From 7805d281144236638d7cfada76d87467686ff832 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 30 May 2025 15:56:15 -0400 Subject: [PATCH 1/3] First draft --- docs/release-notes/8.18.asciidoc | 121 +++++++++++++++++++++++++++++++ 1 file changed, 121 insertions(+) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 90b72a7f9c..ceed1e2528 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -9,6 +9,46 @@ [[known-issue-8.18.2]] ==== Known issues +// tag::known-issue[] +[discrete] +.The entity risk score feature may stop persisting risk score documents +[%collapsible] +==== +*Details* + +On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {stack} 8.18.0 or higher. + +This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {stack} 8.18.0) from being created when {kib} starts up. + +*Workaround* + + +To resolve this issue, apply the following workaround before or after upgrading to {stack} 8.18.0 or higher. + +First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the {kib} space ID. + +``` +PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default +{ + "_meta": { + "managed_by": "entity_analytics", + "managed": true + }, + "description": "Pipeline for adding timestamp value to event.ingested", + "processors": [ + { + "set": { + "field": "event.ingested", + "value": "{{_ingest.timestamp}}" + } + } + ] +} +``` + +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. + +==== +// end::known-issue[] + // tag::known-issue[] [discrete] .The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules 
@@ -36,6 +76,46 @@ On April 8, 2025, it was discovered that alert suppression for event correlation [[known-issue-8.18.1]] ==== Known issues +// tag::known-issue[] +[discrete] +.The entity risk score feature may stop persisting risk score documents +[%collapsible] +==== +*Details* + +On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {stack} 8.18.0 or higher. + +This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {stack} 8.18.0) from being created when {kib} starts up. + +*Workaround* + + +To resolve this issue, apply the following workaround before or after upgrading to {stack} 8.18.0 or higher. + +First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the {kib} space ID. + +``` +PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default +{ + "_meta": { + "managed_by": "entity_analytics", + "managed": true + }, + "description": "Pipeline for adding timestamp value to event.ingested", + "processors": [ + { + "set": { + "field": "event.ingested", + "value": "{{_ingest.timestamp}}" + } + } + ] +} +``` + +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. + +==== +// end::known-issue[] + // tag::known-issue[] [discrete] .The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules 
@@ -71,6 +151,47 @@ On April 8, 2025, it was discovered that alert suppression for event correlation [discrete] [[known-issue-8.18.0]] ==== Known issues + +// tag::known-issue[] +[discrete] +.The entity risk score feature may stop persisting risk score documents +[%collapsible] +==== +*Details* + +On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {stack} 8.18.0 or higher. + +This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {stack} 8.18.0) from being created when {kib} starts up. + +*Workaround* + + +To resolve this issue, apply the following workaround before or after upgrading to {stack} 8.18.0 or higher. + +First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the {kib} space ID. + +``` +PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default +{ + "_meta": { + "managed_by": "entity_analytics", + "managed": true + }, + "description": "Pipeline for adding timestamp value to event.ingested", + "processors": [ + { + "set": { + "field": "event.ingested", + "value": "{{_ingest.timestamp}}" + } + } + ] +} +``` + +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. + +==== +// end::known-issue[] + // tag::known-issue[] [discrete] .Rules cannot be enabled if they're corrupted while upgrading from 7.17.x to 8.x 
From 27964996e795762259d264563e6317395c6bf0eb Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 30 May 2025 16:09:13 -0400 Subject: [PATCH 2/3] Missing part --- docs/release-notes/8.18.asciidoc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index ceed1e2528..543f6ab286 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -19,6 +19,8 @@ On May 30, 2025, it was discovered that the entity risk score feature may stop p This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {stack} 8.18.0) from being created when {kib} starts up. +While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline. + *Workaround* + To resolve this issue, apply the following workaround before or after upgrading to {stack} 8.18.0 or higher. @@ -86,6 +88,8 @@ On May 30, 2025, it was discovered that the entity risk score feature may stop p This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {stack} 8.18.0) from being created when {kib} starts up. +While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline. + *Workaround* + To resolve this issue, apply the following workaround before or after upgrading to {stack} 8.18.0 or higher. 
@@ -162,6 +166,8 @@ On May 30, 2025, it was discovered that the entity risk score feature may stop p This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-` ingest pipeline (which is set as a default pipeline for the risk scoring index in {stack} 8.18.0) from being created when {kib} starts up. +While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline. + *Workaround* + To resolve this issue, apply the following workaround before or after upgrading to {stack} 8.18.0 or higher. From bd506f469c2b19ca43baf49172dec01583a58d2f Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 30 May 2025 16:43:42 -0400 Subject: [PATCH 3/3] Space and bold --- docs/release-notes/8.18.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 543f6ab286..d1086894ae 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -46,7 +46,7 @@ PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipelin } ``` -After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the **Entity risk score** page, where you can also manually run the risk score by clicking **Run Engine**. ==== // end::known-issue[] 
@@ -115,7 +115,7 @@ PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipelin } ``` -After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the **Entity risk score** page, where you can also manually run the risk score by clicking **Run Engine**. ==== // end::known-issue[] @@ -193,7 +193,7 @@ PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipelin } ``` -After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the **Entity risk score** page, where you can also manually run the risk score by clicking **Run Engine**. ==== // end::known-issue[]
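Review bot: the workaround in the first hunk of PATCH 1/3 (`@@ -9,6 +9,46`, and its copies in the 8.18.1 and 8.18.0 sections) opens with "First, manually create the ingest pipeline" but no second step ever follows; either drop "First" or make the confirmation an explicit step, for example `GET /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default` to check the pipeline exists before clicking **Run Engine**. The same paragraph tells readers to repeat the PUT "in each space that has entity risk scoring turned on" and that `default` is the space ID, but not where to find the ID of a non-default space, which is the one value they have to substitute. Since the document sets `"managed_by": "entity_analytics"` and `"managed": true`, it should also say whether a later release that fixes the startup bug will overwrite or keep the manually created pipeline, so operators know if the object is theirs to maintain.

Review bot: the same forty-line known-issue block is pasted three times in PATCH 1/3 (hunks `@@ -9,6`, `@@ -36,6` and `@@ -71,6`), and PATCH 2/3 and PATCH 3/3 each had to edit all three copies; if the build allows it, keep one copy and pull it into the other two sections with an `include::` on the existing `tag::known-issue[]` / `end::known-issue[]` markers so the wording cannot drift. Two layout nits in the same hunks: the 8.18.0 copy inserts an extra blank line before `// tag::known-issue[]` that the 8.18.2 and 8.18.1 copies do not, and `*Workaround*` is followed by two blank lines where one is the pattern elsewhere in the file.

Review bot: the sentence added in PATCH 2/3 ("This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline") has the relationship backwards: nothing is applied to the pipeline; the risk scoring index settings name the pipeline as the default pipeline, as the preceding paragraph already says, and a rollover produces a new backing index carrying that setting, so writes fail from the first rollover after the upgrade. Suggest: "Writes may succeed at first, but they fail after the risk score data stream next rolls over, which can take up to 30 days, because the new backing index is created with the missing pipeline set as its default pipeline." "0 to 30 days" should become "up to 30 days" for the same reason, since the lower bound adds nothing.

Review bot: in the three hunks of PATCH 3/3, "manually run the risk score by clicking **Run Engine**" should read "manually run the risk engine by clicking **Run Engine**", since the button runs the engine rather than a score; and if the **Entity risk score** page has an anchor in these docs, an `xref` to it is more useful to the reader than the bolded page name the patch settles on.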