[Security Solution] Discover Security Profile Changes + Event timeline redirection

.github/CODEOWNERS

@@ -2396,6 +2396,9 @@ x-pack/solutions/security/plugins/security_solution/public/asset_inventory @elas
 
 x-pack/test/security_solution_api_integration/test_suites/siem_migrations @elastic/security-threat-hunting
 
+/x-pack/test_serverless/functional/test_suites/security/ftr/discover @elastic/security-threat-hunting
+x-pack/test_serverless/functional/test_suites/security/config.context_awareness.ts @elastic/security-threat-hunting
+
 ## Security Solution Threat Hunting areas - Threat Hunting Investigations
 
 /x-pack/solutions/security/plugins/security_solution/common/api/tags @elastic/security-threat-hunting-investigations

src/platform/plugins/shared/discover/public/context_awareness/profile_providers/register_profile_providers.ts

@@ -29,6 +29,7 @@ import { createTracesDataSourceProfileProvider } from './observability/traces_da
 import { createDeprecationLogsDataSourceProfileProvider } from './common/deprecation_logs';
 import { createClassicNavRootProfileProvider } from './common/classic_nav_root_profile';
 import { createObservabilityDocumentProfileProviders } from './observability/observability_profile_providers';
+import { createSecurityDocumentProfileProvider } from './security/security_document_profile';
 
 /**
  * Register profile providers for root, data source, and document contexts to the profile profile services
@@ -158,5 +159,6 @@ const createDataSourceProfileProviders = (providerServices: ProfileProviderServi
  */
 const createDocumentProfileProviders = (providerServices: ProfileProviderServices) => [
   createExampleDocumentProfileProvider(),
+  createSecurityDocumentProfileProvider(providerServices),
   ...createObservabilityDocumentProfileProviders(providerServices),
 ];

src/platform/plugins/shared/discover/public/context_awareness/profile_providers/security/accessors/get_default_app_state.test.ts

@@ -0,0 +1,60 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { createDefaultSecuritySolutionAppStateGetter } from './get_default_app_state';
+
+describe('createDefaultSecuritySolutionAppStateGetter', () => {
+  it('should return default app state without security solution specific columns and breakdown field if there is no index match', () => {
+    const getDefaultAppState = createDefaultSecuritySolutionAppStateGetter();
+
+    const params = {
+      dataView: {
+        getIndexPattern: () => 'logs-*',
+      },
+    };
+
+    const prevAppState = { someKey: 'someValue' };
+    const prevAppStateGetter = () => prevAppState;
+    // @ts-expect-error - params should be compatible with the expected type
+    const appState = getDefaultAppState(prevAppStateGetter)(params);
+
+    expect(Object.keys(appState)).toMatchObject(['someKey']);
+  });
+
+  it('should return default app state with security solution specific columns and breakdown field if there is index match', () => {
+    const getDefaultAppState = createDefaultSecuritySolutionAppStateGetter();
+
+    const params = {
+      dataView: {
+        getIndexPattern: () => '.alerts-security.alerts-*',
+      },
+    };
+
+    const prevAppState = { someKey: 'someValue' };
+    const prevAppStateGetter = () => prevAppState;
+    // @ts-expect-error - params should be compatible with the expected type
+    const appState = getDefaultAppState(prevAppStateGetter)(params);
+
+    expect(appState).toEqual({
+      ...prevAppState,
+      breakdownField: 'kibana.alert.workflow_status',
+      columns: [
+        { name: '@timestamp', width: 218 },
+        { name: 'kibana.alert.workflow_status' },
+        { name: 'message', width: 360 },
+        { name: 'event.category' },
+        { name: 'event.action' },
+        { name: 'host.name' },
+        { name: 'source.ip' },
+        { name: 'destination.ip' },
+        { name: 'user.name' },
+      ],
+    });
+  });
+});

src/platform/plugins/shared/discover/public/context_awareness/profile_providers/security/accessors/get_default_app_state.ts

