Hide GraphPreview if user license is lower than required

Author: albertoblaz

x-pack/solutions/security/packages/features/src/product_features_keys.ts

@@ -117,6 +117,11 @@ export enum ProductFeatureSecurityKey {
    * Enables customization of prebuilt Elastic rules
    */
   prebuiltRuleCustomization = 'prebuilt_rule_customization',
+
+  /**
+   * Enables graph visualization for alerts and events
+   */
+  graphVisualization = 'graph_visualization',
 }
 
 export enum ProductFeatureCasesKey {

x-pack/solutions/security/plugins/security_solution/public/common/hooks/use_has_graph_visualization_access.test.ts

@@ -0,0 +1,158 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { renderHook } from '@testing-library/react';
+import { useHasGraphVisualizationAccess } from './use_has_graph_visualization_access';
+import { useKibana } from '../lib/kibana';
+import { useLicense } from './use_license';
+import { BehaviorSubject } from 'rxjs';
+
+jest.mock('../lib/kibana');
+jest.mock('./use_license');
+
+describe('useHasGraphVisualizationAccess', () => {
+  const mockUseKibana = useKibana as jest.Mock;
+  const mockUseLicense = useLicense as jest.Mock;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe('ESS/Self-Managed Environment', () => {
+    it('should return true when user has Enterprise license', () => {
+      const productFeatureKeys$ = new BehaviorSubject<Set<string> | null>(null);
+
+      mockUseKibana.mockReturnValue({
+        services: {
+          productFeatureKeys$,
+          serverless: undefined,
+        },
+      });
+
+      mockUseLicense.mockReturnValue({
+        isEnterprise: jest.fn(() => true),
+      });
+
+      const { result } = renderHook(() => useHasGraphVisualizationAccess());
+
+      expect(result.current).toBe(true);
+    });
+
+    it('should return false when user does not have Enterprise license', () => {
+      const productFeatureKeys$ = new BehaviorSubject<Set<string> | null>(null);
+
+      mockUseKibana.mockReturnValue({
+        services: {
+          productFeatureKeys$,
+          serverless: undefined,
+        },
+      });
+
+      mockUseLicense.mockReturnValue({
+        isEnterprise: jest.fn(() => false),
+      });
+
+      const { result } = renderHook(() => useHasGraphVisualizationAccess());
+
+      expect(result.current).toBe(false);
+    });
+  });
+
+  describe('Serverless Environment', () => {
+    it('should return true when user has Complete tier with graphVisualization feature', () => {
+      const productFeatureKeys$ = new BehaviorSubject<Set<string> | null>(
+        new Set<string>(['graph_visualization'])
+      );
+
+      mockUseKibana.mockReturnValue({
+        services: {
+          productFeatureKeys$,
+          serverless: {
+            projectType: 'security',
+          },
+        },
+      });
+
+      mockUseLicense.mockReturnValue({
+        isEnterprise: jest.fn(() => false),
+      });
+
+      const { result } = renderHook(() => useHasGraphVisualizationAccess());
+
+      expect(result.current).toBe(true);
+    });
+
+    it('should return false when user has Essentials tier without graphVisualization feature', () => {
+      const productFeatureKeys$ = new BehaviorSubject<Set<string> | null>(new Set<string>([]));
+
+      mockUseKibana.mockReturnValue({
+        services: {
+          productFeatureKeys$,
+          serverless: {
+            projectType: 'security',
+          },
+        },
+      });
+
+      mockUseLicense.mockReturnValue({
+        isEnterprise: jest.fn(() => false),
+      });
+
+      const { result } = renderHook(() => useHasGraphVisualizationAccess());
+
+      expect(result.current).toBe(false);
+    });
+
+    it('should return false when productFeatureKeys is null', () => {
+      const productFeatureKeys$ = new BehaviorSubject<Set<string> | null>(null);
+
+      mockUseKibana.mockReturnValue({
+        services: {
+          productFeatureKeys$,
+          serverless: {
+            projectType: 'security',
+          },
+        },
+      });
+
+      mockUseLicense.mockReturnValue({
+        isEnterprise: jest.fn(() => true),
+      });
+
+      const { result } = renderHook(() => useHasGraphVisualizationAccess());
+
+      expect(result.current).toBe(false);
+    });
+
+    it('should prioritize PLI check over license check in serverless mode', () => {
+      const productFeatureKeys$ = new BehaviorSubject<Set<string> | null>(new Set<string>([]));
+
+      mockUseKibana.mockReturnValue({
+        services: {
+          productFeatureKeys$,
+          serverless: {
+            projectType: 'security',
+          },
+        },
+      });
+
+      // Even though isEnterprise returns true, PLI check should take precedence
+      const isEnterpriseMock = jest.fn(() => true);
+      mockUseLicense.mockReturnValue({
+        isEnterprise: isEnterpriseMock,
+      });
+
+      const { result } = renderHook(() => useHasGraphVisualizationAccess());
+
+      // Should return false because graphVisualization is not in PLI
+      expect(result.current).toBe(false);
+
+      // isEnterprise should not be called in serverless mode
+      expect(isEnterpriseMock).not.toHaveBeenCalled();
+    });
+  });
+});

