From af1f4cd2f76a04316ea2499d36b1d88505354d73 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 16 Jul 2025 13:35:35 +0100 Subject: [PATCH 1/5] [Security] 9.1.0 release notes --- .../elastic-security/deprecations.md | 7 ++ release-notes/elastic-security/index.md | 96 +++++++++++++++++++ 2 files changed, 103 insertions(+) diff --git a/release-notes/elastic-security/deprecations.md b/release-notes/elastic-security/deprecations.md index 66fee32643..79aaf5d5d2 100644 --- a/release-notes/elastic-security/deprecations.md +++ b/release-notes/elastic-security/deprecations.md @@ -16,6 +16,13 @@ Review the deprecated functionality for {{elastic-sec}}. While deprecations have % **Action**
Steps for mitigating deprecation impact. % :::: +## 9.1.0 [elastic-security-9.1.0-deprecations] + +::::{dropdown} Removes default quick prompts +Removes default quick prompts from the Security AI Assistant. +For more information, refer to [#225536]({{kib-pull}}225536). +:::: + ## 9.0.0 [elastic-security-900-deprecations] ::::{dropdown} Removes Defend for Containers (D4C) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 834ac23021..700421a13a 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -27,6 +27,102 @@ To check for security updates, go to [Security announcements for the Elastic sta % * +## 9.1.0 [elastic-security-9.1.0-release-notes] + +### Features and enhancements [elastic-security-9.1.0-features-enhancements] + +* Adds an option to update the `kibana.alert.workflow_status` field for alerts associated with attack discoveries [#225029]({{kib-pull}}225029). +* The rule execution gaps functionality is now generally available [#224657]({{kib-pull}}224657). +* Adds the Security Entity Analytics privileged user monitoring feature [#224638]({{kib-pull}}224638). +* Adds the ability to bulk fill gaps [#224585]({{kib-pull}}224585). +* Automatic migration is now generally available [#224544]({{kib-pull}}224544). +* Adds a name field to the automatic migration UI [#223860]({{kib-pull}}223860). +* Adds simplified bulk editing for alert suppression [#223090]({{kib-pull}}223090). +* Adds a human-readable incremental ID to cases, making referencing cases easier [#222874]({{kib-pull}}222874). +* Adds the ability to change rule migration execution settings when re-processing a migration [#222542]({{kib-pull}}222542). +* Adds `runscript` response action support for Microsoft Defender for Endpoint–enrolled hosts [#222377]({{kib-pull}}222377). +* Updates automatic migration API schema [#219597]({{kib-pull}}219597). +* Adds `siemV3` role migration to support the new Security **Global Artifact Management** privilege [#219566]({{kib-pull}}219566). +* Adds automatic saving of attack discoveries, with search and filter capabilities [#218906]({{kib-pull}}218906). +* Adds the ability to edit highlighted fields in the alert details flyout [#216740]({{kib-pull}}216740). +* Adds API endpoints for the Entity Analytics privileged user monitoring feature [#215663]({{kib-pull}}215663). +* Adds the onboarding flow for the Asset Inventory feature [#212315]({{kib-pull}}212315). +* Adds the XSOAR connector [#212049]({{kib-pull}}212049). 
+* Adds a custom script selector for choosing scripts to execute when using the `runscript` response action [#204965]({{kib-pull}}204965). +* Updates {{elastic-sec}} Labs Knowledge Base content [#227125]({{kib-pull}}227125). +* Displays which fields are customized for prebuilt rules [#225939]({{kib-pull}}225939). +* Bumps default Gemini model [#225917]({{kib-pull}}225917). +* Groups vulnerabilities by resource and cloud account using IDs instead of names [#225492]({{kib-pull}}225492). +* Adds prompt tiles to the Security AI Assistant [#224981]({{kib-pull}}224981). +* Adds support for collapsible sections in integrations READMEs [#223916]({{kib-pull}}223916). +* Adds advanced policy settings in {{elastic-defend}} to enable collection of file origin information for File, Process, and DLL (ImageLoad) events [#223882]({{kib-pull}}223882), [#222030]({{kib-pull}}222030). +* Adds the `ecs@mappings` component to the transform destination index template [#223878]({{kib-pull}}223878). +* Adds the ability to revert prebuilt rules to their base version [#223301]({{kib-pull}}223301). +* Adds an {{elastic-defend}} advanced policy setting that allows you to enable or disable the Microsoft-Windows-Security-Auditing ETW provider for security events collection [#222197]({{kib-pull}}222197). +* Updates the risk severity color map to match the new design [#222061]({{kib-pull}}222061). +* Updates the asset criticality status color map to match the new design [#222024]({{kib-pull}}222024). +* Updates the highlighted fields button styling in the alert details flyout [#221862]({{kib-pull}}221862). +* Adds support for content connectors in {{elastic-sec}} and {{observability}} [#221856]({{kib-pull}}221856). +* Expands CVE ID search to all search parameters, not just names [#221099]({{kib-pull}}221099). +* Improves alert searching and filtering by including additional ECS data stream fields [#220447]({{kib-pull}}220447). 
+* Updates default model IDs for Amazon Bedrock and OpenAI connectors [#220146]({{kib-pull}}220146). +* Adds support for PKI (certificate-based) authentication for the OpenAI **Other** connector providers[#219984]({{kib-pull}}219984). +* Adds pinning and settings to the **Table** tab in the alert and event details flyouts [#218686]({{kib-pull}}218686). +* Updates the data view selector in the event analyzer [#218183]({{kib-pull}}218183). +* Updates the data view selector in the global header [#216685]({{kib-pull}}216685). +* Updates UI handling for multiple CVEs and package fields [#216411]({{kib-pull}}216411). +* Adds the Security AI prompts integration [#216106]({{kib-pull}}216106). +* Adds support for grouping multi-value fields in Cloud Security [#215913]({{kib-pull}}215913). +* Limits unassigned notes to a maximum of 100 per document instead of globally [#214922]({{kib-pull}}214922). +* Updates the Detection rule monitoring dashboard to include rule gaps histogram [#214694]({{kib-pull}}214694). +* Adds support for multiple CVEs and improves vulnerability data grid, flyout, and contextual flyout UI [#213039]({{kib-pull}}213039). +* Adds support for the `MV_EXPAND` command for the {{esql}} rule type [#212675]({{kib-pull}}212675). +* Updates the data view selector in Timelines [#210585]({{kib-pull}}210585). +* Adds `unassigned` as an asset criticality level for bulk uploads [#208884]({{kib-pull}}208884). +* Enables `isolate` and `release` response actions from the event details flyout [#206857]({{kib-pull}}206857). +* Standardizes action triggers in alerts KPI visualizations [#206340]({{kib-pull}}206340). +* Adds process event monitoring for `ptrace` and `memfd` activity on Linux (kernel 5.10+) using eBPF. +* Upgrades the Linux Endpoint to use Quark as an eBPF event source. +* Adds support for DNS events on macOS. Events can be controlled from the {{elastic-defend}} policy using the **DNS events** checkbox. 
+* Adds TCC (Transparency Consent and Control) events on macOS. Events are generated every time the TCC database is altered. +* Adds `parent.command_line` to process events on macOS to keep in line with Linux and Windows. +* Adds ETW visibility for WinHTTP and WinINet libraries. +* Adds telemetry to assist detection of processes created in non-standard desktops. +* Adds FirewallAntiTamper plug-in to protect processes against network tampering via Windows Firewall. +* Reduces {{elastic-defend}} CPU usage for ETW events, API events, and behavioral protections. In some cases, this may be a significant reduction. +* {{elastic-defend}}: Changes the security events source from the Event Log provider to Event Tracing for Windows (Microsoft-Windows-Security Auditing) provider and enriches the events with additional data. +* Adds support for Elliptic Curve certificates and TLS output settings, including `supported_protocols`, `cipher_suites`, and `curve_types`. +* Updates GRPC library to v1.70.1. +* Reduces {{elastic-defend}} CPU and memory usage for behavioral protections. + +### Fixes [elastic-security-9.1.0-fixes] + +* Fixes a bug where data wasn't fetched by the vulnerability expandable flyout in preview mode [#227262]({{kib-pull}}227262). +* Fixes a bug where Timelines and investigations did not consistently use the default Security data view [#226314]({{kib-pull}}226314). +* Fixes a bug where opening an alert deeplink didn't correctly load filters on the **Alerts** page [#225650]({{kib-pull}}225650). +* Updates entity links to open in a flyout instead of leaving the current page [#225381]({{kib-pull}}225381). +* Adds a title to the rule gap histogram in the Detection rule monitoring dashboard [#225274]({{kib-pull}}225274). +* Fixes URL query handling for the asset inventory flyout [#225199]({{kib-pull}}225199). +* Fixes a bug where pressing Escape with an alert details flyout open from a Timeline closed the Timeline instead of the flyout [#224352]({{kib-pull}}224352). 
+* Fixes a bug where comma-separated `process.args` values didn't wrap properly in the alert details flyout's **Overview** tab [#223544]({{kib-pull}}223544). +* Fixes wrapping for threat indicator match event renderer [#223164]({{kib-pull}}223164). +* Fixes a z-index issue in the {{esql}} query editor within Timeline [#222841]({{kib-pull}}222841). +* Fixes incorrect content displaying after tab switching in the integrations section on the **Get started** page [#222271]({{kib-pull}}222271). +* Fixes the exception flyout to show the correct "Edit rule exception" title and button label when editing an exception item [#222248]({{kib-pull}}222248). +* Retrieves active integrations from the installed integrations API [#218988]({{kib-pull}}218988). +* Updates tooltips in the gap fills table [#218926]({{kib-pull}}218926). +* Fixes AI Assistant prompt updates so UI changes reflect only successful updates [#217058]({{kib-pull}}217058). +* Fixes error callout placement on the **Engine Status** tab of the **Entity Store** page [#216228]({{kib-pull}}216228). +* Fixes alert severity ordering to display from highest severity to lowest [#215813]({{kib-pull}}215813). +* Generalizes and consolidates custom {{fleet}} onboarding logic [#215561]({{kib-pull}}215561). +* Fixes an alert grouping re-render issue that caused infinite rendering loops when selecting a group [#215086]({{kib-pull}}215086). +* Fixes a bug in the alert details flyout's **Table** tab where fields displayed duplicate hover actions [#212316]({{kib-pull}}212316). +* Refactors conversation pagination for the Security AI Assistant [#211831]({{kib-pull}}211831). +* Fixes an issue where log level changes were not always handled correctly. +* Fixes the artifact `channel` field and adds `manifest_type` in {{elastic-defend}} policy responses. +* Fixes a bug where the `fqdn` feature flag wasn't being persisted across system or endpoint restarts. 
+* Fixes a crash in the scan response action and suppresses the end-user popup when running background malware scans. + ## 9.0.3 [elastic-security-9.0.3-release-notes] ### Features and enhancements [elastic-security-9.0.3-features-enhancements] From af413af18414e9f08b1c58e50d79d00a0eea958f Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Thu, 17 Jul 2025 09:10:32 +0100 Subject: [PATCH 2/5] Applies Endpoint feedback Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- release-notes/elastic-security/index.md | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 700421a13a..2ec4ecbb5b 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -81,18 +81,15 @@ To check for security updates, go to [Security announcements for the Elastic sta * Adds `unassigned` as an asset criticality level for bulk uploads [#208884]({{kib-pull}}208884). * Enables `isolate` and `release` response actions from the event details flyout [#206857]({{kib-pull}}206857). * Standardizes action triggers in alerts KPI visualizations [#206340]({{kib-pull}}206340). -* Adds process event monitoring for `ptrace` and `memfd` activity on Linux (kernel 5.10+) using eBPF. -* Upgrades the Linux Endpoint to use Quark as an eBPF event source. +* Adds {{elastic-defend}} process event monitoring for `ptrace` and `memfd` activity on Linux (kernel 5.10+) using eBPF. * Adds support for DNS events on macOS. Events can be controlled from the {{elastic-defend}} policy using the **DNS events** checkbox. -* Adds TCC (Transparency Consent and Control) events on macOS. Events are generated every time the TCC database is altered. -* Adds `parent.command_line` to process events on macOS to keep in line with Linux and Windows. +* Adds TCC (Transparency Consent and Control) events to {{elastic-defend}} on macOS. Events are generated every time the TCC database is altered. +* Adds `parent.command_line` to {{elastic-defend}} process events on macOS to keep in line with Linux and Windows. * Adds ETW visibility for WinHTTP and WinINet libraries. * Adds telemetry to assist detection of processes created in non-standard desktops. -* Adds FirewallAntiTamper plug-in to protect processes against network tampering via Windows Firewall. * Reduces {{elastic-defend}} CPU usage for ETW events, API events, and behavioral protections. In some cases, this may be a significant reduction. * {{elastic-defend}}: Changes the security events source from the Event Log provider to Event Tracing for Windows (Microsoft-Windows-Security Auditing) provider and enriches the events with additional data. 
-* Adds support for Elliptic Curve certificates and TLS output settings, including `supported_protocols`, `cipher_suites`, and `curve_types`. -* Updates GRPC library to v1.70.1. +* Adds {{elastic-defend}} support for Elliptic Curve certificates and TLS output settings, including `supported_protocols`, `cipher_suites`, and `curve_types`. * Reduces {{elastic-defend}} CPU and memory usage for behavioral protections. ### Fixes [elastic-security-9.1.0-fixes] @@ -118,10 +115,9 @@ To check for security updates, go to [Security announcements for the Elastic sta * Fixes an alert grouping re-render issue that caused infinite rendering loops when selecting a group [#215086]({{kib-pull}}215086). * Fixes a bug in the alert details flyout's **Table** tab where fields displayed duplicate hover actions [#212316]({{kib-pull}}212316). * Refactors conversation pagination for the Security AI Assistant [#211831]({{kib-pull}}211831). -* Fixes an issue where log level changes were not always handled correctly. * Fixes the artifact `channel` field and adds `manifest_type` in {{elastic-defend}} policy responses. -* Fixes a bug where the `fqdn` feature flag wasn't being persisted across system or endpoint restarts. -* Fixes a crash in the scan response action and suppresses the end-user popup when running background malware scans. +* Fixes a bug in {{elastic-defend}} where the `fqdn` feature flag wasn't being persisted across system or endpoint restarts. +* Fixes a crash in the {{elastic-defend}} scan response action and suppresses the end-user popup when running background malware scans. ## 9.0.3 [elastic-security-9.0.3-release-notes] From c194c018391c16872f12952bb771fa8dd2c98bcc Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 17 Jul 2025 14:29:48 +0100 Subject: [PATCH 3/5] Adds RM and EDR notes --- release-notes/elastic-security/index.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 2ec4ecbb5b..7911a6efd4 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md @@ -81,6 +81,7 @@ To check for security updates, go to [Security announcements for the Elastic sta * Adds `unassigned` as an asset criticality level for bulk uploads [#208884]({{kib-pull}}208884). * Enables `isolate` and `release` response actions from the event details flyout [#206857]({{kib-pull}}206857). * Standardizes action triggers in alerts KPI visualizations [#206340]({{kib-pull}}206340). +* Introduces space-awareness capabilities for {{elastic-defend}} and other {{elastic-sec}}-specific {{fleet}} features. * Adds {{elastic-defend}} process event monitoring for `ptrace` and `memfd` activity on Linux (kernel 5.10+) using eBPF. * Adds support for DNS events on macOS. Events can be controlled from the {{elastic-defend}} policy using the **DNS events** checkbox. * Adds TCC (Transparency Consent and Control) events to {{elastic-defend}} on macOS. Events are generated every time the TCC database is altered. 
@@ -115,6 +116,8 @@ To check for security updates, go to [Security announcements for the Elastic sta * Fixes an alert grouping re-render issue that caused infinite rendering loops when selecting a group [#215086]({{kib-pull}}215086). * Fixes a bug in the alert details flyout's **Table** tab where fields displayed duplicate hover actions [#212316]({{kib-pull}}212316). * Refactors conversation pagination for the Security AI Assistant [#211831]({{kib-pull}}211831). +* Fixes a bug where unmodified prebuilt rules installed before v8.18 didn't appear in the **Upgrade** table when the **Unmodified** filter was selected [#227859]({{kib-pull}}227859). +* Improves UI copy for the "bulk update with conflicts" modal [#227803]({{kib-pull}}227803). * Fixes the artifact `channel` field and adds `manifest_type` in {{elastic-defend}} policy responses. * Fixes a bug in {{elastic-defend}} where the `fqdn` feature flag wasn't being persisted across system or endpoint restarts. * Fixes a crash in the {{elastic-defend}} scan response action and suppresses the end-user popup when running background malware scans. From 6ee395995d82da233fb54c8791600c20eba4d165 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 18 Jul 2025 16:33:04 +0100 Subject: [PATCH 4/5] Address feedback --- release-notes/elastic-security/index.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 7911a6efd4..6e9b71b148 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -37,7 +37,7 @@ To check for security updates, go to [Security announcements for the Elastic sta * Adds the ability to bulk fill gaps [#224585]({{kib-pull}}224585). * Automatic migration is now generally available [#224544]({{kib-pull}}224544). * Adds a name field to the automatic migration UI [#223860]({{kib-pull}}223860). -* Adds simplified bulk editing for alert suppression [#223090]({{kib-pull}}223090). +* Adds the ability to bulk set up and delete alert suppression [#223090]({{kib-pull}}223090). * Adds a human-readable incremental ID to cases, making referencing cases easier [#222874]({{kib-pull}}222874). * Adds the ability to change rule migration execution settings when re-processing a migration [#222542]({{kib-pull}}222542). * Adds `runscript` response action support for Microsoft Defender for Endpoint–enrolled hosts [#222377]({{kib-pull}}222377). 
@@ -86,12 +86,13 @@ To check for security updates, go to [Security announcements for the Elastic sta * Adds support for DNS events on macOS. Events can be controlled from the {{elastic-defend}} policy using the **DNS events** checkbox. * Adds TCC (Transparency Consent and Control) events to {{elastic-defend}} on macOS. Events are generated every time the TCC database is altered. * Adds `parent.command_line` to {{elastic-defend}} process events on macOS to keep in line with Linux and Windows. -* Adds ETW visibility for WinHTTP and WinINet libraries. -* Adds telemetry to assist detection of processes created in non-standard desktops. * Reduces {{elastic-defend}} CPU usage for ETW events, API events, and behavioral protections. In some cases, this may be a significant reduction. * {{elastic-defend}}: Changes the security events source from the Event Log provider to Event Tracing for Windows (Microsoft-Windows-Security Auditing) provider and enriches the events with additional data. * Adds {{elastic-defend}} support for Elliptic Curve certificates and TLS output settings, including `supported_protocols`, `cipher_suites`, and `curve_types`. * Reduces {{elastic-defend}} CPU and memory usage for behavioral protections. +* Reduces {{elastic-defend}} CPU when processing events from the System process, such as IIS network events. +* Improves {{elastic-defend}} logging of fatal exceptions. +* Improves {{elastic-defend}} call site analysis logic. ### Fixes [elastic-security-9.1.0-fixes] 
@@ -118,9 +119,12 @@ To check for security updates, go to [Security announcements for the Elastic sta * Refactors conversation pagination for the Security AI Assistant [#211831]({{kib-pull}}211831). * Fixes a bug where unmodified prebuilt rules installed before v8.18 didn't appear in the **Upgrade** table when the **Unmodified** filter was selected [#227859]({{kib-pull}}227859). * Improves UI copy for the "bulk update with conflicts" modal [#227803]({{kib-pull}}227803). -* Fixes the artifact `channel` field and adds `manifest_type` in {{elastic-defend}} policy responses. * Fixes a bug in {{elastic-defend}} where the `fqdn` feature flag wasn't being persisted across system or endpoint restarts. * Fixes a crash in the {{elastic-defend}} scan response action and suppresses the end-user popup when running background malware scans. +* Fixes an unbounded kernel non-paged memory growth issue in the {{elastic-defend}} kernel driver during extremely high event load situations on Windows. Systems affected by this issue would slow down or become unresponsive until the triggering event load (such as network activity) subsided [#88](https://github.com/elastic/endpoint/issues/88). +* Fixes a memory growth bug in {{elastic-defend}} on Linux when both **Collect session data** and **Capture terminal output** are enabled. +* Fixes a bug in {{elastic-defend}} where Linux network events would have source and destination byte counts swapped. +* Fixes an issue where {{elastic-defend}} may incorrectly set the artifact channel in policy responses, and adds `manifest_type` to policy responses. ## 9.0.3 [elastic-security-9.0.3-release-notes] From 3474e42b553ae6883f13018316c63cd02bb40f4e Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Tue, 22 Jul 2025 09:17:51 +0100 Subject: [PATCH 5/5] Update release-notes/elastic-security/index.md Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- release-notes/elastic-security/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 6e9b71b148..608d115fac 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md @@ -66,7 +66,7 @@ To check for security updates, go to [Security announcements for the Elastic sta * Expands CVE ID search to all search parameters, not just names [#221099]({{kib-pull}}221099). * Improves alert searching and filtering by including additional ECS data stream fields [#220447]({{kib-pull}}220447). * Updates default model IDs for Amazon Bedrock and OpenAI connectors [#220146]({{kib-pull}}220146). -* Adds support for PKI (certificate-based) authentication for the OpenAI **Other** connector providers[#219984]({{kib-pull}}219984). +* Adds support for PKI (certificate-based) authentication for the OpenAI **Other** connector providers [#219984]({{kib-pull}}219984). * Adds pinning and settings to the **Table** tab in the alert and event details flyouts [#218686]({{kib-pull}}218686). * Updates the data view selector in the event analyzer [#218183]({{kib-pull}}218183). * Updates the data view selector in the global header [#216685]({{kib-pull}}216685).
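Review bot: In PATCH 1/5, the new `## 9.1.0 [elastic-security-9.1.0-deprecations]` dropdown in deprecations.md states what is removed but gives no impact or action, although the file's own template comments ask for an `**Action**` section with "Steps for mitigating deprecation impact." Suggest one sentence on what users who relied on the default quick prompts should do; the same patch adds "Adds prompt tiles to the Security AI Assistant [#224981]" under the 9.1.0 features, so if that is the replacement, say so here. Also, the new anchor uses the dotted form (`elastic-security-9.1.0-deprecations`) while the existing 9.0.0 heading in the same file uses `elastic-security-900-deprecations`; check which form inbound links expect before mixing the two.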
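Review bot: In the index.md features hunk of PATCH 1/5, the ETW provider name is spelled two ways: `Microsoft-Windows-Security-Auditing` in the advanced policy setting entry (#222197) and `Microsoft-Windows-Security Auditing` in the "Changes the security events source from the Event Log provider to Event Tracing for Windows" entry. Use the hyphenated form (that is the provider's name) in both. Those two entries also describe one change from two angles, the new default source and the setting that toggles it, so place them together or cross-reference them; a reader assessing the effect on existing security-event detections needs both. Minor: "connector providers[#219984]" is missing a space before the link (corrected in PATCH 5/5), and "Bumps default Gemini model" would be more useful if it named the new model ID.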
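Review bot: Several entries under `### Fixes [elastic-security-9.1.0-fixes]` in PATCH 1/5 are not fixes: "Updates entity links to open in a flyout ... [#225381]", "Adds a title to the rule gap histogram ... [#225274]", "Retrieves active integrations from the installed integrations API [#218988]", "Updates tooltips in the gap fills table [#218926]", "Generalizes and consolidates custom {{fleet}} onboarding logic [#215561]" and "Refactors conversation pagination for the Security AI Assistant [#211831]". Either move the user-visible ones to features and enhancements or reword them to state the user-facing problem they resolve; pure refactors with no visible effect usually do not belong in release notes at all.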
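Review bot: In PATCH 2/5, the `{{elastic-defend}}` attribution is added to some Endpoint entries but not to "Adds support for DNS events on macOS", "Adds ETW visibility for WinHTTP and WinINet libraries" or "Adds telemetry to assist detection of processes created in non-standard desktops"; the DNS entry keeps its unattributed wording through the rest of the series, so apply the same prefix there. The hunk also drops "Updates GRPC library to v1.70.1" without the commit message saying why; dependency version bumps are the kind of line people scanning release notes for supply-chain or vulnerability tracking look for, so if it was removed only as "not user-visible", consider keeping it.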
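Review bot: In the Fixes hunk of PATCH 3/5, the two new entries [#227859] and [#227803] are inserted after [#211831], but the rest of the list is ordered by descending PR number (227262, 226314, 225650, ...), so they belong at the top, before [#227262]. "Improves UI copy for the 'bulk update with conflicts' modal" is an enhancement rather than a fix. In the features hunk, "Introduces space-awareness capabilities for {{elastic-defend}} and other {{elastic-sec}}-specific {{fleet}} features" has no PR link, unlike every other Kibana-side entry, and says nothing about what becomes space-scoped; since this changes who can see and manage which endpoints and policies, add the reference and a sentence on the operator-visible effect.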
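Review bot: In the features hunk of PATCH 4/5, "Reduces {{elastic-defend}} CPU when processing events from the System process" is missing the noun; the neighbouring entries say "CPU usage". "Improves {{elastic-defend}} call site analysis logic" is internal terminology with no stated user-visible effect; either say which protection it improves or drop it. The hunk also removes "Adds ETW visibility for WinHTTP and WinINet libraries" and "Adds telemetry to assist detection of processes created in non-standard desktops" with only "Address feedback" as explanation; if those capabilities did not ship in 9.1.0 that is fine, but if they were cut for wording reasons they are exactly the visibility changes defenders read release notes for, so a reworded entry would be better than none.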
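Review bot: In the Fixes hunk of PATCH 4/5, the entry "Linux network events would have source and destination byte counts swapped", together with the earlier change of the Windows security event source from the Event Log provider to ETW, alters data that existing detection rules, dashboards and saved queries consume; a short note that rules keyed on those byte counts may behave differently on upgraded endpoints would help readers planning the upgrade. The kernel non-paged memory entry links its issue with a hard-coded URL (`https://github.com/elastic/endpoint/issues/88`) while Kibana PRs use `{{kib-pull}}`; confirm that a plain URL is the convention for non-Kibana links. The rewritten artifact-channel entry ("may incorrectly set the artifact channel in policy responses, and adds `manifest_type`") is clearer than the line it replaces.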
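Review bot: PATCH 5/5 only adds the missing space before "[#219984]", which is the right fix; its subject "Update release-notes/elastic-security/index.md" is the default GitHub suggestion-commit title, so if these commits are not squashed on merge, a descriptive subject would make the history easier to scan.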