elastic
diff --git a/‎x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/fetch_graph.ts‎
Lines changed: 37 additions & 44 deletions b/‎x-pack/solutions/security/plugins/cloud_security_posture/server/routes/graph/fetch_graph.ts‎
Lines changed: 37 additions & 44 deletions
diff --git a/‎x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/left/components/graph_visualization.tsx‎
Lines changed: 1 addition & 1 deletion b/‎x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/left/components/graph_visualization.tsx‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎x-pack/solutions/security/test/cloud_security_posture_api/es_archives/entity_store/data.json‎
Lines changed: 183 additions & 0 deletions b/‎x-pack/solutions/security/test/cloud_security_posture_api/es_archives/entity_store/data.json‎
Lines changed: 183 additions & 0 deletions
diff --git a/‎x-pack/solutions/security/test/cloud_security_posture_api/es_archives/logs_gcp_audit_ecs_only/data.json‎
Lines changed: 103 additions & 0 deletions b/‎x-pack/solutions/security/test/cloud_security_posture_api/es_archives/logs_gcp_audit_ecs_only/data.json‎
Lines changed: 103 additions & 0 deletions
@@ -242,54 +242,47 @@ ${
 | ENRICH ${enrichPolicyName} ON targetEntityId WITH targetEntityName = entity.name, targetEntityType = entity.type, targetEntitySubType = entity.sub_type, targetHostIp = host.ip
 
 // Construct actor and target entities data
-// If enrichment found a match (actorEntityType is not null), create full entity data
-// Otherwise, create minimal data with just id, type, and sourceNamespaceField
-| EVAL actorDocData = CASE(
-    actorEntityName IS NOT NULL,
-    CONCAT("{",
-      "\\"id\\":\\"", actorEntityId, "\\"",
-      ",\\"type\\":\\"", "${DOCUMENT_TYPE_ENTITY}", "\\"",
-      ",\\"sourceNamespaceField\\":\\"", actorEntityFieldHint, "\\"",
-      ",\\"entity\\":", "{",
-        "\\"name\\":\\"", COALESCE(actorEntityName, ""), "\\"",
-        ",\\"type\\":\\"", COALESCE(actorEntityType, ""), "\\"",
-        ",\\"sub_type\\":\\"", COALESCE(actorEntitySubType, ""), "\\"",
-        CASE (
-          actorHostIp IS NOT NULL,
-          CONCAT(",\\"host\\":", "{", "\\"ip\\":\\"", TO_STRING(actorHostIp), "\\"", "}"),
-          ""
-        ),
-      "}",
+// Build entity field conditionally - only include if any enrichment field exists
+| EVAL actorEntityField = CASE(
+    actorEntityName IS NOT NULL OR actorEntityType IS NOT NULL OR actorEntitySubType IS NOT NULL,
+    CONCAT(",\\"entity\\":", "{",
+      "\\"name\\":\\"", COALESCE(actorEntityName, ""), "\\"",
+      ",\\"type\\":\\"", COALESCE(actorEntityType, ""), "\\"",
+      ",\\"sub_type\\":\\"", COALESCE(actorEntitySubType, ""), "\\"",
+      CASE(
+        actorHostIp IS NOT NULL,
+        CONCAT(",\\"host\\":", "{", "\\"ip\\":\\"", TO_STRING(actorHostIp), "\\"", "}"),
+        ""
+      ),
     "}"),
-    CONCAT("{",
-      "\\"id\\":\\"", actorEntityId, "\\"",
-      ",\\"type\\":\\"", "${DOCUMENT_TYPE_ENTITY}", "\\"",
-      ",\\"sourceNamespaceField\\":\\"", actorEntityFieldHint, "\\"",
-    "}")
+    ""
   )
-| EVAL targetDocData = CASE(
-    targetEntityType IS NOT NULL,
-    CONCAT("{",
-      "\\"id\\":\\"", COALESCE(targetEntityId, ""), "\\"",
-      ",\\"type\\":\\"", "${DOCUMENT_TYPE_ENTITY}", "\\"",
-      ",\\"sourceNamespaceField\\":\\"", targetEntityFieldHint, "\\"",
-      ",\\"entity\\":", "{",
-        "\\"name\\":\\"", COALESCE(targetEntityName, ""), "\\"",
-        ",\\"type\\":\\"", COALESCE(targetEntityType, ""), "\\"",
-        ",\\"sub_type\\":\\"", COALESCE(targetEntitySubType, ""), "\\"",
-        CASE (
-          targetHostIp IS NOT NULL,
-          CONCAT(",\\"host\\":", "{", "\\"ip\\":\\"", TO_STRING(targetHostIp), "\\"", "}"),
-          ""
-        ),
-      "}",
+| EVAL targetEntityField = CASE(
+    targetEntityName IS NOT NULL OR targetEntityType IS NOT NULL OR targetEntitySubType IS NOT NULL,
+    CONCAT(",\\"entity\\":", "{",
+      "\\"name\\":\\"", COALESCE(targetEntityName, ""), "\\"",
+      ",\\"type\\":\\"", COALESCE(targetEntityType, ""), "\\"",
+      ",\\"sub_type\\":\\"", COALESCE(targetEntitySubType, ""), "\\"",
+      CASE(
+        targetHostIp IS NOT NULL,
+        CONCAT(",\\"host\\":", "{", "\\"ip\\":\\"", TO_STRING(targetHostIp), "\\"", "}"),
+        ""
+      ),
     "}"),
-    CONCAT("{",
-      "\\"id\\":\\"", COALESCE(targetEntityId, ""), "\\"",
-      ",\\"type\\":\\"", "${DOCUMENT_TYPE_ENTITY}", "\\"",
