elastic · kfirpeled · Aug 10, 2025 · Jun 18, 2025 · Jun 19, 2025 · Jun 22, 2025
@@ -86,6 +86,11 @@ export interface GraphInvestigationProps {
    * The initial state to use for the graph investigation view.
    */
   initialState: {
+    /**
+     * The index patterns to use for the graph investigation view.
+     */
+    indexPatterns?: string[];
+
     /**
      * The data view to use for the graph investigation view.
      */
@@ -145,7 +150,7 @@ type EsQuery = UseFetchGraphDataParams['req']['query']['esQuery'];
  */
 export const GraphInvestigation = memo<GraphInvestigationProps>(
   ({
-    initialState: { dataView, originEventIds, timeRange: initialTimeRange },
+    initialState: { indexPatterns, dataView, originEventIds, timeRange: initialTimeRange },
     showInvestigateInTimeline = false,
     showToggleSearch = false,
     onInvestigateInTimeline,
@@ -211,6 +216,7 @@ export const GraphInvestigation = memo<GraphInvestigationProps>(
       req: {
         query: {
           originEventIds,
+          indexPatterns,
           esQuery,
           start: timeRange.from,
           end: timeRange.to,

@@ -18,4 +18,9 @@ export type {
   EntityNodeViewModel,
   NodeProps,
 } from './types';
-export { isEntityNode, getNodeDocumentMode, hasNodeDocumentsData } from './utils';
+export {
+  isEntityNode,
+  getNodeDocumentMode,
+  hasNodeDocumentsData,
+  getSingleDocumentData,
+} from './utils';
@@ -23,6 +23,18 @@ export const isEntityNode = (node: NodeViewModel) =>
 export const isStackedLabel = (node: NodeViewModel): boolean =>
   !(node.shape === 'label' && Boolean(node.parentId));
 
+/**
+ * Type guard: Returns true if node.documentsData is a non-empty array.
+ * This only narrows node.documentsData to a non-empty array, not to a specific document type.
+ */
+export const hasNodeDocumentsData = (
+  node: NodeViewModel
+): node is NodeViewModel & {
+  documentsData: [NodeDocumentDataViewModel, ...NodeDocumentDataViewModel[]];
+} => {
+  return Array.isArray(node.documentsData) && node.documentsData.length > 0;
+};
+
 /**
  * Returns the node document mode, or 'na' if documentsData is missing or empty.
  * When this function returns a value other than 'na', documentsData is guaranteed to be a non-empty array.
@@ -41,7 +53,7 @@ export const getNodeDocumentMode = (
   }
 
   // Single alert contains both event's document data and alert's document data.
-  if (node.documentsData.find((doc) => doc.type === 'alert') && node.documentsData.length < 2) {
+  if (node.documentsData.find((doc) => doc.type === 'alert') && node.documentsData.length <= 2) {
     return 'single-alert';
   } else if (node.documentsData.length === 1 && node.documentsData[0].type === 'event') {
     return 'single-event';
@@ -57,14 +69,24 @@ export const getNodeDocumentMode = (
 };
 
 /**
- * Type guard: Returns true if node.documentsData is a non-empty array.
- * This only narrows node.documentsData to a non-empty array, not to a specific document type.
+ * Returns the single document data for a node if it is in single-* mode.
+ * If the node is not in one of these modes, or if it has no documentsData, it returns undefined.
  */
-export function hasNodeDocumentsData(node: NodeViewModel): node is NodeViewModel & {
-  documentsData: [NodeDocumentDataViewModel, ...NodeDocumentDataViewModel[]];
-} {
-  return Array.isArray(node.documentsData) && node.documentsData.length > 0;
-}
+export const getSingleDocumentData = (
+  node: NodeViewModel
+): NodeDocumentDataViewModel | undefined => {
+  const mode = getNodeDocumentMode(node);
+  if (!hasNodeDocumentsData(node) || (mode !== 'single-alert' && mode !== 'single-event')) {
+    return undefined;
+  }
+
+  // For single-alert we might have both event and alert documents. We prefer to return the alert document if it exists.
+  const documentData =
+    node.documentsData.find((doc) => doc.type === 'alert') ??
+    node.documentsData.find((doc) => doc.type === 'event');
+
+  return documentData;
+};
 
 const FETCH_GRAPH_FAILED_TEXT = i18n.translate(
   'securitySolutionPackages.csp.graph.investigation.errorFetchingGraphData',

@@ -228,8 +228,10 @@ describe('fetchGraph', () => {
       `WITH targetEntityName = entity.name, targetEntityType = entity.type, targetSourceIndex = entity.source`
     );
 
