Fixed issue when multiple joined results come back from privileged access detection (#224821)

Fixed some issues found with the privileged access detection heatmap.

- Fixed an issue when multiple joined results per user come back from
privileged access detection anomalies "top users" query.
- Fixed an emotion CSS issue where I imported the wrong module
This commit is contained in:
Jared Burgett 2025-06-24 12:45:36 -05:00 committed by GitHub
parent 4b4023fd3c
commit b67aace24c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 4 additions and 11 deletions


@ -35,7 +35,7 @@ describe('the source queries for privileged access detection', () => {
| LOOKUP JOIN .entity_analytics.monitoring.users-default ON user.name
| RENAME event_timestamp AS @timestamp
| WHERE user.is_privileged == true
| STATS max_record_score = MAX(record_score), user.is_privileged = TOP(user.is_privileged, 100, "desc") by user.name
| STATS max_record_score = MAX(record_score), user.is_privileged = TOP(user.is_privileged, 1, "desc") by user.name
| WHERE user.is_privileged == true
| SORT max_record_score DESC
| KEEP user.name
@ -82,7 +82,7 @@ describe('the source queries for privileged access detection', () => {
| LOOKUP JOIN .entity_analytics.monitoring.users-default ON user.name
| RENAME event_timestamp AS @timestamp
| WHERE user.is_privileged == true
| STATS max_record_score = MAX(record_score), user.is_privileged = TOP(user.is_privileged, 100, "desc") by user.name
| STATS max_record_score = MAX(record_score), user.is_privileged = TOP(user.is_privileged, 1, "desc") by user.name
| WHERE user.is_privileged == true
| SORT max_record_score DESC
| KEEP user.name


@ -16,13 +16,6 @@ const getHiddenBandsFilters = (anomalyBands: AnomalyBand[]) => {
return hiddenBands.map(recordScoreFilterClause).join('');
};
/**
* Currently, this query utilizes the `TOP` ES|QL command to filter for privileged users, and this effectively puts a cap on the number of data
* sources, per `user.name`, this query supports. Right now, we have a total of 3 possible values ('integration', 'api', and 'csv'), so 100
* is more than enough, and should likely suffice with the current architecture. If the `VALUES` ES|QL command is ever officially supported, this limitation would go away.
*/
const numberOfSupportedDataSources = 100;
export const usePadTopAnomalousUsersEsqlSource = ({
jobIds,
anomalyBands,
@ -41,7 +34,7 @@ export const usePadTopAnomalousUsersEsqlSource = ({
| WHERE record_score IS NOT NULL AND user.name IS NOT NULL
${getHiddenBandsFilters(anomalyBands)}
${getPrivilegedMonitorUsersJoin(spaceId)}
| STATS max_record_score = MAX(record_score), user.is_privileged = TOP(user.is_privileged, ${numberOfSupportedDataSources}, "desc") by user.name
| STATS max_record_score = MAX(record_score), user.is_privileged = TOP(user.is_privileged, 1, "desc") by user.name
| WHERE user.is_privileged == true
| SORT max_record_score DESC
| KEEP user.name
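Review bot: The STATS line in the second hunk now hard-codes `TOP(user.is_privileged, 1, "desc")` with no explanation, while the first hunk removed the only comment that said why TOP is used at all, so a reader will reasonably ask why the column is re-aggregated to a single value instead of simply dropped. I would put a short comment directly above that STATS line, e.g. `// The lookup join can return several rows per user; TOP(..., 1, "desc") collapses user.is_privileged to one value so the WHERE below compares a single boolean rather than a multi-valued field.` That a multi-valued field is what broke the trailing `WHERE user.is_privileged == true` is inferred from the commit title rather than visible in the hunk, so adjust the wording if the actual cause differed. If rows with `user.is_privileged` false can reach this STATS (the join helper's output is not visible here), `"desc"` makes a true from any joined row win, i.e. a user is classified as privileged if any source says so — the inclusive direction is the right one for a detection view, but it is worth stating explicitly in the comment. `usePadTopAnomalousUsersEsqlSource` starts in the first hunk and its body continues past the second, so the full query is not visible.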


@ -8,7 +8,7 @@
import React from 'react';
import { useExpandableFlyoutApi } from '@kbn/expandable-flyout';
import { EuiFlexGroup, EuiFlexItem, EuiLink, EuiText } from '@elastic/eui';
import { css } from '@emotion/css';
import { css } from '@emotion/react';
import { padChartStyling } from './pad_chart_styling';
import { UserPanelKey } from '../../../../../../flyout/entity_details/shared/constants';