---
title: Elastic Security breaking changes
description: Breaking changes can impact your Elastic applications, potentially disrupting normal operations. Before you upgrade, carefully review the Elastic Security...
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/release-notes/elastic-security/breaking-changes
products:
  - Elastic Cloud Enterprise
  - Elastic Cloud Hosted
  - Elastic Cloud on Kubernetes
  - Elastic Security
  - Elastic Stack
  - Kibana
---

# Elastic Security breaking changes
Breaking changes can impact your Elastic applications, potentially disrupting normal operations. Before you upgrade, carefully review the Elastic Security breaking changes and take the necessary steps to mitigate any issues. To learn how to upgrade, check [Upgrade your deployment, cluster, or orchestrator](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/deploy-manage/upgrade).

## 9.4.0

<dropdown title="Entity Analytics: Risk scores reset after upgrading to 9.4">
  Risk scoring is moving from name-based to ID-based scoring tied to the entity store. Historical name-based risk scores are not migrated to the new model.**Impact** After upgrading to 9.4, all existing risk scores are cleared. The entity store initializes with a 3-hour lookback, so scored entity counts will be lower immediately after upgrade and will rebuild over time. Additionally, Identity Provider (IdP) user entities may not receive risk scores initially, as alerts do not yet map directly to IdP EUIDs. Local user and host entities are unaffected.**Action** No action required to trigger the rebuild — it happens automatically. Plan for a warm-up period after upgrading before risk score dashboards return to their pre-upgrade state.For more information, check [#258197](https://github.com/elastic/kibana/pull/258197).
</dropdown>

<dropdown title="Entity Analytics: Risk engine management APIs removed">
  The standalone risk engine is replaced by an entity maintainer integrated into the entity store. The following risk engine management API endpoint is removed:
  - `DELETE /api/risk_score/engine/dangerously_delete_data`
  **Impact** Any scripts or automations using this endpoint will fail.**Action** Remove references to this endpoint. Risk scoring is now managed through the entity store lifecycle. Refer to the Entity Store API documentation for the new endpoints.
</dropdown>

<dropdown title="Entity Analytics: Asset criticality values reset and CSV format changed after upgrading to 9.4">
  Asset criticality storage is moving to the entity store. Historical values from the legacy index are not migrated to the new model. Additionally, the CSV upload format has changed: headers are now required, and uploading a CSV no longer creates new entities — entities must already exist in the entity store.**Impact** Existing asset criticality assignments are not carried over after upgrading to 9.4. CSV files using the old headerless format will no longer work.**Action** Re-assign asset criticality in 9.4 using the updated CSV format or the entity flyout. Update any CSV files to include the required header row before uploading.
</dropdown>

<dropdown title="Entity Analytics: Privileged user monitoring replaced by watchlists">
  Privileged user monitoring is replaced by watchlists in 9.4. Historical privileged user assignments are not migrated to the new model.**Impact** The privileged user monitoring UI and engine are removed. Existing privileged user configurations, including manual user lists and CSV uploads, are not carried over.**Action** Recreate your privileged user tracking using watchlists. The default **Privileged Users** watchlist automatically pulls in administrative users from Active Directory and Okta integrations.
</dropdown>

<dropdown title="Entity Analytics: Privileged user monitoring APIs removed">
  All privileged user monitoring APIs are removed in 9.4.Removed with no equivalent:
  - `POST /api/entity_analytics/monitoring/users`
  - `GET /api/entity_analytics/monitoring/users/list`
  - `PUT /api/entity_analytics/monitoring/users/{id}`
  - `DELETE /api/entity_analytics/monitoring/users/{id}`
  - `POST /api/entity_analytics/monitoring/users/_csv`
  - `POST /api/entity_analytics/monitoring/engine/init`
  - `POST /api/entity_analytics/monitoring/engine/disable`
  - `DELETE /api/entity_analytics/monitoring/engine/delete`
  - `POST /api/entity_analytics/privileged_user_monitoring/pad/install`
  - `GET /api/entity_analytics/privileged_user_monitoring/pad/status`
  Replaced by watchlists equivalents:
  - `POST .../monitoring/engine/schedule_now` → `POST /api/entity_analytics/watchlists/{watchlist_id}/sync`
  - `.../monitoring/entity_source/...` → `/api/entity_analytics/watchlists/{watchlist_id}/entity_source/...`
  **Impact** Any scripts or automations using these endpoints will fail.**Action** Remove references to removed endpoints. For entity source management, update paths to use the watchlists-scoped equivalents. Refer to the [Entity Analytics API documentation](https://www.elastic.co/docs/api/doc/kibana//group/endpoint-security-entity-analytics-api).
</dropdown>

