[8.x] [Cloud Security] Bug fix - show origin event's with primar…

…y color instead of danger (#204425) (#204663)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Cloud Security] Bug fix - show origin event's with primary
color instead of danger
(#204425)](#204425)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kfir
Peled","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-17T16:17:05Z","message":"[Cloud
Security] Bug fix - show origin event's with primary color instead of
danger (#204425)\n\n## Summary\r\n\r\nBug
description:\r\n\r\n**Actual:** The node's color is red when exploring
events through\r\nExplore or Timeline.\r\n**The expected** color of
events is
blue.\r\n\r\nBefore:\r\n\r\n\r\n![385007418-f0a6bd7e-dbc9-43ad-99b8-a07bcad85075](https://github.com/user-attachments/assets/7bf198f3-9a32-4d27-84db-3e97b5bf312b)\r\n\r\nAfter:\r\n\r\n\r\n\r\nhttps://github.com/user-attachments/assets/f1a10deb-65f5-43be-a351-6fca34f855cb\r\n\r\n\r\nhttps://github.com/user-attachments/assets/223534f4-09a2-4b41-85bc-c2195dd153ba\r\n\r\n**How
to test this PR:**\r\n\r\n- Enable the feature flag
\r\n\r\n`kibana.dev.yml`:\r\n\r\n```yaml\r\nuiSettings.overrides.securitySolution:enableVisualizationsInFlyout:
true\r\nxpack.securitySolution.enableExperimental:
['graphVisualizationInFlyoutEnabled']\r\n```\r\n\r\n- Load mocked
data:\r\n\r\n```bash\r\nnode scripts/es_archiver load
x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit
\\ \r\n --es-url http://elastic:changeme@localhost:9200 \\\r\n
--kibana-url http://elastic:changeme@localhost:5601\r\n\r\nnode
scripts/es_archiver load
x-pack/test/cloud_security_posture_functional/es_archives/security_alerts
\\\r\n --es-url http://elastic:changeme@localhost:9200 \\\r\n
--kibana-url http://elastic:changeme@localhost:5601\r\n```\r\n\r\n- Make
sure you include data from Oct 13 2024. (in the video I use
Last\r\nyear)\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests
changed","sha":"2c5544cfc87cfa11800e4ab687ab39ec445b2d74","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Cloud
Security","backport:prev-minor","v8.18.0"],"title":"[Cloud Security] Bug
fix - show origin event's with primary color instead of
danger","number":204425,"url":"https://github.com/elastic/kibana/pull/204425","mergeCommit":{"message":"[Cloud
Security] Bug fix - show origin event's with primary color instead of
danger (#204425)\n\n## Summary\r\n\r\nBug
description:\r\n\r\n**Actual:** The node's color is red when exploring
events through\r\nExplore or Timeline.\r\n**The expected** color of
events is
blue.\r\n\r\nBefore:\r\n\r\n\r\n![385007418-f0a6bd7e-dbc9-43ad-99b8-a07bcad85075](https://github.com/user-attachments/assets/7bf198f3-9a32-4d27-84db-3e97b5bf312b)\r\n\r\nAfter:\r\n\r\n\r\n\r\nhttps://github.com/user-attachments/assets/f1a10deb-65f5-43be-a351-6fca34f855cb\r\n\r\n\r\nhttps://github.com/user-attachments/assets/223534f4-09a2-4b41-85bc-c2195dd153ba\r\n\r\n**How
to test this PR:**\r\n\r\n- Enable the feature flag
\r\n\r\n`kibana.dev.yml`:\r\n\r\n```yaml\r\nuiSettings.overrides.securitySolution:enableVisualizationsInFlyout:
true\r\nxpack.securitySolution.enableExperimental:
['graphVisualizationInFlyoutEnabled']\r\n```\r\n\r\n- Load mocked
data:\r\n\r\n```bash\r\nnode scripts/es_archiver load
x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit
