elastic · natasha-moore-elastic · Oct 6, 2025 · Oct 2, 2025 · Oct 3, 2025 · Oct 3, 2025
@@ -27,6 +27,30 @@ To check for security updates, go to [Security announcements for the Elastic sta
 
 % *
 
+## 9.1.5 [elastic-security-9.1.5-release-notes]
+
+### Features and enhancements [elastic-security-9.1.5-features-enhancements]
+* Adds `customized_fields` and `has_base_version` fields to the internal rule schema [#235394]({{kib-pull}}235394).
+* Adds an {{elastic-defend}} option to remediate orphaned state by attempting to start Elastic Agent service.
+* Increases the throughput of {{elastic-defend}} Logstash connections by increasing the maximum size it can upload at once.
+* Improves reliability and accuracy of reporting of the {{elastic-defend}}'s {{es}} connection.
+
+### Fixes [elastic-security-9.1.5-fixes]
+* Fixes browser fields caching to use the `dataView` ID instead of the index pattern [#234381]({{kib-pull}}234381).
+* Removes `null` in confirmation dialog when bulk editing index patterns for rules [#236572]({{kib-pull}}236572).
+* Fixes the URL passed to detection rule actions via the `{{context.results_link}}` placeholder [#236067]({{kib-pull}}236067).
+* Fixes system prompt updates from the Conversations tab in AI Assistant [#234812]({{kib-pull}}234812).
+* Fixes an issue in the Highlighted fields table in the alert details flyout [#234222]({{kib-pull}}234222).
+* Fixes an issue in rule exceptions to include the `matches` operator only for supported fields [#233127]({{kib-pull}}233127).
+* Adds support in {{elastic-defend}} for installing eBPF event probes on Linux endpoints when cgroup2 is mounted in a non-standard location or not mounted at all.
+* Adds support in {{elastic-defend}} for installing eBPF probes on Linux endpoints when taskstats is compiled out of the kernel.
+* Fixes an issue in {{elastic-defend}} where Linux network events could have source and destination bytes swapped.
+* Removes `.process.thread.capabilities.permitted` and `.process.thread.capabilities.effective` from Linux network events in {{elastic-defend}}.
+* Fixes an issue in {{elastic-defend}} where host isolation could auto-release incorrectly. Host isolation now only releases when {{elastic-endpoint}} becomes orphaned. Intermittent {{elastic-agent}} connectivity changes no longer alter the host isolation state.
+* Fixes an issue where {{elastic-defend}} would incorrectly calculate throughput capacity when sending documents to output.  This may have limited event throughput on extremely busy endpoints.
+* Fixes an issue in {{elastic-defend}} installation logging where only the first character of install paths (usually 'C') would be logged.
+
+
 ## 9.1.4 [elastic-security-9.1.4-release-notes]
 
 ### Features and enhancements [elastic-security-9.1.4-features-enhancements]

@@ -17,7 +17,7 @@ Known issues are significant defects or limitations that may impact your impleme
 % :::
 
 
-:::{dropdown} Filters may not apply correctly on the Alerts page
+::::{dropdown} Filters may not apply correctly on the Alerts page
 Applies to: 9.1.0, 9.1.1, 9.1.2, and 9.1.3 
 
 **Impact**
@@ -36,7 +36,11 @@ You can turn off the {{kib}} `courier:ignoreFilterIfFieldNotInIndex` [advanced s
 Ensure you give any users who will need access to the new space the appropriate permissions. 
 :::
 
-:::
+**Resolved**<br>
+
+Resolved in {{stack}} 9.1.4
+
+::::
 
 :::{dropdown} The {{elastic-agent}} Docker image is not available at `docker.elastic.co/beats/elastic-agent:9.0.0`