elastic · natasha-moore-elastic · Oct 6, 2025 · Oct 2, 2025 · Oct 2, 2025 · Oct 6, 2025
@@ -33,7 +33,8 @@ When the entity store is enabled, the following resources are generated for each
 * {{es}} resources, such as transforms, ingest pipelines, and enrich policies.
 * Data and fields for each entity.
 * The `.entities.v1.latest.security_user_<space-id>`, `.entities.v1.latest.security_host_<space-id>`, and `.entities.v1.latest.security_services_<space-id>` indices, which contain field mappings for hosts, users, and services respectively. You can query these indices to see a list of fields that are mapped in the entity store.
-
+* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Snapshot indices (`.entities.v1.history.<ISO_date>.*`) that store daily snapshots of entity data, enabling [historical analysis](/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md#historical-entity-analysis) of attributes over time.
+* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Reset indices (`.entities.v1.reset.*`) that ensure entity timestamps are updated correctly in the latest index, supporting accurate time-based queries and future data resets.
 
 ## Enable entity store [enable-entity-store]
 

@@ -13,14 +13,7 @@ products:
 
 # View and analyze risk score data [analyze-risk-score-data]
 
-The {{security-app}} provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the {{security-app}} to view and analyze risk score data:
-
-* [Entity Analytics overview](#entity-analytics-overview)
-* [Alerts page](#alerts-page)
-* [Alert details flyout](#alert-details-flyout)
-* [Hosts and Users pages](#hosts-users-pages)
-* [Host and user details pages](#host-user-details-pages)
-* [Entity details flyouts](#entity-details-flyouts)
+The {{security-app}} provides several ways to monitor the change in the risk posture of entities in your environment.
 
 ::::{tip}
 We recommend that you prioritize [alert triaging](#alert-triaging) to identify anomalies or abnormal behavior patterns.
@@ -183,3 +176,21 @@ In the entity details flyouts, you can access the risk score data in the risk su
 :alt: Host risk data in the Host risk summary section
 :screenshot:
 :::
+
+## Analyze entities over time [historical-entity-analysis]
+```yaml {applies_to}
+stack: ga 9.2
+serverless: ga
+```
+
+The [entity store](/solutions/security/advanced-entity-analytics/entity-store.md) allows you to analyze how entity attributes change over time, making it easier to investigate past activity, track trends, and identify unusual behavior or changes that indicate risk. Use time-based queries in [Discover](/explore-analyze/discover.md) to answer questions such as:
+
+* What did user A’s attributes look like on March 15?
+* How has user B's risk score changed over the last 90 days?
+* Which user had the biggest jump in their risk score since yesterday?
+
+By analyzing current and past entity data, you can understand how your environment and its entities evolve over time.
+
+::::{note}
+If you enabled the entity store before upgrading to 9.2, you'll need to re-start it using the **On**/**Off** toggle to access the historical analysis feature.
+::::