\\ \r\n --es-url http://elastic:changeme@localhost:9200 \\\r\n
--kibana-url http://elastic:changeme@localhost:5601\r\n\r\nnode
scripts/es_archiver load
x-pack/test/cloud_security_posture_functional/es_archives/security_alerts
\\\r\n --es-url http://elastic:changeme@localhost:9200 \\\r\n
--kibana-url http://elastic:changeme@localhost:5601\r\n```\r\n\r\n- Make
sure you include data from Oct 13 2024. (in the video I use
Last\r\nyear)\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests
changed","sha":"2c5544cfc87cfa11800e4ab687ab39ec445b2d74"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/204425","number":204425,"mergeCommit":{"message":"[Cloud
Security] Bug fix - show origin event's with primary color instead of
danger (#204425)\n\n## Summary\r\n\r\nBug
description:\r\n\r\n**Actual:** The node's color is red when exploring
events through\r\nExplore or Timeline.\r\n**The expected** color of
events is
blue.\r\n\r\nBefore:\r\n\r\n\r\n![385007418-f0a6bd7e-dbc9-43ad-99b8-a07bcad85075](https://github.com/user-attachments/assets/7bf198f3-9a32-4d27-84db-3e97b5bf312b)\r\n\r\nAfter:\r\n\r\n\r\n\r\nhttps://github.com/user-attachments/assets/f1a10deb-65f5-43be-a351-6fca34f855cb\r\n\r\n\r\nhttps://github.com/user-attachments/assets/223534f4-09a2-4b41-85bc-c2195dd153ba\r\n\r\n**How
to test this PR:**\r\n\r\n- Enable the feature flag
\r\n\r\n`kibana.dev.yml`:\r\n\r\n```yaml\r\nuiSettings.overrides.securitySolution:enableVisualizationsInFlyout:
true\r\nxpack.securitySolution.enableExperimental:
['graphVisualizationInFlyoutEnabled']\r\n```\r\n\r\n- Load mocked
data:\r\n\r\n```bash\r\nnode scripts/es_archiver load
x-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit
\\ \r\n --es-url http://elastic:changeme@localhost:9200 \\\r\n
--kibana-url http://elastic:changeme@localhost:5601\r\n\r\nnode
scripts/es_archiver load
x-pack/test/cloud_security_posture_functional/es_archives/security_alerts
\\\r\n --es-url http://elastic:changeme@localhost:9200 \\\r\n
--kibana-url http://elastic:changeme@localhost:5601\r\n```\r\n\r\n- Make
sure you include data from Oct 13 2024. (in the video I use
Last\r\nyear)\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n- [x] [Flaky
Test\r\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)
was\r\nused on any tests
changed","sha":"2c5544cfc87cfa11800e4ab687ab39ec445b2d74"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/204611","number":204611,"state":"MERGED","mergeCommit":{"sha":"bed0eaa8eaf18e3507e615c14b59de0ffaaa5e28","message":"[8.x]
[Cloud Security] Bug fix - show origin event&#x27;s with primary color
instead of danger (#204425) (#204611)\n\n# Backport\r\n\r\nThis will
backport the following commits from `main` to `8.x`:\r\n- [[Cloud
Security] Bug fix - show origin event&#x27;s with primary\r\ncolor
instead of
danger\r\n(#204425)](https://github.com/elastic/kibana/pull/204425)\r\n\r\n<!---
Backport version: 9.4.3 -->\r\n\r\n### Questions ?\r\nPlease refer to
the [Backport
tool\r\ndocumentation](https://github.com/sqren/backport)\r\n\r\n<!--BACKPORT
[{\"author\":{\"name\":\"Kfir\r\nPeled\",\"email\":\"[email protected]\"},\"sourceCommit\":{\"committedDate\":\"2024-12-17T16:17:05Z\",\"message\":\"[Cloud\r\nSecurity]
Bug fix - show origin event's with primary color instead of\r\ndanger
(#204425)\\n\\n##
Summary\\r\\n\\r\\nBug\r\ndescription:\\r\\n\\r\\n**Actual:** The node's
