[Entity Analytics] Auditing usages of `documentEntityIdentifiers` in user/host flyout #265887
ymao1 merged 4 commits into elastic:main from
| isPreviewMode, | ||
| openDetailsPanel, | ||
| passedFindings, |
This component was only used in the `entity_insights` component, which calls the `useHasMisconfigurations` hook but only used the `hasMisconfigurationFindings` output to determine whether to render this component. I removed the duplicate call to the hook and passed the `passedFindings` and `failedFindings` as inputs.
@elasticmachine run docs-build
Pinging @elastic/security-entity-analytics (Team:Entity Analytics)
@elasticmachine merge upstream
opauloh
left a comment
Cloud Security Posture changes LGTM
agusruidiazgd
left a comment
Desk tested 👌 LGTM
💛 Build succeeded, but was flaky
cc @ymao1
Starting backport for target branches: 9.4 https://github.com/elastic/kibana/actions/runs/25115373185
💔 All backports failed
Manual backport
To create the backport manually run:
Questions ?
Please refer to the Backport tool documentation
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI.
Questions ?
Please refer to the Backport tool documentation
…s` in user/host flyout (#265887) (#266439)

# Backport

This will backport the following commits from `main` to `9.4`:
- [[Entity Analytics] Auditing usages of `documentEntityIdentifiers` in user/host flyout (#265887)](#265887)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
#267728)

## Summary

Similar to #265887, the user details page was using `documentEntityIdentifiers` to generate the various queries used to populate the page components. For the user entity, these identifiers were often incorrect as they returned computed fields (like `entity.namespace`) that do not exist in the source event documents, so the queries would return no data.

> [!NOTE]
> To limit the size of this PR, only the user details page is addressed. There will be a followup PR for the host details page.

## To Verify

1. Start ES and Kibana with all the V2 feature flags
2. Verify the entity store is enabled and generate some source data using `yarn start org-data --size medium`
3. Wait for the entity store to get some entities
4. Create a detection rule that queries the default security indices and generates alerts
5. Manually kick off the risk engine so that some entity store entities have risk scores
6. Modify the following file so that clicking a user from the All Users page navigates to the user details page:

```
--- a/x-pack/solutions/security/plugins/security_solution/public/explore/users/components/all_users/index.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/explore/users/components/all_users/index.tsx 
@@ -116,7 +116,6 @@ const getUsersColumns = ( userName={name} entityId={user.entityId} identityFields={user.identityFields} - onClick={onClick} />
```

### Verify No Regressions in Explore Users Page

7. Navigate to `Explore -> Users` and verify that all the tabs are correctly populated (Authentications and Anomalies may be empty depending on what test data you have). There should be no regressions on this page from this PR

### Verify User Details page for User in Entity Store is populated

8. From the `All Users` tab, click on a user to go to the user details page
9. At a minimum, the events tab should have some events. Depending on your source data, you may have data in the Authentications tab. If the user has a risk score, there should be risk score inputs in the User Risk tab and alerts shown in the alerts components. Inspecting the queries, the DSL queries should include a EUID DSL filter (without any entity.namespace fields in the filter).

https://github.com/user-attachments/assets/5484ff73-1c7f-427b-be57-8c5467e04a78

### Verify No Regressions for User Details page for User not in Entity Store

10. From the Alerts page, find a user that is not in the entity store and navigate to their details page. Inspect the queries on this page. They should all use the `user.name` fallback since this user is not in the entity store.

https://github.com/user-attachments/assets/e65332f2-3953-4c1c-924c-cc3feb95d276
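Review bot: the `- onClick={onClick}` removal in the step 6 hunk is a local edit made only to reach the user details page, and the steps never say to revert it. Add a final step telling the tester to discard the change to `all_users/index.tsx` once step 10 is done, so it is not carried into a later commit. Since the check in step 9 is "no `entity.namespace` fields in the filter", a test asserting on the generated filter would also remove the need for a source edit to verify this.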
elastic#267728)
(cherry picked from commit 3f53f7b)
…y store (#267728) (#268323)

# Backport

This will backport the following commits from `main` to `9.4`:
- [[Entity Analytics] Fix user details page for users in the entity store (#267728)](#267728)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Ying Mao <ying.mao@elastic.co>
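## Summary

This PR addresses 2 items:
* Updates the click behavior in the User Risk and Host Risk tabs on the User/Host Explore pages to open in a flyout instead of redirecting to the details page. This tab was missed in the first PR: https://github.com//pull/265132.
* Audits usages of `documentEntityIdentifiers` in the User and Host right flyouts. These identifiers are generated [here (user)](https://github.com/elastic/kibana/blob/1b2ff3f8bb198c259a5155f1bf486f6e4e084078/x-pack/solutions/security/plugins/security_solution/public/flyout/entity_details/user_right/index.tsx#L112) and [here (host)](https://github.com/elastic/kibana/blob/1b2ff3f8bb198c259a5155f1bf486f6e4e084078/x-pack/solutions/security/plugins/security_solution/public/flyout/entity_details/host_right/index.tsx#L110) and used throughout the flyouts in the EUID `getEuidFilterBasedOnDocument` helper function, however, the document identifiers for user are incorrect as they return an `entity.namespace` field that exists in the entity store but does not exist in any source log/alert document. This PR replaces the input to `getEuidFilterBasedOnDocument` from the `documentEntityIdentifiers` to the full entity store record to ensure that a correct EUID filter is generated for queries against source documents.

**User Risk/Host Risk tab click behavior**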
Screen.Recording.2026-04-28.at.9.12.58.AM.mov
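The failure described above (a filter on `entity.namespace`, a field that exists only in the entity store, returning nothing from source documents) can be checked mechanically. The following is an added example, not code from this PR or from Kibana: the documents, both filters and all function names are constructed for illustration and are not output of `getEuidFilterBasedOnDocument`.

```typescript
// Added example, not Kibana code. Sample documents and filters are constructed.
type Dsl = { [key: string]: unknown };
type FlatDoc = { [field: string]: string };

// Leaf clauses keyed by field name, e.g. { term: { "user.name": "alice" } }.
const FIELD_KEYED: string[] = ['term', 'terms', 'match', 'match_phrase', 'prefix', 'wildcard', 'range'];

function isObject(v: unknown): v is Dsl {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

function walk(node: unknown, out: string[]): void {
  if (Array.isArray(node)) {
    for (const child of node) walk(child, out);
  } else if (isObject(node)) {
    for (const key of Object.keys(node)) {
      const value = node[key];
      const existsField = isObject(value) ? value['field'] : undefined;
      if (key === 'exists' && typeof existsField === 'string') {
        out.push(existsField);
      } else if (FIELD_KEYED.indexOf(key) !== -1 && isObject(value)) {
        for (const f of Object.keys(value)) if (f !== 'boost') out.push(f);
      } else {
        walk(value, out);
      }
    }
  }
}

// Every field name a query DSL tree filters on, de-duplicated and sorted.
function collectFilterFields(filter: unknown): string[] {
  const out: string[] = [];
  walk(filter, out);
  return out.filter((f, i) => out.indexOf(f) === i).sort();
}

// Fields the filter depends on that no source document carries.
function fieldsMissingFromSource(filter: unknown, docs: FlatDoc[]): string[] {
  return collectFilterFields(filter).filter((f) => !docs.some((d) => f in d));
}

function asList(v: unknown): unknown[] {
  return Array.isArray(v) ? v : v === undefined ? [] : [v];
}

// Minimal evaluator for bool / term / exists (short-form term values only).
function matches(doc: FlatDoc, query: unknown): boolean {
  if (!isObject(query)) return false;
  const term = query['term'];
  if (isObject(term)) return Object.keys(term).every((f) => doc[f] === term[f]);
  const exists = query['exists'];
  if (isObject(exists)) {
    const f = exists['field'];
    return typeof f === 'string' && f in doc;
  }
  const bool = query['bool'];
  if (isObject(bool)) {
    const required = asList(bool['filter']).concat(asList(bool['must']));
    const should = asList(bool['should']);
    return required.every((c) => matches(doc, c))
      && !asList(bool['must_not']).some((c) => matches(doc, c))
      // "should" is optional once filter/must clauses are present.
      && (should.length === 0 || required.length > 0 || should.some((c) => matches(doc, c)));
  }
  return false;
}

function countHits(docs: FlatDoc[], filter: unknown): number {
  return docs.filter((d) => matches(d, filter)).length;
}

// Constructed source events: none of them has an entity.namespace field.
const SOURCE_DOCS: FlatDoc[] = [
  { 'user.name': 'alice', 'event.module': 'okta', 'event.category': 'authentication' },
  { 'user.name': 'alice', 'event.module': 'okta', 'event.category': 'iam' },
  { 'user.name': 'bob', 'event.module': 'okta', 'event.category': 'authentication' },
];

// Constructed filter built from store-side identifiers (includes the store-only field).
const FILTER_FROM_STORE_IDENTIFIERS: Dsl = {
  bool: { filter: [{ term: { 'user.name': 'alice' } }, { term: { 'entity.namespace': 'okta' } }] },
};

// Constructed filter that uses only fields present in source events.
const FILTER_FROM_SOURCE_FIELDS: Dsl = {
  bool: { filter: [{ term: { 'user.name': 'alice' } }] },
};

console.log(fieldsMissingFromSource(FILTER_FROM_STORE_IDENTIFIERS, SOURCE_DOCS), countHits(SOURCE_DOCS, FILTER_FROM_STORE_IDENTIFIERS));
console.log(fieldsMissingFromSource(FILTER_FROM_SOURCE_FIELDS, SOURCE_DOCS), countHits(SOURCE_DOCS, FILTER_FROM_SOURCE_FIELDS));
```

Running `fieldsMissingFromSource` over the request body shown by the query inspector, against a sample of real source events, flags a filter that would silently empty the page.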