From 5fb8ce3ec6af26944c7ea65c8bf6d8e19ca821d2 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 2 Oct 2025 09:28:46 +0100 Subject: [PATCH 1/2] [Security] Entity store historical views --- .../advanced-entity-analytics/entity-store.md | 3 ++- .../view-analyze-risk-score-data.md | 27 +++++++++++++------ 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/solutions/security/advanced-entity-analytics/entity-store.md b/solutions/security/advanced-entity-analytics/entity-store.md index 8044ef5ca5..a2e3d77b0b 100644 --- a/solutions/security/advanced-entity-analytics/entity-store.md +++ b/solutions/security/advanced-entity-analytics/entity-store.md @@ -33,7 +33,8 @@ When the entity store is enabled, the following resources are generated for each * {{es}} resources, such as transforms, ingest pipelines, and enrich policies. * Data and fields for each entity. * The `.entities.v1.latest.security_user_`, `.entities.v1.latest.security_host_`, and `.entities.v1.latest.security_services_` indices, which contain field mappings for hosts, users, and services respectively. You can query these indices to see a list of fields that are mapped in the entity store. - +* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Snapshot indices (`.entities.v1.history..*`) that store daily snapshots of entity data, enabling [historical analysis](/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#historical-entity-analysis) of attributes over time. +* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Reset indices (`.entities.v1.reset.*`) that ensure entity timestamps are updated correctly in the latest index, supporting accurate time-based queries and future data resets. ## Enable entity store [enable-entity-store] diff --git a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md index a29641bd03..4864bbaa7d 100644 
--- a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md +++ b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md @@ -13,14 +13,7 @@ products: # View and analyze risk score data [analyze-risk-score-data] -The {{security-app}} provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the {{security-app}} to view and analyze risk score data: - -* [Entity Analytics overview](#entity-analytics-overview) -* [Alerts page](#alerts-page) -* [Alert details flyout](#alert-details-flyout) -* [Hosts and Users pages](#hosts-users-pages) -* [Host and user details pages](#host-user-details-pages) -* [Entity details flyouts](#entity-details-flyouts) +The {{security-app}} provides several ways to monitor the change in the risk posture of entities in your environment. ::::{tip} We recommend that you prioritize [alert triaging](#alert-triaging) to identify anomalies or abnormal behavior patterns. 
@@ -183,3 +176,21 @@ In the entity details flyouts, you can access the risk score data in the risk su :alt: Host risk data in the Host risk summary section :screenshot: ::: + +## Analyze entities over time [historical-entity-analysis] +```yaml {applies_to} +stack: ga 9.2 +serverless: ga +``` + +The [entity store](/solutions/security/advanced-entity-analytics/entity-store.md) allows you to analyze how entity attributes change over time, making it easier to investigate past activity, track trends, and identify unusual behavior or changes that indicate risk. Use time-based queries in [Discover](/explore-analyze/discover.md) to answer questions such as: + +* What did user A’s attributes look like on March 15? +* How has user B's risk score changed over the last 90 days? +* Which user had the biggest jump in their risk score since yesterday? + +By analyzing current and past entity data, you can understand how your environment and its entities evolve over time. + +::::{note} +If you enabled the entity store before upgrading to 9.2, you'll need to re-start it using the **On**/**Off** toggle to access the historical analysis feature. +:::: \ No newline at end of file From 864d3792cdc6957cd3b2e60bdf0f93447bc1524d Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 2 Oct 2025 17:29:17 +0100 Subject: [PATCH 2/2] address feedback --- .../view-analyze-risk-score-data.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md index 4864bbaa7d..2f647d6dee 100644 --- a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md +++ b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md 
@@ -16,11 +16,9 @@ products: The {{security-app}} provides several ways to monitor the change in the risk posture of entities in your environment. ::::{tip} -We recommend that you prioritize [alert triaging](#alert-triaging) to identify anomalies or abnormal behavior patterns. +After reviewing an entity’s risk score, the recommended next step is to investigate the risky entity in [Timeline](/solutions/security/investigate/timeline.md). :::: - - ## Entity Analytics overview [entity-analytics-overview] In the Entity Analytics overview, you can view entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page. @@ -183,7 +181,7 @@ stack: ga 9.2 serverless: ga ``` -The [entity store](/solutions/security/advanced-entity-analytics/entity-store.md) allows you to analyze how entity attributes change over time, making it easier to investigate past activity, track trends, and identify unusual behavior or changes that indicate risk. Use time-based queries in [Discover](/explore-analyze/discover.md) to answer questions such as: +The [entity store](/solutions/security/advanced-entity-analytics/entity-store.md) allows you to analyze how entity attributes change over time, making it easier to investigate past activity, track trends, and identify unusual behavior or changes that may indicate risk. Use time-based queries in [Discover](/explore-analyze/discover.md) to answer questions such as: * What did user A’s attributes look like on March 15? * How has user B's risk score changed over the last 90 days?
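Review bot: In the entity-store.md hunk (@@ -33,7 +33,8 @@), the snapshot index pattern `.entities.v1.history..*` has a doubled dot while the reset pattern in the next bullet is `.entities.v1.reset.*`; if the double dot is a typo it should be fixed, and if it stands for an entity-type segment it should be written out explicitly, the way the existing bullet spells out `.entities.v1.latest.security_user_`, `.entities.v1.latest.security_host_`, and `.entities.v1.latest.security_services_`. The reset-indices bullet also tells an administrator only that these indices "ensure entity timestamps are updated correctly in the latest index"; a short statement of what is actually stored in them would make it clear why they appear in the cluster and whether they need retention or access control like the other entity indices.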
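Review bot: In the first view-analyze-risk-score-data.md hunk (@@ -13,14 +13,7 @@), deleting the bulleted list removes the page's only in-page links to the six sections (`#entity-analytics-overview`, `#alerts-page`, `#alert-details-flyout`, `#hosts-users-pages`, `#host-user-details-pages`, `#entity-details-flyouts`), and the replacement sentence "provides several ways to monitor the change in the risk posture of entities" no longer says where those ways are. Either keep the list, or end the sentence with a pointer such as "as described in the sections below" so the reader knows the rest of the page is the enumeration.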
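Review bot: In the hunk adding the "Analyze entities over time" section (@@ -183,3 +176,21 @@), the text tells the reader to "Use time-based queries in Discover" but never names what to query; the snapshot indices introduced in entity-store.md by this same patch (`.entities.v1.history..*`) are the natural target, so add a sentence naming that index pattern and noting that a data view matching it is needed before the three example questions can be answered in Discover. Two smaller points in the same hunk: the note says "re-start it using the **On**/**Off** toggle" (should be "restart"), and it is phrased only around "upgrading to 9.2" even though the `{applies_to}` block also lists `serverless: ga`, so state whether serverless users need to do anything; and the hunk ends with "\ No newline at end of file", which should be corrected before merge.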
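Review bot: In the PATCH 2/2 tip hunk (@@ -16,11 +16,9 @@), the removed line "We recommend that you prioritize [alert triaging](#alert-triaging) ..." was a link to the `#alert-triaging` anchor; confirm that section is still reachable from elsewhere on the page (or that the anchor is intentionally orphaned), otherwise readers of this page lose the pointer to the triage guidance while the new tip sends them straight to Timeline. The new tip text itself reads fine.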