color is red when exploring\r\nevents through\\r\\nExplore or
Timeline.\\r\\n**The expected** color of\r\nevents
is\r\nblue.\\r\\n\\r\\nBefore:\\r\\n\\r\\n\\r\\n![385007418-f0a6bd7e-dbc9-43ad-99b8-a07bcad85075](https://github.com/user-attachments/assets/7bf198f3-9a32-4d27-84db-3e97b5bf312b)\\r\\n\\r\\nAfter:\\r\\n\\r\\n\\r\\n\\r\\nhttps://github.com/user-attachments/assets/f1a10deb-65f5-43be-a351-6fca34f855cb\\r\\n\\r\\n\\r\\nhttps://github.com/user-attachments/assets/223534f4-09a2-4b41-85bc-c2195dd153ba\\r\\n\\r\\n**How\r\nto
test this PR:**\\r\\n\\r\\n- Enable the feature
flag\r\n\\r\\n\\r\\n`kibana.dev.yml`:\\r\\n\\r\\n```yaml\\r\\nuiSettings.overrides.securitySolution:enableVisualizationsInFlyout:\r\ntrue\\r\\nxpack.securitySolution.enableExperimental:\r\n['graphVisualizationInFlyoutEnabled']\\r\\n```\\r\\n\\r\\n-
Load mocked\r\ndata:\\r\\n\\r\\n```bash\\r\\nnode scripts/es_archiver
load\r\nx-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit\r\n\\\\
\\r\\n --es-url http://elastic:changeme@localhost:9200
\\\\\\r\\n\r\n--kibana-url
http://elastic:changeme@localhost:5601\\r\\n\\r\\nnode\r\nscripts/es_archiver
load\r\nx-pack/test/cloud_security_posture_functional/es_archives/security_alerts\r\n\\\\\\r\\n
--es-url http://elastic:changeme@localhost:9200
\\\\\\r\\n\r\n--kibana-url
http://elastic:changeme@localhost:5601\\r\\n```\\r\\n\\r\\n-
Make\r\nsure you include data from Oct 13 2024. (in the video I
use\r\nLast\\r\\nyear)\\r\\n\\r\\n\\r\\n### Checklist\\r\\n\\r\\n- [x]
[Unit
or\r\nfunctional\\r\\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\\r\\nwere\r\nupdated
or added to match the most common scenarios\\r\\n- [x]
[Flaky\r\nTest\\r\\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)\r\nwas\\r\\nused
on any
tests\r\nchanged\",\"sha\":\"2c5544cfc87cfa11800e4ab687ab39ec445b2d74\",\"branchLabelMapping\":{\"^v9.0.0$\":\"main\",\"^v8.18.0$\":\"8.x\",\"^v(\\\\d+).(\\\\d+).\\\\d+$\":\"$1.$2\"}},\"sourcePullRequest\":{\"labels\":[\"release_note:skip\",\"v9.0.0\",\"Team:Cloud\r\nSecurity\",\"backport:prev-minor\"],\"title\":\"[Cloud
Security] Bug fix -\r\nshow origin event's with primary color instead
of\r\ndanger\",\"number\":204425,\"url\":\"https://github.com/elastic/kibana/pull/204425\",\"mergeCommit\":{\"message\":\"[Cloud\r\nSecurity]
Bug fix - show origin event's with primary color instead of\r\ndanger
(#204425)\\n\\n##
Summary\\r\\n\\r\\nBug\r\ndescription:\\r\\n\\r\\n**Actual:** The node's
color is red when exploring\r\nevents through\\r\\nExplore or
Timeline.\\r\\n**The expected** color of\r\nevents
is\r\nblue.\\r\\n\\r\\nBefore:\\r\\n\\r\\n\\r\\n![385007418-f0a6bd7e-dbc9-43ad-99b8-a07bcad85075](https://github.com/user-attachments/assets/7bf198f3-9a32-4d27-84db-3e97b5bf312b)\\r\\n\\r\\nAfter:\\r\\n\\r\\n\\r\\n\\r\\nhttps://github.com/user-attachments/assets/f1a10deb-65f5-43be-a351-6fca34f855cb\\r\\n\\r\\n\\r\\nhttps://github.com/user-attachments/assets/223534f4-09a2-4b41-85bc-c2195dd153ba\\r\\n\\r\\n**How\r\nto
test this PR:**\\r\\n\\r\\n- Enable the feature
flag\r\n\\r\\n\\r\\n`kibana.dev.yml`:\\r\\n\\r\\n```yaml\\r\\nuiSettings.overrides.securitySolution:enableVisualizationsInFlyout:\r\ntrue\\r\\nxpack.securitySolution.enableExperimental:\r\n['graphVisualizationInFlyoutEnabled']\\r\\n```\\r\\n\\r\\n-
Load mocked\r\ndata:\\r\\n\\r\\n```bash\\r\\nnode scripts/es_archiver