x-pack/solutions/security/plugins/security_solution/public/common/hooks/use_has_graph_visualization_access.ts

@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import useObservable from 'react-use/lib/useObservable';
+import { ProductFeatureSecurityKey } from '@kbn/security-solution-features/keys';
+import { useKibana } from '../lib/kibana';
+import { useLicense } from './use_license';
+
+/**
+ * Hook to determine if the user has the required license for graph visualization feature.
+ *
+ * In ESS/Self-Managed: Requires Enterprise license or higher
+ * In Serverless: Requires Security Analytics Complete tier (not Essentials)
+ *
+ * @returns boolean indicating if graph visualization is available
+ */
+export const useHasGraphVisualizationAccess = (): boolean => {
+  const { productFeatureKeys$, serverless } = useKibana().services;
+  const licenseService = useLicense();
+
+  // Get current product feature keys from observable (serverless PLI system)
+  const productFeatureKeys = useObservable(productFeatureKeys$, null);
+
+  // Detect if running in serverless mode
+  const isServerless = serverless !== undefined;
+
+  if (isServerless) {
+    // In serverless: Check if Complete tier feature is enabled
+    return productFeatureKeys?.has(ProductFeatureSecurityKey.graphVisualization) ?? false;
+  } else {
+    // In ESS/Self-Managed: Check for Enterprise license or higher
+    return licenseService.isEnterprise();
+  }
+};

x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/hooks/use_graph_preview.test.tsx

@@ -12,6 +12,10 @@ import { useGraphPreview } from './use_graph_preview';
 import type { GetFieldsData } from './use_get_fields_data';
 import { mockFieldData } from '../mocks/mock_get_fields_data';
 import { mockDataFormattedForFieldBrowser } from '../mocks/mock_data_formatted_for_field_browser';
+import { useHasGraphVisualizationAccess } from '../../../../common/hooks/use_has_graph_visualization_access';
+
+jest.mock('../../../../common/hooks/use_has_graph_visualization_access');
+const mockUseHasGraphVisualizationAccess = useHasGraphVisualizationAccess as jest.Mock;
 
 const alertMockGetFieldsData: GetFieldsData = (field: string) => {
   if (field === 'kibana.alert.uuid') {
@@ -48,6 +52,11 @@ const eventMockGetFieldsData: GetFieldsData = (field: string) => {
 const eventMockDataFormattedForFieldBrowser: TimelineEventsDetailsItem[] = [];
 
 describe('useGraphPreview', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+    // Default mock: graph visualization feature is available
+    mockUseHasGraphVisualizationAccess.mockReturnValue(true);
+  });
   it(`should return false when missing actor`, () => {
     const getFieldsData: GetFieldsData = (field: string) => {
       if (field === 'actor.entity.id') {
@@ -326,4 +335,34 @@ describe('useGraphPreview', () => {
       isAlert: true,
     });
   });
+
+  describe('License checking', () => {
+    it('should return false when all conditions are met but env does not have required license', () => {
+      mockUseHasGraphVisualizationAccess.mockReturnValue(false);
+
+      const hookResult = renderHook((props: UseGraphPreviewParams) => useGraphPreview(props), {
+        initialProps: {
+          getFieldsData: alertMockGetFieldsData,
+          ecsData: {
+            _id: 'id',
+            event: {
+              action: ['action'],
+            },
+          },
+          dataFormattedForFieldBrowser: alertMockDataFormattedForFieldBrowser,
+        },
+      });
+
+      expect(hookResult.result.current.hasGraphRepresentation).toBe(false);
+      expect(hookResult.result.current).toStrictEqual({
+        hasGraphRepresentation: false,
+        timestamp: mockFieldData['@timestamp'][0],
+        eventIds: ['eventId'],
+        actorIds: ['actorId'],
+        action: ['action'],
+        targetIds: ['targetId'],
+        isAlert: true,
+      });
+    });
+  });
 });

x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/hooks/use_graph_preview.ts

