elastic · natasha-moore-elastic · Jul 16, 2025 · Jul 17, 2025 · Jul 17, 2025 · Jul 18, 2025
@@ -16,6 +16,13 @@ Review the deprecated functionality for {{elastic-sec}}. While deprecations have
 % **Action**<br> Steps for mitigating deprecation impact.
 % ::::
 
+## 9.1.0 [elastic-security-9.1.0-deprecations]
+
+::::{dropdown} Removes default quick prompts
+Removes default quick prompts from the Security AI Assistant.
+For more information, refer to [#225536]({{kib-pull}}225536).
+::::
+
 ## 9.0.0 [elastic-security-900-deprecations]
 
 ::::{dropdown} Removes Defend for Containers (D4C)

@@ -27,6 +27,105 @@ To check for security updates, go to [Security announcements for the Elastic sta
 
 % *
 
+## 9.1.0 [elastic-security-9.1.0-release-notes]
+
+### Features and enhancements [elastic-security-9.1.0-features-enhancements]
+
+* Adds an option to update the `kibana.alert.workflow_status` field for alerts associated with attack discoveries [#225029]({{kib-pull}}225029).
+* The rule execution gaps functionality is now generally available [#224657]({{kib-pull}}224657).
+* Adds the Security Entity Analytics privileged user monitoring feature [#224638]({{kib-pull}}224638).
+* Adds the ability to bulk fill gaps [#224585]({{kib-pull}}224585).
+* Automatic migration is now generally available [#224544]({{kib-pull}}224544).
+* Adds a name field to the automatic migration UI [#223860]({{kib-pull}}223860).
+* Adds the ability to bulk set up and delete alert suppression [#223090]({{kib-pull}}223090).
+* Adds a human-readable incremental ID to cases, making referencing cases easier [#222874]({{kib-pull}}222874).
+* Adds the ability to change rule migration execution settings when re-processing a migration [#222542]({{kib-pull}}222542).
+* Adds `runscript` response action support for Microsoft Defender for Endpoint–enrolled hosts [#222377]({{kib-pull}}222377).
+* Updates automatic migration API schema [#219597]({{kib-pull}}219597).
+* Adds `siemV3` role migration to support the new Security **Global Artifact Management** privilege [#219566]({{kib-pull}}219566).
+* Adds automatic saving of attack discoveries, with search and filter capabilities [#218906]({{kib-pull}}218906).
+* Adds the ability to edit highlighted fields in the alert details flyout [#216740]({{kib-pull}}216740).
+* Adds API endpoints for the Entity Analytics privileged user monitoring feature [#215663]({{kib-pull}}215663).
+* Adds the onboarding flow for the Asset Inventory feature [#212315]({{kib-pull}}212315).
+* Adds the XSOAR connector [#212049]({{kib-pull}}212049).
+* Adds a custom script selector for choosing scripts to execute when using the `runscript` response action [#204965]({{kib-pull}}204965).
+* Updates {{elastic-sec}} Labs Knowledge Base content [#227125]({{kib-pull}}227125).
+* Displays which fields are customized for prebuilt rules [#225939]({{kib-pull}}225939).
+* Bumps default Gemini model [#225917]({{kib-pull}}225917).
+* Groups vulnerabilities by resource and cloud account using IDs instead of names [#225492]({{kib-pull}}225492).
+* Adds prompt tiles to the Security AI Assistant [#224981]({{kib-pull}}224981).
+* Adds support for collapsible sections in integrations READMEs [#223916]({{kib-pull}}223916).
+* Adds advanced policy settings in {{elastic-defend}} to enable collection of file origin information for File, Process, and DLL (ImageLoad) events [#223882]({{kib-pull}}223882), [#222030]({{kib-pull}}222030).
+* Adds the `ecs@mappings` component to the transform destination index template [#223878]({{kib-pull}}223878).
+* Adds the ability to revert prebuilt rules to their base version [#223301]({{kib-pull}}223301).
+* Adds an {{elastic-defend}} advanced policy setting that allows you to enable or disable the Microsoft-Windows-Security-Auditing ETW provider for security events collection [#222197]({{kib-pull}}222197).
