[Security solution] Value report data view filtering fix (#241682)

Author: stephmilovic

x-pack/solutions/security/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/ai/alert_filtering_metric.test.ts

@@ -8,6 +8,7 @@
 import type { EuiThemeComputed } from '@elastic/eui';
 import { getAlertFilteringMetricLensAttributes } from './alert_filtering_metric';
 import type { ExtraOptions } from '../../types';
+import { getAlertIndexFilter } from './helpers';
 
 interface FormulaColumn {
   params: {
@@ -32,10 +33,12 @@ interface MathColumn {
 describe('getAlertFilteringMetricLensAttributes', () => {
   const defaultEuiTheme = {} as EuiThemeComputed;
   const defaultTotalAlerts = 1000;
+  const defaultSignalIndexName = '.alerts-security.alerts-default';
 
   const defaultArgs = {
     euiTheme: defaultEuiTheme,
     totalAlerts: defaultTotalAlerts,
+    signalIndexName: defaultSignalIndexName,
   };
 
   it('returns lens attributes with correct basic structure, datasource, column, and visualization configurations', () => {
@@ -107,19 +110,21 @@ describe('getAlertFilteringMetricLensAttributes', () => {
         type: 'index-pattern',
       },
     ]);
-    const mockFilters = [
+    const mockFilters: ExtraOptions['filters'] = [
       { meta: { alias: 'test filter', disabled: false, negate: false } },
-    ] as ExtraOptions['filters'];
-    expect(getAlertFilteringMetricLensAttributes(defaultArgs).state.filters).toEqual([]);
+    ];
+    expect(getAlertFilteringMetricLensAttributes(defaultArgs).state.filters).toEqual([
+      getAlertIndexFilter(defaultSignalIndexName),
+    ]);
     expect(
       getAlertFilteringMetricLensAttributes({ ...defaultArgs, extraOptions: {} }).state.filters
-    ).toEqual([]);
+    ).toEqual([getAlertIndexFilter(defaultSignalIndexName)]);
     expect(
       getAlertFilteringMetricLensAttributes({
         ...defaultArgs,
         extraOptions: { filters: mockFilters },
       }).state.filters
-    ).toEqual(mockFilters);
+    ).toEqual([getAlertIndexFilter(defaultSignalIndexName), ...mockFilters]);
     const testCases = [500, 0, 1000000];
     testCases.forEach((totalAlerts) => {
       const testResult = getAlertFilteringMetricLensAttributes({ ...defaultArgs, totalAlerts });
@@ -147,6 +152,43 @@ describe('getAlertFilteringMetricLensAttributes', () => {
     };
     expect(
       getAlertFilteringMetricLensAttributes({ ...defaultArgs, extraOptions }).state.filters
-    ).toEqual(extraOptions.filters);
+    ).toEqual([getAlertIndexFilter(defaultSignalIndexName), ...(extraOptions.filters ?? [])]);
+  });
+
+  it('includes alert index filter in filters array', () => {
+    const result = getAlertFilteringMetricLensAttributes(defaultArgs);
+    const expectedFilter = getAlertIndexFilter(defaultSignalIndexName);
+    expect(result.state.filters).toContainEqual(expectedFilter);
+  });
+
+  it('handles different signal index names correctly', () => {
+    const testCases = [
+      '.alerts-security.alerts-default',
+      '.alerts-security.alerts-custom-space',
+      'custom-alerts-index',
+    ];
+
+    testCases.forEach((signalIndexName) => {
+      const result = getAlertFilteringMetricLensAttributes({
+        ...defaultArgs,
+        signalIndexName,
+      });
+      const expectedFilter = getAlertIndexFilter(signalIndexName);
+      expect(result.state.filters).toContainEqual(expectedFilter);
+    });
+  });
+
+  it('combines alert index filter with extra options filters', () => {
+    const mockFilters: ExtraOptions['filters'] = [
+      { meta: { alias: 'extra filter', disabled: false, negate: false } },
+    ];
+    const result = getAlertFilteringMetricLensAttributes({
+      ...defaultArgs,
+      extraOptions: { filters: mockFilters },
+    });
+
+    expect(result.state.filters).toHaveLength(2);
+    expect(result.state.filters[0]).toEqual(getAlertIndexFilter(defaultSignalIndexName));
+    expect(result.state.filters[1]).toEqual(mockFilters[0]);
   });
 });

x-pack/solutions/security/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/ai/alert_filtering_metric.ts

