[Cloud Security] Show related alert's when fetching CDR graph (elastic#224783)

## Summary

Closes elastic#221037 , shows alerts on the graph by querying both the logs and
the alerts indices

- [x] Graph API - new optional `indexPatterns` parameters to switch data
views (not in use in the UI atm). Defaults to
`.alerts-security.alerts-<spaceId>, logs-*`
- [x] Visualize loaded alerts that are identified with alerts in graph
preview and graph investigation

~Depends on elastic#224483
`actor` and `target` are not part of ECS yet. And to ease our
development process we wish to push forward with this feature in mind.
This feature supports both cases when alert's index mappings contains
definition for `actor` and `target`, and also when its not.

In this PR, we add mappings of `actor` and `target` to the es_archive of
the alerts. This way we are able to test the functionality of this
feature instead of being blocked by
elastic#224483.


<details>
<summary>Video 🎥  </summary>


https://github.com/user-attachments/assets/bcc86214-6e88-46f3-a990-300bbdc28125

</details>


<details>
<summary>Screenshots 📸 </summary>

**Before (ignore label alignments - screenshot is from a local
environment)**

![Screenshot 2025-06-29 at 19 33
00](https://github.com/user-attachments/assets/39b014ce-6b70-44cc-a486-906d39c205fe)


**After (another event is identified with alert - marking it as such and
expands the _alert_ details)**

![Screenshot 2025-06-29 at 19 32
30](https://github.com/user-attachments/assets/824d1d6f-9c17-4c4a-a8a7-18e65b89dbb2)

**Before network page - preview**

![Screenshot 2025-06-29 at 19 40
59](https://github.com/user-attachments/assets/50716acc-b2bd-4d42-93e0-eb31cfa6fe9c)

**After network page - preview identifies if event contains alert**

![Screenshot 2025-06-29 at 19 40
29](https://github.com/user-attachments/assets/531cec9f-2fb3-4a90-9cc1-1a73684f3612)


</details>

### How to test locally

1. Edit `kibana.dev.yml` and add:

```yml
uiSettings.overrides.securitySolution:enableGraphVisualization: true
```

2. Start elasticsearch and kibana locally
3. To add mock data run the following:

```bash
node scripts/es_archiver load x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \
 --es-url http://elastic:changeme@localhost:9200 \
 --kibana-url http://elastic:changeme@localhost:5601

node scripts/es_archiver load x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/security_alerts_modified_mappings \
 --es-url http://elastic:changeme@localhost:9200 \
 --kibana-url http://elastic:changeme@localhost:5601

```

3. Open `Alerts` page in kibana. Update the date-picker to include data
from a year ago. Then check one of the alerts details opening the
right-side flyout and find the "Graph preview" section in it.
4. Expand graph to show related alerts
5. Enable Asset Inventory in the `Inventory` page (if you don't see the
page enable the feature flag in the advanced settings)
6. Add entities mock data

```
node scripts/es_archiver load x-pack/solutions/security/test/cloud_security_posture_api/es_archives/entity_store \
 --es-url http://elastic:changeme@localhost:9200 \
 --kibana-url http://elastic:changeme@localhost:5601
```
7. Open `Alerts` page in kibana. Check that the graph shows the admin
entity with it's label

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

Author: kfirpeled

x-pack/solutions/security/packages/kbn-cloud-security-posture/graph/src/components/graph_investigation/graph_investigation.tsx

@@ -86,6 +86,11 @@ export interface GraphInvestigationProps {
    * The initial state to use for the graph investigation view.
    */
   initialState: {
+    /**
+     * The index patterns to use for the graph investigation view.
+     */
+    indexPatterns?: string[];
+
     /**
      * The data view to use for the graph investigation view.
      */
@@ -145,7 +150,7 @@ type EsQuery = UseFetchGraphDataParams['req']['query']['esQuery'];
  */
 export const GraphInvestigation = memo<GraphInvestigationProps>(
   ({
-    initialState: { dataView, originEventIds, timeRange: initialTimeRange },
+    initialState: { indexPatterns, dataView, originEventIds, timeRange: initialTimeRange },
     showInvestigateInTimeline = false,
     showToggleSearch = false,
     onInvestigateInTimeline,
@@ -211,6 +216,7 @@ export const GraphInvestigation = memo<GraphInvestigationProps>(
       req: {
         query: {
           originEventIds,
+          indexPatterns,
           esQuery,
           start: timeRange.from,
           end: timeRange.to,

x-pack/solutions/security/packages/kbn-cloud-security-posture/graph/src/components/index.ts

