[Security Solution][Entity Analytics][Threat Hunting][WIP] Introduce threat hunting home experience

[abhishekbhatia1710]

Summary

• add the threat hunting home page and supporting components for the entity analytics area when the entityThreatHuntingEnabled flag is on
• wire the new page into entity analytics navigation/routes and surface new table actions for entity timelines and AI assistant entry points
• provide focused unit coverage for the new home experience

Screenshot of the UI :

[elasticmachine]

Pinging @elastic/security-entity-analytics (Team:Entity Analytics)

[Copilot]

Pull Request Overview

This PR introduces a new experimental Threat Hunting feature for Entity Analytics, providing an AI-powered interface for analyzing and investigating entity threats. The feature is controlled by the entityThreatHuntingEnabled experimental flag.

Key changes:

• Adds a new ThreatHuntingHomePage component with AI hypotheses section, entity risk levels visualization, and entities table
• Conditionally renders the new threat hunting page or legacy overview based on experimental flag
• Enhances entities list table with new action buttons for timeline navigation and AI assistant
• Updates navigation links to include threat hunting as a new entry point

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
routes.tsx	Adds conditional rendering logic to show ThreatHuntingHomePage when experimental flag is enabled
routes.test.tsx	Tests the conditional rendering behavior based on the experimental flag
threat_hunting_home_page.tsx	New page component implementing the threat hunting UI with AI hypotheses, risk levels, and entities table
threat_hunting_home_page.test.tsx	Comprehensive test coverage for the new threat hunting page component
links.ts	Adds threat hunting navigation link and updates entity analytics links structure
threat_hunting_entity_risk_levels.tsx	Component displaying entity risk levels with donut chart and table visualization
threat_hunting_entities_table.tsx	Wrapper component for entities table in threat hunting context
use_entities_list_columns.tsx	Enhances entities table with timeline and AI assistant action buttons when flag enabled
entities_list.tsx	Adds rowHeight configuration for new action buttons

[elasticmachine]

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

• Click to trigger kibana-pull-request for this PR!
• Click to trigger kibana-deploy-project-from-pr for this PR!
• Click to trigger kibana-deploy-cloud-from-pr for this PR!

[kibanamachine]

Project deployments require a Github label, please add one or more of ci:project-deploy-(elasticsearch|observability|security) and trigger the job through the checkbox again.

[Copilot]

Pull Request Overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 14 comments.

Comments suppressed due to low confidence (1)

x-pack/solutions/security/plugins/security_solution/public/entity_analytics/api/hooks/use_risk_score_kpi.tsx:117

• The dependency array for the useEffect hook has been updated to include riskEntities (line 113), but riskEntities is recalculated on every render based on multipleEntities and singleEntity. This could cause unnecessary re-executions of the search effect.

Consider memoizing riskEntities with useMemo or deriving it directly in the dependency array from the stable rest parameters to avoid unnecessary effect triggers:

const riskEntitiesMemo = useMemo(() => {
  if (multipleEntities && multipleEntities.length > 0) {
    return multipleEntities;
  }
  return singleEntity ? [singleEntity] : [];
}, [multipleEntities, singleEntity]);

Then use riskEntitiesMemo in the effect dependencies.

  const riskEntities = useMemo(() => {
    if (multipleEntities && multipleEntities.length > 0) {
      return multipleEntities;
    }

    return singleEntity ? [singleEntity] : [];
  }, [multipleEntities, singleEntity]);

  const primaryEntity = riskEntities[0] ?? singleEntity;
  const shouldSkip = skip || riskEntities.length === 0;

  useEffect(() => {
    if (!shouldSkip && defaultIndex && !isStatusLoading && riskEngineHasBeenEnabled) {
      search({
        filterQuery,
        defaultIndex: [defaultIndex],
        entity: primaryEntity,
        entities: riskEntities,
        timerange: requestTimerange,
      });
    }
  }, [
    defaultIndex,
    search,
    filterQuery,
    shouldSkip,
    primaryEntity,
    riskEntities,
    requestTimerange,
    isStatusLoading,
    riskEngineHasBeenEnabled,
  ]);

[Copilot]

Pull Request Overview

Copilot reviewed 17 out of 17 changed files in this pull request and generated 7 comments.

[Copilot]

The usePageSizePreference hook is duplicating functionality that already exists in use_page_size.ts. Both hooks:

• Store/retrieve page size from localStorage
• Handle validation and defaults
• Provide the same interface

Consider removing this inline implementation and importing usePageSize from ./use_page_size instead, or if the optional localStorageKey parameter is needed, refactor use_page_size.ts to accept an optional key parameter rather than duplicating the entire hook logic.

[Copilot]

The parser has the same issue as the DSL builder. When all requested entities are unsupported, entitiesToProcess will include unsupported entity types (line 55), and the code will attempt to access aggregation buckets using unsupported entity type names as keys (line 84).

Since the DSL builder won't create aggregations for these entity types (or will create invalid ones), rawAggregations?.[entityType] will be undefined, resulting in empty buckets. While this doesn't crash, it's inefficient and inconsistent.

The parser should use the same logic as recommended for the DSL: if supportedEntities.length === 0, return empty results early rather than falling back to unsupported entities.

[Copilot]

Redundant null check at line 103. The condition primaryEntity is already guaranteed to be truthy because:

• primaryEntity = riskEntities[0] ?? singleEntity (line 94)
• The check shouldSkip = skip || riskEntities.length === 0 (line 95) returns early if riskEntities is empty
• If riskEntities[0] exists (length > 0), then primaryEntity will be truthy
• The only case where primaryEntity could be falsy is when riskEntities.length === 0, but that's already handled by shouldSkip

Remove the primaryEntity check from line 103 as it's redundant with the shouldSkip check.

Suggested change

	riskEngineHasBeenEnabled &&
	primaryEntity
	riskEngineHasBeenEnabled

[Copilot]

Duplicate identifier extraction logic. The code extracts identifierCandidates (lines 72-74) and then searches for a valid string identifier twice:

1. Lines 80-82: To populate displayName
2. Lines 102-104: To populate timelineIdentifier

Both searches perform the exact same operation. Extract this once and reuse:

const validIdentifier = identifierCandidates.find(
  (value): value is string => typeof value === 'string' && value.length > 0
);
const displayName = record.entity?.name || validIdentifier || record.entity?.id;
const timelineIdentifier = validIdentifier;

[abhishekbhatia1710]

/ci

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: e9dd7cd

Failed CI Steps

• Quick Checks
• Linting
• Check Types

History

• 💔 Build #360441 failed 531bae1
• 💔 Build #358495 failed 4ec7f83

cc @abhishekbhatia1710

[abhishekbhatia1710]

Closing this as a new PR is created instead : #243311