+* Updates the risk severity color map to match the new design [#222061]({{kib-pull}}222061).
+* Updates the asset criticality status color map to match the new design [#222024]({{kib-pull}}222024).
+* Updates the highlighted fields button styling in the alert details flyout [#221862]({{kib-pull}}221862).
+* Adds support for content connectors in {{elastic-sec}} and {{observability}} [#221856]({{kib-pull}}221856).
+* Expands CVE ID search to all search parameters, not just names [#221099]({{kib-pull}}221099).
+* Improves alert searching and filtering by including additional ECS data stream fields [#220447]({{kib-pull}}220447).
+* Updates default model IDs for Amazon Bedrock and OpenAI connectors [#220146]({{kib-pull}}220146).
+* Adds support for PKI (certificate-based) authentication for the OpenAI **Other** connector providers[#219984]({{kib-pull}}219984).
+* Adds pinning and settings to the **Table** tab in the alert and event details flyouts [#218686]({{kib-pull}}218686).
+* Updates the data view selector in the event analyzer [#218183]({{kib-pull}}218183).
+* Updates the data view selector in the global header [#216685]({{kib-pull}}216685).
+* Updates UI handling for multiple CVEs and package fields [#216411]({{kib-pull}}216411).
+* Adds the Security AI prompts integration [#216106]({{kib-pull}}216106).
+* Adds support for grouping multi-value fields in Cloud Security [#215913]({{kib-pull}}215913).
+* Limits unassigned notes to a maximum of 100 per document instead of globally [#214922]({{kib-pull}}214922).
+* Updates the Detection rule monitoring dashboard to include rule gaps histogram [#214694]({{kib-pull}}214694).
+* Adds support for multiple CVEs and improves vulnerability data grid, flyout, and contextual flyout UI [#213039]({{kib-pull}}213039).
+* Adds support for the `MV_EXPAND` command for the {{esql}} rule type [#212675]({{kib-pull}}212675).
+* Updates the data view selector in Timelines [#210585]({{kib-pull}}210585).
+* Adds `unassigned` as an asset criticality level for bulk uploads [#208884]({{kib-pull}}208884).
+* Enables `isolate` and `release` response actions from the event details flyout [#206857]({{kib-pull}}206857).
+* Standardizes action triggers in alerts KPI visualizations [#206340]({{kib-pull}}206340).
+* Introduces space-awareness capabilities for {{elastic-defend}} and other {{elastic-sec}}-specific {{fleet}} features.
+* Adds {{elastic-defend}} process event monitoring for `ptrace` and `memfd` activity on Linux (kernel 5.10+) using eBPF.
+* Adds support for DNS events on macOS. Events can be controlled from the {{elastic-defend}} policy using the **DNS events** checkbox.
+* Adds TCC (Transparency Consent and Control) events to {{elastic-defend}} on macOS. Events are generated every time the TCC database is altered.
+* Adds `parent.command_line` to {{elastic-defend}} process events on macOS to keep in line with Linux and Windows.
+* Reduces {{elastic-defend}} CPU usage for ETW events, API events, and behavioral protections. In some cases, this may be a significant reduction.
+* {{elastic-defend}}: Changes the security events source from the Event Log provider to Event Tracing for Windows (Microsoft-Windows-Security Auditing) provider and enriches the events with additional data.
+* Adds {{elastic-defend}} support for Elliptic Curve certificates and TLS output settings, including `supported_protocols`, `cipher_suites`, and `curve_types`.
+* Reduces {{elastic-defend}} CPU and memory usage for behavioral protections.
+* Reduces {{elastic-defend}} CPU when processing events from the System process, such as IIS network events.
+* Improves {{elastic-defend}} logging of fatal exceptions.
+* Improves {{elastic-defend}} call site analysis logic.
+
+### Fixes [elastic-security-9.1.0-fixes]
+
+* Fixes a bug where data wasn't fetched by the vulnerability expandable flyout in preview mode [#227262]({{kib-pull}}227262).