-      ",\\"sourceNamespaceField\\":\\"", targetEntityFieldHint, "\\"",
-    "}")
+    ""
   )
+| EVAL actorDocData = CONCAT("{",
+    "\\"id\\":\\"", actorEntityId, "\\"",
+    ",\\"type\\":\\"", "${DOCUMENT_TYPE_ENTITY}", "\\"",
+    ",\\"sourceNamespaceField\\":\\"", actorEntityFieldHint, "\\"",
+    actorEntityField,
+  "}")
+| EVAL targetDocData = CONCAT("{",
+    "\\"id\\":\\"", COALESCE(targetEntityId, ""), "\\"",
+    ",\\"type\\":\\"", "${DOCUMENT_TYPE_ENTITY}", "\\"",
+    ",\\"sourceNamespaceField\\":\\"", targetEntityFieldHint, "\\"",
+    targetEntityField,
+  "}")
 `
     : `
 // Fallback to null string with non-enriched entity metadata
 
@@ -146,7 +146,7 @@ export const GraphVisualization: React.FC = memo(() => {
           docMode === 'single-alert' ? ALERT_PREVIEW_BANNER : EVENT_PREVIEW_BANNER,
           singleDocumentData.index
         );
-      } else if (docMode === 'single-entity' && singleDocumentData) {
+      } else if (docMode === 'single-entity' && singleDocumentData?.entity) {
         showEntityPreview(singleDocumentData);
       } else if (docMode === 'grouped-entities' && documentsData.length > 0) {
         openPreviewPanel({
 
@@ -266,3 +266,186 @@
     }
   }
 }
+
+{
+  "type": "doc",
+  "value": {
+    "id": "7",
+    "index": ".entities.v1.latest.security_generic_default",
+    "source": {
+      "@timestamp": "2025-07-20T17:26:09.361Z",
+      "cloud": {
+        "account": {
+          "id": "multi-target-project-id",
+          "name": "multi-target-project-name"
+        },
+        "provider": "gcp",
+        "region": "us-west1",
+        "service": {
+          "name": "GCP IAM"
+        }
+      },
+      "entity": {
+        "EngineMetadata": {
+          "Type": "generic"
+        },
+        "id": "[email protected]",
+        "name": "MultiTargetUser",
+        "source": ".ds-logs-cloud_asset_inventory.asset_inventory-identity_gcp_iam_user-default-2025.07.16-000005",
+        "sub_type": "GCP IAM User",
+        "type": "Identity"
+      },
+      "event": {
+        "ingested": "2025-07-20T17:27:13.583Z"
+      },
+      "user": {
+        "id": "[email protected]",
+        "name": "MultiTargetUser"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "id": "8",
+    "index": ".entities.v1.latest.security_generic_default",
+    "source": {
+      "@timestamp": "2025-07-20T17:26:09.361Z",
+      "cloud": {
+        "account": {
+          "id": "multi-target-project-id",
+          "name": "multi-target-project-name"
+        },
+        "provider": "gcp",
+        "region": "us-west1",
+        "service": {
+          "name": "GCP Storage"
+        }
+      },
+      "entity": {
+        "EngineMetadata": {
+          "Type": "generic"
+        },
+        "id": "projects/multi-target-project-id/buckets/target-bucket-a",
+        "name": "TargetBucketA",
+        "source": ".ds-logs-cloud_asset_inventory.asset_inventory-storage_gcp_storage_bucket-default-2025.07.16-000005",
+        "sub_type": "GCP Storage Bucket",
+        "type": "Storage"
+      },
+      "event": {
+        "ingested": "2025-07-20T17:27:13.583Z"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "id": "9",
+    "index": ".entities.v1.latest.security_generic_default",
+    "source": {
+      "@timestamp": "2025-07-20T17:26:09.361Z",
+      "cloud": {
+        "account": {
+          "id": "multi-target-project-id",
+          "name": "multi-target-project-name"
+        },
+        "provider": "gcp",
+        "region": "us-west1",
+        "service": {
+          "name": "GCP Storage"
+        }
+      },
+      "entity": {
+        "EngineMetadata": {
+          "Type": "generic"
+        },
+        "id": "projects/multi-target-project-id/buckets/target-bucket-b",
+        "name": "TargetBucketB",
+        "source": ".ds-logs-cloud_asset_inventory.asset_inventory-storage_gcp_storage_bucket-default-2025.07.16-000005",
+        "sub_type": "GCP Storage Bucket",
+        "type": "Storage"
+      },
+      "event": {
+        "ingested": "2025-07-20T17:27:13.583Z"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "id": "10",
+    "index": ".entities.v1.latest.security_generic_default",
+    "source": {
+      "@timestamp": "2025-07-20T17:26:09.361Z",
+      "cloud": {
+        "account": {
+          "id": "multi-target-project-id",
+          "name": "multi-target-project-name"
+        },
+        "provider": "gcp",
+        "region": "us-west1",
+        "service": {