<dropdown title="Entity store management and CRUD APIs removed">
  The entity store management and CRUD APIs are removed and replaced by an updated API surface available from 9.4.
  For more information, check [#264679](https://github.com/elastic/kibana/pull/264679).Removed endpoints:
  - `POST /api/entity_store/enable`
  - `GET /api/entity_store/status`
  - `POST /api/entity_store/engines/{entityType}/init`
  - `POST /api/entity_store/engines/{entityType}/start`
  - `POST /api/entity_store/engines/{entityType}/stop`
  - `DELETE /api/entity_store/engines/{entityType}`
  - `DELETE /api/entity_store/engines`
  - `GET /api/entity_store/engines/{entityType}`
  - `GET /api/entity_store/engines`
  - `POST /api/entity_store/engines/apply_dataview_indices`
  - `GET /api/entity_store/entities/list`
  - `PUT /api/entity_store/entities/{entityType}`
  - `POST /api/entity_store/entities/bulk`
  - `DELETE /api/entity_store/entities/{entityType}`
  **Impact** Any scripts or automations using these endpoints will fail after upgrading to 9.4.**Action** Remove references to these endpoints. Refer to the Entity Store API documentation for information on new endpoints.
</dropdown>

<dropdown title="Entity store index structure has changed">
  In 9.4, the entity store consolidates all entity types into a single index per namespace, replacing the previous model where hosts, users, and services each had their own index. For more information, check [#251089](https://github.com/elastic/kibana/pull/251089).The old per-type index pattern (`.entities.v1.latest.security_{type}_<space-id>`) is replaced by:
  - A single latest index: `.entities.v2.latest.security_<space-id>-<mapping_version>`
  - A shared alias: `entities-latest-<space-id>`
  - History snapshot indices: `.entities.v2.history.security_<space-id>.<YYYY-MM-DD>-<HH>`
  **Impact** Any direct queries, dashboards, or integrations that reference the old per-type index patterns will fail after upgrading to 9.4.**Action** Update direct index references to use the new shared alias.
</dropdown>

<dropdown title="Entity Analytics: Entity identification in Explore/Entity flyout/Entity store">
  In 9.4, a fine-grained logical identifier has been introduced for user and host entities. In previous versions, user entities were identified by the `user.name` field and host entities were identified by the `host.name` field. This has been replaced by a priority ranking for hosts (`host.id` -> `host.name` -> `host.hostname`) and a user tiering identification which separates medium-confidence local users (i.e., a `user.name` associated with a particular `host.id`), from high-confidence IDP users found in integrations.**Impact** User and Host entities which do not provide enough information to properly identify them will not be available in the entity store. These entities will only be visible through "observed" aggregation views within the entity flyout and Explore details pages, with no Entity Analytics processing done against them, such as entity risk scoring, resolution, or watchlists. Additionally, entities which _are_ properly identified and are in the entity store will no longer have a link available to the Explore details page for that entity.
</dropdown>

<dropdown title="Removes serializer and deserializer parameters from the Lists API">
  Removes the unused `serializer` and `deserializer` parameters from the Lists API endpoints.
  For more information, check [#250111](https://github.com/elastic/kibana/pull/250111).**Impact** API requests that include `serializer` or `deserializer` parameters will return a deprecation warning header. The parameters are ignored.**Action** Remove any `serializer` or `deserializer` parameters from your Lists API requests.
</dropdown>


## 9.3.2

<dropdown title="Removes serializer and deserializer parameters from the Lists API">
  Removes the unused `serializer` and `deserializer` parameters from the Lists API endpoints.
  For more information, check [#250111](https://github.com/elastic/kibana/pull/250111).**Impact** API requests that include `serializer` or `deserializer` parameters will return a deprecation warning header. The parameters are ignored.**Action** Remove any `serializer` or `deserializer` parameters from your Lists API requests.
</dropdown>


## 9.2.7

<dropdown title="Removes serializer and deserializer parameters from the Lists API">
  Removes the unused `serializer` and `deserializer` parameters from the Lists API endpoints.
  For more information, check [#250111](https://github.com/elastic/kibana/pull/250111).**Impact** API requests that include `serializer` or `deserializer` parameters will return a deprecation warning header. The parameters are ignored.**Action** Remove any `serializer` or `deserializer` parameters from your Lists API requests.
</dropdown>


## 9.2.0

<dropdown title="Changes invalid category for Gatekeeper">
  Changes `event.category` from `security` to `configuration` for Gatekeeper on macOS.**Impact** Gatekeeper events on macOS are now labeled as `event.category == configuration`.**Action** If you're deploying custom rules using `event.category == security` on macOS, change the query to `event.category == configuration`.
</dropdown>


