[Entity Analytics] Fix toggle ignoring V2 store status when V1 experimental flag is disabled#263918
Merged
seanrathier merged 6 commits intoelastic:mainfrom Apr 17, 2026
Merged
Conversation
Tracks the changes needed in communicates_with and accesses maintainers to align with the EntityRelationship schema introduced in elastic#262242. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ema update Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…us when V1 flag is disabled When `entityStoreDisabled` experimental flag is true and V2 is enabled, `deriveEntityAnalyticsStatus` was checking `isEntityStoreFeatureFlagDisabled` before `isEntityStoreV2Enabled`, causing the V2 running status to be silently discarded in favour of risk-engine-only derivation. The toggle showed OFF despite the V2 entity store being fully running. Also fixes `storeOn` in `useToggleEntityAnalytics`, which was gated on `!isEntityStoreFeatureFlagDisabled` even in V2 mode, preventing the toggle from correctly identifying the store as running and stopping it on click. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
seanrathier
requested review from
CAWilson94
and removed request for
CAWilson94
seanrathier
added
release_note:skip
Contributor
|
Pinging @elastic/contextual-security-apps (Team:Cloud Security) |
Contributor
ApprovabilityVerdict: Needs human review This PR modifies feature flag gating logic that determines whether entity analytics is enabled or disabled, changing the order of condition evaluation. All changed files are owned by @elastic/security-entity-analytics, which the author is not a member of, so the designated code owners should review these changes. You can customize Macroscope's approvability policy. Learn more. |
opauloh
approved these changes
Apr 16, 2026
Contributor
💚 Build Succeeded
Metrics [docs]Async chunks
cc @seanrathier |
jaredburgettelastic
approved these changes
Apr 17, 2026
Contributor
|
Starting backport for target branches: 9.4 https://github.com/elastic/kibana/actions/runs/24571559094 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Apr 17, 2026
…mental flag is disabled (elastic#263918) (cherry picked from commit 9531d93)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added
the
backport missing
Contributor
|
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync. |
kibanamachine
added a commit
that referenced
this pull request
Apr 21, 2026
…experimental flag is disabled (#263918) (#264111) # Backport This will backport the following commits from `main` to `9.4`: - [[Entity Analytics] Fix toggle ignoring V2 store status when V1 experimental flag is disabled (#263918)](#263918) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"seanrathier","email":"sean.rathier@gmail.com"},"sourceCommit":{"committedDate":"2026-04-17T14:54:42Z","message":"[Entity Analytics] Fix toggle ignoring V2 store status when V1 experimental flag is disabled (#263918)","sha":"9531d936e499b92f816e7282b23b153dae4c6210","branchLabelMapping":{"^v9.5.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Cloud Security","backport:version","v9.4.0","v9.5.0"],"title":"[Entity Analytics] Fix toggle ignoring V2 store status when V1 experimental flag is disabled","number":263918,"url":"https://github.com/elastic/kibana/pull/263918","mergeCommit":{"message":"[Entity Analytics] Fix toggle ignoring V2 store status when V1 experimental flag is disabled (#263918)","sha":"9531d936e499b92f816e7282b23b153dae4c6210"}},"sourceBranch":"main","suggestedTargetBranches":["9.4"],"targetPullRequestStates":[{"branch":"9.4","label":"v9.4.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.5.0","branchLabelMappingKey":"^v9.5.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/263918","number":263918,"mergeCommit":{"message":"[Entity Analytics] Fix toggle ignoring V2 store status when V1 experimental flag is disabled (#263918)","sha":"9531d936e499b92f816e7282b23b153dae4c6210"}}]}] BACKPORT--> Co-authored-by: seanrathier <sean.rathier@gmail.com>
kibanamachine
removed
the
backport missing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the entity analytics toggle showing OFF despite the V2 entity store being fully running, when the
entityStoreDisabledexperimental flag is enabled alongsidesecuritySolution:entityStoreEnableV2.Root cause 1 — status derivation (
use_entity_analytics_status.ts):deriveEntityAnalyticsStatuscheckedisEntityStoreFeatureFlagDisabledbeforeisEntityStoreV2Enabled. WhenentityStoreDisabled=trueand V2 is enabled, the function short-circuited intoderiveRiskEngineOnlyStatus, discarding the polled V2 running status entirely. The fix moves the V2 check first so it supersedes the V1 feature flag.Root cause 2 — toggle action (
use_toggle_entity_analytics.ts):storeOnwas computed as!isEntityStoreFeatureFlagDisabled && entityStoreStatus === 'running'. In V2 mode withentityStoreDisabled=true, this always evaluated tofalse, causing the toggle click to always try to enable the store (instead of stopping it when already running). The fix computesstoreOnindependently of the V1 flag when in V2 mode.Closes https://github.com/elastic/security-team/issues/16767
Checklist
release_note:breakinglabel should be applied in these situations.release_note:*label is applied per the guidelinesbackport:*labels.Identify risks
Release Notes
Fix entity analytics toggle displaying OFF when V2 entity store is running and the V1
entityStoreDisabledexperimental flag is enabled.