-    expect(query).not.toContain(`actorsDocData = VALUES(actorDocData)`);
-    expect(query).not.toContain(`targetsDocData = VALUES(targetDocData)`);
+    expect(query).toContain(`EVAL actorDocData = TO_STRING(null)`);
+    expect(query).toContain(`EVAL targetDocData = TO_STRING(null)`);
+    expect(query).toContain(`actorsDocData = VALUES(actorDocData)`);
+    expect(query).toContain(`targetsDocData = VALUES(targetDocData)`);
     expect(result).toEqual([{ id: 'dummy' }]);
   });
 

@@ -20,7 +20,7 @@ interface BuildEsqlQueryParams {
   originEventIds: OriginEventId[];
   originAlertIds: OriginEventId[];
   isEnrichPolicyExists: boolean;
-  enrichPolicyName: string;
+  spaceId: string;
   alertsMappingsIncluded: boolean;
 }
 
@@ -46,6 +46,7 @@ export const fetchGraph = async ({
   esQuery?: EsQuery;
 }): Promise<EsqlToRecords<GraphEdge>> => {
   const originAlertIds = originEventIds.filter((originEventId) => originEventId.isAlert);
+
   // FROM clause currently doesn't support parameters, Therefore, we validate the index patterns to prevent injection attacks.
   // Regex to match invalid characters in index patterns: upper case characters, \, /, ?, ", <, >, |, (space), #, or ,
   indexPatterns.forEach((indexPattern, idx) => {
@@ -68,7 +69,7 @@ export const fetchGraph = async ({
     originEventIds,
     originAlertIds,
     isEnrichPolicyExists,
-    enrichPolicyName: getEnrichPolicyId(spaceId),
+    spaceId,
     alertsMappingsIncluded,
   });
 
@@ -162,54 +163,20 @@ const buildEsqlQuery = ({
   originEventIds,
   originAlertIds,
   isEnrichPolicyExists,
-  enrichPolicyName,
+  spaceId,
   alertsMappingsIncluded,
 }: BuildEsqlQueryParams): string => {
   const SECURITY_ALERTS_PARTIAL_IDENTIFIER = '.alerts-security.alerts-';
+  const enrichPolicyName = getEnrichPolicyId(spaceId);
 
