Cherry-pick security/timelines changes

x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts

@@ -2401,6 +2401,21 @@ export const ecsFieldMap = {
     array: false,
     required: false,
   },
+  'process.entry_leader.entity_id': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'process.session_leader.entity_id': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
+  'process.group_leader.entity_id': {
+    type: 'keyword',
+    array: false,
+    required: false,
+  },
   'process.executable': {
     type: 'keyword',
     array: false,

x-pack/plugins/security_solution/common/ecs/process/index.ts

@@ -11,6 +11,9 @@ export interface ProcessEcs {
   Ext?: Ext;
   command_line?: string[];
   entity_id?: string[];
+  entry_leader?: ProcessSessionData;
+  session_leader?: ProcessSessionData;
+  group_leader?: ProcessSessionData;
   exit_code?: number[];
   hash?: ProcessHashData;
   parent?: ProcessParentData;
@@ -25,6 +28,12 @@ export interface ProcessEcs {
   working_directory?: string[];
 }
 
+export interface ProcessSessionData {
+  entity_id?: string[];
+  pid?: string[];
+  name?: string[];
+}
+
 export interface ProcessHashData {
   md5?: string[];
   sha1?: string[];

x-pack/plugins/security_solution/common/types/timeline/index.ts

@@ -476,6 +476,7 @@ export enum TimelineTabs {
   notes = 'notes',
   pinned = 'pinned',
   eql = 'eql',
+  session = 'session',
 }
 
 /**

x-pack/plugins/security_solution/kibana.json

@@ -22,6 +22,7 @@
     "licensing",
     "maps",
     "ruleRegistry",
+    "sessionView",
     "taskManager",
     "timelines",
     "triggersActionsUi",

x-pack/plugins/security_solution/public/common/components/events_viewer/index.tsx

@@ -105,6 +105,7 @@ const StatefulEventsViewerComponent: React.FC<Props> = ({
       itemsPerPage,
       itemsPerPageOptions,
       kqlMode,
+      sessionViewId,
       showCheckboxes,
       sort,
     } = defaultModel,
@@ -155,11 +156,11 @@ const StatefulEventsViewerComponent: React.FC<Props> = ({
 
   const globalFilters = useMemo(() => [...filters, ...(pageFilters ?? [])], [filters, pageFilters]);
   const trailingControlColumns: ControlColumnProps[] = EMPTY_CONTROL_COLUMNS;
-  const graphOverlay = useMemo(
-    () =>
-      graphEventId != null && graphEventId.length > 0 ? <GraphOverlay timelineId={id} /> : null,
-    [graphEventId, id]
-  );
+  const graphOverlay = useMemo(() => {
+    const shouldShowOverlay =
+      (graphEventId != null && graphEventId.length > 0) || sessionViewId !== null;
+    return shouldShowOverlay ? <GraphOverlay timelineId={id} /> : null;
+  }, [graphEventId, id, sessionViewId]);
   const setQuery = useCallback(
     (inspect, loading, refetch) => {
       dispatch(inputsActions.setQuery({ id, inputId: 'global', inspect, loading, refetch }));

x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx

@@ -176,4 +176,5 @@ export const requiredFieldsForActions = [
   'file.hash.sha256',
   'host.os.family',
   'event.code',
+  'process.entry_leader.entity_id',
 ];

x-pack/plugins/security_solution/public/detections/components/alerts_table/index.tsx

@@ -104,7 +104,7 @@ export const AlertsTableComponent: React.FC<AlertsTableComponentProps> = ({
   const kibana = useKibana();
   const [, dispatchToaster] = useStateToaster();
   const { addWarning } = useAppToasts();
-  const ACTION_BUTTON_COUNT = 4;
+  const ACTION_BUTTON_COUNT = 5;
 
   const getGlobalQuery = useCallback(
     (customFilters: Filter[]) => {

x-pack/plugins/security_solution/public/hosts/pages/navigation/events_query_tab_body.tsx

@@ -72,7 +72,7 @@ const EventsQueryTabBodyComponent: React.FC<HostsComponentsQueryProps> = ({
 }) => {
   const dispatch = useDispatch();
   const { globalFullScreen } = useGlobalFullScreen();
-  const ACTION_BUTTON_COUNT = 4;
+  const ACTION_BUTTON_COUNT = 5;
   const tGridEnabled = useIsExperimentalFeatureEnabled('tGridEnabled');
 
   useEffect(() => {

x-pack/plugins/security_solution/public/timelines/components/graph_overlay/index.tsx

