From 955e0a653477b3db226ccf674953e3f6e15a4c7a Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Fri, 21 Feb 2025 11:49:45 +1100
Subject: [PATCH] [8.x] [Security Solution] Fix analyzer no data message in
 flyout when analyzer is not enabled (#211981) (#211989)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Fix analyzer no data message in flyout when
analyzer is not enabled
(#211981)](https://github.com/elastic/kibana/pull/211981)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT
[{"author":{"name":"christineweng","email":"18648970+christineweng@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-02-20T23:00:20Z","message":"[Security
Solution] Fix analyzer no data message in flyout when analyzer is not
enabled (#211981)\n\n## Summary\n\nWhen an alert does not have analyzer
enabled (i.e. no data), the\nanalyzer graph showed \"error loading
data\". This PR added checks if\nanalyzer should be present and added no
data message, this is consistent\nwith the analyzer preview.\n\n<img
width=\"1412\"
alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/11f905ba-c017-4847-98cd-5b773f5e9df7\"\n/>\n\n\n\n###
Checklist\n\n- [x] Any text added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n-
[x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [x] The PR
description includes the appropriate Release Notes section,\nand the
correct `release_note:*` label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"70ece1055fe2623f1821a9ac8081cb0bef058566","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","v9.0.0","Team:Threat
Hunting:Investigations","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"[Security
Solution] Fix analyzer no data message in flyout when analyzer is not
enabled","number":211981,"url":"https://github.com/elastic/kibana/pull/211981","mergeCommit":{"message":"[Security
Solution] Fix analyzer no data message in flyout when analyzer is not
enabled (#211981)\n\n## Summary\n\nWhen an alert does not have analyzer
enabled (i.e. no data), the\nanalyzer graph showed \"error loading
data\". This PR added checks if\nanalyzer should be present and added no
data message, this is consistent\nwith the analyzer preview.\n\n<img
width=\"1412\"
alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/11f905ba-c017-4847-98cd-5b773f5e9df7\"\n/>\n\n\n\n###
Checklist\n\n- [x] Any text added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n-
[x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [x] The PR
description includes the appropriate Release Notes section,\nand the
correct `release_note:*` label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"70ece1055fe2623f1821a9ac8081cb0bef058566"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/211981","number":211981,"mergeCommit":{"message":"[Security
Solution] Fix analyzer no data message in flyout when analyzer is not
enabled (#211981)\n\n## Summary\n\nWhen an alert does not have analyzer
enabled (i.e. no data), the\nanalyzer graph showed \"error loading
data\". This PR added checks if\nanalyzer should be present and added no
data message, this is consistent\nwith the analyzer preview.\n\n<img
width=\"1412\"
alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/11f905ba-c017-4847-98cd-5b773f5e9df7\"\n/>\n\n\n\n###
Checklist\n\n- [x] Any text added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n-
[x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [x] The PR
description includes the appropriate Release Notes section,\nand the
correct `release_note:*` label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"70ece1055fe2623f1821a9ac8081cb0bef058566"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: christineweng <18648970+christineweng@users.noreply.github.com>
---
 .../translations/translations/fr-FR.json      |  1 -
 .../translations/translations/ja-JP.json      |  1 -
 .../translations/translations/zh-CN.json      |  1 -
 .../left/components/analyze_graph.test.tsx    | 28 ++++++++++
 .../left/components/analyze_graph.tsx         | 13 ++++-
 .../components/analyzer_preview_container.tsx | 53 +++++++++++--------
 6 files changed, 69 insertions(+), 28 deletions(-)