load\r\nx-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit\r\n\\\\
\\r\\n --es-url http://elastic:changeme@localhost:9200
\\\\\\r\\n\r\n--kibana-url
http://elastic:changeme@localhost:5601\\r\\n\\r\\nnode\r\nscripts/es_archiver
load\r\nx-pack/test/cloud_security_posture_functional/es_archives/security_alerts\r\n\\\\\\r\\n
--es-url http://elastic:changeme@localhost:9200
\\\\\\r\\n\r\n--kibana-url
http://elastic:changeme@localhost:5601\\r\\n```\\r\\n\\r\\n-
Make\r\nsure you include data from Oct 13 2024. (in the video I
use\r\nLast\\r\\nyear)\\r\\n\\r\\n\\r\\n### Checklist\\r\\n\\r\\n- [x]
[Unit
or\r\nfunctional\\r\\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\\r\\nwere\r\nupdated
or added to match the most common scenarios\\r\\n- [x]
[Flaky\r\nTest\\r\\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)\r\nwas\\r\\nused
on any
tests\r\nchanged\",\"sha\":\"2c5544cfc87cfa11800e4ab687ab39ec445b2d74\"}},\"sourceBranch\":\"main\",\"suggestedTargetBranches\":[],\"targetPullRequestStates\":[{\"branch\":\"main\",\"label\":\"v9.0.0\",\"branchLabelMappingKey\":\"^v9.0.0$\",\"isSourceBranch\":true,\"state\":\"MERGED\",\"url\":\"https://github.com/elastic/kibana/pull/204425\",\"number\":204425,\"mergeCommit\":{\"message\":\"[Cloud\r\nSecurity]
Bug fix - show origin event's with primary color instead of\r\ndanger
(#204425)\\n\\n##
Summary\\r\\n\\r\\nBug\r\ndescription:\\r\\n\\r\\n**Actual:** The node's
color is red when exploring\r\nevents through\\r\\nExplore or
Timeline.\\r\\n**The expected** color of\r\nevents
is\r\nblue.\\r\\n\\r\\nBefore:\\r\\n\\r\\n\\r\\n![385007418-f0a6bd7e-dbc9-43ad-99b8-a07bcad85075](https://github.com/user-attachments/assets/7bf198f3-9a32-4d27-84db-3e97b5bf312b)\\r\\n\\r\\nAfter:\\r\\n\\r\\n\\r\\n\\r\\nhttps://github.com/user-attachments/assets/f1a10deb-65f5-43be-a351-6fca34f855cb\\r\\n\\r\\n\\r\\nhttps://github.com/user-attachments/assets/223534f4-09a2-4b41-85bc-c2195dd153ba\\r\\n\\r\\n**How\r\nto
test this PR:**\\r\\n\\r\\n- Enable the feature
flag\r\n\\r\\n\\r\\n`kibana.dev.yml`:\\r\\n\\r\\n```yaml\\r\\nuiSettings.overrides.securitySolution:enableVisualizationsInFlyout:\r\ntrue\\r\\nxpack.securitySolution.enableExperimental:\r\n['graphVisualizationInFlyoutEnabled']\\r\\n```\\r\\n\\r\\n-
Load mocked\r\ndata:\\r\\n\\r\\n```bash\\r\\nnode scripts/es_archiver
load\r\nx-pack/test/cloud_security_posture_functional/es_archives/logs_gcp_audit\r\n\\\\
\\r\\n --es-url http://elastic:changeme@localhost:9200
\\\\\\r\\n\r\n--kibana-url
http://elastic:changeme@localhost:5601\\r\\n\\r\\nnode\r\nscripts/es_archiver
load\r\nx-pack/test/cloud_security_posture_functional/es_archives/security_alerts\r\n\\\\\\r\\n
--es-url http://elastic:changeme@localhost:9200
\\\\\\r\\n\r\n--kibana-url
http://elastic:changeme@localhost:5601\\r\\n```\\r\\n\\r\\n-
Make\r\nsure you include data from Oct 13 2024. (in the video I
use\r\nLast\\r\\nyear)\\r\\n\\r\\n\\r\\n### Checklist\\r\\n\\r\\n- [x]
[Unit
or\r\nfunctional\\r\\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\\r\\nwere\r\nupdated
or added to match the most common scenarios\\r\\n- [x]
[Flaky\r\nTest\\r\\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1)\r\nwas\\r\\nused
on any
tests\r\nchanged\",\"sha\":\"2c5544cfc87cfa11800e4ab687ab39ec445b2d74\"}}]}]\r\nBACKPORT-->\r\n\r\nCo-authored-by:
Kfir Peled <[email protected]>"}}]}]
BACKPORT-->

