[Entity Analytics] Fix user details page for users in the entity store#267728
ymao1 merged 4 commits into elastic:main
| export const AuthenticationsQueryTabBody = ({ | ||
| endDate, | ||
| filterQuery, | ||
| identityScopedFilterQuery, |
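Review bot: `identityScopedFilterQuery` in the `AuthenticationsQueryTabBody` props is the only place in this hunk where identity scoping is named, and if it is dropped in favour of `filterQuery` as the discussion indicates, the tab's scoping depends entirely on what each caller passes in. Nothing visible here checks that the User Details caller supplies an identity-scoped `filterQuery`, so a caller that passes only the global filters would render other users' authentications on one user's page instead of failing visibly. A test that renders the tab from the details page and asserts on the query it sends would cover that.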
This was added in https://github.com/elastic/kibana/pull/255428/changes#diff-be9124bc28e612351897e99e682ad87acdcc1bc41203c33df768d10b28478bd4 to override the existing filterQuery. This PR ensures the filterQuery that's passed in is correct:
- when called from the `All Users` page, the `filterQuery` filters for data where user related fields exist + any global filters
- when called from the `User Details` page, the `filterQuery` filters for data using the `euid.dsl.getEuidFilterBasedOnDocument` when entity store V2 is enabled and an entity store record exists + any global filters
- when called from the `User Details` page, the `filterQuery` filters for data using the user.name when entity store V2 is not enabled or an entity store record does not exist + any global filters
| } | ||
| const lastSeenIso = record.entity?.lifecycle?.last_seen; | ||
| const domainValues = record.user?.domain as string[] | string | undefined; | ||
| const domain = Array.isArray(domainValues) ? domainValues?.[0] ?? '' : domainValues ?? ''; |
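Review bot: the `as string[] | string | undefined` cast on `record.user?.domain` is unchecked, so on the line that computes `domain` a non-string scalar, or an array whose first element is not a string, still flows through as if it were a string. A `typeof domainValues === 'string'` branch in place of the cast would make the narrowing real at runtime. The `?.` in `domainValues?.[0]` is also redundant once `Array.isArray` has passed, and a unit test covering both the string and the array shape would pin the first-letter regression.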
This is the primary fix here, where domain is returned from the V2 entity store as a string and this mapping function was returning just the first letter of the domain value. This fixes the mapping function to check if domain is an array or string and return accordingly.
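The first-letter failure described in the comment above, reproduced next to a runtime-checked normalizer. This is an added example, not code from the PR or from Kibana; the function names and the sample records are hypothetical and constructed for illustration.

```typescript
// Added example: all names and sample values below are hypothetical.

// "Before" behaviour: the value is assumed to be an array, so when the store
// returns a plain string the index operator yields its first character.
function firstDomainAssumingArray(value: string | string[] | undefined): string {
  return value?.[0] ?? '';
}

// Runtime-checked normalizer: accepts a scalar or an array and returns the
// first non-empty string, instead of trusting a type assertion on the record.
function firstDomain(value: unknown): string {
  const candidates: unknown[] = Array.isArray(value) ? value : [value];
  for (const candidate of candidates) {
    if (typeof candidate === 'string' && candidate.trim() !== '') {
      return candidate;
    }
  }
  return '';
}

// Constructed records covering the shapes a mapping function may receive:
// scalar string, array, array with an empty leading entry, field missing,
// and a value of an unexpected type.
const CONSTRUCTED_RECORDS: Array<{ user?: { domain?: unknown } }> = [
  { user: { domain: 'corp.example' } },
  { user: { domain: ['corp.example', 'lab.example'] } },
  { user: { domain: ['', 'lab.example'] } },
  { user: {} },
  { user: { domain: 42 } },
];

// Domain value each constructed record would show on a details page.
function domainsForDisplay(): string[] {
  return CONSTRUCTED_RECORDS.map((record) => firstDomain(record.user?.domain));
}
```
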
Pinging @elastic/security-entity-analytics (Team:Entity Analytics)
💛 Build succeeded, but was flaky
Starting backport for target branches: 9.4 https://github.com/elastic/kibana/actions/runs/25527081037
Starting backport for target branches: 9.4 https://github.com/elastic/kibana/actions/runs/25527081036
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI.
Questions? Please refer to the Backport tool documentation
elastic#267728)

## Summary

Similar to elastic#265887, the user details page was using `documentEntityIdentifiers` to generate the various queries used to populate the page components. For the user entity, these identifiers were often incorrect as they returned computed fields (like `entity.namespace`) that do not exist in the source event documents, so the queries would return no data.

> [!NOTE]
> To limit the size of this PR, only the user details page is addressed. There will be a followup PR for the host details page.

## To Verify

1. Start ES and Kibana with all the V2 feature flags
2. Verify the entity store is enabled and generate some source data using `yarn start org-data --size medium`
3. Wait for the entity store to get some entities
4. Create a detection rule that queries the default security indices and generates alerts
5. Manually kick off the risk engine so that some entity store entities have risk scores
6. Modify the following file so that clicking a user from the All Users page navigates to the user details page:

```
--- a/x-pack/solutions/security/plugins/security_solution/public/explore/users/components/all_users/index.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/explore/users/components/all_users/index.tsx 
@@ -116,7 +116,6 @@ const getUsersColumns = ( userName={name} entityId={user.entityId} identityFields={user.identityFields} - onClick={onClick} />
```

### Verify No Regressions in Explore Users Page

7. Navigate to `Explore -> Users` and verify that all the tabs are correctly populated (Authentications and Anomalies may be empty depending on what test data you have). There should be no regressions on this page from this PR

### Verify User Details page for User in Entity Store is populated

8. From the `All Users` tab, click on a user to go to the user details page
9. At a minimum, the events tab should have some events. Depending on your source data, you may have data in the Authentications tab. If the user has a risk score, there should be risk score inputs in the User Risk tab and alerts shown in the alerts components. Inspecting the queries, the DSL queries should include a EUID DSL filter (without any entity.namespace fields in the filter).

https://github.com/user-attachments/assets/5484ff73-1c7f-427b-be57-8c5467e04a78

### Verify No Regressions for User Details page for User not in Entity Store

10. From the Alerts page, find a user that is not in the entity store and navigate to their details page. Inspect the queries on this page. They should all use the `user.name` fallback since this user is not in the entity store.

https://github.com/user-attachments/assets/e65332f2-3953-4c1c-924c-cc3feb95d276

(cherry picked from commit 3f53f7b)
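Review bot: step 6 verifies the fix only after hand-deleting `onClick={onClick}` in `all_users/index.tsx`, so the All Users to User Details navigation that the remaining steps rely on is not the default behaviour of the code as committed. The description should say why the handler prevents that navigation, and the details-page queries (EUID filter when an entity store record exists, `user.name` fallback otherwise) would be better covered by an automated test, so that verification does not depend on a local source edit that has to be reverted afterwards.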
…y store (#267728) (#268323)

# Backport

This will backport the following commits from `main` to `9.4`:
- [[Entity Analytics] Fix user details page for users in the entity store (#267728)](#267728)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Ying Mao <ying.mao@elastic.co>