[Security Solution] render graph in new tools flyout in Security Solution and Discover #268471
Closed
DennisKo wants to merge 9 commits into
@elasticmachine merge upstream
@copilot resolve the merge conflicts in this pull request
…tion and Discover Add a Graph tools flyout to the Flyout v2 system, mirroring the analyzer migration. The Graph preview surfaces under Visualizations and opens a dedicated tools flyout with the full graph view; both work in Security Solution and in Discover via the OneDiscover bridge.
Drop the unnecessary `as string` cast on EVENT_KIND, remove the trivial iconType useMemo and unused renderingId in the graph preview container, and port the EUID-coverage scenarios from the deleted legacy use_graph_preview test (missing actor/target/event-ids/timestamp/action, multi-field aggregation, user/host/service/generic EUID source fields).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- git mv use_should_show_graph + use_is_entity_store_v2_available from flyout/shared/hooks/ to flyout_v2/graph/hooks/ (removes the reverse v2->legacy dep from use_graph_preview).
- fold entity-mode into the v2 graph_preview_container via a discriminated union; entity_details now consumes the v2 container directly. Delete the legacy shim and its tests.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
6e58c56 to db8474c
Summary
#251806
#266160
This is a big PR. I've looked into splitting it but it just gets unnecessarily complex IMO. We have 3 big main files: `graph_preview_container.tsx`, `use_graph_preview.ts` and `graph_visualization.tsx` which make up almost the whole complexity. I think it's reviewable :)
Code changes
The PR focuses on the graph component, which is an item opened from the GraphPreview component, under the `Visualizations` section in the alert flyout. Current graph is opened in the expanded section of our flyout, but in the new EUI flyout system we will be opening it as a tools flyout.
Here are the main changes introduced here:
- `Graph` component (`flyout_v2/graph/`) that is rendered as a tools flyout via `overlays.openSystemFlyout`
- `flyout_v2` `GraphPreviewContainer` that wraps the existing shared graph preview, derives event/timestamp/actor/target params from a `DataTableRecord`, and triggers the tools flyout via an `onShowGraph` callback
- `useGraphPreview` with a hit-based version (`flyout_v2/document/hooks/use_graph_preview.ts`) that derives all graph parameters from a `DataTableRecord` instead of `useDocumentDetailsContext`
- `VisualizationsSection`, alongside Session view and Analyzer
- `EntityStoreEuidApiProvider` to the shared `flyoutProviders` stack so EUID-derived actor/target source fields resolve inside system flyout overlays (Security Solution and Discover)
The shared graph preview/visualization components and the `useGraphPreview` hook have been consolidated into `flyout_v2/` (under `flyout_v2/document/` and `flyout_v2/graph/`). The legacy expandable-flyout code paths (`flyout/document_details/right/components/visualizations_section.tsx` and `flyout/document_details/left/components/graph_visualization.tsx`) now import these consolidated modules from `flyout_v2/`, so the old flyout continues to render the graph the same way when the feature flag is off. `useNavigateToGraphVisualization` remains in place to drive the legacy expandable section.
UI changes
The UI of the current alert/event flyouts (using the expandable flyout framework) in Security Solution should remain unchanged after this PR (when the feature flag is off).
When the feature flag is on, the new flyout shows the graph preview under Visualizations, and clicking the expand control opens the new Graph tools flyout with the full graph investigation view.
The UI of the current document flyout in Discover should remain unchanged after this PR (when the experimental profile is off). With the enhanced security document profile enabled, the Graph preview and tools flyout render under the OneDiscover bridge as well.
How to test
To see the new flyout in Security Solution, add this to your `kibana.dev.yml` file:
To see the new flyout in Discover, add this to your `kibana.dev.yml` file:
What to look for when testing
- `newFlyoutSystemEnabled` feature flag off)
- `newFlyoutSystemEnabled` feature flag on) when the document has graph data and the entity store v2 is running
Closes #251806
Checklist
- `release_note:*` label is applied per the guidelines
- `backport:*` labels.