Skip to content

[Security] Add EA entry to Stack and Serverless release notes #6967

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
natasha-moore-elastic wants to merge 2 commits into
base: main
Choose a base branch
from
+59 −0
Open

[Security] Add EA entry to Stack and Serverless release notes #6967

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9075a5c
[Security] Add EA entry to Stack and Serverless release notes
natasha-moore-elastic Jun 18, 2026
33d93b7
Update release-notes/elastic-security/breaking-changes.md
natasha-moore-elastic Jun 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions release-notes/elastic-cloud-serverless/breaking-changes.md
View file
Open in desktop

@vishaangelova vishaangelova Jun 18, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there an issue we could link to?

@uri-weisman uri-weisman Jun 18, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That was a while ago, and many PR were involved, but if I'm picking one, I think it will be this one.
CC @jared.burgett

Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,37 @@
:::
-->

## May 28, 2026 [elastic-cloud-serverless-05282026-breaking]

Check notice on line 21 in release-notes/elastic-cloud-serverless/breaking-changes.md

View workflow job for this annotation

GitHub Actions / build / vale 

Elastic.WordChoice: Consider using 'can, might' instead of 'May', unless the term is in the UI.

::::{dropdown} Entity Analytics requires additional index privileges for custom roles

The entity store reads entity data from a new set of indices. Roles that grant access to the Entity Analytics features must now include `read` on the following index patterns:

- `.entities.v2.latest.security_*`
- `.entities.v2.updates.security_*`
- `entities-latest-*`
- `risk-score.risk-score-*`
- `.entity_analytics.*`

The built-in Security roles have been updated to grant these privileges. Custom roles created against the `v1` index patterns (`.entities.v1.latest.security_*`) are not updated automatically.

**Impact:**

Users assigned a custom role that does not include the index patterns above will see the **Entity Analytics** page load in a degraded state — without entity data and without the standard "insufficient privileges" message. Users assigned built-in Security roles are not affected.

**Action:** If you use custom roles to control access to Entity Analytics, add `read` on the following entity store and risk score index patterns to each affected role:

```yaml
- names:
- ".entities.v2.latest.security_*"

@natasha-moore-elastic natasha-moore-elastic Jun 18, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@uri-weisman @jaredburgettelastic should .entities.v2.updates.security_* also be listed here, since it's mentioned in the list of index patterns above?

@uri-weisman uri-weisman Jun 18, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The .entities.v2.updates.security_* indices are for our internal use, and it's important that customers who enable Entity Analytics have read permissions on them.
That said, they're not critical for customers who only use the Entity Analytics overview page, since requests from that page don't target these indices.

- "entities-latest-*"
- "risk-score.risk-score-*"
- ".entity_analytics.*"
privileges:
- read
```
::::

@vishaangelova vishaangelova Jun 18, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
::::
For more information, view [#255800]({{kib-pull}}255800).
::::


## April 15, 2026 [elastic-cloud-serverless-04152026-breaking]

:::{dropdown} Disables sequence numbers for TSDB indices in release builds
Expand Down
28 changes: 28 additions & 0 deletions release-notes/elastic-security/breaking-changes.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,34 @@ Risk scoring is moving from name-based to ID-based scoring tied to the entity st
For more information, check [#258197]({{kib-pull}}258197).
::::

::::{dropdown} Entity Analytics requires additional index privileges for custom roles
**Details**<br> Starting in 9.4.0, the entity store reads entity data from a new set of indices. Roles that grant access to the Entity Analytics features must now include `read` on the following index patterns:

- `.entities.v2.latest.security_*`
- `.entities.v2.updates.security_*`
- `entities-latest-*`
- `risk-score.risk-score-*`
- `.entity_analytics.*`

The built-in Security roles have been updated to grant these privileges. Custom roles created against the `v1` index patterns (`.entities.v1.latest.security_*`) are not updated automatically.

**Impact**<br> Users assigned a custom role that does not include the index patterns above will see the **Entity Analytics** page load in a degraded state — without entity data and without the standard "insufficient privileges" message. Users assigned built-in Security roles are not affected.

**Action**<br> If you use custom roles to control access to Entity Analytics, add `read` on the following entity store and risk score index patterns to each affected role:

```yaml
- names:
- ".entities.v2.latest.security_*"
- "entities-latest-*"
- "risk-score.risk-score-*"
- ".entity_analytics.*"
privileges:
- read
```

For more information, check [#255800]({{kib-pull}}255800).
::::
Comment thread
natasha-moore-elastic marked this conversation as resolved.

::::{dropdown} Entity Analytics: Risk engine management APIs removed
The standalone risk engine is replaced by an entity maintainer integrated into the entity store. The following risk engine management API endpoint is removed:

Expand Down
Loading