@@ -28,12 +28,17 @@ import {
   useGlobalFullScreen,
   useTimelineFullScreen,
 } from '../../../common/containers/use_full_screen';
+import { useKibana } from '../../../common/lib/kibana';
 import { useDeepEqualSelector } from '../../../common/hooks/use_selector';
 import { TimelineId } from '../../../../common/types/timeline';
 import { timelineSelectors } from '../../store/timeline';
 import { timelineDefaults } from '../../store/timeline/defaults';
 import { isFullScreen } from '../timeline/body/column_headers';
-import { updateTimelineGraphEventId } from '../../../timelines/store/timeline/actions';
+import {
+  updateTimelineGraphEventId,
+  updateTimelineSessionViewEventId,
+  updateTimelineSessionViewSessionId,
+} from '../../../timelines/store/timeline/actions';
 import { inputsActions } from '../../../common/store/actions';
 import { Resolver } from '../../../resolver/view';
 import {
@@ -70,6 +75,12 @@ const FullScreenButtonIcon = styled(EuiButtonIcon)`
   margin: 4px 0 4px 0;
 `;
 
+const ScrollableFlexItem = styled(EuiFlexItem)`
+  ${({ theme }) => `margin: 0 ${theme.eui.euiSizeM};`}
+  overflow: hidden;
+  width: 100%;
+`;
+
 interface OwnProps {
   timelineId: TimelineId;
 }
@@ -131,6 +142,14 @@ const GraphOverlayComponent: React.FC<OwnProps> = ({ timelineId }) => {
   const graphEventId = useDeepEqualSelector(
     (state) => (getTimeline(state, timelineId) ?? timelineDefaults).graphEventId
   );
+  const { sessionView } = useKibana().services;
+  const sessionViewId = useDeepEqualSelector(
+    (state) => (getTimeline(state, timelineId) ?? timelineDefaults).sessionViewId
+  );
+  const sessionViewMain = useMemo(() => {
+    return sessionViewId !== null ? sessionView.getSessionView(sessionViewId) : null;
+  }, [sessionView, sessionViewId]);
+
   const getStartSelector = useMemo(() => startSelector(), []);
   const getEndSelector = useMemo(() => endSelector(), []);
   const getIsLoadingSelector = useMemo(() => isLoadingSelector(), []);
@@ -180,6 +199,8 @@ const GraphOverlayComponent: React.FC<OwnProps> = ({ timelineId }) => {
       }
     }
     dispatch(updateTimelineGraphEventId({ id: timelineId, graphEventId: '' }));
+    dispatch(updateTimelineSessionViewEventId({ id: timelineId, eventId: null }));
+    dispatch(updateTimelineSessionViewSessionId({ id: timelineId, eventId: null }));
   }, [dispatch, timelineId, setTimelineFullScreen, setGlobalFullScreen]);
 
   useEffect(() => {
@@ -219,7 +240,18 @@ const GraphOverlayComponent: React.FC<OwnProps> = ({ timelineId }) => {
     [defaultDataView.patternList, isInTimeline, timelinePatterns]
   );
 
-  if (fullScreen && !isInTimeline) {
+  if (!isInTimeline && sessionViewId !== null) {
+    return (
+      <EuiFlexGroup alignItems="flexStart" gutterSize="none" direction="column">
+        <EuiFlexItem grow={false}>
+          <EuiButtonEmpty iconType="cross" onClick={onCloseOverlay} size="xs">
+            {i18n.CLOSE_SESSION}
+          </EuiButtonEmpty>
+        </EuiFlexItem>
+        <ScrollableFlexItem grow={2}>{sessionViewMain}</ScrollableFlexItem>
+      </EuiFlexGroup>
+    );
+  } else if (fullScreen && !isInTimeline) {
     return (
       <FullScreenOverlayContainer data-test-subj="overlayContainer">
         <EuiHorizontalRule margin="none" />

x-pack/plugins/security_solution/public/timelines/components/graph_overlay/translations.ts

@@ -13,3 +13,10 @@ export const CLOSE_ANALYZER = i18n.translate(
     defaultMessage: 'Close analyzer',
   }
 );
+
+export const CLOSE_SESSION = i18n.translate(
+  'xpack.securitySolution.timeline.graphOverlay.closeSessionButton',
+  {
+    defaultMessage: 'Close Session',
+  }
+);

x-pack/plugins/security_solution/public/timelines/components/timeline/body/actions/index.tsx

@@ -24,6 +24,8 @@ import { useShallowEqualSelector } from '../../../../../common/hooks/use_selecto
 import {
   setActiveTabTimeline,
   updateTimelineGraphEventId,
+  updateTimelineSessionViewSessionId,
+  updateTimelineSessionViewEventId,
 } from '../../../../store/timeline/actions';
 import {
   useGlobalFullScreen,
@@ -128,6 +130,24 @@ const ActionsComponent: React.FC<ActionProps> = ({
     }
   }, [dispatch, ecsData._id, timelineId, setGlobalFullScreen, setTimelineFullScreen]);
 
