[Release notes][Serverless & Sec 9.x] Add known issue to release notes for "Entity Risk Score documents eventually fail to persist (#1550)

nastasha-solomon · jaredburgettelastic · shainaraskas · web-flow · commit 5b47cc9a10fb · 2025-05-30T16:47:10.000-04:00
Contributes to #1548 by adding a known issue about the risk score feature in Serverless and Security 9.x. Preview: - [Elastic Cloud Serverless known issues](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/1550/release-notes/elastic-cloud-serverless/known-issues) - [Security Serverless 9.x known issues](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/1550/release-notes/elastic-security/known-issues) **Corresponding PRs** - 8.x: elastic/security-docs#6866 --------- Co-authored-by: Jared Burgett <147995946+jaredburgettelastic@users.noreply.github.com> Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com>
diff --git a/release-notes/elastic-cloud-serverless/known-issues.md b/release-notes/elastic-cloud-serverless/known-issues.md
@@ -16,7 +16,38 @@ Known issues are significant defects or limitations that may impact your impleme
 
 ## Active
 
-There are no active known issues. 
+:::{dropdown} In {{sec-serverless}}, the entity risk score feature may stop persisting risk score documents
+
+On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was previously turned on. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name>` ingest pipeline (which is set as a default pipeline for the risk scoring index in an earlier {{serverless-short}} release) from being created when {{kib}} starts up.
+
+While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline.
+
+**Workaround**
+
+To resolve this issue, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the {{kib}} space ID.
+
+```
+PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default
+{
+  "_meta": {
+    "managed_by": "entity_analytics",
+    "managed": true
+  },
+  "description": "Pipeline for adding timestamp value to event.ingested",
+  "processors": [
+    {
+      "set": {
+        "field": "event.ingested",
+        "value": "{{_ingest.timestamp}}"
+      }
+    }
+  ]
+}
+```
+
+After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the **Entity risk score** page, where you can also manually run the risk score by clicking **Run Engine**.
+
+:::
 
 ## Resolved
 
diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md
@@ -16,6 +16,45 @@ Known issues are significant defects or limitations that may impact your impleme
 
 % :::
 
+:::{dropdown} The entity risk score feature may stop persisting risk score documents
+
+Applies to: {{stack}} 9.0.1, 9.0.1, 9.0.2
+
+On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {{stack}} 8.18.0+ or 9.0.0+. This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name>` ingest pipeline (which is set as a default pipeline for the risk scoring index in {{stack}} 8.18.0) from being created when {{kib}} starts up.
+
+While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline.
+
+**NOTE:** This bug does not affect {{es}} clusters created in {{stack}} 8.18.0 or 9.0.0 and higher. It also won't affect you if you only turned on entity risk scoring in {{stack}} 8.18.0 or 9.0.0 and higher.
+
+**Workaround**
+
+To resolve this issue, apply the following workaround before or after upgrading to {{stack}} 9.0.0 or higher.
+
+First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the {{kib}} space ID.
+
+```
+PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default
+{
+  "_meta": {
+    "managed_by": "entity_analytics",
+    "managed": true
+  },
+  "description": "Pipeline for adding timestamp value to event.ingested",
+  "processors": [
+    {
+      "set": {
+        "field": "event.ingested",
+        "value": "{{_ingest.timestamp}}"
+      }
+    }
+  ]
+}
+```
+
+After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the **Entity risk score** page, where you can also manually run the risk score by clicking **Run Engine**. 
+
+:::
+
 :::{dropdown} Installing an {{elastic-defend}} integration or a new agent policy upgrades installed prebuilt rules, reverting user customizations and overwriting user-added actions and exceptions
 
 Applies to: {{stack}} 9.0.0