diff --git a/x-pack/platform/plugins/private/translations/translations/fr-FR.json b/x-pack/platform/plugins/private/translations/translations/fr-FR.json
index dfb1b22e878d1..db7f61ec74965 100644
--- a/x-pack/platform/plugins/private/translations/translations/fr-FR.json
+++ b/x-pack/platform/plugins/private/translations/translations/fr-FR.json
@@ -40618,7 +40618,6 @@
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.analyzerPreviewTitle": "Aperçu de l'analyseur",
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.errorDescription": "Une erreur empêche l'analyse de cette alerte.",
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.loadingAriaLabel": "aperçu de l'analyseur",
-    "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.noDataDescription": "Vous pouvez uniquement visualiser les événements déclenchés par les hôtes configurés avec l'intégration Elastic Defend ou les données {sysmon} provenant de {winlogbeat}. Pour en savoir plus, consultez {link}.",
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.noDataLinkText": "Visualiser l'analyseur d'événement",
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.treeViewAriaLabel": "Aperçu de l'analyseur",
     "xpack.securitySolution.flyout.right.visualizations.assignees.popoverTooltip": "Assigner une alerte",
diff --git a/x-pack/platform/plugins/private/translations/translations/ja-JP.json b/x-pack/platform/plugins/private/translations/translations/ja-JP.json
index 7858228f01626..8c956def6e92c 100644
--- a/x-pack/platform/plugins/private/translations/translations/ja-JP.json
+++ b/x-pack/platform/plugins/private/translations/translations/ja-JP.json
@@ -40474,7 +40474,6 @@
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.analyzerPreviewTitle": "アナライザープレビュー",
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.errorDescription": "エラーが発生したため、このアラートを分析できません。",
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.loadingAriaLabel": "アナライザープレビュー",
-    "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.noDataDescription": "Elastic Defend統合で構成されたホストまたは{winlogbeat}の{sysmon}データによってトリガーされたイベントのみを可視化できます。詳細については、{link}を参照してください。",
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.noDataLinkText": "ビジュアルイベントアナライザー",
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.treeViewAriaLabel": "アナライザープレビュー",
     "xpack.securitySolution.flyout.right.visualizations.assignees.popoverTooltip": "アラートの割り当て",
diff --git a/x-pack/platform/plugins/private/translations/translations/zh-CN.json b/x-pack/platform/plugins/private/translations/translations/zh-CN.json
index 80fd1b8d3f8ab..cb003b703502f 100644
--- a/x-pack/platform/plugins/private/translations/translations/zh-CN.json
+++ b/x-pack/platform/plugins/private/translations/translations/zh-CN.json
@@ -40570,7 +40570,6 @@
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.analyzerPreviewTitle": "分析器预览",
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.errorDescription": "出现错误，无法分析此告警。",
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.loadingAriaLabel": "分析器预览",
-    "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.noDataDescription": "您只能可视化由使用 Elastic Defend 集成或来自 {winlogbeat} 的任何 {sysmon} 数据配置的主机触发的事件。请参阅 {link} 了解更多信息。",
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.noDataLinkText": "可视化事件分析器",
     "xpack.securitySolution.flyout.right.visualizations.analyzerPreview.treeViewAriaLabel": "分析器预览",
     "xpack.securitySolution.flyout.right.visualizations.assignees.popoverTooltip": "分配告警",
diff --git a/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/left/components/analyze_graph.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/left/components/analyze_graph.test.tsx
index fc3cb1aba8d36..58b96f19d919f 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/left/components/analyze_graph.test.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/left/components/analyze_graph.test.tsx
@@ -17,6 +17,7 @@ import { ANALYZER_GRAPH_TEST_ID } from './test_ids';
 import { useWhichFlyout } from '../../shared/hooks/use_which_flyout';
 import { mockFlyoutApi } from '../../shared/mocks/mock_flyout_context';
 import { DocumentDetailsAnalyzerPanelKey } from '../../shared/constants/panel_keys';
+import { useIsInvestigateInResolverActionEnabled } from '../../../../detections/components/alerts_table/timeline_actions/investigate_in_resolver';
 
 jest.mock('react-router-dom', () => {
   const actual = jest.requireActual('react-router-dom');
@@ -25,6 +26,10 @@ jest.mock('react-router-dom', () => {
 jest.mock('@kbn/expandable-flyout');
 jest.mock('../../../../resolver/view/use_resolver_query_params_cleaner');
 jest.mock('../../shared/hooks/use_which_flyout');
+jest.mock(
+  '../../../../detections/components/alerts_table/timeline_actions/investigate_in_resolver'
+);
+
 const mockUseWhichFlyout = useWhichFlyout as jest.Mock;
 const FLYOUT_KEY = 'securitySolution';
 
