[AI4DSOC] Change the Cases page to use the AI for SOC alerts table#218742

Merged
PhilippeOberti merged 6 commits into elastic:main from PhilippeOberti:cases-ai-for-soc-table
Apr 21, 2025

Conversation

@PhilippeOberti

Summary

While testing, we realized that the Cases alerts tab was showing the DetectionEngineAlertsTable and the normal alert details flyout, even in the AI4DSOC tier. This PR updates the logic to show the correct alerts table and the correct alert details flyout depending on the tier:

  • AI4DSOC will show the same table and flyout as the ones shown in the Alert summary page
  • the other tiers will continue showing the same table and flyout we show today under the Alerts page or any other pages (DetectionEngineAlertsTable)

Switching the table allows us to tackle at once all the other related issues:

  • wrong flyout was being shown
  • too many row actions were being shown
  • wrong default columns, and wrong cell renderers

Notes

The approach is not ideal. We shouldn't have to check for the following

const AIForSOC = capabilities[SECURITY_FEATURE_ID].configurations;

in the code, but because of time constraints, this was the best approach.
A ticket has been opened to make sure we come back to this and implement the check the correct way later.

Current (wrong) behavior

Screen.Recording.2025-04-21.at.2.14.29.PM.mov

New behavior

Screen.Recording.2025-04-21.at.2.25.31.PM.mov

How to test

This needs to be run in Serverless:

  • yarn es serverless --projectType security
  • yarn serverless-security --no-base-path

You also need to enable the AI for SOC tier, by adding the following to your serverless.security.dev.yaml file:

xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]

Checklist

Relates to https://github.com/elastic/security-team/issues/11973
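As an added illustration of the tier-gated choice described above (this is not code from this PR or from Kibana): a helper that picks the alerts table from the capability object, built on the productTypes values from the test instructions, and that tolerates a missing feature entry by falling back to the table the other tiers use. The feature id string, the shape of `configurations`, and every function and constant name below are assumptions.

```typescript
// Added example, not Kibana code. Models the capability-based tier check
// quoted in the PR notes and the fallback the other tiers rely on.
// Assumptions: SECURITY_FEATURE_ID is a placeholder key; `configurations`
// is taken to hold the serverless productTypes entries from the YAML.

export const SECURITY_FEATURE_ID = 'security-feature-placeholder'; // placeholder, assumption

export interface ProductType {
  product_line: string;
  product_tier: string;
}

export interface SecurityCapabilities {
  [featureId: string]: { configurations?: ProductType[] } | undefined;
}

export type AlertsTableVariant = 'aiForSoc' | 'detectionEngine';

// True when any configured product line is the AI for SOC one
// (product_line 'ai_soc', as set in serverless.security.dev.yaml).
export function isAIForSOCTier(productTypes: ProductType[] | undefined): boolean {
  return (productTypes ?? []).some((p) => p.product_line === 'ai_soc');
}

// Chooses which table/flyout pair the Cases alerts tab should render.
// A missing feature entry or missing `configurations` must not throw:
// fall back to the DetectionEngineAlertsTable every other tier uses.
export function resolveAlertsTableVariant(
  capabilities: SecurityCapabilities
): AlertsTableVariant {
  const feature = capabilities[SECURITY_FEATURE_ID];
  return isAIForSOCTier(feature?.configurations) ? 'aiForSoc' : 'detectionEngine';
}

// Constructed sample inputs (not captured from a running Kibana).
export const AI_SOC_CAPABILITIES: SecurityCapabilities = {
  [SECURITY_FEATURE_ID]: {
    configurations: [{ product_line: 'ai_soc', product_tier: 'search_ai_lake' }],
  },
};

export const OTHER_TIER_CAPABILITIES: SecurityCapabilities = {
  [SECURITY_FEATURE_ID]: {
    configurations: [{ product_line: 'security', product_tier: 'complete' }],
  },
};

export const NO_FEATURE_CAPABILITIES: SecurityCapabilities = {};
```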

@PhilippeOberti PhilippeOberti requested a review from a team as a code owner April 21, 2025 19:26
@PhilippeOberti PhilippeOberti added labels release_note:skip (Skip the PR/issue when compiling release notes), backport:skip (This PR does not require backporting), Team:Threat Hunting:Investigations (Security Solution Threat Hunting Investigations Team), v9.1.0 on Apr 21, 2025
@elasticmachine

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

@PhilippeOberti PhilippeOberti force-pushed the cases-ai-for-soc-table branch from b65cee3 to 9ee7073 April 21, 2025 20:00

@kapral18 kapral18 left a comment


LGTM, thanks for changes

@PhilippeOberti PhilippeOberti enabled auto-merge (squash) April 21, 2025 22:38
@PhilippeOberti PhilippeOberti merged commit 9a66ec9 into elastic:main Apr 21, 2025
9 checks passed
@elasticmachine

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 7271 7273 +2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 9.0MB 9.0MB +2.1KB

History

@PhilippeOberti PhilippeOberti deleted the cases-ai-for-soc-table branch April 21, 2025 23:41
pgayvallet pushed a commit to pgayvallet/kibana that referenced this pull request Apr 22, 2025
…lastic#218742)

## Summary

While testing, we realized that the Cases alerts tab was showing the
`DetectionEngineAlertsTable` and the normal alert details flyout, even
in the AI4DSOC tier. This PR updates the logic to show the correct
alerts table and the correct alert details flyout depending on the tier:
- AI4DSOC will show the same table and flyout as the ones shown in the
Alert summary page
- the other tiers will continue showing the same table and flyout we
show today under the Alerts page or any other pages
(`DetectionEngineAlertsTable`)

Switching the table allows us to tackle at once all the other related
issues:
- wrong flyout was being shown
- too many row actions were being shown
- wrong default columns, and wrong cell renderers

### Notes

The approach is not ideal. We shouldn't have to check for the following
```typescript
const AIForSOC = capabilities[SECURITY_FEATURE_ID].configurations;
```
in the code, but because of time constraints, this was the best
approach.
[A ticket](elastic#218741) has been
opened to make sure we come back to this and implement the check the
correct way later.

Current (wrong) behavior


https://github.com/user-attachments/assets/5d769f45-26d9-4631-af95-de38b0797ff9

New behavior


https://github.com/user-attachments/assets/1f9a2e4d-50b7-40e6-8efa-1a0cfdbf5c9a

## How to test

This needs to be run in Serverless:
- `yarn es serverless --projectType security`
- `yarn serverless-security --no-base-path`

You also need to enable the AI for SOC tier, by adding the following to
your `serverless.security.dev.yaml` file:
```
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
  ]
```

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

Relates to elastic/security-team#11973

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
akowalska622 pushed a commit to akowalska622/kibana that referenced this pull request May 29, 2025
PhilippeOberti added a commit to PhilippeOberti/kibana that referenced this pull request May 30, 2025
PhilippeOberti added a commit to PhilippeOberti/kibana that referenced this pull request May 30, 2025
PhilippeOberti added a commit to PhilippeOberti/kibana that referenced this pull request Jun 4, 2025
PhilippeOberti added a commit that referenced this pull request Jun 4, 2025
…) (#222074)

# Backport

This will backport the following commits from `main` to `8.19`:
- [[AI4DSOC] Alert summary page routing and initialization
(#214889)](#214889)
- [[AI4DSOC] Alert summary landing page
(#215246)](#215246)
- [[AI4DSOC] Alert summary dataview
(#215265)](#215265)
- [[AI4DSOC] Alert summary KQL bar
[#215586]](#215586)
- [[AI4DSOC] Alert summary KPI charts
[#215585]](#215585)
- [[AI4DSOR] Alert summary integrations section
[#215266]](#215266)
- [[AI4DSOC] Fix issue with filtering by integrations
[#216574]](#216574)
- [[AI4DSOC] Alert summary table setup
[#216744]](#216744)
- [Alerty summary table flyout setup
[#217421]](#217421)
- [[AI4DSOC] Alert summary alert actions in table and flyout
[#217696]](#217696)
- [[AI4DSOC] Alert summary table custom cell renderers
[#217124]](#217124)
- [[AI4DSOC] Alert summary table and flyout ai assistant
[#217744]](#217744)
- [[AI4DSOC] Alert summary page performance improvements
[#218632]](#218632)
- [[AI4DSOC] Change the Attack Discovery page to use the AI for SOC
alerts table [#218736]](#218736)
- [[AI4DSOC] Change the Cases page to use the AI for SOC alerts table
[#218742]](#218742)
- [[AI4DSOC] Fix spacing issue on alert summary landing page integration
card [#218868]](#218868)
- [[AI4DSOC][ResponseOps] Fix alerts table not handling undefined
maintenanceWindow capability
[#218999]](#218999)
- [[AI4DSOC] Fix link to the new integrations page
[#219030]](#219030)
- [[AI4DSOC] Disable CellActions and PreviewLinks on the Attack
discovery page [#219033]](#219033)
- [[AI4DSOC] Add cell renderer for datetime fields to the alert summary
table [#219126]](#219126)
- [[AI4DSOC] Remove Assistant icon from row action in alert summary
table [#219141]](#219141)
- [[AI4DSOC] Add checkboxes to the alert summary table
[#219169]](#219169)
- [[Security Solution][AI4DSOC] Fix table not applying alert tags for
Attack discovery and Cases pages in AI4DSOC
[#219410]](#219410)
- [[AI4DSOC] Fix logic that renders the group title when grouping by
integrations [#219430]](#219430)
- [[AI4DSOC] Alert summary table truncates long values and display the
field/value pair in tooltip
[#219438]](#219438)
- [[Security Solution] Fix alerts table potentially not applying alert
assignees [#219460]](#219460)

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>