+          "name": "GCP Storage"
+        }
+      },
+      "entity": {
+        "EngineMetadata": {
+          "Type": "generic"
+        },
+        "id": "projects/multi-target-project-id/buckets/target-bucket-c",
+        "name": "TargetBucketC",
+        "source": ".ds-logs-cloud_asset_inventory.asset_inventory-storage_gcp_storage_bucket-default-2025.07.16-000005",
+        "sub_type": "GCP Storage Bucket",
+        "type": "Storage"
+      },
+      "event": {
+        "ingested": "2025-07-20T17:27:13.583Z"
+      }
+    }
+  }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "id": "11",
+    "index": ".entities.v1.latest.security_generic_default",
+    "source": {
+      "@timestamp": "2025-07-20T17:26:09.361Z",
+      "cloud": {
+        "account": {
+          "id": "multi-target-project-id",
+          "name": "multi-target-project-name"
+        },
+        "provider": "gcp",
+        "region": "us-west1",
+        "service": {
+          "name": "GCP IAM"
+        }
+      },
+      "entity": {
+        "EngineMetadata": {
+          "Type": "generic"
+        },
+        "id": "projects/multi-target-project-id/serviceAccounts/target-sa-different@multi-target-project-id.iam.gserviceaccount.com",
+        "name": "TargetServiceDifferent",
+        "source": ".ds-logs-cloud_asset_inventory.asset_inventory-identity_gcp_service_account-default-2025.07.16-000005",
+        "sub_type": "GCP Service Account",
+        "type": "Service"
+      },
+      "event": {
+        "ingested": "2025-07-20T17:27:13.583Z"
+      },
+      "service": {
+        "id": "projects/multi-target-project-id/serviceAccounts/target-sa-different@multi-target-project-id.iam.gserviceaccount.com",
+        "name": "TargetServiceDifferent"
+      }
+    }
+  }
+}
@@ -308,4 +308,107 @@
       }
     }
   }
+}
+
+{
+  "type": "doc",
+  "value": {
+    "data_stream": "logs-gcp.audit-default",
+    "id": "10",
+    "index": ".ds-logs-gcp.audit-default-2024.09.11-000001",
+    "source": {
+      "@timestamp": "2024-09-11T10:00:00.000Z",
+      "user": {
+        "entity": {
+          "id": "[email protected]"
+        }
+      },
+      "client": {
+        "user": {
+          "email": "[email protected]"
+        }
+      },
+      "cloud": {
+        "project": {
+          "id": "multi-target-project-id"
+        },
+        "provider": "gcp"
+      },
+      "ecs": {
+        "version": "8.11.0"
+      },
+      "event": {
+        "action": "google.cloud.multi.target.action",
+        "agent_id_status": "missing",
+        "category": [
+          "configuration"
+        ],
+        "id": "multi-target-mixed-event-id",
+        "ingested": "2024-09-11T10:00:00.000Z",
+        "kind": "event",
+        "outcome": "success",
+        "provider": "activity",
+        "type": [
+          "change"
+        ]
+      },
+      "gcp": {
+        "audit": {
+          "authorization_info": [
+            {
+              "granted": true,
+              "permission": "storage.buckets.update",
+              "resource": "projects/multi-target-project-id"
+            }
+          ],
+          "logentry_operation": {
+            "id": "multi-target-operation-id"
+          },
+          "type": "type.googleapis.com/google.cloud.audit.AuditLog"
+        }
+      },
+      "log": {
+        "level": "NOTICE",
+        "logger": "projects/multi-target-project-id/logs/cloudaudit.googleapis.com%2Factivity"
+      },
+      "related": {
+        "ip": [
+          "10.0.0.15"
+        ],
+        "user": [
+          "[email protected]"
+        ]
+      },
+      "service": {
+        "name": "storage.googleapis.com",
+        "target": {
+          "entity": {
+            "id": [
+              "projects/multi-target-project-id/buckets/target-bucket-c",
+              "projects/multi-target-project-id/serviceAccounts/target-sa-different@multi-target-project-id.iam.gserviceaccount.com"
+            ]
+          }
+        }
+      },
+      "source": {
+        "ip": "10.0.0.15"
+      },
+      "entity": {
+        "target": {
+          "id": [
+            "projects/multi-target-project-id/buckets/target-bucket-a",
+            "projects/multi-target-project-id/buckets/target-bucket-b"
+          ]
+        }
+      },
+      "tags": [],
+      "user_agent": {
+        "device": {
+          "name": "Other"
+        },
+        "name": "Other",
+        "original": "google-cloud-sdk/380.0.0"
+      }
+    }
+  }
 }