|
9 | 9 | [[known-issue-8.18.2]] |
10 | 10 | ==== Known issues |
11 | 11 |
|
| 12 | +// tag::known-issue[] |
| 13 | +[discrete] |
| 14 | +.The entity risk score feature may stop persisting risk score documents |
| 15 | +[%collapsible] |
| 16 | +==== |
| 17 | +*Details* + |
| 18 | +On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {stack} 8.18.0 or higher. |
| 19 | +
|
| 20 | +This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name>` ingest pipeline (which is set as a default pipeline for the risk scoring index in {stack} 8.18.0) from being created when {kib} starts up. |
| 21 | +
|
| 22 | +*Workaround* + |
| 23 | +
|
| 24 | +To resolve this issue, apply the following workaround before or after upgrading to {stack} 8.18.0 or higher. |
| 25 | +
|
| 26 | +First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the {kib} space ID. |
| 27 | +
|
| 28 | +``` |
| 29 | +PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default |
| 30 | +{ |
| 31 | + "_meta": { |
| 32 | + "managed_by": "entity_analytics", |
| 33 | + "managed": true |
| 34 | + }, |
| 35 | + "description": "Pipeline for adding timestamp value to event.ingested", |
| 36 | + "processors": [ |
| 37 | + { |
| 38 | + "set": { |
| 39 | + "field": "event.ingested", |
| 40 | + "value": "{{_ingest.timestamp}}" |
| 41 | + } |
| 42 | + } |
| 43 | + ] |
| 44 | +} |
| 45 | +``` |
| 46 | +
|
| 47 | +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. |
| 48 | +
|
| 49 | +==== |
| 50 | +// end::known-issue[] |
| 51 | + |
12 | 52 | // tag::known-issue[] |
13 | 53 | [discrete] |
14 | 54 | .The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules |
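Review bot: the workaround at new line 26 opens with "First, manually create the ingest pipeline", but no second step follows; the next paragraph (new line 47) already says "After you complete this step", so the ordinal sends the reader looking for a step that never comes. Either drop "First," or add the step it implies. In the same hunk, new line 20 names the pipeline `entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name>` while new line 26 says the `default` suffix "is the {kib} space ID"; a space's display name and its ID can differ, so the placeholder should read `<space_id>` to match the example and keep readers from creating the pipeline under the wrong name. The identical block is pasted into the 8.18.1 and 8.18.0 sections below, so the same fix is needed there.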
@@ -36,6 +76,46 @@ On April 8, 2025, it was discovered that alert suppression for event correlation |
36 | 76 | [[known-issue-8.18.1]] |
37 | 77 | ==== Known issues |
38 | 78 |
|
| 79 | +// tag::known-issue[] |
| 80 | +[discrete] |
| 81 | +.The entity risk score feature may stop persisting risk score documents |
| 82 | +[%collapsible] |
| 83 | +==== |
| 84 | +*Details* + |
| 85 | +On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {stack} 8.18.0 or higher. |
| 86 | +
|
| 87 | +This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name>` ingest pipeline (which is set as a default pipeline for the risk scoring index in {stack} 8.18.0) from being created when {kib} starts up. |
| 88 | +
|
| 89 | +*Workaround* + |
| 90 | +
|
| 91 | +To resolve this issue, apply the following workaround before or after upgrading to {stack} 8.18.0 or higher. |
| 92 | +
|
| 93 | +First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the {kib} space ID. |
| 94 | +
|
| 95 | +``` |
| 96 | +PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default |
| 97 | +{ |
| 98 | + "_meta": { |
| 99 | + "managed_by": "entity_analytics", |
| 100 | + "managed": true |
| 101 | + }, |
| 102 | + "description": "Pipeline for adding timestamp value to event.ingested", |
| 103 | + "processors": [ |
| 104 | + { |
| 105 | + "set": { |
| 106 | + "field": "event.ingested", |
| 107 | + "value": "{{_ingest.timestamp}}" |
| 108 | + } |
| 109 | + } |
| 110 | + ] |
| 111 | +} |
| 112 | +``` |
| 113 | +
|
| 114 | +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. |
| 115 | +
|
| 116 | +==== |
| 117 | +// end::known-issue[] |
| 118 | + |
39 | 119 | // tag::known-issue[] |
40 | 120 | [discrete] |
41 | 121 | .The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules |
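Review bot: the PUT at new line 96 is shown in a bare triple-backtick fence with no language, which is not the `[source,console]` + `----` listing form Elastic's AsciiDoc reference docs use for Elasticsearch API requests; switching to that form keeps the page consistent and gives readers the console copy/run affordances. The text also never says where the request is issued or what it needs: it is an Elasticsearch ingest API call, so state that it is run from the Kibana Dev Tools console (or directly against Elasticsearch) by a user holding the `manage_pipeline` cluster privilege. Finally, new line 114 only says scores "should" begin to persist; add a way to confirm the workaround took, for example `GET _ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default` (space ID substituted as on new line 93) before directing the reader to click **Run Engine**. Same gaps in the 8.18.2 and 8.18.0 copies.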
@@ -71,6 +151,47 @@ On April 8, 2025, it was discovered that alert suppression for event correlation |
71 | 151 | [discrete] |
72 | 152 | [[known-issue-8.18.0]] |
73 | 153 | ==== Known issues |
| 154 | + |
| 155 | +// tag::known-issue[] |
| 156 | +[discrete] |
| 157 | +.The entity risk score feature may stop persisting risk score documents |
| 158 | +[%collapsible] |
| 159 | +==== |
| 160 | +*Details* + |
| 161 | +On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {stack} 8.18.0 or higher. |
| 162 | +
|
| 163 | +This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name>` ingest pipeline (which is set as a default pipeline for the risk scoring index in {stack} 8.18.0) from being created when {kib} starts up. |
| 164 | +
|
| 165 | +*Workaround* + |
| 166 | +
|
| 167 | +To resolve this issue, apply the following workaround before or after upgrading to {stack} 8.18.0 or higher. |
| 168 | +
|
| 169 | +First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the {kib} space ID. |
| 170 | +
|
| 171 | +``` |
| 172 | +PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default |
| 173 | +{ |
| 174 | + "_meta": { |
| 175 | + "managed_by": "entity_analytics", |
| 176 | + "managed": true |
| 177 | + }, |
| 178 | + "description": "Pipeline for adding timestamp value to event.ingested", |
| 179 | + "processors": [ |
| 180 | + { |
| 181 | + "set": { |
| 182 | + "field": "event.ingested", |
| 183 | + "value": "{{_ingest.timestamp}}" |
| 184 | + } |
| 185 | + } |
| 186 | + ] |
| 187 | +} |
| 188 | +``` |
| 189 | +
|
| 190 | +After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking **Run Engine**. |
| 191 | +
|
| 192 | +==== |
| 193 | +// end::known-issue[] |
| 194 | + |
74 | 195 | // tag::known-issue[] |
75 | 196 | [discrete] |
76 | 197 | .Rules cannot be enabled if they're corrupted while upgrading from 7.17.x to 8.x |
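Review bot: this hunk pastes the same known-issue block a third time (new lines 155 to 193 match new lines 12 to 50 and 79 to 117 word for word), which is how the three copies will drift the next time the workaround wording or the fixed version is edited. The file already wraps each entry in `// tag::known-issue[]` / `// end::known-issue[]`; keep one copy of this entry in a distinctly tagged region and pull it into the other version sections with an `include::` of that tag, or at minimum have the 8.18.1 and 8.18.0 sections cross-reference the `known-issue-8.18.2` entry rather than restate it.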
|