@@ -18,4 +18,9 @@ export type {
   EntityNodeViewModel,
   NodeProps,
 } from './types';
-export { isEntityNode, getNodeDocumentMode, hasNodeDocumentsData } from './utils';
+export {
+  isEntityNode,
+  getNodeDocumentMode,
+  hasNodeDocumentsData,
+  getSingleDocumentData,
+} from './utils';

x-pack/solutions/security/packages/kbn-cloud-security-posture/graph/src/components/utils.ts

@@ -23,6 +23,18 @@ export const isEntityNode = (node: NodeViewModel) =>
 export const isStackedLabel = (node: NodeViewModel): boolean =>
   !(node.shape === 'label' && Boolean(node.parentId));
 
+/**
+ * Type guard: Returns true if node.documentsData is a non-empty array.
+ * This only narrows node.documentsData to a non-empty array, not to a specific document type.
+ */
+export const hasNodeDocumentsData = (
+  node: NodeViewModel
+): node is NodeViewModel & {
+  documentsData: [NodeDocumentDataViewModel, ...NodeDocumentDataViewModel[]];
+} => {
+  return Array.isArray(node.documentsData) && node.documentsData.length > 0;
+};
+
 /**
  * Returns the node document mode, or 'na' if documentsData is missing or empty.
  * When this function returns a value other than 'na', documentsData is guaranteed to be a non-empty array.
@@ -41,7 +53,7 @@ export const getNodeDocumentMode = (
   }
 
   // Single alert contains both event's document data and alert's document data.
-  if (node.documentsData.find((doc) => doc.type === 'alert') && node.documentsData.length < 2) {
+  if (node.documentsData.find((doc) => doc.type === 'alert') && node.documentsData.length <= 2) {
     return 'single-alert';
   } else if (node.documentsData.length === 1 && node.documentsData[0].type === 'event') {
     return 'single-event';
@@ -57,14 +69,24 @@ export const getNodeDocumentMode = (
 };
 
 /**
- * Type guard: Returns true if node.documentsData is a non-empty array.
- * This only narrows node.documentsData to a non-empty array, not to a specific document type.
+ * Returns the single document data for a node if it is in single-* mode.
+ * If the node is not in one of these modes, or if it has no documentsData, it returns undefined.
  */
-export function hasNodeDocumentsData(node: NodeViewModel): node is NodeViewModel & {
-  documentsData: [NodeDocumentDataViewModel, ...NodeDocumentDataViewModel[]];
-} {
-  return Array.isArray(node.documentsData) && node.documentsData.length > 0;
-}
+export const getSingleDocumentData = (
+  node: NodeViewModel
+): NodeDocumentDataViewModel | undefined => {
+  const mode = getNodeDocumentMode(node);
+  if (!hasNodeDocumentsData(node) || (mode !== 'single-alert' && mode !== 'single-event')) {
+    return undefined;
+  }
+
+  // For single-alert we might have both event and alert documents. We prefer to return the alert document if it exists.
+  const documentData =
+    node.documentsData.find((doc) => doc.type === 'alert') ??
+    node.documentsData.find((doc) => doc.type === 'event');
+
+  return documentData;
+};
 
 const FETCH_GRAPH_FAILED_TEXT = i18n.translate(
   'securitySolutionPackages.csp.graph.investigation.errorFetchingGraphData',

x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/fetch_graph.test.ts

@@ -228,8 +228,10 @@ describe('fetchGraph', () => {
       `WITH targetEntityName = entity.name, targetEntityType = entity.type, targetSourceIndex = entity.source`
     );
 
-    expect(query).not.toContain(`actorsDocData = VALUES(actorDocData)`);
-    expect(query).not.toContain(`targetsDocData = VALUES(targetDocData)`);
+    expect(query).toContain(`EVAL actorDocData = TO_STRING(null)`);
+    expect(query).toContain(`EVAL targetDocData = TO_STRING(null)`);
+    expect(query).toContain(`actorsDocData = VALUES(actorDocData)`);
+    expect(query).toContain(`targetsDocData = VALUES(targetDocData)`);
     expect(result).toEqual([{ id: 'dummy' }]);
   });
 

x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/fetch_graph.ts

@@ -20,7 +20,7 @@ interface BuildEsqlQueryParams {
   originEventIds: OriginEventId[];
   originAlertIds: OriginEventId[];
   isEnrichPolicyExists: boolean;
-  enrichPolicyName: string;
+  spaceId: string;
   alertsMappingsIncluded: boolean;
 }
 