Co-authored-by: Kfir Peled <[email protected]>

x-pack/platform/packages/shared/kbn-cloud-security-posture/common/schema/graph/v1.ts

@@ -12,7 +12,9 @@ export const graphRequestSchema = schema.object({
   nodesLimit: schema.maybe(schema.number()),
   showUnknownTarget: schema.maybe(schema.boolean()),
   query: schema.object({
-    eventIds: schema.arrayOf(schema.string()),
+    originEventIds: schema.arrayOf(
+      schema.object({ id: schema.string(), isAlert: schema.boolean() })
+    ),
     // TODO: use zod for range validation instead of config schema
     start: schema.oneOf([schema.number(), schema.string()]),
     end: schema.oneOf([schema.number(), schema.string()]),

x-pack/solutions/security/packages/kbn-cloud-security-posture/graph/src/components/graph_investigation/graph_investigation.tsx

@@ -126,21 +126,46 @@ const useGraphPopovers = (
 };
 
 interface GraphInvestigationProps {
-  dataView: DataView;
-  eventIds: string[];
-  timestamp: string | null;
+  /**
+   * The initial state to use for the graph investigation view.
+   */
+  initialState: {
+    /**
+     * The data view to use for the graph investigation view.
+     */
+    dataView: DataView;
+
+    /**
+     * The origin events for the graph investigation view.
+     */
+    originEventIds: Array<{
+      /**
+       * The ID of the origin event.
+       */
+      id: string;
+
+      /**
+       * A flag indicating whether the origin event is an alert or not.
+       */
+      isAlert: boolean;
+    }>;
+
+    /**
+     * The initial timerange for the graph investigation view.
+     */
+    timeRange: TimeRange;
+  };
 }
 
 /**
  * Graph investigation view allows the user to expand nodes and view related entities.
  */
 export const GraphInvestigation: React.FC<GraphInvestigationProps> = memo(
-  ({ dataView, eventIds, timestamp = new Date().toISOString() }: GraphInvestigationProps) => {
+  ({
+    initialState: { dataView, originEventIds, timeRange: initialTimeRange },
+  }: GraphInvestigationProps) => {
     const [searchFilters, setSearchFilters] = useState<Filter[]>(() => []);
-    const [timeRange, setTimeRange] = useState<TimeRange>({
-      from: `${timestamp}||-30m`,
-      to: `${timestamp}||+30m`,
-    });
+    const [timeRange, setTimeRange] = useState<TimeRange>(initialTimeRange);
 
