[Entity Analytics] Migrate explore pages (hosts/users) to use EUID

[YulNaumenko]

Summary

This PR migrates Security Solution host and user Explore flows (list pages, detail pages, deep links, and several dependent surfaces) to EUID / entityIdentifiers, so navigation and server queries can target the resolved entity record instead of relying only on display names or legacy keys. It aligns Explore with Entity Analytics / Entity Store identity and continues the broader EUID migration (see also #251179).

Intent: Hosts/Users, drill-downs, and links from alerts, overview, timelines, ML anomalies, and entity flyouts should preserve stable entity identity in the URL and in search-strategy requests where required.

---

What changed

URL routing and host/user detail pages

• Hosts and Users explore entry points (pages/index.tsx, hosts.tsx / users.tsx, tabs) read and propagate entityIdentifiers so detail routes and tab state match entity resolution.
• Host and user detail pages (pages/details/*, helpers.ts + tests, types.ts) build, parse, and pass identifier-aware params (including related tab wiring where applicable).
• Network → host detail navigation is updated so cross-area navigation can carry the same entity context.

Deep links and redirects

• redirect_to_hosts and redirect_to_users accept and serialize entityIdentifiers so bookmarks, external links, and in-app redirects resolve to the correct entity.
• Shared entity_resolution_query_params (and link_to exports) centralize query param building/consumption for entity-aware links.

List containers, tables, and KPIs (Entity Store)

• Host/user table containers use use_all_entity_store_hosts / use_all_entity_store_users and associated query types; listing and drill-down align with entity-store data where appropriate.
• Hosts table and uncommon processes columns pass identifier-aware row payloads (including mock/paginated table updates for tests).
• Lens KPI definitions for hosts/users (metric/area, shared entity_store_v2_*_kpi_lens_shared) and use_lens_attributes / utils support the new entity model; use_risk_score_kpi is adjusted for the new hooks.

Risk score and entity analytics UI

• Host / user risk tab bodies use use_entity_store_risk_score, use_entity_store_risk_score_kpi, and entity_store_host_risk_common / entity_store_user_risk_common.
• risk_details_tab_body updated (with tests) for identifier-aware behavior.
• stat_items / metric_embeddable wired for new KPI/risk embeddables where needed.

Search strategy: types, DSL, tests

• Common API typings updated for host details, related hosts/users, observed user details, first/last seen.
• Server DSL updated for host details, uncommon processes (query + helpers), related hosts/users, observed user details.
• API integration: uncommon_processes trial-tier tests and related_users.dsl.test.ts updated.

Cross-cutting: alerts, overview, timeline, ML, flyouts

• Alerts / detection response paths that link to entities pass entityIdentifiers where targets are Host/User Explore.
• Host/user overview and timeline renderers (e.g. service_name) use entity resolution params in links.
• ML anomalies (e.g. anomaly_table_euid, criteria, host/user anomaly tables, converters) propagate EUID when linking into Explore.
• Entity flyouts and document details (e.g. user_details, host/user right panels, use_observed_user) align with identifier-aware observed/detail fetching.

Server: entity upsert

• sanitize_entity_record_for_upsert (with tests) and upsert_entities_bulk adjusted for consistent serialization with the identifier model.

---

How to test

1. Hosts Explore: Hosts → host detail → switch tabs; refresh and confirm the same entity loads.

Exists in the Entity store:

Not present in Entity store:

2. Users Explore: Same for users / all-users drill-down.

Exists in the Entity store:

Not present in Entity store:

3. Deep links: From alerts, overview, timeline, confirm navigation includes entityIdentifiers and opens the intended profile.
4. Network host pivot: Network details → host; profile matches expectations.
5. Risk / KPI: Where entity-store risk KPIs apply, confirm host/user risk tabs and KPIs still render and filter correctly.
6. CI / local: Run Jest for touched components and updated API integration tests (e.g. uncommon processes, related users DSL).

---

Risk

Risk	Severity	Mitigation
Legacy bookmarks/URLs without entityIdentifiers may behave differently	Medium	Validate backward compatibility / redirects; call out any intentional URL contract change for reviewers.
Large surface (overview, alerts, timeline, ML, flyouts) increases regression risk	Medium	Smoke each link class; rely on updated unit/API tests.
List-page cost if entity-store queries replace lighter paths	Low–Medium	Compare request volume vs baseline if needed.

