Elastic Security breaking changes
Breaking changes can impact your Elastic applications, potentially disrupting normal operations. Before you upgrade, carefully review the Elastic Security breaking changes and take the necessary steps to mitigate any issues. To learn how to upgrade, check Upgrade your deployment, cluster, or orchestrator.
Entity Analytics: Risk scores reset after upgrading to 9.4
Risk scoring is moving from name-based to ID-based scoring tied to the entity store. Historical name-based risk scores are not migrated to the new model.
Impact
After upgrading to 9.4, all existing risk scores are cleared. The entity store initializes with a 3-hour lookback, so scored entity counts will be lower immediately after upgrade and will rebuild over time. Additionally, Identity Provider (IdP) user entities may not receive risk scores initially, as alerts do not yet map directly to IdP EUIDs. Local user and host entities are unaffected.
Action
No action required to trigger the rebuild — it happens automatically. Plan for a warm-up period after upgrading before risk score dashboards return to their pre-upgrade state.
For more information, check #258197.
Entity Analytics: Risk engine management APIs removed
The standalone risk engine is replaced by an entity maintainer integrated into the entity store. The following risk engine management API endpoint is removed:
DELETE /api/risk_score/engine/dangerously_delete_data
Impact
Any scripts or automations using this endpoint will fail.
Action
Remove references to this endpoint. Risk scoring is now managed through the entity store lifecycle. Refer to the Entity Store API documentation for the new endpoints.
Entity Analytics: Asset criticality values reset and CSV format changed after upgrading to 9.4
Asset criticality storage is moving to the entity store. Historical values from the legacy index are not migrated to the new model. Additionally, the CSV upload format has changed: headers are now required, and uploading a CSV no longer creates new entities — entities must already exist in the entity store.
Impact
Existing asset criticality assignments are not carried over after upgrading to 9.4. CSV files using the old headerless format will no longer work.
Action
Re-assign asset criticality in 9.4 using the updated CSV format or the entity flyout. Update any CSV files to include the required header row before uploading.
Entity Analytics: Privileged user monitoring replaced by watchlists
Privileged user monitoring is replaced by watchlists in 9.4. Historical privileged user assignments are not migrated to the new model.
Impact
The privileged user monitoring UI and engine are removed. Existing privileged user configurations, including manual user lists and CSV uploads, are not carried over.
Action
Recreate your privileged user tracking using watchlists. The default Privileged Users watchlist automatically pulls in administrative users from Active Directory and Okta integrations.
Entity Analytics: Privileged user monitoring APIs removed
All privileged user monitoring APIs are removed in 9.4.
Removed with no equivalent:
POST /api/entity_analytics/monitoring/usersGET /api/entity_analytics/monitoring/users/listPUT /api/entity_analytics/monitoring/users/{id}DELETE /api/entity_analytics/monitoring/users/{id}POST /api/entity_analytics/monitoring/users/_csvPOST /api/entity_analytics/monitoring/engine/initPOST /api/entity_analytics/monitoring/engine/disableDELETE /api/entity_analytics/monitoring/engine/deletePOST /api/entity_analytics/privileged_user_monitoring/pad/installGET /api/entity_analytics/privileged_user_monitoring/pad/status
Replaced by watchlists equivalents:
POST .../monitoring/engine/schedule_now→POST /api/entity_analytics/watchlists/{watchlist_id}/sync.../monitoring/entity_source/...→/api/entity_analytics/watchlists/{watchlist_id}/entity_source/...
Impact
Any scripts or automations using these endpoints will fail.
Action
Remove references to removed endpoints. For entity source management, update paths to use the watchlists-scoped equivalents. Refer to the Entity Analytics API documentation.
Entity store management and CRUD APIs removed
The entity store management and CRUD APIs are removed and replaced by an updated API surface available from 9.4. For more information, check #264679.
Removed endpoints:
POST /api/entity_store/enableGET /api/entity_store/statusPOST /api/entity_store/engines/{entityType}/initPOST /api/entity_store/engines/{entityType}/startPOST /api/entity_store/engines/{entityType}/stopDELETE /api/entity_store/engines/{entityType}DELETE /api/entity_store/enginesGET /api/entity_store/engines/{entityType}GET /api/entity_store/enginesPOST /api/entity_store/engines/apply_dataview_indicesGET /api/entity_store/entities/listPUT /api/entity_store/entities/{entityType}POST /api/entity_store/entities/bulkDELETE /api/entity_store/entities/{entityType}
Impact
Any scripts or automations using these endpoints will fail after upgrading to 9.4.
Action
Remove references to these endpoints. Refer to the Entity Store API documentation for information on new endpoints.
Entity store index structure has changed
In 9.4, the entity store consolidates all entity types into a single index per namespace, replacing the previous model where hosts, users, and services each had their own index. For more information, check #251089.
The old per-type index pattern (.entities.v1.latest.security_{type}_<space-id>) is replaced by:
- A single latest index:
.entities.v2.latest.security_<space-id>-<mapping_version> - A shared alias:
entities-latest-<space-id> - History snapshot indices:
.entities.v2.history.security_<space-id>.<YYYY-MM-DD>-<HH>
Impact
Any direct queries, dashboards, or integrations that reference the old per-type index patterns will fail after upgrading to 9.4.
