elastic · nastasha-solomon · Apr 29, 2025 · Apr 29, 2025 · Apr 29, 2025 · Apr 29, 2025
diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md
@@ -4,22 +4,33 @@ mapped_pages:
   - https://www.elastic.co/guide/en/security/current/release-notes.html
   - https://www.elastic.co/guide/en/security/current/whats-new.html
 ---
-# {{elastic-sec}} release notes [elastic-security-X.X.X-release-notes]
+# {{elastic-sec}} release notes 
 
 Review the changes, fixes, and more in each version of {{elastic-sec}}.
 
 To check for security updates, go to [Security announcements for the Elastic stack](https://discuss.elastic.co/c/announcements/security-announcements/31).
 
 % Release notes include only features, enhancements, and fixes. Add breaking changes, deprecations, and known issues to the applicable release notes sections.
 
-% ## version.next [elastic-security-next-release-notes]
+% ## version.next [elastic-security-X.X.X-notes]
 
-% ### Features and enhancements [elastic-security-next-features-enhancements]
+% ### Features and enhancements [elastic-security-X.X.X-features-enhancements]
 % *
 
-% ### Fixes [elastic-security-next-fixes]
+% ### Fixes [elastic-security-X.X.X-fixes]
 % *
 
+## 9.0.1 [elastic-security-9.0.1-release-notes]
+
+### Features and enhancements [elastic-security-9.0.1-features-enhancements]
+There are no new features or enhancements.
+
+### Fixes [elastic-security-9.0.1-fixes]
+* Removes the technical preview badge from alert suppression fields for event correlation rules 
+* Fixes a bug that caused installed prebuilt detection rules to upgrade to their latest available versions when you installed a new {{elastic-defend}} integration or {{agent}} policy [#217959]({{kib-pull}}217959)
+* Prevents {{esql}} rules from timing out if the rule query takes longer than five minutes to complete [#216667]({{kib-pull}}216667)
+* Fixes a bug that prevented you form scrolling in modals [#218697]({{kib-pull}}218697)
+
 ## 9.0.0 [elastic-security-900-release-notes]
 
 ::::{NOTE}

diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md
@@ -8,31 +8,77 @@ Known issues are significant defects or limitations that may impact your impleme
 % Use the following template to add entries to this page.
 
 % :::{dropdown} Title of known issue
-% **Applicable versions for the known issue and the version for when the known issue was fixed**
-% On [Month Day, Year], a known issue was discovered that [description of known issue].
+% Applies to: Applicable versions for the known issue 
+% Description of the known issue.
 % For more information, check [Issue #](Issue link).
+% **Impact**<br> Impact of the known issue.
+% **Workaround**<br> Steps for a workaround until the known issue is fixed.
 
-% **Workaround**
-% Workaround description.
-
-:::
+% :::
 
 :::{dropdown} Installing an {{elastic-defend}} integration or a new agent policy upgrades installed prebuilt rules, reverting user customizations and overwriting user-added actions and exceptions
 
-**{{stack}} versions: 9.0.0**
+Applies to: {{stack}} 9.0.0
 
 On April 10, 2025, it was discovered that when you install a new {{elastic-defend}} integration or agent policy, the installed prebuilt detection rules upgrade to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions, exceptions, and customizations.  
 
 **Workaround**
 
 To resolve this issue, before you add an {{elastic-defend}} integration to a policy in {{fleet}}, apply any pending prebuilt rule updates. This will prevent rule actions, exceptions, and customizations from being overwritten.
 
+**Resolved**<br> 
+
+Resolved in {{stack}} 9.0.1
+
 :::
 
 :::{dropdown} The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules
 
-**{{stack}} versions: 9.0.0**
+Applies to: {{stack}} 9.0.0
 
 On April 8, 2025, it was discovered that alert suppression for event correlation rules is incorrectly shown as being in technical preview when you create a new rule. For more information, check [#1021](https://github.com/elastic/docs-content/issues/1021).
 
+**Resolved**<br> 
+
+Resolved in {{stack}} 9.0.1
+
+:::
+
+
+:::{dropdown} Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck
+
+Applies to: {{elastic-defend}} 9.0.0
+
+An `IRQL_NOT_LESS_EQUAL` [bugcheck](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-) in the {{elastic-defend}} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls [`FwpmTransactionBegin0`](https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0) to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {{elastic-defend}} driver from properly initializing in a timely manner. Subsequent system activity can invoke {{elastic-defend}}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {{elastic-defend}} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
+
+**Workaround**<br> 
+
+If you can't upgrade, either disable Trellix Access Protection or add a [Trellix Access Protection exclusion](https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html) for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). 
+
+**Resolved**<br> 
+
+Resolved in {{elastic-defend}} 9.0.1
+
+:::
+
+
+:::{dropdown} Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems
+
+Applies to: {{elastic-defend}} 9.0.0
+
+An unbounded kernel non-paged memory growth issue in {{elastic-defend}}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {{elastic-defend}} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0
+
+**Workaround**<br> 
+
+If you can't upgrade, turn off the relevant event source at the kernel level using your {{elastic-defend}} [advanced policy settings (optional)](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#adv-policy-settings):
+
+* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`.
+* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`.
+
+Note that clearing the corresponding checkbox under [event collection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#event-collection) is insufficient, as {{elastic-defend}} may still process these event sources internally to support other features.
+
+**Resolved**<br> 
+
+Resolved in {{elastic-defend}} 9.0.1
+
 :::