From 2653f5d00034e3336becb9ae5f1b46d9e8b6e699 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 29 Apr 2025 13:14:22 -0400 Subject: [PATCH 1/9] First draft --- release-notes/elastic-security/index.md | 16 ++++++++++++---- release-notes/elastic-security/known-issues.md | 8 -------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index ffa6b4e24..b0a2cb98b 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md @@ -4,7 +4,7 @@ mapped_pages: - https://www.elastic.co/guide/en/security/current/release-notes.html - https://www.elastic.co/guide/en/security/current/whats-new.html --- -# {{elastic-sec}} release notes [elastic-security-X.X.X-release-notes] +# {{elastic-sec}} release notes Review the changes, fixes, and more in each version of {{elastic-sec}}. @@ -12,14 +12,22 @@ To check for security updates, go to [Security announcements for the Elastic sta % Release notes include only features, enhancements, and fixes. Add breaking changes, deprecations, and known issues to the applicable release notes sections. -% ## version.next [elastic-security-next-release-notes] +% ## version.next [elastic-security-X.X.X-notes] -% ### Features and enhancements [elastic-security-next-features-enhancements] +% ### Features and enhancements [elastic-security-X.X.X-features-enhancements] % * -% ### Fixes [elastic-security-next-fixes] +% ### Fixes [elastic-security-X.X.X-fixes] % * +## 9.0.1 [elastic-security-9.0.1-release-notes] + +### Features and enhancements [elastic-security-9.0.1-features-enhancements] +There are no new features or enhancements. + +### Fixes [elastic-security-9.0.1-fixes] +* Removes the technical preview badge from alert suppression fields for event correlation rules. + ## 9.0.0 [elastic-security-900-release-notes] ::::{NOTE} 
diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 96dca6490..1370f15b0 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md @@ -28,11 +28,3 @@ On April 10, 2025, it was discovered that when you install a new {{elastic-defen To resolve this issue, before you add an {{elastic-defend}} integration to a policy in {{fleet}}, apply any pending prebuilt rule updates. This will prevent rule actions, exceptions, and customizations from being overwritten. ::: - -:::{dropdown} The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules - -**{{stack}} versions: 9.0.0** - -On April 8, 2025, it was discovered that alert suppression for event correlation rules is incorrectly shown as being in technical preview when you create a new rule. For more information, check [#1021](https://github.com/elastic/docs-content/issues/1021). - -::: From 0a942c765b8fcfaff8e64765ffc26e2fb0a1be98 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 29 Apr 2025 13:24:39 -0400 Subject: [PATCH 2/9] Removes another fixed bug --- release-notes/elastic-security/index.md | 3 ++- release-notes/elastic-security/known-issues.md | 12 +----------- 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index b0a2cb98b..e546cc076 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -26,7 +26,8 @@ To check for security updates, go to [Security announcements for the Elastic sta There are no new features or enhancements. ### Fixes [elastic-security-9.0.1-fixes] -* Removes the technical preview badge from alert suppression fields for event correlation rules. +* Removes the technical preview badge from alert suppression fields for event correlation rules +* Fixes a bug that caused installed prebuilt detection rules to upgrade to their latest available versions and lose their rule actions, exceptions, and customizations when you installed a new {{elastic-defend}} integration or {{agent}} policy ({{kib-pull}}217959) ## 9.0.0 [elastic-security-900-release-notes] diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 1370f15b0..dc19f3921 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md @@ -17,14 +17,4 @@ Known issues are significant defects or limitations that may impact your impleme ::: -:::{dropdown} Installing an {{elastic-defend}} integration or a new agent policy upgrades installed prebuilt rules, reverting user customizations and overwriting user-added actions and exceptions - -**{{stack}} versions: 9.0.0** - -On April 10, 2025, it was discovered that when you install a new {{elastic-defend}} integration or agent policy, the installed prebuilt detection rules upgrade to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions, exceptions, and customizations. - -**Workaround** - -To resolve this issue, before you add an {{elastic-defend}} integration to a policy in {{fleet}}, apply any pending prebuilt rule updates. This will prevent rule actions, exceptions, and customizations from being overwritten. - -::: +There are no known issues. From fbd5f0c6425139a87465922d1a2c859b88f979a5 Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon Date: Tue, 29 Apr 2025 15:55:51 -0400 Subject: [PATCH 3/9] Fix --- release-notes/elastic-security/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index e546cc076..6d9221ee7 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md @@ -27,7 +27,7 @@ There are no new features or enhancements. ### Fixes [elastic-security-9.0.1-fixes] * Removes the technical preview badge from alert suppression fields for event correlation rules -* Fixes a bug that caused installed prebuilt detection rules to upgrade to their latest available versions and lose their rule actions, exceptions, and customizations when you installed a new {{elastic-defend}} integration or {{agent}} policy ({{kib-pull}}217959) +* Fixes a bug that caused installed prebuilt detection rules to upgrade to their latest available versions when you installed a new {{elastic-defend}} integration or {{agent}} policy [#217959]({{kib-pull}}217959) ## 9.0.0 [elastic-security-900-release-notes] From 27fc872b5982f9df5bedf5d2689e9760a8b39e49 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Wed, 30 Apr 2025 15:49:02 -0400 Subject: [PATCH 4/9] Adds 218697 --- release-notes/elastic-security/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 6d9221ee7..617e6094c 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -28,6 +28,7 @@ There are no new features or enhancements. ### Fixes [elastic-security-9.0.1-fixes] * Removes the technical preview badge from alert suppression fields for event correlation rules * Fixes a bug that caused installed prebuilt detection rules to upgrade to their latest available versions when you installed a new {{elastic-defend}} integration or {{agent}} policy [#217959]({{kib-pull}}217959) +* Fixes a bug that prevented you form scrolling in modals ({kibana-pull}218697[#218697]). ## 9.0.0 [elastic-security-900-release-notes] From cc75d93f3745fef8ff1ff89ec800abb074c42a57 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Thu, 1 May 2025 12:58:23 -0400 Subject: [PATCH 5/9] Adds 216667 --- release-notes/elastic-security/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 617e6094c..f5dfd3871 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md @@ -28,6 +28,7 @@ There are no new features or enhancements. ### Fixes [elastic-security-9.0.1-fixes] * Removes the technical preview badge from alert suppression fields for event correlation rules * Fixes a bug that caused installed prebuilt detection rules to upgrade to their latest available versions when you installed a new {{elastic-defend}} integration or {{agent}} policy [#217959]({{kib-pull}}217959) +* Prevents {{esql}} rules from timing out if the rule query takes longer than five minutes to complete [#216667]({{kib-pull}}216667) * Fixes a bug that prevented you form scrolling in modals ({kibana-pull}218697[#218697]). ## 9.0.0 [elastic-security-900-release-notes] From f6a1f20cfdce7236b77cfe3580e9a182a5429391 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 2 May 2025 13:38:37 -0400 Subject: [PATCH 6/9] Re-adds known issues --- .../elastic-security/known-issues.md | 76 +++++++++++++++++-- 1 file changed, 71 insertions(+), 5 deletions(-) 
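Review bot: in PATCH 1/9, index.md hunk `@@ -12,14 +12,22 @@`, the template anchors lose the `-release-notes` suffix that the real sections keep: `% ## version.next [elastic-security-X.X.X-notes]` now sits above `## 9.0.1 [elastic-security-9.0.1-release-notes]` and `## 9.0.0 [elastic-security-900-release-notes]`, so the next release cut from the template gets a differently shaped anchor. Suggest `[elastic-security-X.X.X-release-notes]`. The same hunk also mixes two version spellings in anchors (`9.0.1` versus `900`); cross-links are written against these ids, so the new 9.0.1 section should follow whichever scheme the other release-note pages use. Finally, `* Removes the technical preview badge from alert suppression fields for event correlation rules.` is the only fix entry in the series with no issue or PR reference; the known issue it closes cites docs-content #1021, so link that or the Kibana pull.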
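Review bot: in PATCH 2/9, known-issues.md hunk `@@ -17,14 +17,4 @@`, replacing the prebuilt-rules dropdown with `+There are no known issues.` (and, in PATCH 1/9, deleting the technical-preview-badge dropdown outright) removes the record for anyone still running 9.0.0, where both issues still apply. A fix landing in 9.0.1 does not make a known-issue entry obsolete; keep it with the affected version and the version that resolves it. PATCH 6/9 later re-adds both entries in exactly that form, so the intermediate deletion only churns the file; squashing 2/9 into 6/9 would give a cleaner history and avoid a revision of the page that wrongly states there are no known issues.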
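Review bot: in PATCH 3/9, the rewritten fix entry drops the user-visible impact that PATCH 2/9 carried: `-* Fixes a bug that caused installed prebuilt detection rules to upgrade to their latest available versions and lose their rule actions, exceptions, and customizations ...` becomes a line that only says the rules upgraded. The loss of actions, exceptions and customizations is what an operator who hit this will search the release notes for, and it is why the known issue needed a workaround at all. Suggest keeping the clause, for example `..., which caused those rules to lose their rule actions, exceptions, and customizations [#217959]({{kib-pull}}217959)`.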
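Review bot: in PATCH 4/9, `+* Fixes a bug that prevented you form scrolling in modals ({kibana-pull}218697[#218697]).` has two problems: `form` should be `from`, and the link uses AsciiDoc attribute syntax (`{kibana-pull}...[...]`) in a Markdown file. PATCH 7/9 converts the link to `[#218697]({{kib-pull}}218697)` but leaves `form` in place, so the typo ships with the series; fix both here. The trailing period also differs from the neighbouring entries, which end without one.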
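Review bot: in PATCH 5/9, `+* Prevents {{esql}} rules from timing out if the rule query takes longer than five minutes to complete` does not say what happens instead: whether such a query is now allowed to run to completion, whether the limit was raised, or whether the rule now fails in a different way. Someone tuning rule schedules needs to know which, because a query that outlives its five-minute budget interacts with how often the rule is scheduled to run. State the new behaviour in one clause and keep the PR link.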
diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index dc19f3921..a40377074 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md @@ -8,13 +8,79 @@ Known issues are significant defects or limitations that may impact your impleme % Use the following template to add entries to this page. % :::{dropdown} Title of known issue -% **Applicable versions for the known issue and the version for when the known issue was fixed** -% On [Month Day, Year], a known issue was discovered that [description of known issue]. +% Applies to: Applicable versions for the known issue +% Description of the known issue. % For more information, check [Issue #](Issue link). +% **Impact**
Impact of the known issue. +% **Workaround**
Steps for a workaround until the known issue is fixed. -% **Workaround** -% Workaround description. +% ::: + +:::{dropdown} Installing an {{elastic-defend}} integration or a new agent policy upgrades installed prebuilt rules, reverting user customizations and overwriting user-added actions and exceptions + +Applies to: {{stack}} 9.0.0 + +On April 10, 2025, it was discovered that when you install a new {{elastic-defend}} integration or agent policy, the installed prebuilt detection rules upgrade to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions, exceptions, and customizations. + +**Workaround** + +To resolve this issue, before you add an {{elastic-defend}} integration to a policy in {{fleet}}, apply any pending prebuilt rule updates. This will prevent rule actions, exceptions, and customizations from being overwritten. + +**Resolved**
+ +{{stack}} 9.0.1 + +::: + +:::{dropdown} The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules + +Applies to: {{stack}} 9.0.0 + +On April 8, 2025, it was discovered that alert suppression for event correlation rules is incorrectly shown as being in technical preview when you create a new rule. For more information, check [#1021](https://github.com/elastic/docs-content/issues/1021). + +**Resolved**
+ +{{stack}} 9.0.1 ::: -There are no known issues. + +:::{dropdown} Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck + +Applies to: {{elastic-defend}} 9.0.0 + +An `IRQL_NOT_LESS_EQUAL` [bugcheck](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-) in the {{elastic-defend}} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls [`FwpmTransactionBegin0`](https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0) to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {{elastic-defend}} driver from properly initializing in a timely manner. Subsequent system activity can invoke {{elastic-defend}}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {{elastic-defend}} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +**Workaround**
+ +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +**Resolved**
+ +{{elastic-defend}} 9.0.1 + +::: + + +:::{dropdown} Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems + +Applies to: {{elastic-defend}} 9.0.0 + +An unbounded kernel non-paged memory growth issue in {{elastic-defend}}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unreponsive until the triggering event load (for example, network activity) subsided. We are only aware of this issue occurring on very busy Windows Server systems running {{elastic-defend}} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0 + +**Workaround**
+ +If you can't upgrade, turn off the relevant event source at the kernel level using your {{elastic-defend}} [advanced policy settings (optional)](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#adv-policy-settings): + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + +::::{note} +Clearing the corresponding checkbox under <> is insufficient, as {{elastic-defend}} may still process these event sources internally to support other features. +:::: + +**Resolved**
+ +{{elastic-defend}} 8.17.6, 8.18.1, 9.0.1 + +::: From 8ec5401d853edbc23cde07ed0fc1edb024b89c8d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 2 May 2025 15:02:30 -0400 Subject: [PATCH 7/9] Fixes syntax --- release-notes/elastic-security/index.md | 2 +- release-notes/elastic-security/known-issues.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index f5dfd3871..256adb772 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md @@ -29,7 +29,7 @@ There are no new features or enhancements. * Removes the technical preview badge from alert suppression fields for event correlation rules * Fixes a bug that caused installed prebuilt detection rules to upgrade to their latest available versions when you installed a new {{elastic-defend}} integration or {{agent}} policy [#217959]({{kib-pull}}217959) * Prevents {{esql}} rules from timing out if the rule query takes longer than five minutes to complete [#216667]({{kib-pull}}216667) -* Fixes a bug that prevented you form scrolling in modals ({kibana-pull}218697[#218697]). +* Fixes a bug that prevented you form scrolling in modals [#218697]({{kib-pull}}218697) ## 9.0.0 [elastic-security-900-release-notes] diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index a40377074..53218eb12 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md 
@@ -76,7 +76,7 @@ If you can't upgrade, turn off the relevant event source at the kernel level usi * Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. ::::{note} -Clearing the corresponding checkbox under <> is insufficient, as {{elastic-defend}} may still process these event sources internally to support other features. +Clearing the corresponding checkbox under [event collection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#event-collection) is insufficient, as {{elastic-defend}} may still process these event sources internally to support other features. :::: **Resolved**
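Review bot: in PATCH 6/9, known-issues.md hunk `@@ -8,13 +8,79 @@`, the `Applies to:` lines do not match the bodies beneath them. The Trellix entry says `+Applies to: {{elastic-defend}} 9.0.0` and the memory-growth entry says the same, while both bodies state the issue affects `8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0`; an operator on 8.17 who scans the `Applies to` line will conclude they are unaffected. List the full affected set there, and for the Trellix entry give the 8.x releases that carry the fix alongside `{{elastic-defend}} 9.0.1` (the memory-growth entry already lists `8.17.6, 8.18.1, 9.0.1`). On the Trellix workaround, the exclusion target is `C:\Windows\System32\svchost.exe`, which is the image for every svchost-hosted service, not only the Base Filtering Engine; an Access Protection exclusion keyed on that path, or disabling Access Protection altogether, removes that control from all of those services, so the entry should say plainly that both options reduce protection and that upgrading is the fix. Smaller items in the same hunk: the new template adds `% **Impact**` but none of the four entries has an Impact section; the title `Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver` has `kernal` (PATCH 9/9 fixes the body typos but not this one); the sentence ending `8.18.0, and 9.0.0` is missing its period; and `under <>` is a broken xref, which PATCH 7/9 repairs.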
From ce0bc789327a134754edc4030268cca5bed9a8db Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 2 May 2025 16:34:08 -0400 Subject: [PATCH 8/9] Syntax fixes --- release-notes/elastic-security/known-issues.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 53218eb12..fcbe75482 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md @@ -28,7 +28,7 @@ To resolve this issue, before you add an {{elastic-defend}} integration to a pol **Resolved**
-{{stack}} 9.0.1 +Resolved in {{stack}} 9.0.1 ::: @@ -40,7 +40,7 @@ On April 8, 2025, it was discovered that alert suppression for event correlation **Resolved**
-{{stack}} 9.0.1 +Resolved in {{stack}} 9.0.1 ::: @@ -53,11 +53,11 @@ An `IRQL_NOT_LESS_EQUAL` [bugcheck](https://learn.microsoft.com/en-us/windows-ha **Workaround**
-If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). +If you can't upgrade, either disable Trellix Access Protection or add a [Trellix Access Protection exclusion](https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html) for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). **Resolved**
-{{elastic-defend}} 9.0.1 +Resolved in {{elastic-defend}} 9.0.1 ::: @@ -70,17 +70,15 @@ An unbounded kernel non-paged memory growth issue in {{elastic-defend}}'s kernel **Workaround**
-If you can't upgrade, turn off the relevant event source at the kernel level using your {{elastic-defend}} [advanced policy settings (optional)](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#adv-policy-settings): +If you can't upgrade, turn off the relevant event source at the kernel level using your {{elastic-defend}} [advanced policy settings (optional)](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#adv-policy-settings): * Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. * Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. -::::{note} -Clearing the corresponding checkbox under [event collection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#event-collection) is insufficient, as {{elastic-defend}} may still process these event sources internally to support other features. -:::: +Note that clearing the corresponding checkbox under [event collection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#event-collection) is insufficient, as {{elastic-defend}} may still process these event sources internally to support other features. **Resolved**
-{{elastic-defend}} 8.17.6, 8.18.1, 9.0.1 +Resolved in {{elastic-defend}} 9.0.1 ::: From 21932e6bcbdba8df7ce60e12f90a597c2e19c8f1 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 2 May 2025 16:50:02 -0400 Subject: [PATCH 9/9] Update release-notes/elastic-security/known-issues.md Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- release-notes/elastic-security/known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index fcbe75482..910c3ac34 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md @@ -66,7 +66,7 @@ Resolved in {{elastic-defend}} 9.0.1 Applies to: {{elastic-defend}} 9.0.0 -An unbounded kernel non-paged memory growth issue in {{elastic-defend}}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unreponsive until the triggering event load (for example, network activity) subsided. We are only aware of this issue occurring on very busy Windows Server systems running {{elastic-defend}} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0 +An unbounded kernel non-paged memory growth issue in {{elastic-defend}}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {{elastic-defend}} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0 **Workaround**
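Review bot: in PATCH 8/9, hunk `@@ -70,17 +70,15 @@`, `-{{elastic-defend}} 8.17.6, 8.18.1, 9.0.1` becomes `+Resolved in {{elastic-defend}} 9.0.1`, which drops the 8.x fix releases. The body of the same entry still says the issue affects 8.16.0-8.16.6, 8.17.0-8.17.5 and 8.18.0, so a reader on 8.18 is now told only that 9.0.1 fixes it, which reads as if a major upgrade were required. Unless 8.17.6 and 8.18.1 were wrong, restore them: `Resolved in {{elastic-defend}} 8.17.6, 8.18.1, and 9.0.1`. The workaround in this hunk also deserves one more sentence: setting `windows.advanced.kernel.network` or `windows.advanced.kernel.registry` to `false` stops that event source at the kernel, so nothing downstream (including the features the note says still consume those events internally) sees network or registry activity from that host until the setting is reverted. Say that it is a coverage trade-off and remind the reader to turn the source back on after upgrading.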
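Review bot: in PATCH 8/9, hunks `@@ -28,7 +28,7 @@` and `@@ -40,7 +40,7 @@`, `+Resolved in {{stack}} 9.0.1` sits directly under a `**Resolved**` heading, so the rendered entry reads `Resolved` followed by `Resolved in {{stack}} 9.0.1`. Either drop the heading and keep the sentence, or keep the heading with the bare version as before; whichever form is chosen, add it to the template comment at the top of the file so later entries match.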