[Security Solution] Fields with more than one value may display different `Alert prevalence` counts in the alert flyout vs a timeline

[andrew-goldstein]

Summary

Fields with more than one value may display different Alert prevalence counts in the alert flyout vs a timeline

Background

https://github.com/elastic/kibana/pull/131255 adds the Investigate in timeline action to the Alert prevalence column of the Highlighted fields table in the alert flyout, as shown in the screenshot below:

Fields that typically have just one value, like process.name, consistently display the same alert counts in both the Alert prevalence column in the flyout, and in a timeline when the Investigate in timeline action is performed by clicking the hover action next to the count.

Fields that have more than one value sometimes display different counts between the flyout and Timeline.

Example: The process.args in the sample JSON below contains two values:

    "process": {
      "args": [
        "\"C:\\lsass.exe\"",
        "--jyf"
      ],
      "name": "lsass.exe",
    },

In the video below:

• The process.args field displays 570 in the Alert prevalence column in the flyout
• Timeline displays a count of 285 alerts when the Investigate in timeline action is invoked

https://user-images.githubusercontent.com/4459398/167693128-52a0024e-4f71-4308-a8f5-c67050aed8f7.mov

Kibana/Elasticsearch Stack version:

8.3.0

Steps to reproduce:

1) Navigate to the Alerts page in the Security Solution

2) Add the following query to the search bar to filter for process events where process.args exists:

event.category: "process" and process.args : *

3) Keep clicking the View details action on alerts in the table until an alert that has multiple values for the process.args field is displayed in the alerts flyout

4) For a field with a single value, like process.name, click the Investigate in timeline action next to the count in the Alert prevalence column

Expected result

• The Alert prevalence count displayed in the flyout exactly matches the count displayed in Timeline's Query tab

5) Close timeline

6) In the alerts flyout, click the click the Investigate in timeline action next to the process.args column, which contains multiple values

Expected result

• Once agin, the Alert prevalence count displayed in the flyout exactly matches the count displayed in Timeline's Query tab

Actual result

• The counts are different, per the video below:

https://user-images.githubusercontent.com/4459398/167693128-52a0024e-4f71-4308-a8f5-c67050aed8f7.mov

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[elasticmachine]

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)