elastic · nastasha-solomon · May 30, 2025 · May 30, 2025
@@ -9,6 +9,48 @@
 [[known-issue-8.18.2]]
 ==== Known issues
 
+// tag::known-issue[]
+[discrete]
+.The entity risk score feature may stop persisting risk score documents 
+[%collapsible]
+====
+*Details* +
+On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {stack} 8.18.0 or higher. 
+
+This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name>` ingest pipeline (which is set as a default pipeline for the risk scoring index in {stack} 8.18.0) from being created when {kib} starts up.
+
+While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline.
+
+*Workaround* +
+
+To resolve this issue, apply the following workaround before or after upgrading to {stack} 8.18.0 or higher.
+
+First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the {kib} space ID.
+
+```
+PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default
+{
+  "_meta": {
+    "managed_by": "entity_analytics",
+    "managed": true
+  },
+  "description": "Pipeline for adding timestamp value to event.ingested",
+  "processors": [
+    {
+      "set": {
+        "field": "event.ingested",
+        "value": "{{_ingest.timestamp}}"
+      }
+    }
+  ]
+}
+```
+
+After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the **Entity risk score** page, where you can also manually run the risk score by clicking **Run Engine**. 
+
+====
+// end::known-issue[]
+
 // tag::known-issue[]
 [discrete]
 .The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules 
@@ -36,6 +78,48 @@ On April 8, 2025, it was discovered that alert suppression for event correlation
 [[known-issue-8.18.1]]
 ==== Known issues
 
+// tag::known-issue[]
+[discrete]
+.The entity risk score feature may stop persisting risk score documents 
+[%collapsible]
+====
+*Details* +
+On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {stack} 8.18.0 or higher. 
+
+This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name>` ingest pipeline (which is set as a default pipeline for the risk scoring index in {stack} 8.18.0) from being created when {kib} starts up.
+
+While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline.
+
+*Workaround* +
+
+To resolve this issue, apply the following workaround before or after upgrading to {stack} 8.18.0 or higher.
+
+First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the {kib} space ID.
+
+```
+PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default
+{
+  "_meta": {
+    "managed_by": "entity_analytics",
+    "managed": true
+  },
+  "description": "Pipeline for adding timestamp value to event.ingested",
+  "processors": [
+    {
+      "set": {
+        "field": "event.ingested",
+        "value": "{{_ingest.timestamp}}"
+      }
+    }
+  ]
+}
+```
+
+After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the **Entity risk score** page, where you can also manually run the risk score by clicking **Run Engine**. 
+
+====
+// end::known-issue[]
+
 // tag::known-issue[]
 [discrete]
 .The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules 
@@ -71,6 +155,49 @@ On April 8, 2025, it was discovered that alert suppression for event correlation
 [discrete]
 [[known-issue-8.18.0]]
 ==== Known issues
+
+// tag::known-issue[]
+[discrete]
+.The entity risk score feature may stop persisting risk score documents 
+[%collapsible]
+====
+*Details* +
+On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to {stack} 8.18.0 or higher. 
+
+This is due to a bug that prevents the `entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name>` ingest pipeline (which is set as a default pipeline for the risk scoring index in {stack} 8.18.0) from being created when {kib} starts up.
+
+While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline.
+
+*Workaround* +
+
+To resolve this issue, apply the following workaround before or after upgrading to {stack} 8.18.0 or higher.
+
+First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this using a PUT request, which is described in the example below. When reviewing the example, note that `default` in the example ingest pipeline name below is the {kib} space ID.
+
+```
+PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default
+{
+  "_meta": {
+    "managed_by": "entity_analytics",
+    "managed": true
+  },
+  "description": "Pipeline for adding timestamp value to event.ingested",
+  "processors": [
+    {
+      "set": {
+        "field": "event.ingested",
+        "value": "{{_ingest.timestamp}}"
+      }
+    }
+  ]
+}
+```
+
+After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the **Entity risk score** page, where you can also manually run the risk score by clicking **Run Engine**. 
+
+====
+// end::known-issue[]
+
 // tag::known-issue[]
 [discrete]
 .Rules cannot be enabled if they're corrupted while upgrading from 7.17.x to 8.x