@@ -6,18 +6,21 @@
  */
 
 import type { EuiThemeComputed } from '@elastic/eui';
+import { getAlertIndexFilter } from './helpers';
 import type { ExtraOptions, LensAttributes } from '../../types';
 
 export type MyGetLensAttributes = (params: {
   stackByField?: string;
   euiTheme: EuiThemeComputed;
   extraOptions?: ExtraOptions;
   esql?: string;
+  signalIndexName: string;
   totalAlerts: number;
 }) => LensAttributes;
 
 export const getAlertFilteringMetricLensAttributes: MyGetLensAttributes = ({
   extraOptions,
+  signalIndexName,
   totalAlerts,
 }) => {
   return {
@@ -75,7 +78,7 @@ export const getAlertFilteringMetricLensAttributes: MyGetLensAttributes = ({
           },
         },
       },
-      filters: extraOptions?.filters ?? [],
+      filters: [getAlertIndexFilter(signalIndexName), ...(extraOptions?.filters ?? [])],
       internalReferences: [],
       query: { language: 'kuery', query: '_id :*' },
       visualization: {

x-pack/solutions/security/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/ai/cost_savings_metric.test.ts

@@ -7,9 +7,11 @@
 
 import { getCostSavingsMetricLensAttributes } from './cost_savings_metric';
 import type { EuiThemeComputed } from '@elastic/eui';
+import { getAlertIndexFilter } from './helpers';
 
 describe('getCostSavingsMetricLensAttributes', () => {
   const mockTheme = {} as EuiThemeComputed;
+  const defaultSignalIndexName = '.alerts-security.alerts-default';
   const defaultParams = {
     euiTheme: mockTheme,
     minutesPerAlert: 8,
@@ -18,6 +20,7 @@ describe('getCostSavingsMetricLensAttributes', () => {
     stackByField: undefined,
     esql: undefined,
     backgroundColor: '#00FF00',
+    signalIndexName: defaultSignalIndexName,
   };
 
   it('returns correct lens attributes with formula and filter handling', () => {
@@ -40,12 +43,40 @@ describe('getCostSavingsMetricLensAttributes', () => {
       ...defaultParams,
       extraOptions: { filters },
     });
-    expect(resultWithFilters.state.filters).toBe(filters);
+    expect(resultWithFilters.state.filters).toEqual([
+      getAlertIndexFilter(defaultSignalIndexName),
+      ...filters,
+    ]);
 
     const resultWithoutFilters = getCostSavingsMetricLensAttributes({
       ...defaultParams,
       extraOptions: undefined,
     });
-    expect(resultWithoutFilters.state.filters).toEqual([]);
+    expect(resultWithoutFilters.state.filters).toEqual([
+      getAlertIndexFilter(defaultSignalIndexName),
+    ]);
+  });
+
+  it('includes alert index filter in filters array', () => {
+    const result = getCostSavingsMetricLensAttributes(defaultParams);
+    const expectedFilter = getAlertIndexFilter(defaultSignalIndexName);
+    expect(result.state.filters).toContainEqual(expectedFilter);
+  });
+
+  it('handles different signal index names correctly', () => {
+    const testCases = [
+      '.alerts-security.alerts-default',
+      '.alerts-security.alerts-custom-space',
+      'custom-alerts-index',
+    ];
+
+    testCases.forEach((signalIndexName) => {
+      const result = getCostSavingsMetricLensAttributes({
+        ...defaultParams,
+        signalIndexName,
+      });
+      const expectedFilter = getAlertIndexFilter(signalIndexName);
+      expect(result.state.filters).toContainEqual(expectedFilter);
+    });
   });
 });

x-pack/solutions/security/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/ai/cost_savings_metric.ts

