From 2a0dca7f660b49a7089be2182766811364656198 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 30 May 2025 15:10:11 -0400 Subject: [PATCH 01/13] First draft --- .../elastic-cloud-serverless/known-issues.md | 31 ++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/release-notes/elastic-cloud-serverless/known-issues.md b/release-notes/elastic-cloud-serverless/known-issues.md index 6843ee2622..0a69ed4180 100644 --- a/release-notes/elastic-cloud-serverless/known-issues.md +++ b/release-notes/elastic-cloud-serverless/known-issues.md 
@@ -16,7 +16,36 @@ Known issues are significant defects or limitations that may impact your impleme ## Active -There are no active known issues. +:::{dropdown} In {{sec-serverless}}, the entity risk score feature may stop persisting risk score documents + +On May 30, 2025, it was discovered that the entity risk score feature eventually stop persisting risk score documents if risk scoring was previously turned on. This is due to a bug that prevents the default ingest pipeline for the risk scoring index (`entity_analytics_create_eventIngest_from_timestamp-pipeline-`) to be created when {{kib}} starts up. While document persistence may initially appear to succeed, it eventually fails after 0 to 30 days, which is how long it takes for the risk score data stream to roll over and its underlying index’s settings to take on the new default pipeline. + +**Workaround** + +To resolve this issue, manually create the ingest pipeline in each space in which entity risk scoring is turned on. This can be done using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the space ID. + +``` +PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default +{ + "_meta": { + "managed_by": "entity_analytics", + "managed": true + }, + "description": "Pipeline for adding timestamp value to event.ingested", + "processors": [ + { + "set": { + "field": "event.ingested", + "value": "{{_ingest.timestamp}}" + } + } + ] +} +``` + +After the above step is complete, risk scores should automatically begin to successfully persist during the entity risk engine's next run cycle. Details for the next run time are described on the Entity risk score page. From the page, you can manually run the risk score again by clicking **Run Engine**. + +::: ## Resolved From 2acd7a9de9f61c3a83931b6d56b428a7386047cd Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon Date: Fri, 30 May 2025 15:25:05 -0400 Subject: [PATCH 02/13] updates security release notes --- .../elastic-cloud-serverless/known-issues.md | 2 +- .../elastic-security/known-issues.md | 37 +++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/release-notes/elastic-cloud-serverless/known-issues.md b/release-notes/elastic-cloud-serverless/known-issues.md index 0a69ed4180..cdd5163318 100644 --- a/release-notes/elastic-cloud-serverless/known-issues.md +++ b/release-notes/elastic-cloud-serverless/known-issues.md @@ -22,7 +22,7 @@ On May 30, 2025, it was discovered that the entity risk score feature eventually **Workaround** -To resolve this issue, manually create the ingest pipeline in each space in which entity risk scoring is turned on. This can be done using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the space ID. +To resolve this issue, manually create the ingest pipeline in each space in which you have turned on entity risk scoring. This can be done using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the space ID. ``` PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 111a173df3..35f650771d 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md 
@@ -16,6 +16,43 @@ Known issues are significant defects or limitations that may impact your impleme % ::: +:::{dropdown} In {{sec-serverless}}, the entity risk score feature may stop persisting risk score documents + +Applies to: {{stack}} 9.0.1, 9.0.1, 9.0.2 + +On May 30, 2025, it was discovered that the entity risk score feature eventually stop persisting risk score documents if risk scoring was turned on in {{stack}} 8.18.0 and before you upgraded to {{stack}} 9.0.0 or higher. This is due to a bug that prevents the default ingest pipeline for the risk scoring index in {{stack}} 8.18.0 (`entity_analytics_create_eventIngest_from_timestamp-pipeline-`) to be created when {{kib}} starts up. While document persistence may initially appear to succeed, it eventually fails after 0 to 30 days, which is how long it takes for the risk score data stream to roll over and its underlying index’s settings to take on the new default pipeline. + +**NOTE:** This bug will not affect you if you created an {{es}} cluster in {{stack}} 8.18.0 or 9.0.0 and higher. It also does not affect you if didn’t enable entity risk scoring until {{stack}} 8.18.0 or 9.0.0 and higher. + +**Workaround** + +To resolve this issue, apply the following workaround before or after upgrading to {{stack}} 9.0.0 or higher. + +The first step is to manually create the ingest pipeline in each space in which you have turned on entity risk scoring. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the space ID. 
+ +``` +PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default +{ + "_meta": { + "managed_by": "entity_analytics", + "managed": true + }, + "description": "Pipeline for adding timestamp value to event.ingested", + "processors": [ + { + "set": { + "field": "event.ingested", + "value": "{{_ingest.timestamp}}" + } + } + ] +} +``` + +After the above step is complete, risk scores should automatically begin to successfully persist during the entity risk engine's next run cycle. Details for the next run time are described on the Entity risk score page. From the page, you can manually run the risk score again by clicking **Run Engine**. + +::: + :::{dropdown} Installing an {{elastic-defend}} integration or a new agent policy upgrades installed prebuilt rules, reverting user customizations and overwriting user-added actions and exceptions Applies to: {{stack}} 9.0.0 From c7ec267287b60a9ed201ab29d4db58468e8a088b Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 30 May 2025 15:26:17 -0400 Subject: [PATCH 03/13] Missing word --- release-notes/elastic-cloud-serverless/known-issues.md | 2 +- release-notes/elastic-security/known-issues.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/release-notes/elastic-cloud-serverless/known-issues.md b/release-notes/elastic-cloud-serverless/known-issues.md index cdd5163318..8b26a8ed5a 100644 --- a/release-notes/elastic-cloud-serverless/known-issues.md +++ b/release-notes/elastic-cloud-serverless/known-issues.md 
@@ -18,7 +18,7 @@ Known issues are significant defects or limitations that may impact your impleme :::{dropdown} In {{sec-serverless}}, the entity risk score feature may stop persisting risk score documents -On May 30, 2025, it was discovered that the entity risk score feature eventually stop persisting risk score documents if risk scoring was previously turned on. This is due to a bug that prevents the default ingest pipeline for the risk scoring index (`entity_analytics_create_eventIngest_from_timestamp-pipeline-`) to be created when {{kib}} starts up. While document persistence may initially appear to succeed, it eventually fails after 0 to 30 days, which is how long it takes for the risk score data stream to roll over and its underlying index’s settings to take on the new default pipeline. +On May 30, 2025, it was discovered that the entity risk score feature may eventually stop persisting risk score documents if risk scoring was previously turned on. This is due to a bug that prevents the default ingest pipeline for the risk scoring index (`entity_analytics_create_eventIngest_from_timestamp-pipeline-`) to be created when {{kib}} starts up. While document persistence may initially appear to succeed, it eventually fails after 0 to 30 days, which is how long it takes for the risk score data stream to roll over and its underlying index’s settings to take on the new default pipeline. **Workaround** diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 35f650771d..2c6727c5e6 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md 
@@ -20,7 +20,7 @@ Known issues are significant defects or limitations that may impact your impleme Applies to: {{stack}} 9.0.1, 9.0.1, 9.0.2 -On May 30, 2025, it was discovered that the entity risk score feature eventually stop persisting risk score documents if risk scoring was turned on in {{stack}} 8.18.0 and before you upgraded to {{stack}} 9.0.0 or higher. This is due to a bug that prevents the default ingest pipeline for the risk scoring index in {{stack}} 8.18.0 (`entity_analytics_create_eventIngest_from_timestamp-pipeline-`) to be created when {{kib}} starts up. While document persistence may initially appear to succeed, it eventually fails after 0 to 30 days, which is how long it takes for the risk score data stream to roll over and its underlying index’s settings to take on the new default pipeline. +On May 30, 2025, it was discovered that the entity risk score feature may eventually stop persisting risk score documents if risk scoring was turned on in {{stack}} 8.18.0 and before you upgraded to {{stack}} 9.0.0 or higher. This is due to a bug that prevents the default ingest pipeline for the risk scoring index in {{stack}} 8.18.0 (`entity_analytics_create_eventIngest_from_timestamp-pipeline-`) to be created when {{kib}} starts up. While document persistence may initially appear to succeed, it eventually fails after 0 to 30 days, which is how long it takes for the risk score data stream to roll over and its underlying index’s settings to take on the new default pipeline. **NOTE:** This bug will not affect you if you created an {{es}} cluster in {{stack}} 8.18.0 or 9.0.0 and higher. It also does not affect you if didn’t enable entity risk scoring until {{stack}} 8.18.0 or 9.0.0 and higher. From 02ccf077efb129407bad14f8fc0de56f4d95a32b Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon Date: Fri, 30 May 2025 15:28:56 -0400 Subject: [PATCH 04/13] Minor fixes --- release-notes/elastic-cloud-serverless/known-issues.md | 2 +- release-notes/elastic-security/known-issues.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/release-notes/elastic-cloud-serverless/known-issues.md b/release-notes/elastic-cloud-serverless/known-issues.md index 8b26a8ed5a..8f2cc054bd 100644 --- a/release-notes/elastic-cloud-serverless/known-issues.md +++ b/release-notes/elastic-cloud-serverless/known-issues.md @@ -18,7 +18,7 @@ Known issues are significant defects or limitations that may impact your impleme :::{dropdown} In {{sec-serverless}}, the entity risk score feature may stop persisting risk score documents -On May 30, 2025, it was discovered that the entity risk score feature may eventually stop persisting risk score documents if risk scoring was previously turned on. This is due to a bug that prevents the default ingest pipeline for the risk scoring index (`entity_analytics_create_eventIngest_from_timestamp-pipeline-`) to be created when {{kib}} starts up. While document persistence may initially appear to succeed, it eventually fails after 0 to 30 days, which is how long it takes for the risk score data stream to roll over and its underlying index’s settings to take on the new default pipeline. +On May 30, 2025, it was discovered that the entity risk score feature may eventually stop persisting risk score documents if risk scoring was previously turned on. This is due to a bug that prevents the default ingest pipeline for the risk scoring index (`entity_analytics_create_eventIngest_from_timestamp-pipeline-`) from being created when {{kib}} starts up. While document persistence may initially appear to succeed, it will eventually fail after 0 to 30 days, which is how long it takes for the risk score data stream to roll over and its underlying index’s settings to take on the new default pipeline. **Workaround** 
diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 2c6727c5e6..8edbb2d436 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md 
@@ -20,9 +20,9 @@ Known issues are significant defects or limitations that may impact your impleme Applies to: {{stack}} 9.0.1, 9.0.1, 9.0.2 -On May 30, 2025, it was discovered that the entity risk score feature may eventually stop persisting risk score documents if risk scoring was turned on in {{stack}} 8.18.0 and before you upgraded to {{stack}} 9.0.0 or higher. This is due to a bug that prevents the default ingest pipeline for the risk scoring index in {{stack}} 8.18.0 (`entity_analytics_create_eventIngest_from_timestamp-pipeline-`) to be created when {{kib}} starts up. While document persistence may initially appear to succeed, it eventually fails after 0 to 30 days, which is how long it takes for the risk score data stream to roll over and its underlying index’s settings to take on the new default pipeline. +On May 30, 2025, it was discovered that the entity risk score feature may eventually stop persisting risk score documents if risk scoring was turned on in {{stack}} 8.18.0 and before you upgraded to {{stack}} 9.0.0 or higher. This is due to a bug that prevents the default ingest pipeline for the risk scoring index in {{stack}} 8.18.0 (`entity_analytics_create_eventIngest_from_timestamp-pipeline-`) from being created when {{kib}} starts up. While document persistence may initially appear to succeed, it will eventually fail after 0 to 30 days, which is how long it takes for the risk score data stream to roll over and its underlying index’s settings to take on the new default pipeline. -**NOTE:** This bug will not affect you if you created an {{es}} cluster in {{stack}} 8.18.0 or 9.0.0 and higher. It also does not affect you if didn’t enable entity risk scoring until {{stack}} 8.18.0 or 9.0.0 and higher. +**NOTE:** This bug does not affect {{es}} clusters created in {{stack}} 8.18.0 or 9.0.0 and higher. It also won't affect you if you only turned on entity risk scoring in {{stack}} 8.18.0 or 9.0.0 and higher. **Workaround** 
From 5e12de591cbe57caaf802b883a14584beac09e4d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 30 May 2025 15:45:52 -0400 Subject: [PATCH 05/13] Revisions and formatting --- release-notes/elastic-cloud-serverless/known-issues.md | 8 +++++--- release-notes/elastic-security/known-issues.md | 8 +++++--- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/release-notes/elastic-cloud-serverless/known-issues.md b/release-notes/elastic-cloud-serverless/known-issues.md index 8f2cc054bd..c05046408d 100644 --- a/release-notes/elastic-cloud-serverless/known-issues.md +++ b/release-notes/elastic-cloud-serverless/known-issues.md 
@@ -18,11 +18,13 @@ Known issues are significant defects or limitations that may impact your impleme :::{dropdown} In {{sec-serverless}}, the entity risk score feature may stop persisting risk score documents -On May 30, 2025, it was discovered that the entity risk score feature may eventually stop persisting risk score documents if risk scoring was previously turned on. This is due to a bug that prevents the default ingest pipeline for the risk scoring index (`entity_analytics_create_eventIngest_from_timestamp-pipeline-`) from being created when {{kib}} starts up. While document persistence may initially appear to succeed, it will eventually fail after 0 to 30 days, which is how long it takes for the risk score data stream to roll over and its underlying index’s settings to take on the new default pipeline. +On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was previously turned on. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in an earlier {{serverless-short}} release) from being created when {{kib}} starts up. + +While document persistence may initially appear to succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline. **Workaround** -To resolve this issue, manually create the ingest pipeline in each space in which you have turned on entity risk scoring. This can be done using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the space ID. +To resolve this issue, manually create the ingest pipeline in each space that has entity risk scoring turned on. 
You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the space ID. ``` PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default @@ -43,7 +45,7 @@ PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipelin } ``` -After the above step is complete, risk scores should automatically begin to successfully persist during the entity risk engine's next run cycle. Details for the next run time are described on the Entity risk score page. From the page, you can manually run the risk score again by clicking **Run Engine**. +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. ::: diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 8edbb2d436..6eeb50703f 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md 
@@ -20,7 +20,9 @@ Known issues are significant defects or limitations that may impact your impleme Applies to: {{stack}} 9.0.1, 9.0.1, 9.0.2 -On May 30, 2025, it was discovered that the entity risk score feature may eventually stop persisting risk score documents if risk scoring was turned on in {{stack}} 8.18.0 and before you upgraded to {{stack}} 9.0.0 or higher. This is due to a bug that prevents the default ingest pipeline for the risk scoring index in {{stack}} 8.18.0 (`entity_analytics_create_eventIngest_from_timestamp-pipeline-`) from being created when {{kib}} starts up. While document persistence may initially appear to succeed, it will eventually fail after 0 to 30 days, which is how long it takes for the risk score data stream to roll over and its underlying index’s settings to take on the new default pipeline. +On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on in {{stack}} 8.18.0 before you upgraded to {{stack}} 9.0.0 or higher. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {{stack}} 8.18) from being created when {{kib}} starts up. + +While document persistence may initially appear to succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline. **NOTE:** This bug does not affect {{es}} clusters created in {{stack}} 8.18.0 or 9.0.0 and higher. It also won't affect you if you only turned on entity risk scoring in {{stack}} 8.18.0 or 9.0.0 and higher. 
@@ -28,7 +30,7 @@ On May 30, 2025, it was discovered that the entity risk score feature may eventu To resolve this issue, apply the following workaround before or after upgrading to {{stack}} 9.0.0 or higher. -The first step is to manually create the ingest pipeline in each space in which you have turned on entity risk scoring. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the space ID. +First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the space ID. ``` PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default @@ -49,7 +51,7 @@ PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipelin } ``` -After the above step is complete, risk scores should automatically begin to successfully persist during the entity risk engine's next run cycle. Details for the next run time are described on the Entity risk score page. From the page, you can manually run the risk score again by clicking **Run Engine**. +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. ::: From 61bc9f31ce5c0b19715ac334844aaee423cd28e7 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 30 May 2025 15:48:01 -0400 Subject: [PATCH 06/13] spaces --- release-notes/elastic-cloud-serverless/known-issues.md | 6 +++--- release-notes/elastic-security/known-issues.md | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/release-notes/elastic-cloud-serverless/known-issues.md b/release-notes/elastic-cloud-serverless/known-issues.md index c05046408d..5d57822032 100644 --- a/release-notes/elastic-cloud-serverless/known-issues.md +++ b/release-notes/elastic-cloud-serverless/known-issues.md 
@@ -18,13 +18,13 @@ Known issues are significant defects or limitations that may impact your impleme :::{dropdown} In {{sec-serverless}}, the entity risk score feature may stop persisting risk score documents -On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was previously turned on. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in an earlier {{serverless-short}} release) from being created when {{kib}} starts up. +On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was previously turned on. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in an earlier {{serverless-short}} release) from being created when {{kib}} starts up. While document persistence may initially appear to succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline. **Workaround** -To resolve this issue, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the space ID. +To resolve this issue, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the {{kib}} space ID. 
``` PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default @@ -45,7 +45,7 @@ PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipelin } ``` -After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. ::: diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 6eeb50703f..05770d333e 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md 
@@ -16,11 +16,11 @@ Known issues are significant defects or limitations that may impact your impleme % ::: -:::{dropdown} In {{sec-serverless}}, the entity risk score feature may stop persisting risk score documents +:::{dropdown} In {{sec-serverless}}, the entity risk score feature may stop persisting risk score documents. Applies to: {{stack}} 9.0.1, 9.0.1, 9.0.2 -On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on in {{stack}} 8.18.0 before you upgraded to {{stack}} 9.0.0 or higher. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {{stack}} 8.18) from being created when {{kib}} starts up. +On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on in {{stack}} 8.18.0 before you upgraded to {{stack}} 9.0.0 or higher. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {{stack}} 8.18) from being created when {{kib}} starts up. While document persistence may initially appear to succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline. 
@@ -28,9 +28,9 @@ While document persistence may initially appear to succeed, it will eventually f **Workaround** -To resolve this issue, apply the following workaround before or after upgrading to {{stack}} 9.0.0 or higher. +To resolve this issue, apply the following workaround before or after upgrading to {{stack}} 9.0.0 or higher. -First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the space ID. +First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the {{kib}} space ID. ``` PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default From 30d0e372fea02f360c0e0e0cc81727e3cb36c207 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 30 May 2025 15:50:04 -0400 Subject: [PATCH 07/13] Update release-notes/elastic-security/known-issues.md --- release-notes/elastic-security/known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 05770d333e..9248ec17c0 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md @@ -16,7 +16,7 @@ Known issues are significant defects or limitations that may impact your impleme % ::: -:::{dropdown} In {{sec-serverless}}, the entity risk score feature may stop persisting risk score documents. +:::{dropdown} The entity risk score feature may stop persisting risk score documents Applies to: {{stack}} 9.0.1, 9.0.1, 9.0.2 
From fcd357c2ad41098c401e10e2e4500a091a3003a8 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 30 May 2025 15:54:09 -0400 Subject: [PATCH 08/13] Update release-notes/elastic-security/known-issues.md --- release-notes/elastic-security/known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 9248ec17c0..92bee4a4e4 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md @@ -20,7 +20,7 @@ Known issues are significant defects or limitations that may impact your impleme Applies to: {{stack}} 9.0.1, 9.0.1, 9.0.2 -On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on in {{stack}} 8.18.0 before you upgraded to {{stack}} 9.0.0 or higher. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {{stack}} 8.18) from being created when {{kib}} starts up. +On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {{stack}} 8.18.0+ or 9.0.0+. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {{stack}} 8.18) from being created when {{kib}} starts up. While document persistence may initially appear to succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline. From a9d366eaef3257c789a03a02d7b1f22e684672cc Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon Date: Fri, 30 May 2025 15:58:33 -0400 Subject: [PATCH 09/13] zero --- release-notes/elastic-security/known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 92bee4a4e4..97671bfb91 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md @@ -20,7 +20,7 @@ Known issues are significant defects or limitations that may impact your impleme Applies to: {{stack}} 9.0.1, 9.0.1, 9.0.2 -On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {{stack}} 8.18.0+ or 9.0.0+. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {{stack}} 8.18) from being created when {{kib}} starts up. +On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {{stack}} 8.18.0+ or 9.0.0+. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {{stack}} 8.18.0) from being created when {{kib}} starts up. While document persistence may initially appear to succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline. From 45c785be49e35452ab1cf39f92b17103e75ef973 Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 30 May 2025 16:07:37 -0400 Subject: [PATCH 10/13] Update release-notes/elastic-cloud-serverless/known-issues.md Co-authored-by: Jared Burgett <147995946+jaredburgettelastic@users.noreply.github.com> --- release-notes/elastic-cloud-serverless/known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/elastic-cloud-serverless/known-issues.md b/release-notes/elastic-cloud-serverless/known-issues.md index 5d57822032..6310decd4d 100644 --- a/release-notes/elastic-cloud-serverless/known-issues.md +++ b/release-notes/elastic-cloud-serverless/known-issues.md @@ -20,7 +20,7 @@ Known issues are significant defects or limitations that may impact your impleme On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was previously turned on. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in an earlier {{serverless-short}} release) from being created when {{kib}} starts up. -While document persistence may initially appear to succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline. +While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline. **Workaround** From 86776723296073e2df2c76ade51d2ffb5828fa27 Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 30 May 2025 16:09:38 -0400 Subject: [PATCH 11/13] Update release-notes/elastic-security/known-issues.md Co-authored-by: Jared Burgett <147995946+jaredburgettelastic@users.noreply.github.com> --- release-notes/elastic-security/known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 97671bfb91..7d9b18b8c4 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md @@ -22,7 +22,7 @@ Applies to: {{stack}} 9.0.1, 9.0.1, 9.0.2 On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {{stack}} 8.18.0+ or 9.0.0+. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {{stack}} 8.18.0) from being created when {{kib}} starts up. -While document persistence may initially appear to succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline. +While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline. **NOTE:** This bug does not affect {{es}} clusters created in {{stack}} 8.18.0 or 9.0.0 and higher. It also won't affect you if you only turned on entity risk scoring in {{stack}} 8.18.0 or 9.0.0 and higher. From b115f32584d151b65e2018ea263682d26edbc68a Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 30 May 2025 16:33:32 -0400 Subject: [PATCH 12/13] Update release-notes/elastic-cloud-serverless/known-issues.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- release-notes/elastic-cloud-serverless/known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/elastic-cloud-serverless/known-issues.md b/release-notes/elastic-cloud-serverless/known-issues.md index 6310decd4d..85f7491306 100644 --- a/release-notes/elastic-cloud-serverless/known-issues.md +++ b/release-notes/elastic-cloud-serverless/known-issues.md @@ -45,7 +45,7 @@ PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipelin } ``` -After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the **Entity risk score** page, where you can also manually run the risk score by clicking **Run Engine**. ::: From b72dc4360faea08bc4decee7456ea79cf555425e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 30 May 2025 16:36:07 -0400 Subject: [PATCH 13/13] Shaina's feedback --- release-notes/elastic-security/known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 7d9b18b8c4..1eae0be974 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md 
@@ -51,7 +51,7 @@ PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipelin } ``` -After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the **Entity risk score** page, where you can also manually run the risk score by clicking **Run Engine**. :::
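Review bot: In PATCH 08/13, the `Applies to: {{stack}} 9.0.1, 9.0.1, 9.0.2` context line directly above the changed sentence lists 9.0.1 twice and names no 8.18.x release, while the new wording says the problem follows an upgrade to "8.18.0+ or 9.0.0+". Readers use that line to decide whether the issue concerns them, so it should carry the same version range as the sentence. Please correct it in this series, since the rewritten sentence makes the mismatch visible.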
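Review bot: In PATCH 09/13, the pipeline name in the changed sentence is still written as `entity_analytics_create_eventIngest_from_timestamp-pipeline-`, ending in a dangling hyphen that reads as a truncated identifier. An operator who searches their cluster for that exact string needs to know what follows it, so add a placeholder for the suffix and say in the sentence what the suffix is.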
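Review bot: In PATCH 10/13, the sentence that follows the edited one on the same line, "roll over and apply its underlying index settings to the new default pipeline", has the relationship backwards. The paragraph above describes the pipeline as the default pipeline for the risk scoring index, so on rollover the new backing index starts using the default pipeline; nothing is applied to the pipeline. Since the line is being touched anyway, consider "...for the risk score data stream to roll over and for its new backing index to start using the default pipeline". "After 0 to 30 days" next to "may initially succeed" would also read more clearly as "within 30 days".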
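Review bot: In PATCH 11/13, the **NOTE** context line below the edited sentence writes the unaffected versions as "{{stack}} 8.18.0 or 9.0.0 and higher", which can be read as exactly 8.18.0, while the paragraph above uses "8.18.0+ or 9.0.0+". Use one notation for both so the affected and unaffected ranges can be compared at a glance.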
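Review bot: In PATCH 12/13, the edited sentence gives the reader no way to confirm that the workaround took effect; "should automatically begin to successfully persist" leaves them waiting for the next engine run to find out. Suggest adding a verification step before it, such as a `GET /_ingest/pipeline/` request on the same pipeline name to confirm the pipeline now exists in each space where it was created.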
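Review bot: In PATCH 13/13, "manually run the risk score by clicking **Run Engine**" in the added line does not match the control it names: the button runs the engine, not a score. Suggest "manually run the risk engine by clicking **Run Engine**", and trim "automatically begin to successfully persist" to "begin persisting" while the sentence is open.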