATIONS_DETAILS_BY_ANCESTRY_SECTION_TEST_ID } from './test_ids';
 
 export interface RelatedAlertsByAncestryProps {
   /**
-   * Value of the kibana.alert.ancestors.id field
+   * Id of the document
    */
   documentId: string;
   /**
@@ -24,10 +24,6 @@ export interface RelatedAlertsByAncestryProps {
    * Maintain backwards compatibility // TODO remove when possible
    */
   scopeId: string;
-  /**
-   * Id of the document
-   */
-  eventId: string;
 }
 
 /**
@@ -37,7 +33,6 @@ export const RelatedAlertsByAncestry: React.VFC<RelatedAlertsByAncestryProps> =
   documentId,
   indices,
   scopeId,
-  eventId,
 }) => {
   const { loading, error, data, dataCount } = useFetchRelatedAlertsByAncestry({
     documentId,
@@ -61,7 +56,7 @@ export const RelatedAlertsByAncestry: React.VFC<RelatedAlertsByAncestryProps> =
       loading={loading}
       alertIds={data}
       scopeId={scopeId}
-      eventId={eventId}
+      eventId={documentId}
       noItemsMessage={
         <FormattedMessage
           id="xpack.securitySolution.flyout.left.insights.correlations.ancestryAlertsNoDataDescription"

x-pack/plugins/security_solution/public/flyout/document_details/right/components/analyzer_preview.test.tsx

@@ -53,13 +53,13 @@ describe('<AnalyzerPreview />', () => {
 
     expect(mockUseAlertPrevalenceFromProcessTree).toHaveBeenCalledWith({
       isActiveTimeline: false,
-      documentId: 'ancestors-id',
+      documentId: 'eventId',
       indices: ['rule-indices'],
     });
     expect(wrapper.getByTestId(ANALYZER_PREVIEW_TEST_ID)).toBeInTheDocument();
   });
 
-  it('shows error message when documentid and index are not present', () => {
+  it('shows error message when index is not present', () => {
     mockUseAlertPrevalenceFromProcessTree.mockReturnValue({
       loading: false,
       error: false,
@@ -82,7 +82,7 @@ describe('<AnalyzerPreview />', () => {
 
     expect(mockUseAlertPrevalenceFromProcessTree).toHaveBeenCalledWith({
       isActiveTimeline: false,
-      documentId: '',
+      documentId: 'eventId',
       indices: [],
     });
 

x-pack/plugins/security_solution/public/flyout/document_details/right/components/analyzer_preview.tsx

@@ -11,7 +11,7 @@ import { i18n } from '@kbn/i18n';
 import { FormattedMessage } from '@kbn/i18n-react';
 import { ANALYZER_PREVIEW_TEST_ID, ANALYZER_PREVIEW_LOADING_TEST_ID } from './test_ids';
 import { getTreeNodes } from '../utils/analyzer_helpers';
-import { ANCESTOR_ID, RULE_INDICES } from '../../shared/constants/field_names';
+import { RULE_INDICES } from '../../shared/constants/field_names';
 import { useRightPanelContext } from '../context';
 import { useAlertPrevalenceFromProcessTree } from '../../../../common/containers/alerts/use_alert_prevalence_from_process_tree';
 import type { StatsNode } from '../../../../common/containers/alerts/use_alert_prevalence_from_process_tree';
@@ -33,18 +33,14 @@ interface Cache {
  */
 export const AnalyzerPreview: React.FC = () => {
   const [cache, setCache] = useState<Partial<Cache>>({});
-  const { dataFormattedForFieldBrowser: data, scopeId } = useRightPanelContext();
-
-  const documentId = find({ category: 'kibana', field: ANCESTOR_ID }, data);
-  const processDocumentId =
-    documentId && Array.isArray(documentId.values) ? documentId.values[0] : '';
+  const { dataFormattedForFieldBrowser: data, scopeId, eventId } = useRightPanelContext();
 
   const index = find({ category: 'kibana', field: RULE_INDICES }, data);
   const indices = index?.values ?? [];
 
   const { statsNodes, loading, error } = useAlertPrevalenceFromProcessTree({
     isActiveTimeline: isActiveTimeline(scopeId),
-    documentId: processDocumentId,
+    documentId: eventId,
     indices,
   });
 
@@ -59,7 +55,7 @@ export const AnalyzerPreview: React.FC = () => {
     [cache.statsNodes]
   );
 