+* Fixes a bug where Timelines and investigations did not consistently use the default Security data view [#226314]({{kib-pull}}226314).
+* Fixes a bug where opening an alert deeplink didn't correctly load filters on the **Alerts** page [#225650]({{kib-pull}}225650).
+* Updates entity links to open in a flyout instead of leaving the current page [#225381]({{kib-pull}}225381).
+* Adds a title to the rule gap histogram in the Detection rule monitoring dashboard [#225274]({{kib-pull}}225274).
+* Fixes URL query handling for the asset inventory flyout [#225199]({{kib-pull}}225199).
+* Fixes a bug where pressing Escape with an alert details flyout open from a Timeline closed the Timeline instead of the flyout [#224352]({{kib-pull}}224352).
+* Fixes a bug where comma-separated `process.args` values didn't wrap properly in the alert details flyout's **Overview** tab [#223544]({{kib-pull}}223544).
+* Fixes wrapping for threat indicator match event renderer [#223164]({{kib-pull}}223164).
+* Fixes a z-index issue in the {{esql}} query editor within Timeline [#222841]({{kib-pull}}222841).
+* Fixes incorrect content displaying after tab switching in the integrations section on the **Get started** page [#222271]({{kib-pull}}222271).
+* Fixes the exception flyout to show the correct "Edit rule exception" title and button label when editing an exception item [#222248]({{kib-pull}}222248).
+* Retrieves active integrations from the installed integrations API [#218988]({{kib-pull}}218988).
+* Updates tooltips in the gap fills table [#218926]({{kib-pull}}218926).
+* Fixes AI Assistant prompt updates so UI changes reflect only successful updates [#217058]({{kib-pull}}217058).
+* Fixes error callout placement on the **Engine Status** tab of the **Entity Store** page [#216228]({{kib-pull}}216228).
+* Fixes alert severity ordering to display from highest severity to lowest [#215813]({{kib-pull}}215813).
+* Generalizes and consolidates custom {{fleet}} onboarding logic [#215561]({{kib-pull}}215561).
+* Fixes an alert grouping re-render issue that caused infinite rendering loops when selecting a group [#215086]({{kib-pull}}215086).
+* Fixes a bug in the alert details flyout's **Table** tab where fields displayed duplicate hover actions [#212316]({{kib-pull}}212316).
+* Refactors conversation pagination for the Security AI Assistant [#211831]({{kib-pull}}211831).
+* Fixes a bug where unmodified prebuilt rules installed before v8.18 didn't appear in the **Upgrade** table when the **Unmodified** filter was selected [#227859]({{kib-pull}}227859).
+* Improves UI copy for the "bulk update with conflicts" modal [#227803]({{kib-pull}}227803).
+* Fixes a bug in {{elastic-defend}} where the `fqdn` feature flag wasn't being persisted across system or endpoint restarts.
+* Fixes a crash in the {{elastic-defend}} scan response action and suppresses the end-user popup when running background malware scans.
+* Fixes an unbounded kernel non-paged memory growth issue in the {{elastic-defend}} kernel driver during extremely high event load situations on Windows. Systems affected by this issue would slow down or become unresponsive until the triggering event load (such as network activity) subsided [#88](https://github.com/elastic/endpoint/issues/88).
+* Fixes a memory growth bug in {{elastic-defend}} on Linux when both **Collect session data** and **Capture terminal output** are enabled.
+* Fixes a bug in {{elastic-defend}} where Linux network events would have source and destination byte counts swapped.
+* Fixes an issue where {{elastic-defend}} may incorrectly set the artifact channel in policy responses, and adds `manifest_type` to policy responses.
+
 ## 9.0.3 [elastic-security-9.0.3-release-notes]
 
 ### Features and enhancements [elastic-security-9.0.3-features-enhancements]