-  const originEventClause =
-    originEventIds.length > 0
-      ? `event.id in (${originEventIds.map((_id, idx) => `?og_id${idx}`).join(', ')})`
-      : 'false';
-
-  const originAlertClause =
-    originAlertIds.length > 0
-      ? `event.id in (${originAlertIds.map((_id, idx) => `?og_alrt_id${idx}`).join(', ')})`
-      : 'false';
-
-  const formattedIndexPatterns = indexPatterns
+  const query = `FROM ${indexPatterns
     .filter((indexPattern) => indexPattern.length > 0)
-    .join(',');
-
-  if (isEnrichPolicyExists) {
-    return `FROM ${formattedIndexPatterns} METADATA _id, _index
-
-| ENRICH ${enrichPolicyName} ON actor.entity.id WITH actorEntityName = entity.name, actorEntityType = entity.type
-| ENRICH ${enrichPolicyName} ON target.entity.id WITH targetEntityName = entity.name, targetEntityType = entity.type
-
+    .join(',')} METADATA _id, _index
 | WHERE event.action IS NOT NULL AND actor.entity.id IS NOT NULL
-// Origin event and alerts allow us to identify the start position of graph traversal
-| EVAL isOrigin = ${originEventClause}
-| EVAL isOriginAlert = isOrigin AND ${originAlertClause}
-
-// We format it as JSON string, the best alternative so far. Tried to use tuple using MV_APPEND
-// but it flattens the data and we lose the structure
-// Aggregate document's data for popover expansion and metadata enhancements
-| EVAL isAlert = _index LIKE "*${SECURITY_ALERTS_PARTIAL_IDENTIFIER}*"
-| EVAL docType = CASE (isAlert, "${DOCUMENT_TYPE_ALERT}", "${DOCUMENT_TYPE_EVENT}")
-| EVAL docData = CONCAT("{",
-    "\\"id\\":\\"", _id, "\\"",
-    ",\\"type\\":\\"", docType, "\\"",
-    ",\\"index\\":\\"", _index, "\\"",
-  "}")
-    ${
-      alertsMappingsIncluded
-        ? `CASE (isAlert, CONCAT(",\\"alert\\":", "{",
-      "\\"ruleName\\":\\"", kibana.alert.rule.name, "\\"",
-    "}"), ""),`
-        : ''
-    }
-
+${
+  isEnrichPolicyExists
+    ? `| ENRICH ${enrichPolicyName} ON actor.entity.id WITH actorEntityName = entity.name, actorEntityType = entity.type
+| ENRICH ${enrichPolicyName} ON target.entity.id WITH targetEntityName = entity.name, targetEntityType = entity.type
 // Contact actor and target entities data
 | EVAL actorDocData = CONCAT("{",
     "\\"id\\":\\"", actor.entity.id, "\\"",
@@ -226,56 +193,51 @@ const buildEsqlQuery = ({
       "\\"name\\":\\"", targetEntityName, "\\"",
       ",\\"type\\":\\"", targetEntityType, "\\"",
     "}",
-  "}")
-
-| STATS badge = COUNT(*),
-  docs = VALUES(docData),
-  actorsDocData = VALUES(actorDocData),
-  targetsDocData = VALUES(targetDocData),
-  isAlert = MV_MAX(VALUES(isAlert))
-    BY actorIds = actor.entity.id,
-      action = event.action,
-      targetIds = target.entity.id,
-      isOrigin,
-      isOriginAlert
-
-| LIMIT 1000
-| SORT isOrigin DESC, action`;
-  } else {
-    // Query WITHOUT entity enrichment - simpler case
-    return `FROM ${formattedIndexPatterns} METADATA _id, _index
-
-| WHERE event.action IS NOT NULL AND actor.entity.id IS NOT NULL
+  "}")`
+    : `| EVAL actorDocData = TO_STRING(null)
+| EVAL targetDocData = TO_STRING(null)`
+}
 // Origin event and alerts allow us to identify the start position of graph traversal
-| EVAL isOrigin = ${originEventClause}
-| EVAL isOriginAlert = isOrigin AND ${originAlertClause}
-
-// Aggregate document's data for popover expansion and metadata enhancements
+| EVAL isOrigin = ${
+    originEventIds.length > 0
+      ? `event.id in (${originEventIds.map((_id, idx) => `?og_id${idx}`).join(', ')})`
+      : 'false'
+  }
+| EVAL isOriginAlert = isOrigin AND ${
+    originAlertIds.length > 0
+      ? `event.id in (${originAlertIds.map((_id, idx) => `?og_alrt_id${idx}`).join(', ')})`
+      : 'false'
+  }
 | EVAL isAlert = _index LIKE "*${SECURITY_ALERTS_PARTIAL_IDENTIFIER}*"
+// Aggregate document's data for popover expansion and metadata enhancements
+// We format it as JSON string, the best alternative so far. Tried to use tuple using MV_APPEND
+// but it flattens the data and we lose the structure
 | EVAL docType = CASE (isAlert, "${DOCUMENT_TYPE_ALERT}", "${DOCUMENT_TYPE_EVENT}")
 | EVAL docData = CONCAT("{",
     "\\"id\\":\\"", _id, "\\"",
     ",\\"type\\":\\"", docType, "\\"",
     ",\\"index\\":\\"", _index, "\\"",
-  "}")
     ${
+      // ESQL complains about missing field's mapping when we don't fetch from alerts index
       alertsMappingsIncluded
         ? `CASE (isAlert, CONCAT(",\\"alert\\":", "{",
       "\\"ruleName\\":\\"", kibana.alert.rule.name, "\\"",
     "}"), ""),`
         : ''
     }
-
+  "}")
 | STATS badge = COUNT(*),
   docs = VALUES(docData),
+  actorsDocData = VALUES(actorDocData),
+  targetsDocData = VALUES(targetDocData),
   isAlert = MV_MAX(VALUES(isAlert))
     BY actorIds = actor.entity.id,
       action = event.action,
       targetIds = target.entity.id,
       isOrigin,
       isOriginAlert
-
 | LIMIT 1000
-| SORT isOrigin DESC, action`;
-  }
+| SORT isOrigin DESC, action, actorIds`;
+
+  return query;
 };
@@ -92,7 +92,7 @@ describe('getGraph', () => {
 
     expect(fetchGraph).toHaveBeenCalledWith(
       expect.objectContaining({
-        indexPatterns: ['logs-*'],
+        indexPatterns: [`.alerts-security.alerts-defaultSpace`, 'logs-*'],
       })
     );
   });

@@ -36,7 +36,7 @@ export const getGraph = async ({
   showUnknownTarget,
   nodesLimit,
 }: GetGraphParams): Promise<Pick<GraphResponse, 'nodes' | 'edges' | 'messages'>> => {
-  indexPatterns = indexPatterns ?? ['logs-*'];
+  indexPatterns = indexPatterns ?? [`.alerts-security.alerts-${spaceId}`, 'logs-*'];
 
   logger.trace(
     `Fetching graph for [originEventIds: ${originEventIds.join(