[Entity Analytics] [8.18 Only] Add deprecation warning for the legacy risk score modules (#202775)

## Summary > [!NOTE] > Example deployment with data loaded (message me for credentials): https://kibana-pr-202775.kb.us-west2.gcp.elastic-cloud.com/app/management/stack/upgrade_assistant/kibana_deprecations Add a deprecation warning when users have the risk scoring modules/legacy risk engine installed. We are removing the legacy risk engine in 9.0.0 which means users data will be there in the index but the UI won’t display it, scores will even continue to be calculated if they for some reason don’t upgrade to the new risk engine. But there will be no dedicated views in kibana. In 8.18 we are adding an upgrade assistant warning if they have the legacy risk engine installed, this is to guide them to upgrade. I have tried to use the same language as our documentation by calling it the risk score module. Upgrade Assistant List view: <img width="1728" alt="Screenshot 2024-12-12 at 09 40 36" src="https://github.com/user-attachments/assets/90cbfa44-fc29-42e5-afea-c74b6b848881"> Clicking the deprecation: <img width="1343" alt="Screenshot 2024-12-13 at 10 59 21" src="https://github.com/user-attachments/assets/8299038e-fe26-44d0-8330-7682fcdf29c9" /> ### Test Steps - on a system with the legacy risk module installed - I used the [security-documents-generator](https://github.com/elastic/security-documents-generator) `yarn start generate-legacy-risk-score` command. - You would have to deploy an 8.11 system to install it through the UI - navigate the the update assistant in stack management - notice the deprecation warning is displayed - upgrade your risk engine by navigating to security > management > entity risk score and clicking start upgrade - notice the deprecation warning is no longer displayed. --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2025-04-24 01:38:56 -04:00 · 2024-12-17 11:51:27 +00:00 · 2024-12-17 11:51:27 +00:00 · 217eb98360
commit 217eb98360
parent 1b82c6d8ba
5 changed files with 128 additions and 0 deletions
--- a/docs/upgrade-notes.asciidoc
+++ b/docs/upgrade-notes.asciidoc
@ -1505,6 +1505,43 @@ Enable X-Pack Security.

 NOTE: For the complete Elastic Security solution release information, refer to {security-guide}/release-notes.html[_Elastic Security Solution Release Notes_].