@@ -38,6 +43,9 @@ jest.mock('react-redux', () => {
   };
 });
 
+const NO_ANALYZER_MESSAGE =
+  'You can only visualize events triggered by hosts configured with the Elastic Defend integration or any sysmon data from winlogbeat. Refer to Visual event analyzer(external, opens in a new tab or window) for more information.';
+
 describe('<AnalyzeGraph />', () => {
   beforeEach(() => {
     mockUseWhichFlyout.mockReturnValue(FLYOUT_KEY);
@@ -45,6 +53,7 @@ describe('<AnalyzeGraph />', () => {
   });
 
   it('renders analyzer graph correctly', () => {
+    (useIsInvestigateInResolverActionEnabled as jest.Mock).mockReturnValue(true);
     const contextValue = {
       eventId: 'eventId',
       scopeId: TableId.test,
@@ -60,7 +69,26 @@ describe('<AnalyzeGraph />', () => {
     expect(wrapper.getByTestId(ANALYZER_GRAPH_TEST_ID)).toBeInTheDocument();
   });
 
+  it('renders no data message when analyzer is not enabled', () => {
+    (useIsInvestigateInResolverActionEnabled as jest.Mock).mockReturnValue(false);
+    const contextValue = {
+      eventId: 'eventId',
+      scopeId: TableId.test,
+      dataAsNestedObject: {},
+    } as unknown as DocumentDetailsContext;
+
+    const { container } = render(
+      <TestProviders>
+        <DocumentDetailsContext.Provider value={contextValue}>
+          <AnalyzeGraph />
+        </DocumentDetailsContext.Provider>
+      </TestProviders>
+    );
+    expect(container).toHaveTextContent(NO_ANALYZER_MESSAGE);
+  });
+
   it('clicking view button should open details panel in preview', () => {
+    (useIsInvestigateInResolverActionEnabled as jest.Mock).mockReturnValue(true);
     const contextValue = {
       eventId: 'eventId',
       scopeId: TableId.test,
diff --git a/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/left/components/analyze_graph.tsx b/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/left/components/analyze_graph.tsx
index 253e51786ff14..d07ca9f53325b 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/left/components/analyze_graph.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/left/components/analyze_graph.tsx
@@ -9,6 +9,7 @@ import type { FC } from 'react';
 import React, { useMemo, useCallback } from 'react';
 import { useExpandableFlyoutApi } from '@kbn/expandable-flyout';
 import { i18n } from '@kbn/i18n';
+import { EuiPanel } from '@elastic/eui';
 import { useWhichFlyout } from '../../shared/hooks/use_which_flyout';
 import { useDocumentDetailsContext } from '../../shared/context';
 import { ANALYZER_GRAPH_TEST_ID } from './test_ids';
@@ -16,6 +17,8 @@ import { Resolver } from '../../../../resolver/view';
 import { useTimelineDataFilters } from '../../../../timelines/containers/use_timeline_data_filters';
 import { isActiveTimeline } from '../../../../helpers';
 import { DocumentDetailsAnalyzerPanelKey } from '../../shared/constants/panel_keys';
+import { useIsInvestigateInResolverActionEnabled } from '../../../../detections/components/alerts_table/timeline_actions/investigate_in_resolver';
+import { AnalyzerPreviewNoDataMessage } from '../../right/components/analyzer_preview_container';
 
 export const ANALYZE_GRAPH_ID = 'analyze_graph';
 
