Skip to content

[Security] 9.4.0 release notes #6029

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
florent-leborgne merged 13 commits into from
May 5, 2026
Merged

[Security] 9.4.0 release notes #6029

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
ec230d4
[Security] 9.4.0 release notes
natasha-moore-elastic Apr 21, 2026
c1a9f63
add script library
natasha-moore-elastic Apr 22, 2026
31d1a33
add missing endpoint entry
natasha-moore-elastic Apr 23, 2026
66f41b4
Apply suggestion from @benironside
benironside Apr 24, 2026
86047fe
Apply suggestions from code review
natasha-moore-elastic Apr 24, 2026
8799e16
add entity store deprecations
natasha-moore-elastic Apr 28, 2026
ab98362
add EA breaking changes and deprecations
natasha-moore-elastic Apr 28, 2026
727d4c1
Update release-notes/elastic-security/index.md
florent-leborgne Apr 30, 2026
5e85f3e
Merge branch 'main' into sec-rn-9.4.0
florent-leborgne Apr 30, 2026
268a6b3
Update release-notes/elastic-security/breaking-changes.md
florent-leborgne May 5, 2026
d31ed1e
Apply suggestions from code review
florent-leborgne May 5, 2026
cfb92f9
Merge branch 'main' into sec-rn-9.4.0
florent-leborgne May 5, 2026
a6dd6bb
Merge branch 'main' into sec-rn-9.4.0
florent-leborgne May 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
123 changes: 121 additions & 2 deletions release-notes/elastic-security/breaking-changes.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,127 @@
% **Action**<br> Steps for mitigating deprecation impact.
% ::::

## 9.4.0 [elastic-security-940-breaking-changes]

::::{dropdown} Entity Analytics: Risk scores reset after upgrading to 9.4
Copy link
Copy Markdown
Contributor Author

@natasha-moore-elastic natasha-moore-elastic Apr 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @jaredburgettelastic, could you please review these EA breaking changes and let me know which PR(s) we should link to for each? Thanks!

Copy link
Copy Markdown
Contributor

@jaredburgettelastic jaredburgettelastic May 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deprecation PR here, thank you!

Copy link
Copy Markdown
Member

@florent-leborgne florent-leborgne May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added below

Risk scoring is moving from name-based to ID-based scoring tied to the entity store. Historical name-based risk scores are not migrated to the new model.

**Impact**<br> After upgrading to 9.4, all existing risk scores are cleared. The entity store initializes with a 3-hour lookback, so scored entity counts will be lower immediately after upgrade and will rebuild over time. Additionally, Identity Provider (IdP) user entities may not receive risk scores initially, as alerts do not yet map directly to IdP EUIDs. Local user and host entities are unaffected.

**Action**<br> No action required to trigger the rebuild — it happens automatically. Plan for a warm-up period after upgrading before risk score dashboards return to their pre-upgrade state.
Comment thread
florent-leborgne marked this conversation as resolved.

For more information, check [#258197]({{kib-pull}}258197).
::::

::::{dropdown} Entity Analytics: Risk engine management APIs removed
The standalone risk engine is replaced by an entity maintainer integrated into the entity store. The following risk engine management API endpoint is removed:

* `DELETE /api/risk_score/engine/dangerously_delete_data`

**Impact**<br> Any scripts or automations using this endpoint will fail.

**Action**<br> Remove references to this endpoint. Risk scoring is now managed through the entity store lifecycle. Refer to the Entity Store API documentation for the new endpoints.
% TODO: Add link to Entity Store API documentation when available. See https://github.com/elastic/docs-content-internal/issues/1100
::::

::::{dropdown} Entity Analytics: Asset criticality values reset and CSV format changed after upgrading to 9.4
Asset criticality storage is moving to the entity store. Historical values from the legacy index are not migrated to the new model. Additionally, the CSV upload format has changed: headers are now required, and uploading a CSV no longer creates new entities — entities must already exist in the entity store.

**Impact**<br> Existing asset criticality assignments are not carried over after upgrading to 9.4. CSV files using the old headerless format will no longer work.

**Action**<br> Re-assign asset criticality in 9.4 using the updated CSV format or the entity flyout. Update any CSV files to include the required header row before uploading.
::::

::::{dropdown} Entity Analytics: Privileged user monitoring replaced by watchlists
Privileged user monitoring is replaced by watchlists in 9.4. Historical privileged user assignments are not migrated to the new model.

**Impact**<br> The privileged user monitoring UI and engine are removed. Existing privileged user configurations, including manual user lists and CSV uploads, are not carried over.

