Mutate Graph filters from flyout actions

[albertoblaz]

Summary

Closes #239954.

PRs involved:

1. Reorganize popover files #249622
2. Pin individual entities in graph #251299
3. Mutate Graph filters from flyout actions #250105 <-- This PR

Key Changes

1. New Actions Buttons for Grouped Items
2. Filter State Management with FilterStore
3. Refactored Popover Item Generation
4. Clickable Item Titles

Screenshots

Actions in graph node - enabled actions (entity available in Entity Store)

Actions in flyout - disabled entity relationships action

Actions in graph node - disabled actions (entity unavailable)

How to test

1. Deploy a local env using the following command:
   node scripts/es snapshot --license trial -E path.data=../default -E reindex.remote.whitelist=kfir-graph-viz-wip-ba715e.es.eu-west-1.aws.qa.elastic.cloud:443 -E xpack.security.authc.api_key.enabled=true
2. run kibana using yarn start
3. Go to Advanced settings and make suresecuritySolution:enableGraphVisualization and securitySolution:enableAssetInventory features are toggled on.
4. Got to Security -> inventory -> click on 'Enable Asset Inventory'.
5. Load events and entities data:

node scripts/es_archiver load x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/logs_gcp_audit --es-url http://elastic:changeme@localhost:9200 --kibana-url http://elastic:changeme@localhost:5601

node scripts/es_archiver load x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/entity_store_v2 --es-url http://elastic:changeme@localhost:9200 --kibana-url http://elastic:changeme@localhost:5601

6. Navigate to Security -> Explore -> User
   extend the time range to 2-3 years and check how the events and rendered, few examples:

7. Toggle the graph searchbar (blue primary button at the top-right corner within the graph).

8. Click popover items i.e. "Show actions done to this entity" from single nodes in the graph. Verify filters update properly and graph re-renders

9. Click on "show entity details" / "show event details" from grouped nodes in the graph. Flyout must open on the right-side, then click the 3-dots button on a grouped item. The same popover as in graph nodes must open. Try clicking any of the popover items. Verify filters update and graph re-renders.

10. For testing the "Show entity relationships" option: Try one event by typing in the search bar event.id: "rel-hierarchy-event-id-ftr-12345" and check the graph. Click show entity relationships and actions of different nodes and validate that everything is rendered and works correctly.

Checklist

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
• This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
• Flaky Test Runner was used on any tests changed
• The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
• Review the backport guidelines and apply applicable backport:* labels.

Identify risks

Risk of breaking filters in graph investigation after major refactor.

[albertoblaz]

Everything under graph_grouped_node_preview_panel/ is meant to be rendered in a flyout context. So we don't need the tiny pub-sub we had before. We can invoke the Flyout API right away. Benefits of this:

• Established pattern in other flyout panels
• Simplifies the code
• Reduces complexity in GraphVisualization, which in future, should just reuse and render GraphInvestigation
• Co-locates button and correct preview panel i.e. opens entity preview from entity and button and event/alert previews from event button

[albertoblaz]

This whole file is a combination of:

• A filters store that acts as a single source of truth for graph filters
• A pub-sub channel that listens to events produced from:
  • the new buttons in flyout i.e. entity_actions_button.tsx and event_actions_button.tsx
  • the hooks in graph i.e. use_entity_node_expand_popover.ts and use_label_node_expand_popover.ts

Then, use_graph_filters.ts observes mutations in filters and re-renders the entire graph.

[albertoblaz]

Moved this file and its tests to be co-located with filter functionality added. They were mixed with non-related stuff in graph_investigation/ folder.

I kept this file since it contains only pure functions to add, remove or check filters. filter_store.ts mutates state using these functions

[albertoblaz]

Since we might have multiple graph instances in Kibana, each graph has access to its own filter store instance through the scopeId. This prevents from cross-publishing or cross-listening to events from other graphs

[albertoblaz]

This is the recommended way to observe and get in sync a non-React-based store and React rendering, preventing from concurrency issues at rendering time.

[albertoblaz]

getEntityExpandItems gives us a single source of truth for popover items. Each item is rendered in an opt-in way via the shouldRender prop.

getEntityExpandItems is also invoked from the graph hooks but in different conditions (graph can render single or grouped nodes while flyout only renders single items). To keep it simple, the function provides with enough callbacks and boolean arguments

[albertoblaz]

We're duplicating now these banner configs that already exist in x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/preview/constants.ts. Reason is, obviously, they live in a separate package. In an ideal world, this could be common config across packages. Let me know if I should tackle it now

[albertoblaz]

This used to be the tiny pub-sub to open entity/event/alert previews when clicking on the grouped-item title. Replaced with a direct Flyout API call

[elasticmachine]

Pinging @elastic/contextual-security-apps (Team:Cloud Security)

[albertoblaz]

@elasticmachine run docs-build

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 6736fd0
• Storybooks Preview
• Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-250105-6736fd00cb6e

Failed CI Steps

• Jest Tests #8

Test Failures

• [job] [logs] Jest Tests #8 / Header QueryTabHeader should render the immutable timeline call out with correct message

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	8795	8800	+5

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
@kbn/cloud-security-posture-graph	58	57	-1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	11.1MB	11.1MB	+7.0KB

Unknown metric groups

API count

id	before	after	diff
@kbn/cloud-security-posture-graph	91	89	-2

ESLint disabled line counts

id	before	after	diff
@kbn/cloud-security-posture-graph	30	31	+1
securitySolution	717	716	-1
total			-0

Total ESLint disabled count

id	before	after	diff
@kbn/cloud-security-posture-graph	32	33	+1
securitySolution	822	821	-1
total			-0

History

• 💔 Build #385264 failed 8ba2a2a
• 💔 Build #385145 failed bccb5a6

cc @albertoblaz

[kfirpeled]

While testing it, few questions comes to my mind:

1. When we show related events, we don't separate/pin the entity. Worth checking with design whether to keep it consistent with show actions done on this entity or by this entity
2. We don't show Show entity details option on the preview flyout of grouped entities. I'd expect to show it disabled when it is not available. To keep it consistent. wdyt?

Issues found:

1. Show entity details not working

Screen.Recording.2026-03-01.at.15.11.25.mov