@@ -11,6 +11,7 @@ import { get } from 'lodash/fp';
 import type { GetFieldsData } from './use_get_fields_data';
 import { getField, getFieldArray } from '../utils';
 import { useBasicDataFromDetailsData } from './use_basic_data_from_details_data';
+import { useHasGraphVisualizationAccess } from '../../../../common/hooks/use_has_graph_visualization_access';
 
 export interface UseGraphPreviewParams {
   /**
@@ -58,7 +59,7 @@ export interface UseGraphPreviewResult {
   action?: string[];
 
   /**
-   * Boolean indicating if the event is has a graph representation (contains event ids, actor ids and action)
+   * Boolean indicating if the event has a graph representation (contains event ids, actor ids, action, and valid license)
    */
   hasGraphRepresentation: boolean;
 
@@ -84,12 +85,18 @@ export const useGraphPreview = ({
   const actorIds = getFieldArray(getFieldsData('actor.entity.id'));
   const targetIds = getFieldArray(getFieldsData('target.entity.id'));
   const action: string[] | undefined = get(['event', 'action'], ecsData);
+
+  // Check if user license is high enough to access graph visualization
+  const hasRequiredLicense = useHasGraphVisualizationAccess();
+
   const hasGraphRepresentation =
     Boolean(timestamp) &&
     Boolean(action?.length) &&
     actorIds.length > 0 &&
     eventIds.length > 0 &&
-    targetIds.length > 0;
+    targetIds.length > 0 &&
+    hasRequiredLicense;
+
   const { isAlert } = useBasicDataFromDetailsData(dataFormattedForFieldBrowser);
 
   return { timestamp, eventIds, actorIds, action, targetIds, hasGraphRepresentation, isAlert };

x-pack/solutions/security/plugins/security_solution/public/mocks.ts

@@ -7,6 +7,7 @@
 
 import { BehaviorSubject, of } from 'rxjs';
 import { UpsellingService } from '@kbn/security-solution-upselling/service';
+import type { ProductFeatureKeyType } from '@kbn/security-solution-features';
 import type { BreadcrumbsNav } from './common/breadcrumbs';
 import { allowedExperimentalValues } from '../common/experimental_features';
 import type { PluginStart, PluginSetup, ContractStartServices } from './types';
@@ -19,6 +20,7 @@ export const contractStartServicesMock: ContractStartServices = {
   getComponents$: jest.fn(() => of({})),
   upselling,
   onboarding: onboardingService,
+  productFeatureKeys$: new BehaviorSubject<Set<ProductFeatureKeyType> | null>(null),
 };
 
 const setupMock = (): PluginSetup => ({

x-pack/solutions/security/plugins/security_solution/public/plugin_contract.ts

@@ -62,6 +62,7 @@ export class PluginContract {
       getComponents$: this.componentsService.getComponents$.bind(this.componentsService),
       upselling: this.upsellingService,
       onboarding: this.onboardingService,
+      productFeatureKeys$: this.productFeatureKeys$,
     };
   }
 }

x-pack/solutions/security/plugins/security_solution/public/types.ts

@@ -61,7 +61,7 @@ import type { MapsStartApi } from '@kbn/maps-plugin/public';
 import type { ServerlessPluginStart } from '@kbn/serverless/public';
 import type { DiscoverSharedPublicStart } from '@kbn/discover-shared-plugin/public';
 import type { AutomaticImportPluginStart } from '@kbn/automatic-import-plugin/public';
-import type { ProductFeatureKeys } from '@kbn/security-solution-features';
+import type { ProductFeatureKeyType, ProductFeatureKeys } from '@kbn/security-solution-features';
 import type { ElasticAssistantSharedStatePublicPluginStart } from '@kbn/elastic-assistant-shared-state-plugin/public';
 import type { InferencePublicStart } from '@kbn/inference-plugin/public';
 import type { ResolverPluginSetup } from './resolver/types';
@@ -172,6 +172,7 @@ export interface ContractStartServices {
   getComponents$: GetComponents$;
   upselling: UpsellingService;
   onboarding: OnboardingService;
+  productFeatureKeys$: Observable<Set<ProductFeatureKeyType> | null>;
 }
 
 export type StartServices = CoreStart &

x-pack/solutions/security/plugins/security_solution_serverless/common/pli/pli_config.ts

@@ -58,6 +58,7 @@ export const PLI_PRODUCT_FEATURES: PliProductFeatures = {
       ProductFeatureKey.prebuiltRuleCustomization,
       ProductFeatureKey.siemMigrations,
       ProductFeatureKey.aiValueReport,
+      ProductFeatureKey.graphVisualization,
     ],
   },
   [ProductLine.endpoint]: {