[CTI] Adds Threat Intel Tab to Alert Summary Flyout

[ecezalp]

Summary

Updates Threat Summary & Threat Details features to match the updated designs.

no threat - summary

no threat - threat intel

threat - summary

threat - threat intel

Notes

Relates to elastic/security-team#961 - confidence field is passing through with no additional engineering as you can see from the last attached image above.

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• Any UI touched in this PR is usable by keyboard only (learn more about keyboard accessibility)
• Any UI touched in this PR does not create any new axe failures (run axe in browser: FF, Chrome)
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This renders correctly on smaller devices using a responsive layout. (You can test this in your browser)
• This was checked for cross-browser compatibility

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[ecezalp]

@elasticmachine merge upstream

[rylnd]

RE labels: I think you want auto-backport instead of backport, and release_note-wise I would qualify this as either enhancement or maybe even skip, since #95604 was already a feature

[ecezalp]

latest changes

• updated design
• minor cleanups

[rylnd]

This is looking fantastic! We just need to add the first_seen sorting on details and fix up a few minor UI things.

With this refactor it definitely feels like we're doing too much client-side data manipulation (independent of the JSON.parse 😅 ); it's likely not a huge performance concern as it's one alert, but the code is pretty hard to follow right now. I left some thoughts/pointers, but as always I'm happy to either a) pair on it together or b) be told I'm wrong 😄

[rylnd]

nit: I think isEmpty would work here:

Suggested change

	!threatDetailsRows[0] || threatDetailsRows[0].length === 0 ? (
	isEmpty(threatDetailsRows[0]) ? (

[rylnd]

Please use EuiLink here, that'll add the "external link" indicator that you see elsewhere.

[rylnd]

Ditto here with EuiLink

[rylnd]

More magic strings, we'll need to consolidate those once the row renderer is merged 👍

[rylnd]

Is this going to work with both light and dark themes? We may want to pull a semantic color from the theme itself.

[rylnd]

nit:

Suggested change

	const StyledDiv = styled.div`
	const FlexDiv = styled.div`

[rylnd]

I would try to give more semantic names to these styled components you're creating; a Styled prefix doesn't tell someone looking at this code why it has the given CSS.

[rylnd]

Check out the docLinks service for a more robust way to build this URI. I think docLinks.links.filebeat.base might be it?

[rylnd]

My first impression is that this hook is doing a lot 😅 , and it's only used in one place. The only state I see that makes it hook-worthy is the cached computations, is that correct?

If nothing else, we should try to decompose this to make it more reusable/recomposable if we do see this being used in the future. If we can abstract these data-manipulation pieces out into pure functions, then the hook is just a little logic and a few simple uses of useMemo.

However this shakes out, some kind of tests around this would be nice as documentation to further support/encourage reuse, as well.

[rylnd]

This forEach within the reduce seems indicative of us doing something unnecessary; is it perhaps that we're having to undo part of what getDataFromSourceHits does above?

At a high level, this seems like what we need, data-manipulation-wise:

const summaryFields = ['threat.indicator.matched.atomic', 'etc.'];
const indicatorJSON = data.find(field === 'threat.indicator');
const indicatorFields = data.filter(isIndicatorField);
const threatSummaryRows = buildThreatSummaryRows(summaryFields, indicatorFieldsFields);
const threatDetailsRows = buildThreatDetailsRows(indicatorJSON, ALL_INDICATOR_FIELDS).sort('first_seen', 'desc');

[pgayvallet]

Got a review request, but it seems that no changes are impacting core files. Do you want review on something specific, or were the changes triggering the review reverted?

[ecezalp]

Got a review request, but it seems that no changes are impacting core files. Do you want review on something specific, or were the changes triggering the review reverted?

hey @pgayvallet, I have removed the small change I had made, so there should be nothing here for you.

I do have a question for you though! So my change used to be the addition of a link to docLinks. This failed check_published_api_changes step of the build. In the logs, there were some instructions to fix the error

warn To accept these changes run `node scripts/check_published_api_changes.js --accept` and then:
      	 1. Commit the updated documentation and API review file '/dev/shm/workspace/parallel/12/kibana/src/core/public/public.api.md' 
      	 2. Describe the change in your PR including whether it's a major, minor or patch

so I was wondering - if I were to add a new link in the future, once I run the script mentioned above, what exactly the commit message would be? Would it just be a major / minor / patch according to the release I would be targeting (for instance, minor for 7.13 in this change?) or is there a separate versioning I am not aware of? Would be happy to know.

[rylnd]

LGTM! Excellent work.

[rylnd]

nit:

Suggested change

	export const FIRSTSEEN = 'first_seen';
	export const FIRST_SEEN = 'first_seen';

Not worth waiting for another build, though.

[ecezalp]

_ seemed to indicate nesting level - leaving as is now, I can update in a later commit

[rylnd]

👍

[rylnd]

nit: I think if you reoriented this as SORTED_THREAT_SUMMARY_FIELDS.map().filter() you wouldn't need the 'insert at index' logic below.

[ecezalp]

updated

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 5716b58
• Storybooks Preview

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	2217	2222	+5

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	7.3MB	7.4MB	+38.5KB

History

• 💛 Build #120683 was flaky 0499e28
• 💔 Build #120658 failed 455243f
• 💚 Build #120558 succeeded 067f90a
• 💚 Build #120165 succeeded fcefc94
• 💚 Build #119989 succeeded f518062

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @ecezalp

[kibanamachine]

💚 Backport successful

Status	Branch	Result
✅	7.x

This backport PR will be merged automatically after passing CI.