Action
Update direct index references to use the new shared alias.
Entity Analytics: Entity identification in Explore/Entity flyout/Entity store
In 9.4, a fine-grained logical identifier has been introduced for user and host entities. In previous versions, user entities were identified by the user.name field and host entities were identified by the host.name field. This has been replaced by a priority ranking for hosts (host.id -> host.name -> host.hostname) and a user tiering identification which separates medium-confidence local users (i.e., a user.name associated with a particular host.id), from high-confidence IDP users found in integrations.
Impact
User and Host entities which do not provide enough information to properly identify them will not be available in the entity store. These entities will only be visible through "observed" aggregation views within the entity flyout and Explore details pages, with no Entity Analytics processing done against them, such as entity risk scoring, resolution, or watchlists. Additionally, entities which are properly identified and are in the entity store will no longer have a link available to the Explore details page for that entity.
Removes serializer and deserializer parameters from the Lists API
Removes the unused serializer and deserializer parameters from the Lists API endpoints.
For more information, check #250111.
Impact
API requests that include serializer or deserializer parameters will return a deprecation warning header. The parameters are ignored.
Action
Remove any serializer or deserializer parameters from your Lists API requests.
Removes serializer and deserializer parameters from the Lists API
Removes the unused serializer and deserializer parameters from the Lists API endpoints.
For more information, check #250111.
Impact
API requests that include serializer or deserializer parameters will return a deprecation warning header. The parameters are ignored.
Action
Remove any serializer or deserializer parameters from your Lists API requests.
Removes serializer and deserializer parameters from the Lists API
Removes the unused serializer and deserializer parameters from the Lists API endpoints.
For more information, check #250111.
Impact
API requests that include serializer or deserializer parameters will return a deprecation warning header. The parameters are ignored.
Action
Remove any serializer or deserializer parameters from your Lists API requests.
Changes invalid category for Gatekeeper
Changes event.category from security to configuration for Gatekeeper on macOS.
Impact
Gatekeeper events on macOS are now labeled as event.category == configuration.
Action
If you're deploying custom rules using event.category == security on macOS, change the query to event.category == configuration.
Changes invalid category for Gatekeeper
Changes event.category from security to configuration for Gatekeeper on macOS.
Impact
Gatekeeper events on macOS are now labeled as event.category == configuration.
Action
If you're deploying custom rules using event.category == security on macOS, change the query to event.category == configuration.
Removes legacy security rules bulk endpoints
POST /api/detection_engine/rules/_bulk_createhas been replaced byPOST /api/detection_engine/rules/_importPUT /api/detection_engine/rules/_bulk_updatehas been replaced byPOST /api/detection_engine/rules/_bulk_actionPATCH /api/detection_engine/rules/_bulk_updatehas been replaced byPOST /api/detection_engine/rules/_bulk_actionDELETE /api/detection_engine/rules/_bulk_deletehas been replaced byPOST /api/detection_engine/rules/_bulk_actionPOST api/detection_engine/rules/_bulk_deletehas been replaced byPOST /api/detection_engine/rules/_bulk_action
These changes were introduced in #197422.
Impact
Deprecated endpoints will fail with a 404 status code starting from version 9.0.0.
Action
Update your implementations to use the new endpoints:
For bulk creation of rules:
- Use
POST /api/detection_engine/rules/_import(API documentation) to create multiple rules along with their associated entities (for example, exceptions and action connectors). - Alternatively, create rules individually using
POST /api/detection_engine/rules(API documentation).
- Use
For bulk updates of rules:
- Use
POST /api/detection_engine/rules/_bulk_action(API documentation) to update fields in multiple rules simultaneously. - Alternatively, update rules individually using
PUT /api/detection_engine/rules(API documentation).
- Use
For bulk deletion of rules:
- Use
POST /api/detection_engine/rules/_bulk_action(API documentation) to delete multiple rules by IDs or query. - Alternatively, delete rules individually using
DELETE /api/detection_engine/rules(API documentation).
- Use
Removes deprecated endpoint management endpoints
POST /api/endpoint/isolatehas been replaced byPOST /api/endpoint/action/isolatePOST /api/endpoint/unisolatehas been replaced byPOST /api/endpoint/action/unisolateGET /api/endpoint/policy/summarieshas been deprecated without replacement. Will be removed in v9.0.0POST /api/endpoint/suggestions/{{suggestion_type}}has been deprecated without replacement. Will be removed in v9.0.0GET /api/endpoint/action_log/{{agent_id}}has been deprecated without replacement. Will be removed in v9.0.0GET /api/endpoint/metadata/transformshas been deprecated without replacement. Will be removed in v9.0.0
Impact
Deprecated endpoints will fail with a 404 status code starting from version 9.0.0.
Action
- Remove references to
GET /api/endpoint/policy/summariesendpoint. - Remove references to
POST /api/endpoint/suggestions/{{suggestion_type}}endpoint. - Remove references to
GET /api/endpoint/action_log/{{agent_id}}endpoint. - Remove references to
GET /api/endpoint/metadata/transformsendpoint. - Replace references to deprecated endpoints with the replacements listed in the breaking change details.
Refactors the Timeline HTTP API endpoints
For more information, refer to #200633.
Removes deprecated Elastic Defend APIs
For more information, refer to #199598.