---

Release notes

release_note:skip — internal Entity Analytics / routing alignment unless PM/docs request a user-facing note.

---

Related

• [Entity Analytics] Migrate explore pages to use EUID #251179 (closed; work split)
• [Entity Analytics] Migrate flyouts to use EUID / entityIdentifiers #255429 (adjacent flyout EUID work, if applicable)

[elasticmachine]

Pinging @elastic/security-entity-analytics (Team:Entity Analytics)

[hop-dev]

To keep behaviour predictable, I believe we should align this with what we did in the flyout PR
#255429. The fallback should either be the pure legacy behaviour (just user.name / host.name), or we could use the euid Api to generate a fallback query that somehow respects the euid ranking logic, but legacy behaviour would be simpler IMO

[hop-dev]

@YulNaumenko When the entity isn't in the store, I believe this takes all the identity fields from the URL and creates an AND query (e.g., user.name: "alice" AND user.domain: "local") is that right?

The old approach and the flyout fall back to just querying the name directly (user.name: "alice") right?

I think we can bypass getIdentityFieldsPageFilters here and just return getUsersDetailsPageFilters(detailName) instead to match the flyout?

[YulNaumenko]

it is consistent with flyout where euid for filtering fields.
user.name and host.name are used when entity store v2 is disabled.

[hop-dev]

🚀

[michaelolo24]

do we care about the same undefined check we have on line 168 here?

[michaelolo24]

Is it possible to just memo this, or does the prop change that frequently?

[michaelolo24]

Security solution codeowners

[michaelolo24]

Thanks for making the changes. Tested the host and user explore views and the host and use flyouts with the feature flag enabled and disabled and everything I took a look at seems to be working as expected 👍🏾

[PhilippeOberti]

I left a few comments, most of them minor. There are a couple of things I'm a bit worried about though:

• a lot of the files modified are under the ml folder that does not have a codeowner. I do not have that knowledge to review that code. I believe we should ping the team that does, to be safe
• when I load the application locally, I can't access any pages in Security Solution. I've tried twice, both time with a full yarn kbn reset then bootstrap and download ES again... Not sure what's happening?

[PhilippeOberti]

Just fyi, I know this is just coded added, but this method is almost exactly the same the one on the redicrect_to_user file called getTabsOnUsersDetailsUrl

[PhilippeOberti]

I just realized (not related to this PR) that this whole /x-pack/solutions/security/plugins/security_solution/public/common/components/ml folder doesn't have codeowners. I wonder if it should be @elastic/security-detection-rule-management like the /x-pack/solutions/security/plugins/security_solution/public/common/components/ml_popover folder right below it?

[PhilippeOberti]

How can we verify this change? I'm a bit concerned because that would be applied in many many places? How to ensure we're not introducing a regression here?

[YulNaumenko]

Added tests.

[PhilippeOberti]

I might have missed this in the PR review, does this change mean that we're changing urls? Do we handle previous urls correctly?

[PhilippeOberti]

@YulNaumenko I was finally able to make my local work.
When I go to the Explore page (like hosts), I get tons of errors in the console. This does not seem expected?

And this is the UI

[YulNaumenko]

@YulNaumenko I was finally able to make my local work. When I go to the Explore page (like hosts), I get tons of errors in the console. This does not seem expected?

And this is the UI

I cannot reproduce it.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: cb035e9

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	9301	9316	+15

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	11.6MB	11.6MB	+41.1KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
securitySolution	121.2KB	121.2KB	-1.0B

Unknown metric groups

ESLint disabled line counts

id	before	after	diff
securitySolution	746	748	+2

Total ESLint disabled count

id	before	after	diff
securitySolution	851	853	+2

History

• 💔 Build #420975 failed ed19830
• 💚 Build #420201 succeeded aac51cb
• 💚 Build #420117 succeeded 48e86cc
• 💔 Build #419191 failed a019eb6
• 💔 Build #418938 failed 41986f8

cc @YulNaumenko

[PhilippeOberti]

Thank you for this other huge effort!