-  const showAnalyzerTree = documentId && index && items && items.length > 0 && !error;
+  const showAnalyzerTree = eventId && index && items && items.length > 0 && !error;
 
   return loading ? (
     <EuiSkeletonText

x-pack/plugins/security_solution/public/flyout/document_details/right/components/correlations_overview.test.tsx

@@ -102,7 +102,7 @@ describe('<CorrelationsOverview />', () => {
   it('should show component with all rows in expandable panel', () => {
     jest
       .mocked(useShowRelatedAlertsByAncestry)
-      .mockReturnValue({ show: true, documentId: 'documentId', indices: ['index1'] });
+      .mockReturnValue({ show: true, indices: ['index1'] });
     jest
       .mocked(useShowRelatedAlertsBySameSourceEvent)
       .mockReturnValue({ show: true, originalEventId: 'originalEventId' });
@@ -145,7 +145,7 @@ describe('<CorrelationsOverview />', () => {
   it('should hide rows and show error message if show values are false', () => {
     jest
       .mocked(useShowRelatedAlertsByAncestry)
-      .mockReturnValue({ show: false, documentId: 'documentId', indices: ['index1'] });
+      .mockReturnValue({ show: false, indices: ['index1'] });
     jest
       .mocked(useShowRelatedAlertsBySameSourceEvent)
       .mockReturnValue({ show: false, originalEventId: 'originalEventId' });

x-pack/plugins/security_solution/public/flyout/document_details/right/components/correlations_overview.tsx

@@ -56,11 +56,7 @@ export const CorrelationsOverview: React.FC = () => {
     });
   }, [eventId, openLeftPanel, indexName, scopeId]);
 
-  const {
-    show: showAlertsByAncestry,
-    documentId,
-    indices,
-  } = useShowRelatedAlertsByAncestry({
+  const { show: showAlertsByAncestry, indices } = useShowRelatedAlertsByAncestry({
     getFieldsData,
     dataAsNestedObject,
     dataFormattedForFieldBrowser,
@@ -115,8 +111,8 @@ export const CorrelationsOverview: React.FC = () => {
           {showAlertsBySession && entityId && (
             <RelatedAlertsBySession entityId={entityId} scopeId={scopeId} />
           )}
-          {showAlertsByAncestry && documentId && indices && (
-            <RelatedAlertsByAncestry documentId={documentId} indices={indices} scopeId={scopeId} />
+          {showAlertsByAncestry && indices && (
+            <RelatedAlertsByAncestry documentId={eventId} indices={indices} scopeId={scopeId} />
           )}
         </EuiFlexGroup>
       ) : (

x-pack/plugins/security_solution/public/flyout/document_details/right/components/related_alerts_by_ancestry.tsx

@@ -15,7 +15,7 @@ const ICON = 'warning';
 
 export interface RelatedAlertsByAncestryProps {
   /**
-   * Value of the kibana.alert.ancestors.id field
+   * Id of the document
    */
   documentId: string;
   /**

x-pack/plugins/security_solution/public/flyout/document_details/shared/hooks/use_fetch_related_alerts_by_ancestry.ts

@@ -11,7 +11,7 @@ import { isActiveTimeline } from '../../../../helpers';
 
 export interface UseFetchRelatedAlertsByAncestryParams {
   /**
-   * Value of the kibana.alert.ancestors.id field
+   * Id of the document
    */
   documentId: string;
   /**

x-pack/plugins/security_solution/public/flyout/document_details/shared/hooks/use_show_related_alerts_by_ancestry.test.tsx

@@ -16,6 +16,7 @@ import { useIsExperimentalFeatureEnabled } from '../../../../common/hooks/use_ex
 import { licenseService } from '../../../../common/hooks/use_license';
 import { mockDataFormattedForFieldBrowser } from '../mocks/mock_data_formatted_for_field_browser';
 import { mockDataAsNestedObject } from '../mocks/mock_data_as_nested_object';
+import { useIsInvestigateInResolverActionEnabled } from '../../../../detections/components/alerts_table/timeline_actions/investigate_in_resolver';
 
 jest.mock('../../../../common/hooks/use_experimental_features');
 jest.mock('../../../../common/hooks/use_license', () => {
@@ -29,6 +30,9 @@ jest.mock('../../../../common/hooks/use_license', () => {
     },
   };
 });
+jest.mock(
+  '../../../../detections/components/alerts_table/timeline_actions/investigate_in_resolver'
+);
 const licenseServiceMock = licenseService as jest.Mocked<typeof licenseService>;
 
 const dataAsNestedObject = mockDataAsNestedObject;
@@ -40,8 +44,9 @@ describe('useShowRelatedAlertsByAncestry', () => {
     UseShowRelatedAlertsByAncestryResult
   >;
 