**Action**<br> Recreate your privileged user tracking using watchlists. The default **Privileged Users** watchlist automatically pulls in administrative users from Active Directory and Okta integrations.
% TODO: Add link to Watchlist documentation when available: [Watchlists](/solutions/security/advanced-entity-analytics/watchlists.md). See https://github.com/elastic/docs-content/pull/5994
::::

::::{dropdown} Entity Analytics: Privileged user monitoring APIs removed
All privileged user monitoring APIs are removed in 9.4.

Removed with no equivalent:
* `POST /api/entity_analytics/monitoring/users`
* `GET /api/entity_analytics/monitoring/users/list`
* `PUT /api/entity_analytics/monitoring/users/{id}`
* `DELETE /api/entity_analytics/monitoring/users/{id}`
* `POST /api/entity_analytics/monitoring/users/_csv`
* `POST /api/entity_analytics/monitoring/engine/init`
* `POST /api/entity_analytics/monitoring/engine/disable`
* `DELETE /api/entity_analytics/monitoring/engine/delete`
* `POST /api/entity_analytics/privileged_user_monitoring/pad/install`
* `GET /api/entity_analytics/privileged_user_monitoring/pad/status`

Replaced by watchlists equivalents:
* `POST .../monitoring/engine/schedule_now` → `POST /api/entity_analytics/watchlists/{watchlist_id}/sync`
* `.../monitoring/entity_source/...` → `/api/entity_analytics/watchlists/{watchlist_id}/entity_source/...`

**Impact**<br> Any scripts or automations using these endpoints will fail.

**Action**<br> Remove references to removed endpoints. For entity source management, update paths to use the watchlists-scoped equivalents. Refer to the [Entity Analytics API documentation]({{kib-apis}}/group/endpoint-security-entity-analytics-api).
::::

::::{dropdown} Entity store management and CRUD APIs removed
The entity store management and CRUD APIs are removed and replaced by an updated API surface available from 9.4.
For more information, check [#264679]({{kib-pull}}264679).

Removed endpoints:
* `POST /api/entity_store/enable`
* `GET /api/entity_store/status`
* `POST /api/entity_store/engines/{entityType}/init`
* `POST /api/entity_store/engines/{entityType}/start`
* `POST /api/entity_store/engines/{entityType}/stop`
* `DELETE /api/entity_store/engines/{entityType}`
* `DELETE /api/entity_store/engines`
* `GET /api/entity_store/engines/{entityType}`
* `GET /api/entity_store/engines`
* `POST /api/entity_store/engines/apply_dataview_indices`
* `GET /api/entity_store/entities/list`
* `PUT /api/entity_store/entities/{entityType}`
* `POST /api/entity_store/entities/bulk`
* `DELETE /api/entity_store/entities/{entityType}`

**Impact**<br> Any scripts or automations using these endpoints will fail after upgrading to 9.4.

**Action**<br> Remove references to these endpoints. Refer to the Entity Store API documentation for information on new endpoints.
% TODO: Add link to Entity Store API documentation when available. See https://github.com/elastic/docs-content-internal/issues/1100
::::

::::{dropdown} Entity store index structure has changed
In 9.4, the entity store consolidates all entity types into a single index per namespace, replacing the previous model where hosts, users, and services each had their own index. For more information, check [#251089]({{kib-pull}}251089).

The old per-type index pattern (`.entities.v1.latest.security_{type}_<space-id>`) is replaced by:

* A single latest index: `.entities.v2.latest.security_<space-id>-<mapping_version>`
* A shared alias: `entities-latest-<space-id>`
* History snapshot indices: `.entities.v2.history.security_<space-id>.<YYYY-MM-DD>-<HH>`

**Impact**<br> Any direct queries, dashboards, or integrations that reference the old per-type index patterns will fail after upgrading to 9.4.

**Action**<br> Update direct index references to use the new shared alias.
::::

Comment thread
florent-leborgne marked this conversation as resolved.
::::{dropdown} Entity Analytics: Entity identification in Explore/Entity flyout/Entity store
In 9.4, a fine-grained logical identifier has been introduced for user and host entities. In previous versions, user entities were identified by the `user.name` field and host entities were identified by the `host.name` field. This has been replaced by a priority ranking for hosts (`host.id` -> `host.name` -> `host.hostname`) and a user tiering identification which separates medium-confidence local users (i.e., a `user.name` associated with a particular `host.id`), from high-confidence IDP users found in integrations.