     const {
       services: { uiSettings },
@@ -153,7 +178,7 @@ export const GraphInvestigation: React.FC<GraphInvestigationProps> = memo(
           [...searchFilters],
           getEsQueryConfig(uiSettings as Parameters<typeof getEsQueryConfig>[0])
         ),
-      [searchFilters, dataView, uiSettings]
+      [dataView, searchFilters, uiSettings]
     );
 
     const { nodeExpandPopover, openPopoverCallback } = useGraphPopovers(
@@ -166,7 +191,7 @@ export const GraphInvestigation: React.FC<GraphInvestigationProps> = memo(
     const { data, refresh, isFetching } = useFetchGraphData({
       req: {
         query: {
-          eventIds,
+          originEventIds,
           esQuery: query,
           start: timeRange.from,
           end: timeRange.to,

x-pack/solutions/security/packages/kbn-cloud-security-posture/graph/src/hooks/use_fetch_graph_data.test.tsx

@@ -33,7 +33,7 @@ describe('useFetchGraphData', () => {
       return useFetchGraphData({
         req: {
           query: {
-            eventIds: [],
+            originEventIds: [],
             start: '2021-09-01T00:00:00.000Z',
             end: '2021-09-01T23:59:59.999Z',
           },
@@ -52,7 +52,7 @@ describe('useFetchGraphData', () => {
       return useFetchGraphData({
         req: {
           query: {
-            eventIds: [],
+            originEventIds: [],
             start: '2021-09-01T00:00:00.000Z',
             end: '2021-09-01T23:59:59.999Z',
           },
@@ -75,7 +75,7 @@ describe('useFetchGraphData', () => {
       return useFetchGraphData({
         req: {
           query: {
-            eventIds: [],
+            originEventIds: [],
             start: '2021-09-01T00:00:00.000Z',
             end: '2021-09-01T23:59:59.999Z',
           },
@@ -98,7 +98,7 @@ describe('useFetchGraphData', () => {
       return useFetchGraphData({
         req: {
           query: {
-            eventIds: [],
+            originEventIds: [],
             start: '2021-09-01T00:00:00.000Z',
             end: '2021-09-01T23:59:59.999Z',
           },

x-pack/solutions/security/packages/kbn-cloud-security-posture/graph/src/hooks/use_fetch_graph_data.ts

@@ -81,13 +81,13 @@ export const useFetchGraphData = ({
   options,
 }: UseFetchGraphDataParams): UseFetchGraphDataResult => {
   const queryClient = useQueryClient();
-  const { esQuery, eventIds, start, end } = req.query;
+  const { esQuery, originEventIds, start, end } = req.query;
   const {
     services: { http },
   } = useKibana();
   const QUERY_KEY = useMemo(
-    () => ['useFetchGraphData', eventIds, start, end, esQuery],
-    [end, esQuery, eventIds, start]
+    () => ['useFetchGraphData', originEventIds, start, end, esQuery],
+    [end, esQuery, originEventIds, start]
   );
 
   const { isLoading, isError, data, isFetching } = useQuery<GraphResponse>(

x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/route.ts

@@ -43,7 +43,7 @@ export const defineGraphRoute = (router: CspRouter) =>
         const cspContext = await context.csp;
 
         const { nodesLimit, showUnknownTarget = false } = request.body;
-        const { eventIds, start, end, esQuery } = request.body.query as GraphRequest['query'];
+        const { originEventIds, start, end, esQuery } = request.body.query as GraphRequest['query'];
         const spaceId = (await cspContext.spaces?.spacesService?.getActiveSpace(request))?.id;
 
         try {
@@ -53,7 +53,7 @@ export const defineGraphRoute = (router: CspRouter) =>
               esClient: cspContext.esClient,
             },
             query: {
-              eventIds,
+              originEventIds,
               spaceId,
               start,
               end,

x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/v1.ts

@@ -33,7 +33,8 @@ interface GraphEdge {
   action: string;
   targetIds: string[] | string;
   eventOutcome: string;
-  isAlert: boolean;
+  isOrigin: boolean;
+  isOriginAlert: boolean;
 }
 
 interface LabelEdges {
@@ -46,10 +47,15 @@ interface GraphContextServices {
   esClient: IScopedClusterClient;
 }
 