+[discrete]
+[[breaking-201810]]
+.Remove original user and host risk scoring and all associated UIs (9.0.0)
+[%collapsible]
+====
+*Details* +
+--
+The original host and risk score modules have been superseded since v8.10.0 by the Risk Engine.
+
+In 9.0.0 these modules will no longer be supported, the scores will no longer display in the UI 
+and all UI controls associated with managing or upgrading the legacy modules will be removed.
+--
+
+*Impact* +
+As well as the legacy risk scores not being shown in the UI, alerts will no longer have the legacy risk score added to them in the `<host|user>.risk.calculated_level`
+and `<host|user>.risk.calculated_score_norm` fields.
+
+The legacy risk scores are stored in the `ml_host_risk_score_<space_id>` and `ml_user_risk_score_<space_id>`
+indices, these indices will not be deleted if the user chooses not to upgrade. 
+
+Legacy risk scores are generated by the following transforms:
+
+- `ml_hostriskscore_pivot_transform_<space_id>`
+- `ml_hostriskscore_latest_transform_<space_id>`
+- `ml_userriskscore_pivot_transform_<space_id>`
+- `ml_userriskscore_latest_transform_<space_id>`
+
+If a user does not upgrade to use the Risk Engine, these transforms will continue to run in 9.0.0, but it will be up to the user to manage them.
+
+*Action* +
+
+Upgrade to use the Risk Engine in all spaces which use the legacy risk scoring modules:
+
+- In the main menu, go to *Security > Manage > Entity Risk Score*.
+- If the original user and host risk score modules are enabled, you'll see a button to "Start update". Click the button, and follow the instructions.
+====
+
 [discrete]
 [[breaking-161806]]
 .[Elastic Defend] Converted filterQuery to KQL.(8.11)
--- a/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts
+++ b/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts
@ -504,6 +504,7 @@ export const getDocLinks = ({ kibanaBranch, buildFlavor }: GetDocLinkOptions): D
        riskScorePrerequisites: `${SECURITY_SOLUTION_DOCS}ers-requirements.html`,
        entityRiskScoring: `${SECURITY_SOLUTION_DOCS}entity-risk-scoring.html`,
        assetCriticality: `${SECURITY_SOLUTION_DOCS}asset-criticality.html`,
+        legacyRiskScoreModuleDeprecation: `${KIBANA_DOCS}breaking-changes-summary.html#breaking-201810`,
      },
      detectionEngineOverview: `${SECURITY_SOLUTION_DOCS}detection-engine-overview.html`,
      aiAssistant: `${SECURITY_SOLUTION_DOCS}security-assistant.html`,
--- a/src/platform/packages/shared/kbn-doc-links/src/types.ts
+++ b/src/platform/packages/shared/kbn-doc-links/src/types.ts
@ -372,6 +372,7 @@ export interface DocLinks {
      readonly riskScorePrerequisites: string;
      readonly entityRiskScoring: string;
      readonly assetCriticality: string;
+      readonly legacyRiskScoreModuleDeprecation: string;
    };
    readonly detectionEngineOverview: string;
    readonly signalsMigrationApi: string;
--- a/x-pack/plugins/security_solution/server/deprecations/register_risk_score_modules_deprecation.ts
+++ b/x-pack/plugins/security_solution/server/deprecations/register_risk_score_modules_deprecation.ts
@ -0,0 +1,83 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+import type {
+  DeprecationsServiceSetup,
+  DocLinksServiceSetup,
+  IScopedClusterClient,
+} from '@kbn/core/server';
+
+interface Dependencies {
+  deprecationsService: DeprecationsServiceSetup;
+  docLinks: DocLinksServiceSetup;
+}
+
+/*
+ * Deprecations are not space aware, so we look for the presence of the legacy risk engine in at least one space.
+ * This is done by checking if at least one legacy transform is present.
+ * Legacy transforms are deleted as part of the upgrade process, so if they are present, the user has not yet upgraded.
+ */
+const isModuleInAtLeastOneSpace = async ({
+  esClient,
+}: {
+  esClient: IScopedClusterClient;
+}): Promise<boolean> => {
+  // space is the last part of the transform id
+  const transformPrefixes = [
+    'ml_hostriskscore_pivot_transform_*',
+    'ml_hostriskscore_latest_transform_*',
+    'ml_userriskscore_pivot_transform_*',
+    'ml_userriskscore_latest_transform_*',
+  ];
+
+  const { transforms } = await esClient.asInternalUser.transform.getTransform({
+    transform_id: transformPrefixes,
+    size: 1,
+  });
+
+  return transforms.length > 0;
+};
+
+export const registerRiskScoreModulesDeprecation = ({
+  deprecationsService,
+  docLinks,
+}: Dependencies) => {
+  deprecationsService.registerDeprecations({
+    getDeprecations: async ({ esClient }) => {
+      if (!(await isModuleInAtLeastOneSpace({ esClient }))) {
+        return [];
+      }
+
+      return [
+        {
+          documentationUrl:
+            docLinks.links.securitySolution.entityAnalytics.legacyRiskScoreModuleDeprecation,
+          title: i18n.translate('xpack.securitySolution.deprecations.riskScoreModules.title', {
+            defaultMessage: 'The original user and host risk score modules are deprecated.',
+          }),
+          message: i18n.translate('xpack.securitySolution.deprecations.riskScoreModules.message', {
+            defaultMessage: `We have detected that you have the original user and host risk score modules installed in at least one space. These modules are deprecated, and your risk score data will not be displayed after you upgrade (your data will not be deleted). Please migrate to the latest risk engine in each space before upgrading.`,
+          }),
+          level: 'warning',
+          deprecationType: 'feature',
+          correctiveActions: {
+            manualSteps: [
+              i18n.translate('xpack.securitySolution.deprecations.riskScoreModules.manualStep1', {
+                defaultMessage: 'In the main menu, go to Security > Manage > Entity Risk Score.',
+              }),
+              i18n.translate('xpack.securitySolution.deprecations.riskScoreModules.manualStep3', {
+                defaultMessage:
+                  'If the original user and host risk score modules are enabled, you\'ll see a button to "Start update". Click the button, and follow the instructions.',
+              }),
+            ],
+          },
+        },
+      ];
+    },
+  });
+};
--- a/x-pack/plugins/security_solution/server/plugin.ts
+++ b/x-pack/plugins/security_solution/server/plugin.ts
@ -128,6 +128,7 @@ import { turnOffAgentPolicyFeatures } from './endpoint/migrations/turn_off_agent
 import { getCriblPackagePolicyPostCreateOrUpdateCallback } from './security_integrations';
 import { scheduleEntityAnalyticsMigration } from './lib/entity_analytics/migrations';
 import { SiemMigrationsService } from './lib/siem_migrations/siem_migrations_service';
+import { registerRiskScoreModulesDeprecation } from './deprecations/register_risk_score_modules_deprecation';

 export type { SetupPlugins, StartPlugins, PluginSetup, PluginStart } from './plugin_contract';

@ -442,6 +443,11 @@ export class Plugin implements ISecuritySolutionPlugin {
      this.completeExternalResponseActionsTask.setup({ taskManager: plugins.taskManager });
    }

+    registerRiskScoreModulesDeprecation({
+      deprecationsService: core.deprecations,
+      docLinks: core.docLinks,
+    });
+
    core
      .getStartServices()
      .then(async ([coreStart, depsStart]) => {