From 907759140f40d19c7d2aea90f471ce3d551cfe7e Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 6 Nov 2025 14:46:27 +0000 Subject: [PATCH 1/5] [Security] 9.2.1 release notes --- release-notes/elastic-security/index.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 321a4973b7..38f11d5e51 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -27,6 +27,22 @@ To check for security updates, go to [Security announcements for the Elastic sta % * +## 9.2.1 [elastic-security-9.2.1-release-notes] + +### Features and enhancements [elastic-security-9.2.1-features-enhancements] + +* Improves the startup log in {{elastic-defend}} to explain the details of unsigned policy. +* Improves the accuracy of thread CPU usage reported in {{elastic-defend}} metrics documents. + +### Fixes [elastic-security-9.2.1-fixes] +* Fixes an issue where switching from agentless to agent-based cloud posture caused CSPM and Asset Inventory data to stop ingesting [#241390]({{kib-pull}}241390). +* Fixes a react-query key collision that occurred when two different integration lookups shared the same key, which could cause errors when navigating between pages [#240517]({{kib-pull}}240517). +* Fixes an {{elastic-defend}} bug in Linux event collection where some long-running processes were not enriched. +* Fixes multiple {{elastic-defend}} issues in malware protection for Linux where a deadlock could sometimes occur when containers and autofs were both active. +* Fixes an issue in {{elastic-defend}} that could cause the `get-file` and `execute` response actions to start failing after many are issued with a single running instance of {{elastic-defend}} +* Improves {{elastic-defend}} detection of file rename operations on Windows when performed over Server Message Block (SMB). +* Fixes an {{elastic-defend}} issue on Windows where the `code_signature.thumbprint_sha256` field was missing under process and DLL events for certain event types. + ## 9.2.0 [elastic-security-9.2.0-release-notes] From eecf376754f0aea945aa24c8ffbdbdef902bc4f4 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 6 Nov 2025 16:43:03 +0000 Subject: [PATCH 2/5] known issue fixed --- .../elastic-cloud-serverless/known-issues.md | 30 +++++++++++-------- .../elastic-security/known-issues.md | 4 +++ 2 files changed, 22 insertions(+), 12 deletions(-) 
diff --git a/release-notes/elastic-cloud-serverless/known-issues.md b/release-notes/elastic-cloud-serverless/known-issues.md index a69e2c620b..39ba4d8255 100644 --- a/release-notes/elastic-cloud-serverless/known-issues.md +++ b/release-notes/elastic-cloud-serverless/known-issues.md @@ -16,6 +16,22 @@ Known issues are significant defects or limitations that may impact your impleme ## Active + + +::::{dropdown} Alerts aren't generated for rules with alert flapping off and an alert delay higher than 1 + +**Details** + +On October 22, 2025, it was discovered that alerts aren't generated for rules that have **Alert flapping detection** turned off and the alert delay set to a value higher than 1. + +**Workaround** + +Set the alert delay value to 1 or turn on **Alert flapping detection**. + +:::: + +## Resolved + :::{dropdown} Entity store transform is unavailable **Details** @@ -29,22 +45,12 @@ Restart the entity store: 2. On the **Entity Store** page, turn the toggle off. 3. Turn the toggle back on. -:::: - -::::{dropdown} Alerts aren't generated for rules with alert flapping off and an alert delay higher than 1 - -**Details** - -On October 22, 2025, it was discovered that alerts aren't generated for rules that have **Alert flapping detection** turned off and the alert delay set to a value higher than 1. +**Resolved** -**Workaround** - -Set the alert delay value to 1 or turn on **Alert flapping detection**. +This was resolved on November 4, 2025. :::: -## Resolved - :::{dropdown} CSPM and Asset Management integrations don't ingest data when deployed using agent-based technology if {{kib}} is hosted on AWS Applies to: {{serverless-short}} deployments hosted on AWS diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md index 89f822ee47..9359e15898 100644 --- a/release-notes/elastic-security/known-issues.md +++ b/release-notes/elastic-security/known-issues.md 
@@ -31,6 +31,10 @@ Restart the entity store: 2. On the **Entity Store** page, turn the toggle off. 3. Turn the toggle back on. +**Resolved**
+ +Resolved in {{stack}} 9.2.1 + :::: :::{dropdown} CSPM and Asset Management integrations don't ingest data when deployed using agent-based technology if {{kib}} is hosted on AWS From 133cb34afe029bc9b6ced83d2aa0f952b8e1853a Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Fri, 7 Nov 2025 12:09:45 +0000 Subject: [PATCH 3/5] Apply suggestions from code review Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- release-notes/elastic-security/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 38f11d5e51..9c67752c97 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -35,11 +35,11 @@ To check for security updates, go to [Security announcements for the Elastic sta * Improves the accuracy of thread CPU usage reported in {{elastic-defend}} metrics documents. ### Fixes [elastic-security-9.2.1-fixes] -* Fixes an issue where switching from agentless to agent-based cloud posture caused CSPM and Asset Inventory data to stop ingesting [#241390]({{kib-pull}}241390). +* Fixes an issue where the CSPM and Asset Discovery integrations failed to collect data when using agent-based deployment [#241390]({{kib-pull}}241390). * Fixes a react-query key collision that occurred when two different integration lookups shared the same key, which could cause errors when navigating between pages [#240517]({{kib-pull}}240517). * Fixes an {{elastic-defend}} bug in Linux event collection where some long-running processes were not enriched. * Fixes multiple {{elastic-defend}} issues in malware protection for Linux where a deadlock could sometimes occur when containers and autofs were both active. -* Fixes an issue in {{elastic-defend}} that could cause the `get-file` and `execute` response actions to start failing after many are issued with a single running instance of {{elastic-defend}} +* Fixes an {{elastic-defend}} issue that could cause the `get-file` and `execute` response actions to fail after many were issued with a single running instance of {{elastic-defend}} * Improves {{elastic-defend}} detection of file rename operations on Windows when performed over Server Message Block (SMB). * Fixes an {{elastic-defend}} issue on Windows where the `code_signature.thumbprint_sha256` field was missing under process and DLL events for certain event types. From 3832b904df28b0a2719efdc384cfb61ec478a092 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 7 Nov 2025 12:16:40 +0000 Subject: [PATCH 4/5] apply suggestion --- release-notes/elastic-security/index.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 9c67752c97..5c42571cf7 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md @@ -137,6 +137,7 @@ To check for security updates, go to [Security announcements for the Elastic sta * Fixes an issue to improve reliability of health status reporting between {{elastic-endpoint}} and {{agent}}. * Fixes a race condition in {{elastic-defend}} that occasionally resulted in corrupted process command lines on Windows. This could cause incorrect values for `process.command_line`, `process.args_count`, and `process.args`, leading to false positives. * Fixes an issue in {{elastic-defend}} that could result in a crash if a specified {{ls}} output configuration contained a certificate that couldn't be parsed. +* Fixes CVE-2025-37735 ([ESA-2025-23](https://discuss.elastic.co/t/elastic-defend-8-19-6-9-1-6-and-9-2-0-security-update-esa-2025-23/383272)) in {{elastic-defend}} on Windows which could allow a low-privilege attacker to delete arbitrary files on the system and potentially escalate privileges to SYSTEM. Windows 11 24H2 includes changes which make this issue harder to exploit. ## 9.1.6 [elastic-security-9.1.6-release-notes] From 73f274cc5da3b4a03d5102f6d8ba10847ae07d22 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Fri, 7 Nov 2025 13:35:22 +0000 Subject: [PATCH 5/5] Update release-notes/elastic-security/index.md Co-authored-by: Steven de Salas --- release-notes/elastic-security/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 5c42571cf7..c8d3f5c8a5 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -37,6 +37,7 @@ To check for security updates, go to [Security announcements for the Elastic sta ### Fixes [elastic-security-9.2.1-fixes] * Fixes an issue where the CSPM and Asset Discovery integrations failed to collect data when using agent-based deployment [#241390]({{kib-pull}}241390). * Fixes a react-query key collision that occurred when two different integration lookups shared the same key, which could cause errors when navigating between pages [#240517]({{kib-pull}}240517). +* Fixes multiple issues searching installed rules by allowing partial matches on rule name and improving special character support [#237496]({{kib-pull}}237496). * Fixes an {{elastic-defend}} bug in Linux event collection where some long-running processes were not enriched. * Fixes multiple {{elastic-defend}} issues in malware protection for Linux where a deadlock could sometimes occur when containers and autofs were both active. * Fixes an {{elastic-defend}} issue that could cause the `get-file` and `execute` response actions to fail after many were issued with a single running instance of {{elastic-defend}}
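Review bot: In the PATCH 1/5 hunk for `release-notes/elastic-security/index.md`, the `get-file`/`execute` bullet ends without a period (`... with a single running instance of {{elastic-defend}}`), and the rewordings in PATCH 3/5 and the context in PATCH 5/5 show it is still missing; add the terminating period so the list is consistent with the other bullets. In the same hunk, `* Improves {{elastic-defend}} detection of file rename operations on Windows when performed over Server Message Block (SMB).` is phrased as an enhancement but sits under `### Fixes`; either move it under `### Features and enhancements` or reword it to describe the defect that was fixed (for example, that rename operations over SMB were not detected). Also, `### Fixes [elastic-security-9.2.1-fixes]` is followed directly by the first bullet, while `### Features and enhancements [...]` is followed by a blank line; add the blank line for consistency.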
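Review bot: In the PATCH 2/5 hunks for `release-notes/elastic-cloud-serverless/known-issues.md`, the entity store entry being moved under `## Resolved` opens with `:::{dropdown} Entity store transform is unavailable` (three colons) but is closed by `::::` (four), while the alert flapping entry moved under `## Active` uses four colons for both; since this change relocates the fences anyway, align the entity store dropdown to `::::{dropdown}` so the directives nest cleanly. The first hunk also leaves three blank lines between `## Active` and the dropdown that follows; one is enough. Separately, the `CSPM and Asset Management integrations don't ingest data when deployed using agent-based technology if {{kib}} is hosted on AWS` entry in this file is left unchanged, while the 9.2.1 release notes in PATCH 1/5 and PATCH 3/5 add a fix for CSPM agent-based data collection (`[#241390]({{kib-pull}}241390)`); confirm whether that known issue is also resolved in 9.2.1 and, if so, give it a **Resolved** block in the same pass.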
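Review bot: In the PATCH 2/5 hunk for `release-notes/elastic-security/known-issues.md`, the added `Resolved in {{stack}} 9.2.1` line has no terminating period, unlike the parallel `This was resolved on November 4, 2025.` added in the serverless file; add it. The serverless change also moves the entity store entry under `## Resolved`, whereas this hunk only adds a **Resolved** block in place; if this file has a `## Resolved` section, move the entry there too so the two known-issues pages are structured the same way.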
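Review bot: In the PATCH 3/5 hunk, the reworded bullet names the integration `Asset Discovery`, while the PATCH 1/5 version said `Asset Inventory` and the known-issues entries in PATCH 2/5 say `Asset Management`; pick the product's actual name and use it in all three places, since readers will search release notes and known issues by that term. The rewording also drops the condition from the original (`switching from agentless to agent-based cloud posture`) in favour of the broader `when using agent-based deployment`; if the fix is specifically the AWS-hosted agent-based case described in the known issue, say so, otherwise the bullet now claims more than the PR number supports.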
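Review bot: In the PATCH 4/5 hunk, the CVE-2025-37735 bullet is inserted into the section immediately preceding `## 9.1.6 [elastic-security-9.1.6-release-notes]` only, yet the linked advisory title reads `elastic-defend-8-19-6-9-1-6-and-9-2-0-security-update-esa-2025-23`, naming 8.19.6 and 9.1.6 as fixed versions as well; add the same entry under the 9.1.6 section (and the 8.19.6 section, if this page carries one) so every release that ships the fix documents it. Also add a comma before `which could allow a low-privilege attacker ...`, since the clause describes the CVE rather than restricting it.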
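Review bot: In the PATCH 5/5 hunk, the new bullet `* Fixes multiple issues searching installed rules by allowing partial matches on rule name and improving special character support` describes the change rather than the defect, unlike the surrounding bullets, which each lead with the problem that was fixed; consider rewording to state what failed (for example, that searching installed rules did not match partial rule names or names containing special characters) and keep the PR link.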