+interface OriginEventId {
+  id: string;
+  isAlert: boolean;
+}
+
 interface GetGraphParams {
   services: GraphContextServices;
   query: {
-    eventIds: string[];
+    originEventIds: OriginEventId[];
     spaceId?: string;
     start: string | number;
     end: string | number;
@@ -61,19 +67,21 @@ interface GetGraphParams {
 
 export const getGraph = async ({
   services: { esClient, logger },
-  query: { eventIds, spaceId = 'default', start, end, esQuery },
+  query: { originEventIds, spaceId = 'default', start, end, esQuery },
   showUnknownTarget,
   nodesLimit,
 }: GetGraphParams): Promise<Pick<GraphResponse, 'nodes' | 'edges' | 'messages'>> => {
-  logger.trace(`Fetching graph for [eventIds: ${eventIds.join(', ')}] in [spaceId: ${spaceId}]`);
+  logger.trace(
+    `Fetching graph for [originEventIds: ${originEventIds.join(', ')}] in [spaceId: ${spaceId}]`
+  );
 
   const results = await fetchGraph({
     esClient,
     showUnknownTarget,
     logger,
     start,
     end,
-    eventIds,
+    originEventIds,
     esQuery,
   });
 
@@ -132,23 +140,29 @@ const fetchGraph = async ({
   logger,
   start,
   end,
-  eventIds,
+  originEventIds,
   showUnknownTarget,
   esQuery,
 }: {
   esClient: IScopedClusterClient;
   logger: Logger;
   start: string | number;
   end: string | number;
-  eventIds: string[];
+  originEventIds: OriginEventId[];
   showUnknownTarget: boolean;
   esQuery?: EsQuery;
 }): Promise<EsqlToRecords<GraphEdge>> => {
+  const originAlertIds = originEventIds.filter((originEventId) => originEventId.isAlert);
   const query = `from logs-*
 | WHERE event.action IS NOT NULL AND actor.entity.id IS NOT NULL
-| EVAL isAlert = ${
-    eventIds.length > 0
-      ? `event.id in (${eventIds.map((_id, idx) => `?al_id${idx}`).join(', ')})`
+| EVAL isOrigin = ${
+    originEventIds.length > 0
+      ? `event.id in (${originEventIds.map((_id, idx) => `?og_id${idx}`).join(', ')})`
+      : 'false'
+  }
+| EVAL isOriginAlert = isOrigin AND ${
+    originAlertIds.length > 0
+      ? `event.id in (${originAlertIds.map((_id, idx) => `?og_alrt_id${idx}`).join(', ')})`
       : 'false'
   }
 | STATS badge = COUNT(*),
@@ -159,19 +173,26 @@ const fetchGraph = async ({
       action = event.action,
       targetIds = target.entity.id,
       eventOutcome = event.outcome,
-      isAlert
+      isOrigin,
+      isOriginAlert
 | LIMIT 1000
-| SORT isAlert DESC`;
+| SORT isOrigin DESC`;
 
   logger.trace(`Executing query [${query}]`);
 
+  const eventIds = originEventIds.map((originEventId) => originEventId.id);
   return await esClient.asCurrentUser.helpers
     .esql({
       columnar: false,
       filter: buildDslFilter(eventIds, showUnknownTarget, start, end, esQuery),
       query,
       // @ts-ignore - types are not up to date
-      params: [...eventIds.map((id, idx) => ({ [`al_id${idx}`]: id }))],
+      params: [
+        ...originEventIds.map((originEventId, idx) => ({ [`og_id${idx}`]: originEventId.id })),
+        ...originEventIds
+          .filter((originEventId) => originEventId.isAlert)
+          .map((originEventId, idx) => ({ [`og_alrt_id${idx}`]: originEventId.id })),
+      ],
     })
     .toRecords<GraphEdge>();
 };
@@ -238,7 +259,7 @@ const createNodes = (records: GraphEdge[], context: Omit<ParseContext, 'edgesMap
       break;
     }
 
