Merged
Expand Up @@ -33,7 +33,8 @@ When the entity store is enabled, the following resources are generated for each
* {{es}} resources, such as transforms, ingest pipelines, and enrich policies.
* Data and fields for each entity.
* The `.entities.v1.latest.security_user_<space-id>`, `.entities.v1.latest.security_host_<space-id>`, and `.entities.v1.latest.security_services_<space-id>` indices, which contain field mappings for hosts, users, and services respectively. You can query these indices to see a list of fields that are mapped in the entity store.

* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Snapshot indices (`.entities.v1.history.<ISO_date>.*`) that store daily snapshots of entity data, enabling [historical analysis](/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#historical-entity-analysis) of attributes over time.
* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Reset indices (`.entities.v1.reset.*`) that ensure entity timestamps are updated correctly in the latest index, supporting accurate time-based queries and future data resets.

## Enable entity store [enable-entity-store]

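Review bot: the blank line placed between the existing `.entities.v1.latest...` item and the two new `{applies_to}` bullets will either split the list in two or turn it into a loose list, depending on the renderer; drop that blank line so all five generated resources render as one bulleted list. The reset-indices bullet is also too vague to act on: "ensure entity timestamps are updated correctly in the latest index, supporting accurate time-based queries and future data resets" never says what a data reset is or when the `.entities.v1.reset.*` indices are written, so add one clause that states the trigger (confirm the wording with the feature owners rather than guessing it). Minor, in the context line: the indices are listed as user, host, services but described as "for hosts, users, and services respectively"; reorder one side so "respectively" is accurate.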
Expand Up @@ -13,21 +13,12 @@ products:

# View and analyze risk score data [analyze-risk-score-data]

The {{security-app}} provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the {{security-app}} to view and analyze risk score data:

* [Entity Analytics overview](#entity-analytics-overview)
* [Alerts page](#alerts-page)
* [Alert details flyout](#alert-details-flyout)
* [Hosts and Users pages](#hosts-users-pages)
* [Host and user details pages](#host-user-details-pages)
* [Entity details flyouts](#entity-details-flyouts)
The {{security-app}} provides several ways to monitor the change in the risk posture of entities in your environment.

::::{tip}
We recommend that you prioritize [alert triaging](#alert-triaging) to identify anomalies or abnormal behavior patterns.
After reviewing an entity’s risk score, the recommended next step is to investigate the risky entity in [Timeline](/solutions/security/investigate/timeline.md).
::::



## Entity Analytics overview [entity-analytics-overview]

In the Entity Analytics overview, you can view entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page.
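Review bot: the rewritten tip drops the old pointer to `#alert-triaging` ("We recommend that you prioritize [alert triaging](#alert-triaging) ..."). If that section still exists on the page, the intro no longer points readers to it, and if it was removed in this change, check that no other page links to the anchor. Removing the in-page list of locations is fine as long as every heading it linked to (`#entity-analytics-overview`, `#alerts-page`, `#hosts-users-pages`, and so on) keeps its explicit anchor, since external pages may deep-link to them. Also, leave a single blank line between the closing `::::` of the tip and the `## Entity Analytics overview` heading rather than the run of blanks shown here.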
Expand Down Expand Up @@ -183,3 +174,21 @@ In the entity details flyouts, you can access the risk score data in the risk su
:alt: Host risk data in the Host risk summary section
:screenshot:
:::

## Analyze entities over time [historical-entity-analysis]
```yaml {applies_to}
stack: ga 9.2
serverless: ga
```

The [entity store](/solutions/security/advanced-entity-analytics/entity-store.md) allows you to analyze how entity attributes change over time, making it easier to investigate past activity, track trends, and identify unusual behavior or changes that may indicate risk. Use time-based queries in [Discover](/explore-analyze/discover.md) to answer questions such as:

* What did user A’s attributes look like on March 15?
* How has user B's risk score changed over the last 90 days?
* Which user had the biggest jump in their risk score since yesterday?

We should verify through testing that we can indeed answer these questions in version 9.2. cc: @uri-weisman

By analyzing current and past entity data, you can understand how your environment and its entities evolve over time.

::::{note}
If you enabled the entity store before upgrading to 9.2, you'll need to re-start it using the **On**/**Off** toggle to access the historical analysis feature.
::::
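Review bot: the three example questions are not backed by any query, and the sentence before them tells readers to "Use time-based queries in [Discover]" without saying which indices to query, so the section cannot be followed. Tie it to the snapshot indices this same PR documents in entity-store.md by naming the `.entities.v1.history.*` pattern and showing one worked example, for instance: create a data view over `.entities.v1.history.*` in Discover, then filter on the entity's name field together with a date range such as `@timestamp >= "2025-03-15" and @timestamp < "2025-03-16"` (this assumes the snapshot documents carry `@timestamp`; adjust to the actual timestamp field). The third question, "Which user had the biggest jump in their risk score since yesterday?", needs a comparison across two snapshots rather than a filter; either show how that is done or drop it, which also addresses the open review thread asking for verification in 9.2. Smaller points in the same hunk: put a blank line between the `## Analyze entities over time` heading and the `{applies_to}` block; "user A’s" uses a curly apostrophe while "user B's" uses a straight one; in the note, "re-start" should be "restart", and say which page hosts the **On**/**Off** toggle so readers know where to go.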