## 9.0.7

<dropdown title="Changes invalid category for Gatekeeper">
  Changes `event.category` from `security` to `configuration` for Gatekeeper on macOS.**Impact** Gatekeeper events on macOS are now labeled as `event.category == configuration`.**Action** If you're deploying custom rules using `event.category == security` on macOS, change the query to `event.category == configuration`.
</dropdown>


## 9.0.0

<dropdown title="Removes legacy security rules bulk endpoints">
  - `POST /api/detection_engine/rules/_bulk_create` has been replaced by `POST /api/detection_engine/rules/_import`
  - `PUT /api/detection_engine/rules/_bulk_update` has been replaced by `POST /api/detection_engine/rules/_bulk_action`
  - `PATCH /api/detection_engine/rules/_bulk_update` has been replaced by `POST /api/detection_engine/rules/_bulk_action`
  - `DELETE /api/detection_engine/rules/_bulk_delete` has been replaced by `POST /api/detection_engine/rules/_bulk_action`
  - `POST api/detection_engine/rules/_bulk_delete` has been replaced by `POST /api/detection_engine/rules/_bulk_action`
  These changes were introduced in [#197422](https://github.com/elastic/kibana/pull/197422).**Impact** Deprecated endpoints will fail with a 404 status code starting from version 9.0.0.**Action**Update your implementations to use the new endpoints:
  - **For bulk creation of rules:**
    - Use `POST /api/detection_engine/rules/_import` ([API documentation](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importrules)) to create multiple rules along with their associated entities (for example, exceptions and action connectors).
  - Alternatively, create rules individually using `POST /api/detection_engine/rules` ([API documentation](https://www.elastic.co/docs/api/doc/kibana/operation/operation-createrule)).
  - **For bulk updates of rules:**
    - Use `POST /api/detection_engine/rules/_bulk_action` ([API documentation](https://www.elastic.co/docs/api/doc/kibana/operation/operation-performrulesbulkaction)) to update fields in multiple rules simultaneously.
  - Alternatively, update rules individually using `PUT /api/detection_engine/rules` ([API documentation](https://www.elastic.co/docs/api/doc/kibana/operation/operation-updaterule)).
  - **For bulk deletion of rules:**
    - Use `POST /api/detection_engine/rules/_bulk_action` ([API documentation](https://www.elastic.co/docs/api/doc/kibana/operation/operation-performrulesbulkaction)) to delete multiple rules by IDs or query.
  - Alternatively, delete rules individually using `DELETE /api/detection_engine/rules` ([API documentation](https://www.elastic.co/docs/api/doc/kibana/operation/operation-deleterule)).
</dropdown>

<dropdown title="Removes deprecated endpoint management endpoints">
  - `POST /api/endpoint/isolate` has been replaced by `POST /api/endpoint/action/isolate`
  - `POST /api/endpoint/unisolate` has been replaced by `POST /api/endpoint/action/unisolate`
  - `GET /api/endpoint/policy/summaries` has been deprecated without replacement. Will be removed in v9.0.0
  - `POST /api/endpoint/suggestions/{{suggestion_type}}` has been deprecated without replacement. Will be removed in v9.0.0
  - `GET /api/endpoint/action_log/{{agent_id}}` has been deprecated without replacement. Will be removed in v9.0.0
  - `GET /api/endpoint/metadata/transforms` has been deprecated without replacement. Will be removed in v9.0.0
  **Impact** Deprecated endpoints will fail with a 404 status code starting from version 9.0.0.**Action**
  - Remove references to `GET /api/endpoint/policy/summaries` endpoint.
  - Remove references to `POST /api/endpoint/suggestions/{{suggestion_type}}` endpoint.
  - Remove references to `GET /api/endpoint/action_log/{{agent_id}}` endpoint.
  - Remove references to `GET /api/endpoint/metadata/transforms` endpoint.
  - Replace references to deprecated endpoints with the replacements listed in the breaking change details.
</dropdown>

<dropdown title="Refactors the Timeline HTTP API endpoints">
  For more information, refer to [#200633](https://github.com/elastic/kibana/pull/200633).
</dropdown>

<dropdown title="Removes deprecated Elastic Defend APIs">
  For more information, refer to [#199598](https://github.com/elastic/kibana/pull/199598).
</dropdown>

<dropdown title="Removes deprecated API endpoints for bulk CRUD actions on detection rules">
  For more information, refer to [#197422](https://github.com/elastic/kibana/pull/197422) and [#207906](https://github.com/elastic/kibana/pull/207906).
</dropdown>