Add data to user details page (#127019)

* Add user information to user details page

x-pack/plugins/security_solution/common/constants.ts

@@ -100,6 +100,8 @@ export enum SecurityPageName {
   hostsExternalAlerts = 'hosts-external_alerts',
   hostsRisk = 'hosts-risk',
   users = 'users',
+  usersAnomalies = 'users-anomalies',
+  usersRisk = 'users-risk',
   investigate = 'investigate',
   network = 'network',
   networkAnomalies = 'network-anomalies',

x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/all/index.ts

@@ -29,5 +29,6 @@ export interface HostsRequestOptions extends RequestOptionsPaginated<HostsFields
 
 export interface HostsSortField {
   field: HostsFields;
+
   direction: Direction;
 }

x-pack/plugins/security_solution/common/search_strategy/security_solution/index.ts

@@ -81,6 +81,8 @@ import {
   KpiRiskScoreStrategyResponse,
   KpiRiskScoreRequestOptions,
 } from './risk_score';
+import { UsersQueries } from './users';
+import { UserDetailsRequestOptions, UserDetailsStrategyResponse } from './users/details';
 
 export * from './cti';
 export * from './hosts';
@@ -91,6 +93,7 @@ export * from './network';
 export type FactoryQueryTypes =
   | HostsQueries
   | HostsKpiQueries
+  | UsersQueries
   | NetworkQueries
   | NetworkKpiQueries
   | RiskQueries
@@ -136,6 +139,8 @@ export type StrategyResponseType<T extends FactoryQueryTypes> = T extends HostsQ
   ? HostsKpiHostsStrategyResponse
   : T extends HostsKpiQueries.kpiUniqueIps
   ? HostsKpiUniqueIpsStrategyResponse
+  : T extends UsersQueries.details
+  ? UserDetailsStrategyResponse
   : T extends NetworkQueries.details
   ? NetworkDetailsStrategyResponse
   : T extends NetworkQueries.dns
@@ -192,6 +197,8 @@ export type StrategyRequestType<T extends FactoryQueryTypes> = T extends HostsQu
   ? HostsKpiHostsRequestOptions
   : T extends HostsKpiQueries.kpiUniqueIps
   ? HostsKpiUniqueIpsRequestOptions
+  : T extends UsersQueries.details
+  ? UserDetailsRequestOptions
   : T extends NetworkQueries.details
   ? NetworkDetailsRequestOptions
   : T extends NetworkQueries.dns

x-pack/plugins/security_solution/common/search_strategy/security_solution/risk_score/common/index.ts

@@ -19,6 +19,10 @@ export const buildHostNamesFilter = (hostNames: string[]) => {
   return { terms: { 'host.name': hostNames } };
 };
 
+export const buildUserNamesFilter = (userNames: string[]) => {
+  return { terms: { 'user.name': userNames } };
+};
+
 export enum RiskQueries {
   riskScore = 'riskScore',
   kpiRiskScore = 'kpiRiskScore',

x-pack/plugins/security_solution/common/search_strategy/security_solution/users/common/index.ts

@@ -6,6 +6,8 @@
  */
 
 import { Maybe, RiskSeverity } from '../../..';
+import { HostEcs } from '../../../../ecs/host';
+import { UserEcs } from '../../../../ecs/user';
 
 export const enum UserRiskScoreFields {
   timestamp = '@timestamp',
@@ -20,3 +22,33 @@ export interface UserRiskScoreItem {
   [UserRiskScoreFields.risk]: Maybe<RiskSeverity>;
   [UserRiskScoreFields.riskScore]: Maybe<number>;
 }
+
+export interface UserItem {
+  user?: Maybe<UserEcs>;
+  host?: Maybe<HostEcs>;
+  lastSeen?: Maybe<string>;
+  firstSeen?: Maybe<string>;
+}
+
+export enum UsersFields {
+  lastSeen = 'lastSeen',
+  hostName = 'userName',
+}
+
+export interface UserAggEsItem {
+  user_id?: UserBuckets;
+  user_domain?: UserBuckets;
+  user_name?: UserBuckets;
+  host_os_name?: UserBuckets;
+  host_ip?: UserBuckets;
+  host_os_family?: UserBuckets;
+  first_seen?: { value_as_string: string };
+  last_seen?: { value_as_string: string };
+}
+
+export interface UserBuckets {
+  buckets: Array<{
+    key: string;
+    doc_count: number;
+  }>;
+}

x-pack/plugins/security_solution/common/search_strategy/security_solution/users/details/index.ts

@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+import type { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+
+import { Inspect, Maybe, TimerangeInput } from '../../../common';
+import { UserItem, UsersFields } from '../common';
+import { RequestOptionsPaginated } from '../..';
+
+export interface UserDetailsStrategyResponse extends IEsSearchResponse {
+  userDetails: UserItem;
+  inspect?: Maybe<Inspect>;
+}
+
+export interface UserDetailsRequestOptions extends Partial<RequestOptionsPaginated<UsersFields>> {
+  userName: string;
+  skip?: boolean;
+  timerange: TimerangeInput;
+  inspect?: Maybe<Inspect>;
+}
+
+export interface AggregationRequest {
+  [aggField: string]: estypes.AggregationsAggregationContainer;
+}

x-pack/plugins/security_solution/common/search_strategy/security_solution/users/index.ts

@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export enum UsersQueries {
+  details = 'userDetails',
+}

x-pack/plugins/security_solution/public/app/deep_links/index.ts

@@ -256,6 +256,24 @@ export const securitySolutionsDeepLinks: SecuritySolutionDeepLink[] = [
           }),
         ],
         order: 9004,
+        deepLinks: [
+          {
+            id: SecurityPageName.usersAnomalies,
+            title: i18n.translate('xpack.securitySolution.search.users.anomalies', {
+              defaultMessage: 'Anomalies',
+            }),
+            path: `${USERS_PATH}/anomalies`,
+            isPremium: true,
+          },
+          {
+            id: SecurityPageName.usersRisk,
+            title: i18n.translate('xpack.securitySolution.search.users.risk', {
+              defaultMessage: 'Risk',
+            }),
+            path: `${USERS_PATH}/userRisk`,
+            isPremium: true,
+          },
+        ],
       },
     ],
   },