@@ -46,6 +46,7 @@ export const fetchGraph = async ({
   esQuery?: EsQuery;
 }): Promise<EsqlToRecords<GraphEdge>> => {
   const originAlertIds = originEventIds.filter((originEventId) => originEventId.isAlert);
+
   // FROM clause currently doesn't support parameters, Therefore, we validate the index patterns to prevent injection attacks.
   // Regex to match invalid characters in index patterns: upper case characters, \, /, ?, ", <, >, |, (space), #, or ,
   indexPatterns.forEach((indexPattern, idx) => {
@@ -68,7 +69,7 @@ export const fetchGraph = async ({
     originEventIds,
     originAlertIds,
     isEnrichPolicyExists,
-    enrichPolicyName: getEnrichPolicyId(spaceId),
+    spaceId,
     alertsMappingsIncluded,
   });
 
@@ -162,54 +163,20 @@ const buildEsqlQuery = ({
   originEventIds,
   originAlertIds,
   isEnrichPolicyExists,
-  enrichPolicyName,
+  spaceId,
   alertsMappingsIncluded,
 }: BuildEsqlQueryParams): string => {
   const SECURITY_ALERTS_PARTIAL_IDENTIFIER = '.alerts-security.alerts-';
+  const enrichPolicyName = getEnrichPolicyId(spaceId);
 