@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import type { RootProfileProvider } from '../../../profiles';
+import { ALERTS_INDEX_PATTERN } from '../constants';
+
+export const createDefaultSecuritySolutionAppStateGetter: () => RootProfileProvider['profile']['getDefaultAppState'] =
+  () => (prev) => (params) => {
+    const { dataView } = params;
+    const appState = { ...prev(params) };
+    if (!dataView.getIndexPattern().includes(ALERTS_INDEX_PATTERN)) {
+      return appState;
+    }
+    return {
+      ...appState,
+      breakdownField: 'kibana.alert.workflow_status',
+      columns: [
+        {
+          name: '@timestamp',
+          width: 218,
+        },
+        {
+          name: 'kibana.alert.workflow_status',
+        },
+        {
+          name: 'message',
+          width: 360,
+        },
+        {
+          name: 'event.category',
+        },
+        {
+          name: 'event.action',
+        },
+        {
+          name: 'host.name',
+        },
+        {
+          name: 'source.ip',
+        },
+        {
+          name: 'destination.ip',
+        },
+        {
+          name: 'user.name',
+        },
+      ],
+    };
+  };

src/platform/plugins/shared/discover/public/context_awareness/profile_providers/security/accessors/get_row_indicator.test.ts

@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import type { DataTableRecord } from '@kbn/discover-utils';
+import { getAlertEventRowIndicator } from './get_row_indicator';
+import type { EuiThemeComputed } from '@elastic/eui';
+
+describe('getAlertEventRowIndicator', () => {
+  it('should return the correct color and label for an event row', () => {
+    const row = {
+      flattened: {
+        'event.kind': 'event',
+      },
+    } as unknown as DataTableRecord;
+
+    const euiTheme = {
+      colors: {
+        backgroundLightText: 'backgroundLightText',
+      },
+    } as const as EuiThemeComputed;
+
+    const result = getAlertEventRowIndicator(row, euiTheme);
+
+    expect(result).toEqual({
+      color: 'backgroundLightText',
+      label: 'event',
+    });
+  });
+
+  it('should return the correct color and label for an alert row', () => {
+    const row = {
+      flattened: {
+        'event.kind': 'signal',
+      },
+    } as unknown as DataTableRecord;
+
+    const euiTheme = {
+      colors: {
+        backgroundLightText: 'backgroundLightText',
+        warning: 'warning',
+      },
+    } as const as EuiThemeComputed;
+
+    const result = getAlertEventRowIndicator(row, euiTheme);
+
+    expect(result).toEqual({
+      color: 'warning',
+      label: 'alert',
+    });
+  });
+});

src/platform/plugins/shared/discover/public/context_awareness/profile_providers/security/accessors/get_row_indicator.ts

@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { getFieldValue } from '@kbn/discover-utils';
+import type { UnifiedDataTableProps } from '@kbn/unified-data-table';
+
+export const getAlertEventRowIndicator: NonNullable<UnifiedDataTableProps['getRowIndicator']> = (
+  row,
+  euiTheme
+) => {
+  let eventColor = euiTheme.colors.backgroundLightText;
+  let rowLabel = 'event';
+
+  if (getFieldValue(row, 'event.kind') === 'signal') {
+    eventColor = euiTheme.colors.warning;
+    rowLabel = 'alert';
+  }
+
+  return {
+    color: eventColor,
+    label: rowLabel,
+  };
+};

src/platform/plugins/shared/discover/public/context_awareness/profile_providers/security/components/alert_event_overview.test.tsx

