fixed field data sourcing (#177472)

lgestc · web-flow · commit 3ab8e45949ae · 2024-02-22T18:35:46.000+01:00
## Summary This fixes: SDH issue **882** #173627 ### Before the fix Note how the field actually displays an alias instead of the value. This is due some fallback behavior I think. ![highlighted_before](https://github.com/elastic/kibana/assets/11671118/c66ef18f-d0f9-4964-b69f-94bba6d31c60) ### After the fix ![highlighted_after](https://github.com/elastic/kibana/assets/11671118/ee730392-7617-4654-87bc-a8addb7342e2) The missing bit was the actual value to display as it was not passed down correctly from the parent conext ### How to test this? 1. create custom index and populate it with data ``` PUT test POST test/_doc { "user.id": "888", "@timestamp": "2024-02-21T15:20:10.084Z" } ``` 2. create threshold rule looking like this: ![image](https://github.com/elastic/kibana/assets/11671118/07089ba8-e0b9-40f1-8372-15cb8a94e043) 3. actual value that triggered the alert should be rendered in the highlighted fields panel in the flyout
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/shared/hooks/use_highlighted_fields.test.tsx b/x-pack/plugins/security_solution/public/flyout/document_details/shared/hooks/use_highlighted_fields.test.tsx
@@ -7,7 +7,10 @@
 
 import { renderHook } from '@testing-library/react-hooks';
 
-import { mockDataFormattedForFieldBrowser } from '../mocks/mock_data_formatted_for_field_browser';
+import {
+  mockDataFormattedForFieldBrowser,
+  mockDataFormattedForFieldBrowserWithOverridenField,
+} from '../mocks/mock_data_formatted_for_field_browser';
 import { useHighlightedFields } from './use_highlighted_fields';
 import { SENTINEL_ONE_AGENT_ID_FIELD } from '../../../../common/utils/sentinelone_alert_check';
 
@@ -23,6 +26,25 @@ describe('useHighlightedFields', () => {
     });
   });
 
+  it('should return overriden field value when it is present', () => {
+    const hookResult = renderHook(() =>
+      useHighlightedFields({
+        dataFormattedForFieldBrowser: mockDataFormattedForFieldBrowserWithOverridenField,
+      })
+    );
+
+    // NOTE: overrideField is constructed based on specific field from the result set
+    expect(hookResult.result.current).toMatchObject({
+      'kibana.alert.threshold_result.terms.field': {
+        overrideField: {
+          field: 'kibana.alert.threshold_result.terms.value',
+          values: ['overriden value'], // missing value in the override
+        },
+        values: ['original value'],
+      },
+    });
+  });
+
   it('should omit endpoint agent id field if data is not s1 alert', () => {
     const hookResult = renderHook(() =>
       useHighlightedFields({
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/shared/hooks/use_highlighted_fields.ts b/x-pack/plugins/security_solution/public/flyout/document_details/shared/hooks/use_highlighted_fields.ts
@@ -34,7 +34,7 @@ export interface UseHighlightedFieldsResult {
     /**
      * If the field has a custom override
      */
-    overrideField?: string;
+    overrideField?: { field: string; values: string[] };
     /**
      * Values for the field
      */
@@ -114,7 +114,13 @@ export const useHighlightedFields = ({
     return {
       ...acc,
       [field.id]: {
-        ...(field.overrideField && { overrideField: field.overrideField }),
+        ...(field.overrideField && {
+          overrideField: {
+            field: field.overrideField,
+            values:
+              find({ field: field.overrideField }, dataFormattedForFieldBrowser)?.values ?? [],
+          },
+        }),
         values: fieldValues,
       },
     };
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/shared/mocks/mock_data_formatted_for_field_browser.ts b/x-pack/plugins/security_solution/public/flyout/document_details/shared/mocks/mock_data_formatted_for_field_browser.ts
@@ -7,10 +7,15 @@
 
 import type { TimelineEventsDetailsItem } from '@kbn/timelines-plugin/common';
 
