From 6b72607bea6f57785dac2d1041d9c85a3bd8f0af Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Wed, 26 Nov 2025 15:22:06 +0000
Subject: [PATCH 1/3] [Security] 9.2.2 release notes

---
 release-notes/elastic-security/index.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md
index 252ef8d469..53044ee0b9 100644
--- a/release-notes/elastic-security/index.md
+++ b/release-notes/elastic-security/index.md
@@ -27,6 +27,24 @@ To check for security updates, go to [Security announcements for the Elastic sta
 
 % *
 
+## 9.2.2 [elastic-security-9.2.2-release-notes]
+
+### Features and enhancements [elastic-security-9.2.2-features-enhancements]
+* Improves the alert details flyout by saving the selected threat intelligence time to local storage [#243571]({{kib-pull}}243571).
+* Improves the alert details flyout by saving the selected prevalence time to local storage [#243543]({{kib-pull}}243543).
+
+### Fixes [elastic-security-9.2.2-fixes]
+* Fixes response actions API (for {{elastic-defend}} agent types) not sending action to more than 10 agents [#243387]({{kib-pull}}243387).
+* Fixes an issue where clicking a rule link from an alert flyout inside a saved Timeline would also open the Timeline [#242313]({{kib-pull}}242313).
+* Fixes an issue where the "Top <_n_>" popover stayed open after opening the create case flyout. It now closes automatically when the new case flyout opens [#242045]({{kib-pull}}242045).
+* Fixes a UI issue when displaying {{esql}} queries in Timeline full screen mode [#242027]({{kib-pull}}242027).
+* Allows saving a Timeline with an adhoc data view [#240537]({{kib-pull}}240537).
+* Fixes an issue where alerts generated by threshold rules had non-functional source event links [#238707]({{kib-pull}}238707).
+* Adds support for multiple values in the Indicator details flyout's **Table** tab [#236110]({{kib-pull}}236110).
+* Prevents unnecessary policy reloads in {{elastic-defend}} when only the overall config version changes.
+* Fixes a bug where {{elastic-defend}} for Linux could fail to bootstrap with {{agent}}.
+* Generates already mounted events for device control.
+
 ## 9.2.1 [elastic-security-9.2.1-release-notes]
 
 ### Features and enhancements [elastic-security-9.2.1-features-enhancements]

From e68b3fb482129faa5582fecb336dbd4b2cdf37d7 Mon Sep 17 00:00:00 2001
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Date: Mon, 1 Dec 2025 12:57:55 -0500
Subject: [PATCH 2/3] Update release-notes/elastic-security/index.md

---
 release-notes/elastic-security/index.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md
index 53044ee0b9..43ad1fe455 100644
--- a/release-notes/elastic-security/index.md
+++ b/release-notes/elastic-security/index.md
@@ -40,6 +40,7 @@ To check for security updates, go to [Security announcements for the Elastic sta
 * Fixes a UI issue when displaying {{esql}} queries in Timeline full screen mode [#242027]({{kib-pull}}242027).
 * Allows saving a Timeline with an adhoc data view [#240537]({{kib-pull}}240537).
 * Fixes an issue where alerts generated by threshold rules had non-functional source event links [#238707]({{kib-pull}}238707).
+* Ignores `resource_already_exists_exception` for value list creation hook [#243642]({{kib-pull}}243642).
 * Adds support for multiple values in the Indicator details flyout's **Table** tab [#236110]({{kib-pull}}236110).
 * Prevents unnecessary policy reloads in {{elastic-defend}} when only the overall config version changes.
 * Fixes a bug where {{elastic-defend}} for Linux could fail to bootstrap with {{agent}}.

From fdd28eb882383d968f5ee10b60c730d6a2ad17f7 Mon Sep 17 00:00:00 2001
From: Benjamin Ironside Goldstein
 <91905639+benironside@users.noreply.github.com>
Date: Mon, 1 Dec 2025 13:35:29 -0500
Subject: [PATCH 3/3] Update release-notes/elastic-security/index.md

---
 release-notes/elastic-security/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md
index 43ad1fe455..04e73fc0c3 100644
--- a/release-notes/elastic-security/index.md
+++ b/release-notes/elastic-security/index.md
@@ -36,7 +36,7 @@ To check for security updates, go to [Security announcements for the Elastic sta
 ### Fixes [elastic-security-9.2.2-fixes]
 * Fixes response actions API (for {{elastic-defend}} agent types) not sending action to more than 10 agents [#243387]({{kib-pull}}243387).
 * Fixes an issue where clicking a rule link from an alert flyout inside a saved Timeline would also open the Timeline [#242313]({{kib-pull}}242313).
-* Fixes an issue where the "Top <_n_>" popover stayed open after opening the create case flyout. It now closes automatically when the new case flyout opens [#242045]({{kib-pull}}242045).
+* Fixes an issue where the "Top <_n_>" popover stayed open after opening the create case flyout. It now closes automatically when the flyout opens [#242045]({{kib-pull}}242045).
 * Fixes a UI issue when displaying {{esql}} queries in Timeline full screen mode [#242027]({{kib-pull}}242027).
 * Allows saving a Timeline with an adhoc data view [#240537]({{kib-pull}}240537).
 * Fixes an issue where alerts generated by threshold rules had non-functional source event links [#238707]({{kib-pull}}238707).