[Security Solution] Ignore timerange in session view, to mirror session view component (#141137)

* Ignore timerange in session view, to mirror session view component * Remove timerange from process ancestry insight
2025-04-24 01:38:56 -04:00 · 2022-10-04 18:01:52 -04:00 · 2022-10-04 18:01:52 -04:00 · 7a6ff848ab
commit 7a6ff848ab
parent 45ad233c81
3 changed files with 42 additions and 20 deletions
--- a/x-pack/plugins/security_solution/public/common/components/event_details/insights/related_alerts_by_session.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/insights/related_alerts_by_session.tsx
@ -43,6 +43,7 @@ export const RelatedAlertsBySession = React.memo<Props>(
      timelineId: timelineId ?? '',
      signalIndexName: null,
      includeAlertIds: true,
+      ignoreTimerange: true,
    });

    const { fieldFromBrowserField } = getEnrichedFieldInfo({
--- a/x-pack/plugins/security_solution/public/common/containers/alerts/use_alert_prevalence.ts
+++ b/x-pack/plugins/security_solution/public/common/containers/alerts/use_alert_prevalence.ts
@ -24,6 +24,7 @@ interface UseAlertPrevalenceOptions {
  timelineId: string;
  signalIndexName: string | null;
  includeAlertIds?: boolean;
+  ignoreTimerange?: boolean;
 }

 interface UserAlertPrevalenceResult {
@ -39,13 +40,17 @@ export const useAlertPrevalence = ({
  timelineId,
  signalIndexName,
  includeAlertIds = false,
+  ignoreTimerange = false,
 }: UseAlertPrevalenceOptions): UserAlertPrevalenceResult => {
  const timelineTime = useDeepEqualSelector((state) =>
    inputsSelectors.timelineTimeRangeSelector(state)
  );
  const globalTime = useGlobalTime(false);
-
-  const { to, from } = timelineId === TimelineId.active ? timelineTime : globalTime;
+  let to: string | undefined;
+  let from: string | undefined;
+  if (ignoreTimerange === false) {
+    ({ to, from } = timelineId === TimelineId.active ? timelineTime : globalTime);
+  }
  const [initialQuery] = useState(() =>
    generateAlertPrevalenceQuery(field, value, from, to, includeAlertIds)
  );
@ -88,8 +93,8 @@ export const useAlertPrevalence = ({
 const generateAlertPrevalenceQuery = (
  field: string,
  value: string | string[] | undefined | null,
-  from: string,
-  to: string,
+  from: string | undefined,
+  to: string | undefined,
  includeAlertIds: boolean
 ) => {
  // if we don't want the alert ids included, we set size to 0 to reduce the response payload
@ -106,25 +111,15 @@ const generateAlertPrevalenceQuery = (
          [field]: actualValue,
        },
      },
-      filter: [
-        {
-          range: {
-            '@timestamp': {
-              gte: from,
-              lte: to,
-            },
-          },
-        },
-      ],
    },
  };

-  if (Array.isArray(value) && value.length > 1) {
-    const shouldValues = value.map((val) => ({ match: { [field]: val } }));
+  if (from !== undefined && to !== undefined) {
    query = {
+      ...query,
      bool: {
-        minimum_should_match: 1,
-        must: [
+        ...query.bool,
+        filter: [
          {
            range: {
              '@timestamp': {
@ -134,9 +129,36 @@ const generateAlertPrevalenceQuery = (
            },
          },
        ],
+      },
+    };
+  }
+
+  if (Array.isArray(value) && value.length > 1) {
+    const shouldValues = value.map((val) => ({ match: { [field]: val } }));
+    query = {
+      bool: {
+        minimum_should_match: 1,
        should: shouldValues,
      },
    };
+    if (from !== undefined && to !== undefined) {
+      query = {
+        ...query,
+        bool: {
+          ...query.bool,
+          must: [
+            {
+              range: {
+                '@timestamp': {
+                  gte: from,
+                  lte: to,
+                },
+              },
+            },
+          ],
+        },
+      };
+    }
  }

  return {
--- a/x-pack/plugins/security_solution/public/common/containers/alerts/use_alert_prevalence_from_process_tree.ts
+++ b/x-pack/plugins/security_solution/public/common/containers/alerts/use_alert_prevalence_from_process_tree.ts
@ -99,7 +99,7 @@ export function useAlertPrevalenceFromProcessTree({
 }: UseAlertPrevalenceFromProcessTree): UserAlertPrevalenceFromProcessTreeResult {
  const http = useHttp();

-  const { selectedPatterns, to, from } = useTimelineDataFilters(timelineId);
+  const { selectedPatterns } = useTimelineDataFilters(timelineId);
  const alertAndOriginalIndices = [...new Set(selectedPatterns.concat(indices))];
  const { loading, id, schema } = useAlertDocumentAnalyzerSchema({
    documentId,
@ -115,7 +115,6 @@ export function useAlertPrevalenceFromProcessTree({
          descendants: 500,
          indexPatterns: alertAndOriginalIndices,
          nodes: [id],
-          timeRange: { from, to },
          includeHits: true,
        }),
      });