@@ -6,6 +6,7 @@
  */
 
 import type { EuiThemeComputed } from '@elastic/eui';
+import { getAlertIndexFilter } from './helpers';
 import type { ExtraOptions, LensAttributes } from '../../types';
 
 export type MyGetLensAttributes = (params: {
@@ -16,13 +17,15 @@ export type MyGetLensAttributes = (params: {
   backgroundColor: string;
   minutesPerAlert: number;
   analystHourlyRate: number;
+  signalIndexName: string;
 }) => LensAttributes;
 
 export const getCostSavingsMetricLensAttributes: MyGetLensAttributes = ({
   analystHourlyRate,
   backgroundColor,
   extraOptions,
   minutesPerAlert,
+  signalIndexName,
 }) => {
   return {
     description: '',
@@ -97,7 +100,7 @@ export const getCostSavingsMetricLensAttributes: MyGetLensAttributes = ({
           },
         },
       },
-      filters: extraOptions?.filters ?? [],
+      filters: [getAlertIndexFilter(signalIndexName), ...(extraOptions?.filters ?? [])],
       internalReferences: [],
       query: { language: 'kuery', query: '' },
       visualization: {

x-pack/solutions/security/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/ai/cost_savings_trend_area.test.ts

@@ -7,16 +7,19 @@
 
 import { getCostSavingsTrendAreaLensAttributes } from './cost_savings_trend_area';
 import type { EuiThemeComputed } from '@elastic/eui';
+import { getAlertIndexFilter } from './helpers';
 
 describe('getCostSavingsTrendAreaLensAttributes', () => {
   const mockTheme = {} as EuiThemeComputed;
+  const defaultSignalIndexName = '.alerts-security.alerts-default';
   const defaultParams = {
     euiTheme: mockTheme,
     minutesPerAlert: 8,
     analystHourlyRate: 75,
     extraOptions: undefined,
     stackByField: undefined,
     esql: undefined,
+    signalIndexName: defaultSignalIndexName,
   };
 
   it('includes the correct formula in the cost column', () => {
@@ -38,15 +41,38 @@ describe('getCostSavingsTrendAreaLensAttributes', () => {
       ...defaultParams,
       extraOptions: { filters },
     });
-    expect(result.state.filters).toBe(filters);
+    expect(result.state.filters).toEqual([getAlertIndexFilter(defaultSignalIndexName), ...filters]);
   });
 
-  it('defaults filters to empty array if extraOptions is not provided', () => {
+  it('includes alert index filter even when extraOptions is not provided', () => {
     const result = getCostSavingsTrendAreaLensAttributes({
       ...defaultParams,
       extraOptions: undefined,
     });
-    expect(result.state.filters).toEqual([]);
+    expect(result.state.filters).toEqual([getAlertIndexFilter(defaultSignalIndexName)]);
+  });
+
+  it('includes alert index filter in filters array', () => {
+    const result = getCostSavingsTrendAreaLensAttributes(defaultParams);
+    const expectedFilter = getAlertIndexFilter(defaultSignalIndexName);
+    expect(result.state.filters).toContainEqual(expectedFilter);
+  });
+
+  it('handles different signal index names correctly', () => {
+    const testCases = [
+      '.alerts-security.alerts-default',
+      '.alerts-security.alerts-custom-space',
+      'custom-alerts-index',
+    ];
+
+    testCases.forEach((signalIndexName) => {
+      const result = getCostSavingsTrendAreaLensAttributes({
+        ...defaultParams,
+        signalIndexName,
+      });
+      const expectedFilter = getAlertIndexFilter(signalIndexName);
+      expect(result.state.filters).toContainEqual(expectedFilter);
+    });
   });
 
   it('returns a LensAttributes object with required properties', () => {

x-pack/solutions/security/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/ai/cost_savings_trend_area.ts