+  const entryLeader = useMemo(() => {
+    const { process } = ecsData;
+    const entryLeaderIds = process?.entry_leader?.entity_id;
+    if (entryLeaderIds !== undefined) {
+      return entryLeaderIds[0];
+    } else {
+      return null;
+    }
+  }, [ecsData]);
+
+  const openSessionView = useCallback(() => {
+    if (entryLeader !== null) {
+      dispatch(setActiveTabTimeline({ id: timelineId, activeTab: TimelineTabs.session }));
+      dispatch(updateTimelineSessionViewSessionId({ id: timelineId, eventId: entryLeader }));
+      dispatch(updateTimelineSessionViewEventId({ id: timelineId, eventId: entryLeader }));
+    }
+  }, [dispatch, timelineId, entryLeader]);
+
   return (
     <ActionsContainer>
       {showCheckboxes && !tGridEnabled && (
@@ -220,6 +240,21 @@ const ActionsComponent: React.FC<ActionProps> = ({
             </EventsTdContent>
           </div>
         ) : null}
+        {entryLeader !== null ? (
+          <div>
+            <EventsTdContent textAlign="center" width={DEFAULT_ACTION_BUTTON_WIDTH}>
+              <EuiToolTip data-test-subj="expand-event-tool-tip" content={i18n.OPEN_SESSION_VIEW}>
+                <EuiButtonIcon
+                  aria-label={i18n.VIEW_DETAILS_FOR_ROW({ ariaRowindex, columnValues })}
+                  data-test-subj="session-view-button"
+                  iconType="console"
+                  onClick={openSessionView}
+                  size="s"
+                />
+              </EuiToolTip>
+            </EventsTdContent>
+          </div>
+        ) : null}
       </>
     </ActionsContainer>
   );

x-pack/plugins/security_solution/public/timelines/components/timeline/body/index.tsx

@@ -108,7 +108,7 @@ export const BodyComponent = React.memo<StatefulBodyProps>(
     const { queryFields, selectAll } = useDeepEqualSelector((state) =>
       getManageTimeline(state, id)
     );
-    const ACTION_BUTTON_COUNT = 5;
+    const ACTION_BUTTON_COUNT = 6;
 
     const onRowSelected: OnRowSelected = useCallback(
       ({ eventIds, isSelected }: { eventIds: string[]; isSelected: boolean }) => {

x-pack/plugins/security_solution/public/timelines/components/timeline/body/translations.ts

@@ -28,6 +28,13 @@ export const COPY_TO_CLIPBOARD = i18n.translate(
   }
 );
 
+export const OPEN_SESSION_VIEW = i18n.translate(
+  'xpack.securitySolution.timeline.body.openSessionViewLabel',
+  {
+    defaultMessage: 'Open Session View',
+  }
+);
+
 export const INVESTIGATE = i18n.translate(
   'xpack.securitySolution.timeline.body.actions.investigateLabel',
   {

x-pack/plugins/security_solution/public/timelines/components/timeline/query_tab_content/index.tsx

@@ -202,7 +202,7 @@ export const QueryTabContentComponent: React.FC<Props> = ({
   } = useSourcererDataView(SourcererScopeName.timeline);
 
   const { uiSettings } = useKibana().services;
-  const ACTION_BUTTON_COUNT = 5;
+  const ACTION_BUTTON_COUNT = 6;
 
   const getManageTimeline = useMemo(() => timelineSelectors.getManageTimelineById(), []);
   const { filterManager: activeFilterManager } = useDeepEqualSelector((state) =>

x-pack/plugins/security_solution/public/timelines/components/timeline/session_tab_content/index.tsx

@@ -0,0 +1,48 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { EuiFlexGroup, EuiFlexItem } from '@elastic/eui';
+import React, { useMemo } from 'react';
+import styled from 'styled-components';
+import { timelineSelectors } from '../../../store/timeline';
+import { useKibana } from '../../../../common/lib/kibana';
+import { TimelineId } from '../../../../../common/types/timeline';
+import { timelineDefaults } from '../../../../timelines/store/timeline/defaults';
+import { useDeepEqualSelector } from '../../../../common/hooks/use_selector';
+
+const FullWidthFlexGroup = styled(EuiFlexGroup)`
+  margin: 0;
+  width: 100%;
+  overflow: hidden;
+`;
+
+const ScrollableFlexItem = styled(EuiFlexItem)`
+  ${({ theme }) => `margin: 0 ${theme.eui.euiSizeM};`}
+  overflow: hidden;
+`;
+
+interface Props {
+  timelineId: TimelineId;
+}
+
+const SessionTabContent: React.FC<Props> = ({ timelineId }) => {
+  const { sessionView } = useKibana().services;
+
+  const getTimeline = useMemo(() => timelineSelectors.getTimelineByIdSelector(), []);
+
+  const sessionViewId = useDeepEqualSelector(
+    (state) => (getTimeline(state, timelineId) ?? timelineDefaults).sessionViewId
+  );
+  const sessionViewMain = useMemo(() => {
+    return sessionViewId !== null ? sessionView.getSessionView(sessionViewId) : null;
+  }, [sessionView, sessionViewId]);
+
+  return <ScrollableFlexItem grow={2}>{sessionViewMain}</ScrollableFlexItem>;
+};
+
+// eslint-disable-next-line import/no-default-export
+export default SessionTabContent;