-  it('should return false if getFieldsData returns null', () => {
+  it('should return false if Process Entity Info is not available', () => {
     (useIsExperimentalFeatureEnabled as jest.Mock).mockReturnValue(true);
+    (useIsInvestigateInResolverActionEnabled as jest.Mock).mockReturnValue(false);
     licenseServiceMock.isPlatinumPlus.mockReturnValue(true);
     const getFieldsData = () => null;
     hookResult = renderHook(() =>
@@ -69,7 +74,6 @@ describe('useShowRelatedAlertsByAncestry', () => {
 
     expect(hookResult.result.current).toEqual({
       show: false,
-      documentId: 'value',
       indices: ['rule-parameters-index'],
     });
   });
@@ -88,26 +92,6 @@ describe('useShowRelatedAlertsByAncestry', () => {
 
     expect(hookResult.result.current).toEqual({
       show: false,
-      documentId: 'value',
-      indices: ['rule-parameters-index'],
-    });
-  });
-
-  it('should return true if getFieldsData has the correct fields', () => {
-    (useIsExperimentalFeatureEnabled as jest.Mock).mockReturnValue(true);
-    licenseServiceMock.isPlatinumPlus.mockReturnValue(true);
-    const getFieldsData = () => 'value';
-    hookResult = renderHook(() =>
-      useShowRelatedAlertsByAncestry({
-        getFieldsData,
-        dataAsNestedObject,
-        dataFormattedForFieldBrowser,
-      })
-    );
-
-    expect(hookResult.result.current).toEqual({
-      show: true,
-      documentId: 'value',
       indices: ['rule-parameters-index'],
     });
   });

x-pack/plugins/security_solution/public/flyout/document_details/shared/hooks/use_show_related_alerts_by_ancestry.ts

@@ -13,8 +13,7 @@ import type { GetFieldsData } from '../../../../common/hooks/use_get_fields_data
 import { useIsInvestigateInResolverActionEnabled } from '../../../../detections/components/alerts_table/timeline_actions/investigate_in_resolver';
 import { useIsExperimentalFeatureEnabled } from '../../../../common/hooks/use_experimental_features';
 import { useLicense } from '../../../../common/hooks/use_license';
-import { getField } from '../utils';
-import { ANCESTOR_ID, RULE_PARAMETERS_INDEX } from '../constants/field_names';
+import { RULE_PARAMETERS_INDEX } from '../constants/field_names';
 
 export interface UseShowRelatedAlertsByAncestryParams {
   /**
@@ -36,10 +35,6 @@ export interface UseShowRelatedAlertsByAncestryResult {
    * Returns true if the user has at least platinum privilege, and if the document has ancestry data
    */
   show: boolean;
-  /**
-   * Value of the kibana.alert.ancestors.id field
-   */
-  documentId?: string;
   /**
    * Values of the kibana.alert.rule.parameters.index field
    */
@@ -59,8 +54,6 @@ export const useShowRelatedAlertsByAncestry = ({
   );
   const hasProcessEntityInfo = useIsInvestigateInResolverActionEnabled(dataAsNestedObject);
 
-  const originalDocumentId = getField(getFieldsData(ANCESTOR_ID));
-
   // can't use getFieldsData here as the kibana.alert.rule.parameters is different and can be nested
   const originalDocumentIndex = useMemo(
     () => find({ category: 'kibana', field: RULE_PARAMETERS_INDEX }, dataFormattedForFieldBrowser),
@@ -72,13 +65,11 @@ export const useShowRelatedAlertsByAncestry = ({
   const show =
     isRelatedAlertsByProcessAncestryEnabled &&
     hasProcessEntityInfo &&
-    originalDocumentId != null &&
     originalDocumentIndex != null &&
     hasAtLeastPlatinum;
 
   return {
     show,
-    ...(originalDocumentId && { documentId: originalDocumentId }),
     ...(originalDocumentIndex &&
       originalDocumentIndex.values && { indices: originalDocumentIndex.values }),
   };