[Security] 9.0.8 release notes (#3282)

natasha-moore-elastic · nicholasberlin · florent-leborgne · web-flow · commit 92f39865ef93 · 2025-10-06T11:25:01.000Z
Resolves #3226: adds the 9.0.8 Security and Endpoint release notes. Preview: [9.0.8](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3282/release-notes/elastic-security#elastic-security-9.0.8-release-notes) --------- Co-authored-by: Nicholas Berlin <56366649+nicholasberlin@users.noreply.github.com> Co-authored-by: florent-leborgne <florent.leborgne@elastic.co> Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com>
diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md
@@ -168,6 +168,22 @@ To check for security updates, go to [Security announcements for the Elastic sta
 * Fixes a bug in {{elastic-defend}} where Linux network events would have source and destination byte counts swapped.
 * Fixes an issue where {{elastic-defend}} may incorrectly set the artifact channel in policy responses, and adds `manifest_type` to policy responses.
 
+## 9.0.8 [elastic-security-9.0.8-release-notes]
+
+### Features and enhancements [elastic-security-9.0.8-features-enhancements]
+* Adds an {{elastic-defend}} option to remediate orphaned state by attempting to start Elastic Agent service.
+
+### Fixes [elastic-security-9.0.8-fixes]
+* Removes `null` in confirmation dialog when bulk editing index patterns for rules [#236572]({{kib-pull}}236572).
+* Fixes the URL passed to detection rule actions via the `{{context.results_link}}` placeholder [#236067]({{kib-pull}}236067).
+* Adds support in {{elastic-defend}} for installing eBPF probes on Linux endpoints when taskstats is compiled out of the kernel.
+* Fixes an issue in {{elastic-defend}} where Linux network events could have source and destination bytes swapped.
+* Removes `.process.thread.capabilities.permitted` and `.process.thread.capabilities.effective` from Linux network events in {{elastic-defend}}.
+* Fixes an issue in {{elastic-defend}} where host isolation could auto-release incorrectly. Host isolation now only releases when {{elastic-endpoint}} becomes orphaned. Intermittent {{elastic-agent}} connectivity changes no longer alter the host isolation state.
+* Improves the reliability of local {{elastic-defend}} administrative shell commands. In rare cases, a command could fail to execute due to issue with interprocess communication.
+* Fixes an issue where {{elastic-defend}} would incorrectly calculate throughput capacity when sending documents to output.  This may have limited event throughput on extremely busy endpoints.
+* Fixes an issue in {{elastic-defend}} installation logging where only the first character of install paths (usually 'C') would be logged.
+
 ## 9.0.7 [elastic-security-9.0.7-release-notes]
 
 ### Fixes [elastic-security-9.0.7-fixes]
