From 53933c166f3fabdd2dfd896880be024967aed16e Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 13 Oct 2025 11:32:04 +0100 Subject: [PATCH 1/9] Adds Endpoint RNs --- .../elastic-security/breaking-changes.md | 11 +++++ release-notes/elastic-security/index.md | 47 +++++++++++++++++++ 2 files changed, 58 insertions(+) diff --git a/release-notes/elastic-security/breaking-changes.md b/release-notes/elastic-security/breaking-changes.md index 80b6b2cc92..57ddc72ee8 100644 --- a/release-notes/elastic-security/breaking-changes.md +++ b/release-notes/elastic-security/breaking-changes.md @@ -15,6 +15,17 @@ Breaking changes can impact your Elastic applications, potentially disrupting no % **Action**
Steps for mitigating deprecation impact. % :::: +## 9.2.0 [elastic-security-900-breaking-changes] +::::{dropdown} Changes invalid category for Gatekeeper + +Changes `event.category` from `security` to `configuration` for Gatekeeper on macOS. + +**Impact**
Gatekeeper events on macOS are now labeled as `event.category == configuration`. + +**Action**
If you're deploying custom rules using `event.category == security` on macOS, change the query to `event.category == configuration`. + +:::: + ## 9.0.7 [elastic-security-900-breaking-changes] ::::{dropdown} Changes invalid category for Gatekeeper diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index c07fc1efdc..484a5d5478 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -27,6 +27,53 @@ To check for security updates, go to [Security announcements for the Elastic sta % * + +## 9.2.0 [elastic-security-9.2.0-release-notes] + +### Features and enhancements [elastic-security-9.2.0-features-enhancements] +* Adds an {{elastic-defend}} option to remediate orphaned state by attempting to start {{agent}} service. +* Updates the `endpoint-package` submodule. +* Adds more {{elastic-defend}} options to the {{ls}} output, allowing for finer control by the end user. +* Increases the throughput of {{elastic-defend}} {{ls}} connections by increasing the maximum size it can upload at once. +* Adds {{elastic-defend}} support for device control on macOS. +* Updates the device control schema. +* Adds architecture of PE file in malware alerts to {{elastic-defend}}. +* Adds the `Endpoint.state.orphaned` indicator to {{elastic-defend}} policy response. +* Adds {{elastic-defend}} support for cluster migration. +* Adds firewall anti-tamper plug-in to protect {{elastic-endpoint}} processes against network blocking via Windows Firewall. +* Includes `origin_url`, `origin_referrer_url`, and `Ext.windows.zone_identifier` fields by default to Windows image load and process events, if the information can be retrieved. +* Improves {{elastic-defend}} by integrating a new Event Tracing for Windows (ETW) provider (Microsoft-Windows-Ldap-Client) to create new event types that prebuilt endpoint rules can use to detect malicious LDAP activity. +* Adds more Linux diagnostic process `ptrace` events. +* Improves reporting reliability and accuracy of the {{elastic-defend}}'s {{es}} connection. +* Enriches {{elastic-defend}} macOS network connect events with `network.direction`. Possible values are `ingress` and `egress`. +* Improves {{elastic-defend}} malware scan queue efficiency by not blocking scan requests when an oplock for the file being scanned cannot be acquired. 
+* Adds an {{elastic-defend}} advanced policy setting `windows.advanced.events.security.event_disabled` that lets users disable security event collection per event ID. +* Shortens the time it takes {{elastic-defend}} to recover from a `DEGRADED` status caused by communication issues with {{agent}}. +* Improves the `verify` command to ensure {{elastic-endpoint}} service is running, otherwise {{agent}} has to fix it automatically. +* Adds {{elastic-defend}} support for Windows on ARM. +* Improves the reliability of {{elastic-defend}} Kafka connections. +* Adds {{elastic-defend}} support for diagnostic DNS events on Linux. + +### Fixes [elastic-security-9.2.0-fixes] +* Fixes an {{elastic-defend}} issue on Linux by preventing unnecessary locking within Malware Protections to avoid invalid watchdog firings. +* Fixes issues that could sometimes cause crashes of the {{elastic-defend}} user-mode process on very busy Windows systems. +* Addresses CVE-2025-##### in {{elastic-defend}} on Windows, which could allow a low-privilege attacker to delete arbitrary files on the system. On Windows versions before 25H2, this could result in local privilege escalation. +* Adds support in {{elastic-defend}} for installing eBPF event probes on Linux endpoints when cgroup2 is mounted in a non-standard location or not mounted at all. +* Adds support in {{elastic-defend}} for installing eBPF probes on Linux endpoints when taskstats is compiled out of the kernel. +* Fixes an issue in {{elastic-defend}} where Linux network events could have source and destination bytes swapped. +* Fixes a bug where Linux capabilities were included in {{elastic-endpoint}} network events despite being disabled. +* Fixes an issue where {{elastic-defend}} would incorrectly calculate throughput capacity when sending documents to output. This may have limited event throughput on extremely busy endpoints. +* Improves the reliability of local {{elastic-defend}} administrative shell commands. 
In rare cases, a command could fail to execute due to issues with interprocess communication. +* Fixes an issue in {{elastic-defend}} where host isolation could auto-release incorrectly. Host isolation now only releases when {{elastic-endpoint}} becomes orphaned. Intermittent {{elastic-agent}} connectivity changes no longer alter the host isolation state. +* Fixes a bug in {{elastic-defend}} where Linux endpoints would report `process.executable` as a relative, instead of absolute, path. +* Fixes an improper status in process remediation, when a cancelled process cannot be stopped because it's being debugged. +* Fixes an issue in {{elastic-defend}} installation logging where only the first character of install paths (usually 'C') was logged. +* Prevents {{elastic-endpoint}} from stopping system-critical processes or threads. +* Fixes an issue to improve reliability of health status reporting between {{elastic-endpoint}} and {{agent}}. +* Fixes a race condition in {{elastic-defend}} that occasionally resulted in corrupted process command lines on Windows. This could cause incorrect values for `process.command_line`, `process.args_count` and `process.args`, leading to false positives. +* Fixes an issue in {{elastic-defend}} that could result in a crash if a specified {{ls}} output configuration contained a certificate that couldn't be parsed. + + ## 9.1.5 [elastic-security-9.1.5-release-notes] ### Features and enhancements [elastic-security-9.1.5-features-enhancements] From 4ff5320440bd83c4bfb3e1eea553af3acee2ae6f Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 13 Oct 2025 15:14:26 +0100 Subject: [PATCH 2/9] Adds Security RNs --- release-notes/elastic-security/index.md | 54 ++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 484a5d5478..603d7245ad 100644 --- a/release-notes/elastic-security/index.md 
+++ b/release-notes/elastic-security/index.md 
@@ -31,6 +31,43 @@ To check for security updates, go to [Security announcements for the Elastic sta ## 9.2.0 [elastic-security-9.2.0-release-notes] ### Features and enhancements [elastic-security-9.2.0-features-enhancements] + +* Adds the Security Entity Analytics risk score reset feature [#237829]({{kib-pull}}237829). +* Introduces a Security risk scoring AI Assistant tool [#233647]({{kib-pull}}233647). +* Uses {{esql}} for calculating entity risk scores [#237871]({{kib-pull}}237871). +* Updates the entity source saved object schema to support integrations sync markers and index [#236457]({{kib-pull}}236457). +* Enables privileged user monitoring advanced setting by default [#237436]({{kib-pull}}237436). +* Enables discovering privileged users from the Entity Analytics Okta integration [#237129]({{kib-pull}}237129). +* Adds the data view picker to the **Privileged user monitoring** dashboard page [#233264]({{kib-pull}}233264). +* Implements minor UI changes on **Privileged user monitoring** dashboard page [#231921]({{kib-pull}}231921). +* Populates the `entity.attributes.Privileged` field in the entity store for users [#237038]({{kib-pull}}237038). +* Adds public APIs for attack discovery and attack discovery schedules [#236736]({{kib-pull}}236736). +* Introduces total execution time for automatic migrations [#236147]({{kib-pull}}236147). +* Adds the **Update missing index pattern** functionality to the automatic migrations **Translated rules** page [#233258]({{kib-pull}}233258). +* Introduces new API endpoints for dashboard automatic migration [#229112]({{kib-pull}}229112). +* Adds support for creating new cloud connectors and reusing cloud connector between integrations. Supported integrations: CSPM and Asset Inventory [#235442]({{kib-pull}}235442). +* Adds saved object infrastructure for cloud connectors and implements end-to-end persistence flow for creating integrations with cloud connector support [#230137]({{kib-pull}}230137). 
+* Automatic troubleshooting is now generally available [#234853]({{kib-pull}}234853). +* Updates the automatic troubleshooting feature to detect warnings and failures in {{elastic-defend}} policy responses and suggest possible remediations [#231908]({{kib-pull}}231908). +* Adds an advanced setting to keep the alert suppression window active after closing an alert, preventing new alerts during that period [#231079]({{kib-pull}}231079). +* Adds `DOES NOT MATCH` capability to indicator match rules [#227084]({{kib-pull}}227084). +* Adds the `customized_fields` and `has_base_version` fields to the `rule_source` object schema [#234793]({{kib-pull}}234793). +* Enables the auto-extract observables toggle in the alerts table for both row and bulk actions when adding alerts to a case [#235433]({{kib-pull}}235433). +* Enables the new data view picker [#234101]({{kib-pull}}234101). +* Adds a `managed` property to data views, marking Kibana-managed data views with a **Managed** tag [#223451]({{kib-pull}}223451). +* Adds support for specifying a reason when closing an alert [#226590]({{kib-pull}}226590). +* Adds a source event ID link to the alert flyout's **Highlighted fields** section, allowing you to quickly preview the event that triggered the alert [#224451]({{kib-pull}}224451). +* Updates the indicator details flyout's UI to be more consistent with the alert details flyout [#230593]({{kib-pull}}230593). +* Restricts **Value report** page access to `admin` and `soc_manager` roles in the Security Analytics Complete {{serverless-short}} feature tier [#234377]({{kib-pull}}234377). +* Implements the **Value report** page for the Elastic AI SOC Engine (EASE) {{serverless-short}} project type [#228877]({{kib-pull}}228877). +* Adds conversation sharing functionality to the Security AI Assistant, allowing you to share conversations with team members [#230614]({{kib-pull}}230614). 
+* Adds a non-CVE reference link list to the vulnerability details flyout [#225601]({{kib-pull}}225601). +* Adds support for using the `runscript` response action on SentinelOne-enrolled hosts [#234492]({{kib-pull}}234492). +* Adds support for using the `cancel` response action on MDE-enrolled hosts [#230399]({{kib-pull}}230399). +* Adds support for trusted applications advanced mode [#230111]({{kib-pull}}230111). +* Introduces the {{elastic-defend}} **Endpoint Exceptions** sub-feature privilege [#233433]({{kib-pull}}233433). +* Adds an {{elastic-defend}} advanced policy setting that allows you to disable the firewall anti-tamper plugin or move it into detect-only mode [#236431]({{kib-pull}}236431). +* Adds two new {{elastic-defend}} advanced policy settings that allow you to opt out of collecting ransomware diagnostics on macOS [#235193]({{kib-pull}}235193). * Adds an {{elastic-defend}} option to remediate orphaned state by attempting to start {{agent}} service. * Updates the `endpoint-package` submodule. * Adds more {{elastic-defend}} options to the {{ls}} output, allowing for finer control by the end user. 
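Review bot: in this hunk (PATCH 2/9, first index.md hunk) the two cloud connector items, `[#235442]` and `[#230137]`, describe one user-facing capability (creating CSPM and Asset Inventory integrations backed by a cloud connector), and the "saved object infrastructure" and "end-to-end persistence flow" wording in the second is implementation detail rather than something a reader acts on; fold them into a single item carrying both PR links. Also, `Adds support for trusted applications advanced mode [#230111]` does not say what advanced mode lets the user do; a short clause naming the capability would make the item actionable.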
@@ -44,7 +81,7 @@ To check for security updates, go to [Security announcements for the Elastic sta * Includes `origin_url`, `origin_referrer_url`, and `Ext.windows.zone_identifier` fields by default to Windows image load and process events, if the information can be retrieved. * Improves {{elastic-defend}} by integrating a new Event Tracing for Windows (ETW) provider (Microsoft-Windows-Ldap-Client) to create new event types that prebuilt endpoint rules can use to detect malicious LDAP activity. * Adds more Linux diagnostic process `ptrace` events. -* Improves reporting reliability and accuracy of the {{elastic-defend}}'s {{es}} connection. +* Improves reporting reliability and accuracy of {{elastic-defend}}'s {{es}} connection. * Enriches {{elastic-defend}} macOS network connect events with `network.direction`. Possible values are `ingress` and `egress`. * Improves {{elastic-defend}} malware scan queue efficiency by not blocking scan requests when an oplock for the file being scanned cannot be acquired. * Adds an {{elastic-defend}} advanced policy setting `windows.advanced.events.security.event_disabled` that lets users disable security event collection per event ID. 
@@ -55,6 +92,21 @@ To check for security updates, go to [Security announcements for the Elastic sta * Adds {{elastic-defend}} support for diagnostic DNS events on Linux. ### Fixes [elastic-security-9.2.0-fixes] + +* Fixes an issue where the names of the `Security solution default` and `Security solution alerts` data views were displayed incorrectly [#238354]({{kib-pull}}238354). +* Fixes an issue where the navigation manu overlapped expandable flyouts [#236655]({{kib-pull}}236655). +* Ensures the data view picker icon is always vertically centered [#236379]({{kib-pull}}236379). +* Integrates data view logic into host KPIs charts [#236084]({{kib-pull}}236084). +* Fixes integrations RAG in automatic migration rule translations [#234211]({{kib-pull}}234211). +* Removes the feature flag for privileged user monitoring [#233960]({{kib-pull}}233960). +* Returns a 500 response code if there is an error during privileged user monitoring engine initialization [#234368]({{kib-pull}}234368). +* Ensures that privileged user `@timestamp` and `event.ingested` fields are updated when a privileged user is updated [#233735]({{kib-pull}}233735). +* Fixes a bug in privileged user monitoring index synchronization where stale users weren't removed after index pattern changes [#229789]({{kib-pull}}229789). +* Updates the privileged user monitoring UI to replace hard-coded CSS values with the EUI theme [#225307]({{kib-pull}}225307). +* Fixes incorrect threat enrichment for partially matched `AND` condition in indicator match rules [#230773]({{kib-pull}}230773). +* Adds a validation error to prevent users from setting a custom action interval shorter than the rule's check interval [#229976]({{kib-pull}}229976). +* Fixes accessibility issues on the **Benchmarks** page [#229521]({{kib-pull}}229521). +* Simplifies the Cloud Security Posture Misconfigurations data view by removing redundancy in the index pattern definition [#227995]({{kib-pull}}227995). 
* Fixes an {{elastic-defend}} issue on Linux by preventing unnecessary locking within Malware Protections to avoid invalid watchdog firings. * Fixes issues that could sometimes cause crashes of the {{elastic-defend}} user-mode process on very busy Windows systems. * Addresses CVE-2025-##### in {{elastic-defend}} on Windows, which could allow a low-privilege attacker to delete arbitrary files on the system. On Windows versions before 25H2, this could result in local privilege escalation. From 0534dd13fb6a4f033a0395a7926231b72af0ad93 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 13 Oct 2025 15:29:57 +0100 Subject: [PATCH 3/9] updates section ID --- release-notes/elastic-security/breaking-changes.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/release-notes/elastic-security/breaking-changes.md b/release-notes/elastic-security/breaking-changes.md index 57ddc72ee8..bb90d15765 100644 --- a/release-notes/elastic-security/breaking-changes.md +++ b/release-notes/elastic-security/breaking-changes.md @@ -15,7 +15,7 @@ Breaking changes can impact your Elastic applications, potentially disrupting no % **Action**
Steps for mitigating deprecation impact. % :::: -## 9.2.0 [elastic-security-900-breaking-changes] +## 9.2.0 [elastic-security-920-breaking-changes] ::::{dropdown} Changes invalid category for Gatekeeper Changes `event.category` from `security` to `configuration` for Gatekeeper on macOS. @@ -26,7 +26,7 @@ Changes `event.category` from `security` to `configuration` for Gatekeeper on ma :::: -## 9.0.7 [elastic-security-900-breaking-changes] +## 9.0.7 [elastic-security-907-breaking-changes] ::::{dropdown} Changes invalid category for Gatekeeper Changes `event.category` from `security` to `configuration` for Gatekeeper on macOS. From 625301e5cf85b6a29c9a8dc6a65f587cfe7e6a21 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Tue, 14 Oct 2025 08:14:03 +0100 Subject: [PATCH 4/9] Apply suggestions from code review Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- release-notes/elastic-security/index.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 603d7245ad..7461ac9bb6 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -35,21 +35,21 @@ To check for security updates, go to [Security announcements for the Elastic sta * Adds the Security Entity Analytics risk score reset feature [#237829]({{kib-pull}}237829). * Introduces a Security risk scoring AI Assistant tool [#233647]({{kib-pull}}233647). * Uses {{esql}} for calculating entity risk scores [#237871]({{kib-pull}}237871). -* Updates the entity source saved object schema to support integrations sync markers and index [#236457]({{kib-pull}}236457). +* Updates the entity source saved object schema to support integrations sync markers [#236457]({{kib-pull}}236457). * Enables privileged user monitoring advanced setting by default [#237436]({{kib-pull}}237436). * Enables discovering privileged users from the Entity Analytics Okta integration [#237129]({{kib-pull}}237129). * Adds the data view picker to the **Privileged user monitoring** dashboard page [#233264]({{kib-pull}}233264). * Implements minor UI changes on **Privileged user monitoring** dashboard page [#231921]({{kib-pull}}231921). * Populates the `entity.attributes.Privileged` field in the entity store for users [#237038]({{kib-pull}}237038). * Adds public APIs for attack discovery and attack discovery schedules [#236736]({{kib-pull}}236736). -* Introduces total execution time for automatic migrations [#236147]({{kib-pull}}236147). -* Adds the **Update missing index pattern** functionality to the automatic migrations **Translated rules** page [#233258]({{kib-pull}}233258). -* Introduces new API endpoints for dashboard automatic migration [#229112]({{kib-pull}}229112). -* Adds support for creating new cloud connectors and reusing cloud connector between integrations. Supported integrations: CSPM and Asset Inventory [#235442]({{kib-pull}}235442). +* Displays total execution time for automatic migrations [#236147]({{kib-pull}}236147). +* Adds **Update missing index pattern** option to the automatic migration **Translated rules** page [#233258]({{kib-pull}}233258). 
+* Introduces new API endpoints for automatic migration of dashboards [#229112]({{kib-pull}}229112). +* Adds a new deployment method, "cloud connector", for the CSPM and Asset Discovery integrations [#235442]({{kib-pull}}235442). * Adds saved object infrastructure for cloud connectors and implements end-to-end persistence flow for creating integrations with cloud connector support [#230137]({{kib-pull}}230137). -* Automatic troubleshooting is now generally available [#234853]({{kib-pull}}234853). +* Makes automatic troubleshooting generally available [#234853]({{kib-pull}}234853). * Updates the automatic troubleshooting feature to detect warnings and failures in {{elastic-defend}} policy responses and suggest possible remediations [#231908]({{kib-pull}}231908). -* Adds an advanced setting to keep the alert suppression window active after closing an alert, preventing new alerts during that period [#231079]({{kib-pull}}231079). +* Adds an advanced setting that keeps the alert suppression window active after you close an alert, preventing new alerts during that period [#231079]({{kib-pull}}231079). * Adds `DOES NOT MATCH` capability to indicator match rules [#227084]({{kib-pull}}227084). * Adds the `customized_fields` and `has_base_version` fields to the `rule_source` object schema [#234793]({{kib-pull}}234793). * Enables the auto-extract observables toggle in the alerts table for both row and bulk actions when adding alerts to a case [#235433]({{kib-pull}}235433). 
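Review bot: the rewritten cloud connector line in this hunk (PATCH 4/9) changes the integration name from `Asset Inventory` on the removed line to `Asset Discovery` on the added one; those are not interchangeable names, so confirm which one the 9.2.0 integration actually uses and keep it consistent with the rest of the docs. The other rewordings in the hunk (`Displays total execution time`, `Makes automatic troubleshooting generally available`, `keeps the alert suppression window active after you close an alert`) match the active-voice style of the surrounding items and read cleaner.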
@@ -70,8 +70,8 @@ To check for security updates, go to [Security announcements for the Elastic sta * Adds two new {{elastic-defend}} advanced policy settings that allow you to opt out of collecting ransomware diagnostics on macOS [#235193]({{kib-pull}}235193). * Adds an {{elastic-defend}} option to remediate orphaned state by attempting to start {{agent}} service. * Updates the `endpoint-package` submodule. -* Adds more {{elastic-defend}} options to the {{ls}} output, allowing for finer control by the end user. -* Increases the throughput of {{elastic-defend}} {{ls}} connections by increasing the maximum size it can upload at once. +* Adds more {{elastic-defend}} options to the {{ls}} output, allowing for finer control. +* Increases the throughput of {{elastic-defend}}'s {{ls}} connections by increasing the maximum size it can upload at once. * Adds {{elastic-defend}} support for device control on macOS. * Updates the device control schema. * Adds architecture of PE file in malware alerts to {{elastic-defend}}. 
@@ -103,7 +103,7 @@ To check for security updates, go to [Security announcements for the Elastic sta * Ensures that privileged user `@timestamp` and `event.ingested` fields are updated when a privileged user is updated [#233735]({{kib-pull}}233735). * Fixes a bug in privileged user monitoring index synchronization where stale users weren't removed after index pattern changes [#229789]({{kib-pull}}229789). * Updates the privileged user monitoring UI to replace hard-coded CSS values with the EUI theme [#225307]({{kib-pull}}225307). -* Fixes incorrect threat enrichment for partially matched `AND` condition in indicator match rules [#230773]({{kib-pull}}230773). +* Fixes incorrect threat enrichment for partially matched `AND` conditions in indicator match rules [#230773]({{kib-pull}}230773). * Adds a validation error to prevent users from setting a custom action interval shorter than the rule's check interval [#229976]({{kib-pull}}229976). * Fixes accessibility issues on the **Benchmarks** page [#229521]({{kib-pull}}229521). * Simplifies the Cloud Security Posture Misconfigurations data view by removing redundancy in the index pattern definition [#227995]({{kib-pull}}227995). 
@@ -122,7 +122,7 @@ To check for security updates, go to [Security announcements for the Elastic sta * Fixes an issue in {{elastic-defend}} installation logging where only the first character of install paths (usually 'C') was logged. * Prevents {{elastic-endpoint}} from stopping system-critical processes or threads. * Fixes an issue to improve reliability of health status reporting between {{elastic-endpoint}} and {{agent}}. -* Fixes a race condition in {{elastic-defend}} that occasionally resulted in corrupted process command lines on Windows. This could cause incorrect values for `process.command_line`, `process.args_count` and `process.args`, leading to false positives. +* Fixes a race condition in {{elastic-defend}} that occasionally resulted in corrupted process command lines on Windows. This could cause incorrect values for `process.command_line`, `process.args_count`, and `process.args`, leading to false positives. * Fixes an issue in {{elastic-defend}} that could result in a crash if a specified {{ls}} output configuration contained a certificate that couldn't be parsed. From ac28ed4a8734f006d0c3401aa06c914d1c5764fa Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Tue, 14 Oct 2025 10:06:54 +0100 Subject: [PATCH 5/9] Address feedback --- release-notes/elastic-security/index.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 7461ac9bb6..1833c2c9af 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -45,8 +45,7 @@ To check for security updates, go to [Security announcements for the Elastic sta * Displays total execution time for automatic migrations [#236147]({{kib-pull}}236147). * Adds **Update missing index pattern** option to the automatic migration **Translated rules** page [#233258]({{kib-pull}}233258). * Introduces new API endpoints for automatic migration of dashboards [#229112]({{kib-pull}}229112). -* Adds a new deployment method, "cloud connector", for the CSPM and Asset Discovery integrations [#235442]({{kib-pull}}235442). -* Adds saved object infrastructure for cloud connectors and implements end-to-end persistence flow for creating integrations with cloud connector support [#230137]({{kib-pull}}230137). +* Adds a new deployment method, "cloud connector", for the CSPM and Asset Discovery integrations [#235442]({{kib-pull}}235442), [#230137]({{kib-pull}}230137). * Makes automatic troubleshooting generally available [#234853]({{kib-pull}}234853). * Updates the automatic troubleshooting feature to detect warnings and failures in {{elastic-defend}} policy responses and suggest possible remediations [#231908]({{kib-pull}}231908). * Adds an advanced setting that keeps the alert suppression window active after you close an alert, preventing new alerts during that period [#231079]({{kib-pull}}231079). 
@@ -57,7 +56,7 @@ To check for security updates, go to [Security announcements for the Elastic sta * Adds a `managed` property to data views, marking Kibana-managed data views with a **Managed** tag [#223451]({{kib-pull}}223451). * Adds support for specifying a reason when closing an alert [#226590]({{kib-pull}}226590). * Adds a source event ID link to the alert flyout's **Highlighted fields** section, allowing you to quickly preview the event that triggered the alert [#224451]({{kib-pull}}224451). -* Updates the indicator details flyout's UI to be more consistent with the alert details flyout [#230593]({{kib-pull}}230593). +* Updates the indicator details flyout's UI to be more consistent with the alert details flyout's UI [#230593]({{kib-pull}}230593). * Restricts **Value report** page access to `admin` and `soc_manager` roles in the Security Analytics Complete {{serverless-short}} feature tier [#234377]({{kib-pull}}234377). * Implements the **Value report** page for the Elastic AI SOC Engine (EASE) {{serverless-short}} project type [#228877]({{kib-pull}}228877). * Adds conversation sharing functionality to the Security AI Assistant, allowing you to share conversations with team members [#230614]({{kib-pull}}230614). From e98ba94259c66875c6fe5157d0616e2a204f1daf Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Tue, 14 Oct 2025 15:49:12 +0100 Subject: [PATCH 6/9] Update release-notes/elastic-security/index.md Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- release-notes/elastic-security/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 1833c2c9af..8bb1599ee8 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -108,7 +108,6 @@ To check for security updates, go to [Security announcements for the Elastic sta * Simplifies the Cloud Security Posture Misconfigurations data view by removing redundancy in the index pattern definition [#227995]({{kib-pull}}227995). * Fixes an {{elastic-defend}} issue on Linux by preventing unnecessary locking within Malware Protections to avoid invalid watchdog firings. * Fixes issues that could sometimes cause crashes of the {{elastic-defend}} user-mode process on very busy Windows systems. -* Addresses CVE-2025-##### in {{elastic-defend}} on Windows, which could allow a low-privilege attacker to delete arbitrary files on the system. On Windows versions before 25H2, this could result in local privilege escalation. * Adds support in {{elastic-defend}} for installing eBPF event probes on Linux endpoints when cgroup2 is mounted in a non-standard location or not mounted at all. * Adds support in {{elastic-defend}} for installing eBPF probes on Linux endpoints when taskstats is compiled out of the kernel. * Fixes an issue in {{elastic-defend}} where Linux network events could have source and destination bytes swapped. From 26f3c3c8a9503b6163fe285b4b1b1806853ace78 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 15 Oct 2025 11:04:52 +0100 Subject: [PATCH 7/9] add EDR bugfix --- release-notes/elastic-security/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 8bb1599ee8..0afef8bf05 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -106,6 +106,7 @@ To check for security updates, go to [Security announcements for the Elastic sta * Adds a validation error to prevent users from setting a custom action interval shorter than the rule's check interval [#229976]({{kib-pull}}229976). * Fixes accessibility issues on the **Benchmarks** page [#229521]({{kib-pull}}229521). * Simplifies the Cloud Security Posture Misconfigurations data view by removing redundancy in the index pattern definition [#227995]({{kib-pull}}227995). +* Fixes an issue causing "missing authentication credentials" warnings in `TelemetryConfigWatcher` and `PolicyWatcher`, reducing unnecessary warning log entries in the `securitySolution` plugin. * Fixes an {{elastic-defend}} issue on Linux by preventing unnecessary locking within Malware Protections to avoid invalid watchdog firings. * Fixes issues that could sometimes cause crashes of the {{elastic-defend}} user-mode process on very busy Windows systems. * Adds support in {{elastic-defend}} for installing eBPF event probes on Linux endpoints when cgroup2 is mounted in a non-standard location or not mounted at all. From 385f6df57ac93b27bf259980d367726ffeeaf3ed Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 15 Oct 2025 17:01:28 +0100 Subject: [PATCH 8/9] Adds missing note --- release-notes/elastic-security/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 0afef8bf05..28d0da32b3 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -67,6 +67,7 @@ To check for security updates, go to [Security announcements for the Elastic sta * Introduces the {{elastic-defend}} **Endpoint Exceptions** sub-feature privilege [#233433]({{kib-pull}}233433). * Adds an {{elastic-defend}} advanced policy setting that allows you to disable the firewall anti-tamper plugin or move it into detect-only mode [#236431]({{kib-pull}}236431). * Adds two new {{elastic-defend}} advanced policy settings that allow you to opt out of collecting ransomware diagnostics on macOS [#235193]({{kib-pull}}235193). +* Adds {{elastic-defend}} advanced policy setting to disable the filtering of file-backed volumes and CD-ROMs in the `device_control` plugin [#236620]({{kib-pull}}236620). * Adds an {{elastic-defend}} option to remediate orphaned state by attempting to start {{agent}} service. * Updates the `endpoint-package` submodule. * Adds more {{elastic-defend}} options to the {{ls}} output, allowing for finer control. From aef094e1731990bb8c9c4921ab68c0e1b4cd15e9 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 15 Oct 2025 17:04:18 +0100 Subject: [PATCH 9/9] an --- release-notes/elastic-security/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 28d0da32b3..8f1068f48a 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -67,7 +67,7 @@ To check for security updates, go to [Security announcements for the Elastic sta * Introduces the {{elastic-defend}} **Endpoint Exceptions** sub-feature privilege [#233433]({{kib-pull}}233433). * Adds an {{elastic-defend}} advanced policy setting that allows you to disable the firewall anti-tamper plugin or move it into detect-only mode [#236431]({{kib-pull}}236431). * Adds two new {{elastic-defend}} advanced policy settings that allow you to opt out of collecting ransomware diagnostics on macOS [#235193]({{kib-pull}}235193). -* Adds {{elastic-defend}} advanced policy setting to disable the filtering of file-backed volumes and CD-ROMs in the `device_control` plugin [#236620]({{kib-pull}}236620). +* Adds an {{elastic-defend}} advanced policy setting to disable the filtering of file-backed volumes and CD-ROMs in the `device_control` plugin [#236620]({{kib-pull}}236620). * Adds an {{elastic-defend}} option to remediate orphaned state by attempting to start {{agent}} service. * Updates the `endpoint-package` submodule. * Adds more {{elastic-defend}} options to the {{ls}} output, allowing for finer control.
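Review bot: in PATCH 1/9, breaking-changes.md hunk, the new `## 9.2.0 [elastic-security-900-breaking-changes]` heading reuses the anchor ID that the existing `## 9.0.7 [elastic-security-900-breaking-changes]` heading a few lines below already carries, so two sections now share one ID and links to it become ambiguous; give the 9.2.0 section its own ID (for example `elastic-security-920-breaking-changes`). The dropdown body is also a verbatim copy of the 9.0.7 Gatekeeper entry (`Changes event.category from security to configuration`); if the same change ships in both releases, say so in the 9.2.0 entry so readers who already updated their `event.category == security` rules after 9.0.7 know no further action is needed.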
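Review bot: in PATCH 1/9, index.md hunk, the Fixes item `Addresses CVE-2025-##### in {{elastic-defend}} on Windows` carries a placeholder CVE ID; it must not merge with `#####`, so either fill in the assigned identifier or hold the line until the advisory is published. Two smaller points in the same hunk: the host isolation item uses `{{elastic-agent}}` (`Intermittent {{elastic-agent}} connectivity changes`) while every other line uses `{{agent}}`, so check that the substitution is defined or the page will render the braces literally; and `the {{elastic-defend}}'s {{es}} connection` should drop the leading `the`.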
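Review bot: in PATCH 2/9, Fixes hunk, there is a typo in `Fixes an issue where the navigation manu overlapped expandable flyouts [#236655]`: `manu` should be `menu`. In the same hunk, `Removes the feature flag for privileged user monitoring [#233960]` and `Integrates data view logic into host KPIs charts [#236084]` read as enhancements rather than fixes; either move them under Features and enhancements or reword them to state the user-visible problem they resolve.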
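Review bot: in PATCH 3/9, second breaking-changes.md hunk, renaming the existing `## 9.0.7` anchor from `elastic-security-900-breaking-changes` to `elastic-security-907-breaking-changes` changes an ID that was published with the 9.0.7 notes, so any inbound link to the old anchor stops resolving; if 9.0.7 has already shipped, keep the old ID on that heading (or add a redirect) and only assign the new `920` ID to the 9.2.0 section, which is what the first hunk of this patch does.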
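Review bot: in PATCH 6/9, deleting `* Addresses CVE-2025-##### in {{elastic-defend}} on Windows ...` removes the only mention of the arbitrary file deletion fix from the 9.2.0 notes; if the line is being pulled because the CVE ID is not yet assigned, track re-adding it (or a pointer to the Security announcements page the hunk's context line links to) once the advisory is out, so the release notes do not silently omit a security fix.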
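Review bot: in PATCH 7/9, the added `TelemetryConfigWatcher` / `PolicyWatcher` item is the only `securitySolution` plugin fix in the section without a `[#NNNNNN]({{kib-pull}}NNNNNN)` reference; add the PR link so it matches the neighbouring Kibana items. Its placement after the Cloud Security Posture item and before the Endpoint-side fixes is right for a plugin-side change, so only the link is missing.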