@@ -34,7 +37,9 @@ export const ANALYZER_PREVIEW_BANNER = {
  * Analyzer graph view displayed in the document details expandable flyout left section under the Visualize tab
  */
 export const AnalyzeGraph: FC = () => {
-  const { eventId, scopeId } = useDocumentDetailsContext();
+  const { eventId, scopeId, dataAsNestedObject } = useDocumentDetailsContext();
+  const isEnabled = useIsInvestigateInResolverActionEnabled(dataAsNestedObject);
+
   const key = useWhichFlyout() ?? 'memory';
   const { from, to, shouldUpdate, selectedPatterns } = useTimelineDataFilters(
     isActiveTimeline(scopeId)
@@ -52,7 +57,7 @@ export const AnalyzeGraph: FC = () => {
     });
   }, [openPreviewPanel, key, scopeId]);
 
-  return (
+  return isEnabled ? (
     <div data-test-subj={ANALYZER_GRAPH_TEST_ID}>
       <Resolver
         databaseDocumentID={eventId}
@@ -64,6 +69,10 @@ export const AnalyzeGraph: FC = () => {
         showPanelOnClick={onClick}
       />
     </div>
+  ) : (
+    <EuiPanel hasShadow={false}>
+      <AnalyzerPreviewNoDataMessage />
+    </EuiPanel>
   );
 };
 
diff --git a/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/right/components/analyzer_preview_container.tsx b/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/right/components/analyzer_preview_container.tsx
index 145693eccf551..6db6ed0583872 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/right/components/analyzer_preview_container.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/right/components/analyzer_preview_container.tsx
@@ -120,31 +120,38 @@ export const AnalyzerPreviewContainer: React.FC = () => {
       }}
       data-test-subj={ANALYZER_PREVIEW_TEST_ID}
     >
-      {isEnabled ? (
-        <AnalyzerPreview />
-      ) : (
-        <FormattedMessage
-          id="xpack.securitySolution.flyout.right.visualizations.analyzerPreview.noDataDescription"
-          defaultMessage="You can only visualize events triggered by hosts configured with the Elastic Defend integration or any {sysmon} data from {winlogbeat}. Refer to {link} for more information."
-          values={{
-            sysmon: <EuiMark>{'sysmon'}</EuiMark>,
-            winlogbeat: <EuiMark>{'winlogbeat'}</EuiMark>,
-            link: (
-              <EuiLink
-                href="https://www.elastic.co/guide/en/security/current/visual-event-analyzer.html"
-                target="_blank"
-              >
-                <FormattedMessage
-                  id="xpack.securitySolution.flyout.right.visualizations.analyzerPreview.noDataLinkText"
-                  defaultMessage="Visual event analyzer"
-                />
-              </EuiLink>
-            ),
-          }}
-        />
-      )}
+      {isEnabled ? <AnalyzerPreview /> : <AnalyzerPreviewNoDataMessage />}
     </ExpandablePanel>
   );
 };
 
 AnalyzerPreviewContainer.displayName = 'AnalyzerPreviewContainer';
+
+/**
+ * No data message for the analyzer preview.
+ */
+export const AnalyzerPreviewNoDataMessage: React.FC = () => {
+  return (
+    <FormattedMessage
+      id="xpack.securitySolution.flyout.visualizations.analyzerPreview.noDataDescription"
+      defaultMessage="You can only visualize events triggered by hosts configured with the Elastic Defend integration or any {sysmon} data from {winlogbeat}. Refer to {link} for more information."
+      values={{
+        sysmon: <EuiMark>{'sysmon'}</EuiMark>,
+        winlogbeat: <EuiMark>{'winlogbeat'}</EuiMark>,
+        link: (
+          <EuiLink
+            href="https://www.elastic.co/guide/en/security/current/visual-event-analyzer.html"
+            target="_blank"
+          >
+            <FormattedMessage
+              id="xpack.securitySolution.flyout.right.visualizations.analyzerPreview.noDataLinkText"
+              defaultMessage="Visual event analyzer"
+            />
+          </EuiLink>
+        ),
+      }}
+    />
+  );
+};
+
+AnalyzerPreviewNoDataMessage.displayName = 'AnalyzerPreviewNoDataMessage';