@@ -0,0 +1,146 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import React from 'react';
+import { fireEvent, render, screen } from '@testing-library/react';
+import { AlertEventOverview } from './alert_event_overview';
+import type { DataTableRecord } from '@kbn/discover-utils';
+import { dataViewMock } from '@kbn/discover-utils/src/__mocks__';
+import { EcsFlat } from '@elastic/ecs';
+import { useDiscoverServices } from '../../../../hooks/use_discover_services';
+import { encode } from '@kbn/rison';
+import { URLSearchParams } from 'url';
+
+jest.mock('../../../../hooks/use_discover_services');
+
+const TEST_TIMELINE_URL = 'test-timeline-url';
+
+const mockGetUrlForApp = jest.fn().mockReturnValue(TEST_TIMELINE_URL);
+
+const mockDiscoverServices = {
+  application: {
+    getUrlForApp: mockGetUrlForApp,
+  },
+};
+
+const mockRow = {
+  'kibana.alert.reason': 'test-reason',
+  'kibana.alert.rule.description': 'test-description',
+  'event.kind': 'signal',
+  _id: 'test-id',
+  '@timestamp': '2021-08-02T14:00:00.000Z',
+  'kibana.alert.url': 'test-url',
+};
+
+const mockHit = {
+  flattened: mockRow,
+} as unknown as DataTableRecord;
+
+const mockDataView = dataViewMock;
+
+describe('AlertEventOverview', () => {
+  beforeEach(() => {
+    (useDiscoverServices as jest.Mock).mockReturnValue(mockDiscoverServices);
+  });
+  describe('expandable sections', () => {
+    test('should return the expandable sections correctly', () => {
+      render(<AlertEventOverview hit={mockHit} dataView={mockDataView} />);
+      expect(screen.getByTestId('expandableHeader-About')).toBeVisible();
+      expect(screen.getByTestId('expandableContent-About')).toBeVisible();
+
+      fireEvent.click(screen.getByTestId('expandableHeader-About'));
+      expect(screen.getByTestId('expandableContent-About')).not.toBeVisible();
+    });
+
+    test('should show expected sections', () => {
+      render(<AlertEventOverview hit={mockHit} dataView={mockDataView} />);
+      expect(screen.getByTestId('expandableHeader-About')).toBeVisible();
+
+      expect(screen.getByTestId('expandableHeader-Description')).toBeVisible();
+      expect(screen.getByTestId('expandableContent-Description')).toHaveTextContent(
+        'test-description'
+      );
+
+      expect(screen.getByTestId('expandableHeader-Reason')).toBeVisible();
+      expect(screen.getByTestId('expandableContent-Reason')).toHaveTextContent('test-reason');
+
+      expect(screen.getByTestId('exploreSecurity')).toBeVisible();
+
+      expect(screen.getByTestId('exploreSecurity').getAttribute('href')).toBe('test-url');
+    });
+  });
+
+  describe('data', () => {
+    test('should return Ecs description for different event types correctly', () => {
+      const localMockHit = {
+        flattened: {
+          ...mockRow,
+          'event.category': 'process',
+        },
+      } as unknown as DataTableRecord;
+
+      render(<AlertEventOverview hit={localMockHit} dataView={mockDataView} />);
+
+      expect(screen.getByTestId('expandableContent-About')).toHaveTextContent(
+        EcsFlat['event.category'].allowed_values.find((i) => i.name === 'process')
+          ?.description as string
+      );
+    });
+
+    test('should display timeline redirect url correctly', () => {
+      const localMockHit = {
+        flattened: {
+          ...mockRow,
+          'event.kind': 'event',
+          'event.category': 'process',
+        },
+      } as unknown as DataTableRecord;
+      render(<AlertEventOverview hit={localMockHit} dataView={mockDataView} />);
+      const expectedURLJSON = {
+        timeline: encode({
+          activeTab: 'query',
+          isOpen: true,
+          query: {
+            expression: '_id: test-id',
+            kind: 'kuery',
+          },
+        }),
+
+        timeRange: encode({
+          timeline: {
+            timerange: {
+              from: mockRow['@timestamp'],
+              to: mockRow['@timestamp'],
+              kind: 'absolute',
+              linkTo: false,
+            },
+          },
+        }),
+
+        timelineFlyout: encode({
+          right: {
+            id: 'document-details-right',
+            params: {
+              id: 'test-id',
+              scopeId: 'timeline-1',
+            },
+          },
+        }),
+      };
+
+      const searchParams = new URLSearchParams(
+        `timeline=${expectedURLJSON.timeline}&timerange=${expectedURLJSON.timeRange}&timelineFlyout=${expectedURLJSON.timelineFlyout}`
+      );
+
+      expect(screen.getByTestId('exploreSecurity').getAttribute('href')).toBe(
+        `test-timeline-url?${searchParams}`
+      );
+    });
+  });
+});