-    const { ips, hosts, users, actorIds, action, targetIds, isAlert, eventOutcome } = record;
+    const { ips, hosts, users, actorIds, action, targetIds, isOriginAlert, eventOutcome } = record;
     const actorIdsArray = castArray(actorIds);
     const targetIdsArray = castArray(targetIds);
     const unknownTargets: string[] = [];
@@ -257,7 +278,7 @@ const createNodes = (records: GraphEdge[], context: Omit<ParseContext, 'edgesMap
         nodesMap[id] = {
           id,
           label: unknownTargets.includes(id) ? 'Unknown' : undefined,
-          color: isAlert ? 'danger' : 'primary',
+          color: isOriginAlert ? 'danger' : 'primary',
           ...determineEntityNodeShape(
             id,
             castArray(ips ?? []),
@@ -280,7 +301,7 @@ const createNodes = (records: GraphEdge[], context: Omit<ParseContext, 'edgesMap
         const labelNode: LabelNodeDataModel = {
           id: edgeId + `label(${action})outcome(${eventOutcome})`,
           label: action,
-          color: isAlert ? 'danger' : eventOutcome === 'failed' ? 'warning' : 'primary',
+          color: isOriginAlert ? 'danger' : eventOutcome === 'failed' ? 'warning' : 'primary',
           shape: 'label',
         };
 

x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/left/components/graph_visualization.tsx

@@ -29,12 +29,20 @@ export const GraphVisualization: React.FC = memo(() => {
   const dataView = useGetScopedSourcererDataView({
     sourcererScope: SourcererScopeName.default,
   });
-  const { getFieldsData, dataAsNestedObject } = useDocumentDetailsContext();
-  const { eventIds, timestamp } = useGraphPreview({
+  const { getFieldsData, dataAsNestedObject, dataFormattedForFieldBrowser } =
+    useDocumentDetailsContext();
+  const {
+    eventIds,
+    timestamp = new Date().toISOString(),
+    isAlert,
+  } = useGraphPreview({
     getFieldsData,
     ecsData: dataAsNestedObject,
+    dataFormattedForFieldBrowser,
   });
 
+  const originEventIds = eventIds.map((id) => ({ id, isAlert }));
+
   return (
     <div
       data-test-subj={GRAPH_VISUALIZATION_TEST_ID}
@@ -46,7 +54,16 @@ export const GraphVisualization: React.FC = memo(() => {
     >
       {dataView && (
         <React.Suspense fallback={<EuiLoadingSpinner />}>
-          <GraphInvestigationLazy dataView={dataView} eventIds={eventIds} timestamp={timestamp} />
+          <GraphInvestigationLazy
+            initialState={{
+              dataView,
+              originEventIds,
+              timeRange: {
+                from: `${timestamp}||-30m`,
+                to: `${timestamp}||+30m`,
+              },
+            }}
+          />
         </React.Suspense>
       )}
     </div>

x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/left/tabs/visualize_tab.tsx

@@ -88,7 +88,8 @@ const graphVisualizationButton: EuiButtonGroupOptionProps = {
  * Visualize view displayed in the document details expandable flyout left section
  */
 export const VisualizeTab = memo(() => {
-  const { scopeId, getFieldsData, dataAsNestedObject } = useDocumentDetailsContext();
+  const { scopeId, getFieldsData, dataAsNestedObject, dataFormattedForFieldBrowser } =
+    useDocumentDetailsContext();
   const { openPreviewPanel } = useExpandableFlyoutApi();
   const panels = useExpandableFlyoutState();
   const [activeVisualizationId, setActiveVisualizationId] = useState(
@@ -123,6 +124,7 @@ export const VisualizeTab = memo(() => {
   const { hasGraphRepresentation } = useGraphPreview({
     getFieldsData,
     ecsData: dataAsNestedObject,
+    dataFormattedForFieldBrowser,
   });
 
   const isGraphFeatureEnabled = useIsExperimentalFeatureEnabled(