From 9075a5c5382404d9ce979dd6a25d43cdc56eaea4 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 18 Jun 2026 10:05:55 +0100 Subject: [PATCH 1/2] [Security] Add EA entry to Stack and Serverless release notes --- .../breaking-changes.md | 31 +++++++++++++++++++ .../elastic-security/breaking-changes.md | 26 ++++++++++++++++ 2 files changed, 57 insertions(+) diff --git a/release-notes/elastic-cloud-serverless/breaking-changes.md b/release-notes/elastic-cloud-serverless/breaking-changes.md index 19d2d8c907..f6eb691326 100644 --- a/release-notes/elastic-cloud-serverless/breaking-changes.md +++ b/release-notes/elastic-cloud-serverless/breaking-changes.md 
@@ -18,6 +18,37 @@ products: ::: --> +## May 28, 2026 [elastic-cloud-serverless-05282026-breaking] + +::::{dropdown} Entity Analytics requires additional index privileges for custom roles + +The entity store reads entity data from a new set of indices. Roles that grant access to the Entity Analytics features must now include `read` on the following index patterns: + +- `.entities.v2.latest.security_*` +- `.entities.v2.updates.security_*` +- `entities-latest-*` +- `risk-score.risk-score-*` +- `.entity_analytics.*` + +The built-in Security roles have been updated to grant these privileges. Custom roles created against the `v1` index patterns (`.entities.v1.latest.security_*`) are not updated automatically. + +**Impact:** + +Users assigned a custom role that does not include the index patterns above will see the **Entity Analytics** page load in a degraded state — without entity data and without the standard "insufficient privileges" message. Users assigned built-in Security roles are not affected. + +**Action:** If you use custom roles to control access to Entity Analytics, add `read` on the following entity store and risk score index patterns to each affected role: + +```yaml +- names: + - ".entities.v2.latest.security_*" + - "entities-latest-*" + - "risk-score.risk-score-*" + - ".entity_analytics.*" + privileges: + - read +``` +:::: + ## April 15, 2026 [elastic-cloud-serverless-04152026-breaking] :::{dropdown} Disables sequence numbers for TSDB indices in release builds diff --git a/release-notes/elastic-security/breaking-changes.md b/release-notes/elastic-security/breaking-changes.md index b976f9ecea..fb37fba40a 100644 --- a/release-notes/elastic-security/breaking-changes.md +++ b/release-notes/elastic-security/breaking-changes.md 
@@ -34,6 +34,32 @@ Risk scoring is moving from name-based to ID-based scoring tied to the entity st For more information, check [#258197]({{kib-pull}}258197). :::: +::::{dropdown} Entity Analytics requires additional index privileges for custom roles +**Details**
Starting in 9.4.0, the entity store reads entity data from a new set of indices. Roles that grant access to the Entity Analytics features must now include `read` on the following index patterns: + +- `.entities.v2.latest.security_*` +- `.entities.v2.updates.security_*` +- `entities-latest-*` +- `risk-score.risk-score-*` +- `.entity_analytics.*` + +The built-in Security roles have been updated to grant these privileges. Custom roles created against the `v1` index patterns (`.entities.v1.latest.security_*`) are not updated automatically. + +**Impact**
Users assigned a custom role that does not include the index patterns above will see the **Entity Analytics** page load in a degraded state — without entity data and without the standard "insufficient privileges" message. Users assigned built-in Security roles are not affected. + +**Action**
If you use custom roles to control access to Entity Analytics, add `read` on the following entity store and risk score index patterns to each affected role: + +```yaml +- names: + - ".entities.v2.latest.security_*" + - "entities-latest-*" + - "risk-score.risk-score-*" + - ".entity_analytics.*" + privileges: + - read +``` +:::: + ::::{dropdown} Entity Analytics: Risk engine management APIs removed The standalone risk engine is replaced by an entity maintainer integrated into the entity store. The following risk engine management API endpoint is removed: From 33d93b7f379743d14116fa1cc493e37ab81ad869 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Thu, 18 Jun 2026 16:23:14 +0100 Subject: [PATCH 2/2] Update release-notes/elastic-security/breaking-changes.md Co-authored-by: Visha Angelova <91186315+vishaangelova@users.noreply.github.com> --- release-notes/elastic-security/breaking-changes.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/release-notes/elastic-security/breaking-changes.md b/release-notes/elastic-security/breaking-changes.md index fb37fba40a..28fa2c8c5c 100644 --- a/release-notes/elastic-security/breaking-changes.md +++ b/release-notes/elastic-security/breaking-changes.md @@ -58,6 +58,8 @@ The built-in Security roles have been updated to grant these privileges. Custom privileges: - read ``` + +For more information, check [#255800]({{kib-pull}}255800). :::: ::::{dropdown} Entity Analytics: Risk engine management APIs removed
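Review bot: In the `release-notes/elastic-cloud-serverless/breaking-changes.md` hunk, the YAML under **Action** lists four index patterns while the required list above it has five: `.entities.v2.updates.security_*` is missing from `names`. A reader who copies the snippet into a custom role is left without `read` on an index the entry itself says is required. Add `- ".entities.v2.updates.security_*"` to the snippet, or state in the text why that pattern does not need to be granted.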
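Review bot: In the first `release-notes/elastic-security/breaking-changes.md` hunk, **Impact** says the page degrades without the standard "insufficient privileges" message, but **Action** gives administrators no way to find the affected roles. Since the entry already names `.entities.v1.latest.security_*` as the pattern older custom roles were built against, say so in **Action** (review roles that still reference the `v1` pattern) and state whether that `v1` grant should be kept or removed once the new patterns are added. The YAML here also lists only four of the five patterns from **Details**; `.entities.v2.updates.security_*` is absent.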
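Review bot: Patch 2/2 adds `For more information, check [#255800]({{kib-pull}}255800).` to the elastic-security entry only; the serverless entry added in patch 1/2 still ends at the closing code fence with no reference. If the same Kibana change drives both entries, add the equivalent line before the closing `::::` in `release-notes/elastic-cloud-serverless/breaking-changes.md`, in whatever link form that file uses, so both copies point readers to the source change.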