-/**
- * Mock an array of fields for an alert
- */
-export const mockDataFormattedForFieldBrowser: TimelineEventsDetailsItem[] = [
+export const ruleTypeField: TimelineEventsDetailsItem = {
+  category: 'kibana',
+  field: 'kibana.alert.rule.type',
+  values: ['query'],
+  originalValue: ['query'],
+  isObjectArray: false,
+};
+
+export const baseFields: TimelineEventsDetailsItem[] = [
   {
     category: 'base',
     field: '@timestamp',
@@ -60,13 +65,6 @@ export const mockDataFormattedForFieldBrowser: TimelineEventsDetailsItem[] = [
     originalValue: ['rule-parameters-index'],
     isObjectArray: false,
   },
-  {
-    category: 'kibana',
-    field: 'kibana.alert.rule.type',
-    values: ['query'],
-    originalValue: ['query'],
-    isObjectArray: false,
-  },
   {
     category: 'kibana',
     field: 'kibana.alert.rule.uuid',
@@ -89,3 +87,28 @@ export const mockDataFormattedForFieldBrowser: TimelineEventsDetailsItem[] = [
     isObjectArray: false,
   },
 ];
+
+/**
+ * Mock an array of fields for an alert
+ */
+export const mockDataFormattedForFieldBrowser: TimelineEventsDetailsItem[] = [
+  ruleTypeField,
+  ...baseFields,
+];
+
+export const mockDataFormattedForFieldBrowserWithOverridenField = [
+  { ...ruleTypeField, values: ['threshold'], originalValue: ['threshold'] },
+  {
+    category: 'base',
+    field: 'kibana.alert.threshold_result.terms.field',
+    values: ['original value'],
+    isObjectArray: false,
+  },
+  {
+    category: 'base',
+    field: 'kibana.alert.threshold_result.terms.value',
+    values: ['overriden value'],
+    isObjectArray: false,
+  },
+  ...baseFields,
+];
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/shared/utils/highlighted_fields_helpers.test.ts b/x-pack/plugins/security_solution/public/flyout/document_details/shared/utils/highlighted_fields_helpers.test.ts
@@ -33,10 +33,10 @@ describe('convertHighlightedFieldsToTableRow', () => {
     ]);
   });
 
-  it('should convert take override name over default name', () => {
+  it('should convert take override name over default name and use original values if not present in the override', () => {
     const highlightedFields = {
       'host.name': {
-        overrideField: 'host.name-override',
+        overrideField: { field: 'host.name-override', values: [] },
         values: ['host-1'],
       },
     };
@@ -53,6 +53,27 @@ describe('convertHighlightedFieldsToTableRow', () => {
       },
     ]);
   });
+
+  it('should convert take override name over default name and use provided values', () => {
+    const highlightedFields = {
+      'host.name': {
+        overrideField: { field: 'host.name-override', values: ['value override!'] },
+        values: ['host-1'],
+      },
+    };
+    expect(convertHighlightedFieldsToTableRow(highlightedFields, scopeId, isPreview)).toEqual([
+      {
+        field: 'host.name-override',
+        description: {
+          field: 'host.name-override',
+          originalField: 'host.name',
+          values: ['value override!'],
+          scopeId: 'scopeId',
+          isPreview,
+        },
+      },
+    ]);
+  });
 });
 
 describe('convertHighlightedFieldsToPrevalenceFilters', () => {
diff --git a/x-pack/plugins/security_solution/public/flyout/document_details/shared/utils/highlighted_fields_helpers.ts b/x-pack/plugins/security_solution/public/flyout/document_details/shared/utils/highlighted_fields_helpers.ts
@@ -21,9 +21,12 @@ export const convertHighlightedFieldsToTableRow = (
 ): HighlightedFieldsTableRow[] => {
   const fieldNames = Object.keys(highlightedFields);
   return fieldNames.map((fieldName) => {
-    const values = highlightedFields[fieldName].values;
-    const overrideFieldName = highlightedFields[fieldName].overrideField;
+    const overrideFieldName = highlightedFields[fieldName].overrideField?.field;
+    const overrideFieldValues = highlightedFields[fieldName].overrideField?.values;
     const field = overrideFieldName ? overrideFieldName : fieldName;
+    const values = overrideFieldValues?.length
+      ? overrideFieldValues
+      : highlightedFields[fieldName].values;
 
     return {
       field,
