[Security] Retain risk scores configuration setting (#3470)

natasha-moore-elastic · benironside · web-flow · commit 85c66558440b · 2025-10-21T09:59:04.000Z
Resolves #3417 by documenting the option to retain residual risk scores. Previews: * [Residual risk score](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3470/solutions/security/advanced-entity-analytics/entity-risk-scoring#residual-risk-score) * [Turn on the latest risk engine](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3470/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine#_turn_on_the_latest_risk_engine) --------- Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
diff --git a/solutions/images/security-turn-on-risk-engine.png b/solutions/images/security-turn-on-risk-engine.png
diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring.md
@@ -80,7 +80,11 @@ In some cases, entities can retain a residual risk score:
 * If all alerts for an entity are closed
 * If all of the entity’s open alerts fall outside of the configured date and time range
 
-In these situations, the entity retains its last computed risk score until a new alert causes the score to be recalculated.
+{applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` By default, in these scenarios, entity risk scores are reset to zero if there are no new inputs. If, instead, you want entities to retain their last calculated risk score, select the **Retain previously calculated risk scores** checkbox on the [Entity risk score page](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md#_turn_on_the_latest_risk_engine).
+
+:::{note}
+In versions 9.1 and earlier, residual risk scores are retained by default. This means that each entity keeps its last computed risk score until a new alert triggers a recalculation.
+:::
 
 ::::{dropdown} Click for a risk score calculation example
 This example shows how the risk scoring engine calculates the user risk score for `User_A`, whose asset criticality level is **Extreme impact**.
diff --git a/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md b/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md
@@ -28,24 +28,25 @@ The preview is limited to two risk scores per {{kib}} instance or serverless pro
 ::::
 
 
-To preview risky entities, find **Entity Risk Score** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
+To preview risky entities, find **Entity risk score** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
 
 
 ## Turn on the latest risk engine [_turn_on_the_latest_risk_engine]
 
 ::::{note}
 * To view risk score data, you must have alerts generated in your environment.
-* In {{stack}}, if you previously installed the original user and host risk score modules, and you’re upgrading to {{stack}} version 8.11 or newer, refer to [Upgrade to the latest risk engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md#upgrade-risk-engine).
+* In {{stack}}, if you previously installed the original user and host risk score modules, and you’re upgrading to {{stack}} version 9.0 or later, refer to [Upgrade to the latest risk engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md#upgrade-risk-engine).
 
 ::::
 
 
 If you’re installing the risk scoring engine for the first time:
 
-1. Find **Entity Risk Score** in the navigation menu.
-2. On the **Entity Risk Score** page, turn the toggle on.
-
-You can also choose to include `Closed` alerts in risk scoring calculations and specify a date and time range for the calculation.
+1. Find **Entity risk score** in the navigation menu or using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
+2. On the **Entity risk score** page, turn the toggle on.
+3. {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Choose whether to retain [residual risk scores](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md#residual-risk-score).
+4. Choose whether to include `Closed` alerts in risk scoring calculations.
+5. Optionally, specify a date and time range for the calculation.
 
 :::{image} /solutions/images/security-turn-on-risk-engine.png
 :alt: Turn on entity risk scoring
@@ -58,7 +59,7 @@ You can also choose to include `Closed` alerts in risk scoring calculations and
 stack:
 ```
 
-If you upgraded to 8.11 from an earlier {{stack}} version, and you have the original risk engine installed, you can upgrade to the latest risk engine. You will be prompted to upgrade in places where risk score data exists, such as:
+If you upgraded to 9.0 or later from an earlier {{stack}} version, and you have the original risk engine installed, you can upgrade to the latest risk engine. You will be prompted to upgrade in places where risk score data exists, such as:
 
 * The Entity Analytics dashboard
 * The **User risk** tab on the Users page
@@ -71,7 +72,7 @@ If you upgraded to 8.11 from an earlier {{stack}} version, and you have the orig
 :screenshot:
 :::
 
-1. Click **Manage** in the upgrade prompt, or find **Entity Risk Score** in the navigation menu.
+1. Click **Manage** in the upgrade prompt, or find **Entity risk score** in the navigation menu.
 2. On the Entity Risk Score page, click **Start update** next to the **Update available** label.
 
     :::{image} /solutions/images/security-risk-score-start-update.png