-  const originEventClause =
-    originEventIds.length > 0
-      ? `event.id in (${originEventIds.map((_id, idx) => `?og_id${idx}`).join(', ')})`
-      : 'false';
-
-  const originAlertClause =
-    originAlertIds.length > 0
-      ? `event.id in (${originAlertIds.map((_id, idx) => `?og_alrt_id${idx}`).join(', ')})`
-      : 'false';
-
-  const formattedIndexPatterns = indexPatterns
+  const query = `FROM ${indexPatterns
     .filter((indexPattern) => indexPattern.length > 0)
-    .join(',');
-
-  if (isEnrichPolicyExists) {
-    return `FROM ${formattedIndexPatterns} METADATA _id, _index
-
-| ENRICH ${enrichPolicyName} ON actor.entity.id WITH actorEntityName = entity.name, actorEntityType = entity.type
-| ENRICH ${enrichPolicyName} ON target.entity.id WITH targetEntityName = entity.name, targetEntityType = entity.type
-
+    .join(',')} METADATA _id, _index
 | WHERE event.action IS NOT NULL AND actor.entity.id IS NOT NULL
-// Origin event and alerts allow us to identify the start position of graph traversal
-| EVAL isOrigin = ${originEventClause}
-| EVAL isOriginAlert = isOrigin AND ${originAlertClause}
-
-// We format it as JSON string, the best alternative so far. Tried to use tuple using MV_APPEND
-// but it flattens the data and we lose the structure
-// Aggregate document's data for popover expansion and metadata enhancements
-| EVAL isAlert = _index LIKE "*${SECURITY_ALERTS_PARTIAL_IDENTIFIER}*"
-| EVAL docType = CASE (isAlert, "${DOCUMENT_TYPE_ALERT}", "${DOCUMENT_TYPE_EVENT}")
-| EVAL docData = CONCAT("{",
-    "\\"id\\":\\"", _id, "\\"",
-    ",\\"type\\":\\"", docType, "\\"",
-    ",\\"index\\":\\"", _index, "\\"",
-  "}")
-    ${
-      alertsMappingsIncluded
-        ? `CASE (isAlert, CONCAT(",\\"alert\\":", "{",
-      "\\"ruleName\\":\\"", kibana.alert.rule.name, "\\"",
-    "}"), ""),`
-        : ''
-    }
-
+${
+  isEnrichPolicyExists
+    ? `| ENRICH ${enrichPolicyName} ON actor.entity.id WITH actorEntityName = entity.name, actorEntityType = entity.type
+| ENRICH ${enrichPolicyName} ON target.entity.id WITH targetEntityName = entity.name, targetEntityType = entity.type
 // Contact actor and target entities data
 | EVAL actorDocData = CONCAT("{",
     "\\"id\\":\\"", actor.entity.id, "\\"",
@@ -226,56 +193,51 @@ const buildEsqlQuery = ({
       "\\"name\\":\\"", targetEntityName, "\\"",
       ",\\"type\\":\\"", targetEntityType, "\\"",
     "}",
-  "}")
-
-| STATS badge = COUNT(*),
-  docs = VALUES(docData),
-  actorsDocData = VALUES(actorDocData),
-  targetsDocData = VALUES(targetDocData),
-  isAlert = MV_MAX(VALUES(isAlert))
-    BY actorIds = actor.entity.id,
-      action = event.action,
-      targetIds = target.entity.id,
-      isOrigin,
-      isOriginAlert
-
-| LIMIT 1000
-| SORT isOrigin DESC, action`;
-  } else {
-    // Query WITHOUT entity enrichment - simpler case
-    return `FROM ${formattedIndexPatterns} METADATA _id, _index
-
-| WHERE event.action IS NOT NULL AND actor.entity.id IS NOT NULL
+  "}")`
+    : `| EVAL actorDocData = TO_STRING(null)
+| EVAL targetDocData = TO_STRING(null)`
+}
 // Origin event and alerts allow us to identify the start position of graph traversal
-| EVAL isOrigin = ${originEventClause}
-| EVAL isOriginAlert = isOrigin AND ${originAlertClause}
-
-// Aggregate document's data for popover expansion and metadata enhancements
+| EVAL isOrigin = ${
+    originEventIds.length > 0
+      ? `event.id in (${originEventIds.map((_id, idx) => `?og_id${idx}`).join(', ')})`
+      : 'false'
+  }
+| EVAL isOriginAlert = isOrigin AND ${
+    originAlertIds.length > 0
+      ? `event.id in (${originAlertIds.map((_id, idx) => `?og_alrt_id${idx}`).join(', ')})`
+      : 'false'
+  }
 | EVAL isAlert = _index LIKE "*${SECURITY_ALERTS_PARTIAL_IDENTIFIER}*"
+// Aggregate document's data for popover expansion and metadata enhancements
+// We format it as JSON string, the best alternative so far. Tried to use tuple using MV_APPEND
+// but it flattens the data and we lose the structure
 | EVAL docType = CASE (isAlert, "${DOCUMENT_TYPE_ALERT}", "${DOCUMENT_TYPE_EVENT}")
 | EVAL docData = CONCAT("{",
     "\\"id\\":\\"", _id, "\\"",
     ",\\"type\\":\\"", docType, "\\"",
     ",\\"index\\":\\"", _index, "\\"",
-  "}")
     ${
+      // ESQL complains about missing field's mapping when we don't fetch from alerts index
       alertsMappingsIncluded
         ? `CASE (isAlert, CONCAT(",\\"alert\\":", "{",
       "\\"ruleName\\":\\"", kibana.alert.rule.name, "\\"",
     "}"), ""),`
         : ''
     }
-
+  "}")
 | STATS badge = COUNT(*),
   docs = VALUES(docData),
+  actorsDocData = VALUES(actorDocData),
+  targetsDocData = VALUES(targetDocData),
   isAlert = MV_MAX(VALUES(isAlert))
     BY actorIds = actor.entity.id,
       action = event.action,
       targetIds = target.entity.id,
       isOrigin,
       isOriginAlert
-
 | LIMIT 1000
-| SORT isOrigin DESC, action`;
-  }
+| SORT isOrigin DESC, action, actorIds`;
+
+  return query;
 };

x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/v1.test.ts

@@ -92,7 +92,7 @@ describe('getGraph', () => {
 
     expect(fetchGraph).toHaveBeenCalledWith(
       expect.objectContaining({
-        indexPatterns: ['logs-*'],
+        indexPatterns: [`.alerts-security.alerts-defaultSpace`, 'logs-*'],
       })
     );
   });

x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/v1.ts

@@ -36,7 +36,7 @@ export const getGraph = async ({
   showUnknownTarget,
   nodesLimit,
 }: GetGraphParams): Promise<Pick<GraphResponse, 'nodes' | 'edges' | 'messages'>> => {
-  indexPatterns = indexPatterns ?? ['logs-*'];
+  indexPatterns = indexPatterns ?? [`.alerts-security.alerts-${spaceId}`, 'logs-*'];
 
   logger.trace(
     `Fetching graph for [originEventIds: ${originEventIds.join(