@@ -6,6 +6,7 @@
  */
 
 import type { EuiThemeComputed } from '@elastic/eui';
+import { getAlertIndexFilter } from './helpers';
 import type { ExtraOptions, LensAttributes } from '../../types';
 
 const xColumn0 = 'cost_columnX0';
@@ -20,12 +21,14 @@ export type MyGetLensAttributes = (params: {
   esql?: string;
   minutesPerAlert: number;
   analystHourlyRate: number;
+  signalIndexName: string;
 }) => LensAttributes;
 
 export const getCostSavingsTrendAreaLensAttributes: MyGetLensAttributes = ({
   analystHourlyRate,
   extraOptions,
   minutesPerAlert,
+  signalIndexName,
 }) => {
   return {
     description: '',
@@ -128,7 +131,7 @@ export const getCostSavingsTrendAreaLensAttributes: MyGetLensAttributes = ({
           },
         },
       },
-      filters: extraOptions?.filters ?? [],
+      filters: [getAlertIndexFilter(signalIndexName), ...(extraOptions?.filters ?? [])],
       internalReferences: [],
       query: {
         language: 'kuery',

x-pack/solutions/security/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/ai/helpers.test.ts

@@ -0,0 +1,84 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getAlertIndexFilter } from './helpers';
+
+describe('getAlertIndexFilter', () => {
+  const defaultSignalIndexName = '.alerts-security.alerts-default';
+  const defaultIndexPatternId = 'indexpattern-datasource-layer-unifiedHistogram';
+
+  it('returns correct filter structure with default parameters', () => {
+    const result = getAlertIndexFilter(defaultSignalIndexName);
+
+    expect(result).toEqual({
+      meta: {
+        disabled: false,
+        negate: false,
+        alias: null,
+        index: defaultIndexPatternId,
+        key: '_index',
+        field: '_index',
+        params: {
+          query: defaultSignalIndexName,
+        },
+        type: 'phrase',
+      },
+      query: {
+        match_phrase: {
+          _index: defaultSignalIndexName,
+        },
+      },
+      $state: {
+        store: 'appState',
+      },
+    });
+  });
+
+  it('returns correct filter structure with custom indexPatternId', () => {
+    const customIndexPatternId = 'custom-index-pattern-id';
+    const result = getAlertIndexFilter(defaultSignalIndexName, customIndexPatternId);
+
+    expect(result.meta.index).toBe(customIndexPatternId);
+    expect(result.meta.params.query).toBe(defaultSignalIndexName);
+    expect(result.query.match_phrase._index).toBe(defaultSignalIndexName);
+  });
+
+  it('handles different signal index names correctly', () => {
+    const testCases = [
+      '.alerts-security.alerts-default',
+      '.alerts-security.alerts-custom-space',
+      '.alerts-security.alerts-space-123',
+      'custom-alerts-index',
+    ];
+
+    testCases.forEach((signalIndexName) => {
+      const result = getAlertIndexFilter(signalIndexName);
+
+      expect(result.meta.params.query).toBe(signalIndexName);
+      expect(result.query.match_phrase._index).toBe(signalIndexName);
+      expect(result.meta.key).toBe('_index');
+      expect(result.meta.field).toBe('_index');
+    });
+  });
+
+  it('maintains consistent filter properties across different inputs', () => {
+    const result = getAlertIndexFilter(defaultSignalIndexName);
+
+    expect(result.meta.disabled).toBe(false);
+    expect(result.meta.negate).toBe(false);
+    expect(result.meta.alias).toBe(null);
+    expect(result.meta.type).toBe('phrase');
+    expect(result.$state.store).toBe('appState');
+  });
+
+  it('handles empty string signal index name', () => {
+    const result = getAlertIndexFilter('');
+
+    expect(result.meta.params.query).toBe('');
+    expect(result.query.match_phrase._index).toBe('');
+  });
+});