Check warning on line 130 in release-notes/elastic-security/breaking-changes.md

View workflow job for this annotation

GitHub Actions / build / vale 

Elastic.Latinisms: Latin terms and abbreviations are a common source of confusion. Use 'that is' instead of 'i.e'.

Check warning on line 130 in release-notes/elastic-security/breaking-changes.md

View workflow job for this annotation

GitHub Actions / build / vale 

Elastic.Spelling: 'tiering' is a possible misspelling.

**Impact**<br> User and Host entities which do not provide enough information to properly identify them will not be available in the entity store. These entities will only be visible through "observed" aggregation views within the entity flyout and Explore details pages, with no Entity Analytics processing done against them, such as entity risk scoring, resolution, or watchlists. Additionally, entities which _are_ properly identified and are in the entity store will no longer have a link available to the Explore details page for that entity.
::::

::::{dropdown} Removes serializer and deserializer parameters from the Lists API
Removes the unused `serializer` and `deserializer` parameters from the Lists API endpoints.
For more information, check [#250111]({{kib-pull}}250111).

**Impact**<br> API requests that include `serializer` or `deserializer` parameters will return a deprecation warning header. The parameters are ignored.

**Action**<br> Remove any `serializer` or `deserializer` parameters from your Lists API requests.
::::

## 9.3.2 [elastic-security-932-breaking-changes]
::::{dropdown} Removes `serializer` and `deserializer` parameters from the Lists API
::::{dropdown} Removes serializer and deserializer parameters from the Lists API
Removes the unused `serializer` and `deserializer` parameters from the Lists API endpoints.
For more information, check [#250111]({{kib-pull}}250111).

Expand All @@ -33,7 +152,7 @@
::::

## 9.2.7 [elastic-security-927-breaking-changes]
::::{dropdown} Removes `serializer` and `deserializer` parameters from the Lists API
::::{dropdown} Removes serializer and deserializer parameters from the Lists API
Removes the unused `serializer` and `deserializer` parameters from the Lists API endpoints.
For more information, check [#250111]({{kib-pull}}250111).

Expand Down
31 changes: 31 additions & 0 deletions release-notes/elastic-security/deprecations.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,37 @@ Review the deprecated functionality for {{elastic-sec}}. While deprecations have
% **Action**<br> Steps for mitigating deprecation impact.
% ::::

## 9.4.0 [elastic-security-9.4.0-deprecations]

::::{dropdown} Entity Analytics: Asset Criticality APIs deprecated
Copy link
Copy Markdown
Contributor Author

@natasha-moore-elastic natasha-moore-elastic Apr 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @jaredburgettelastic, could you please review this deprecation and let me know which PR(s) we should link to? Thanks!

Copy link
Copy Markdown
Contributor

@jaredburgettelastic jaredburgettelastic May 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deprecation PR here, thank you!

Copy link
Copy Markdown
Member

@florent-leborgne florent-leborgne May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added below

The dedicated Asset Criticality APIs are deprecated in 9.4 and replaced by the Entity Store CRUD APIs.

Deprecated endpoints:
* `DELETE /api/asset_criticality`
* `POST /api/asset_criticality`
* `GET /api/asset_criticality`
* `GET /api/asset_criticality/list`

**Impact**<br> These endpoints will continue to work in 9.4 but will be removed in a future release.

**Action**<br> Migrate to the equivalent Entity Store APIs.
Comment thread
florent-leborgne marked this conversation as resolved.

For more information, check [#258440]({{kib-pull}}258440).
% TODO: Add link to Entity Store API documentation when available. See https://github.com/elastic/docs-content-internal/issues/1100
::::

::::{dropdown} Removes the Threat Hunting Agent from Agent Builder
Removes the built-in Threat Hunting Agent from Agent Builder. Security AI workflows now use the Elastic AI Agent with Security skills, which is the default experience in 9.4.0.
For more information, refer to [#263996]({{kib-pull}}263996).

**Impact**<br> Conversations stored with the Threat Hunting Agent will no longer appear in the conversation list and cannot be continued from the UI. No automatic migration is planned.

::::

::::{dropdown} Deprecates Enable CCS Warning Privileges in Kibana advanced settings
Deprecates the `Enable CCS Warning Privileges` setting in {{kib}} **Advanced settings**. For more information, refer to [#252183]({{kib-pull}}252183).
::::

## 9.1.0 [elastic-security-9.1.0-deprecations]

::::{dropdown} Removes default quick prompts
Expand Down
Loading
Loading