[Security] 9.0.7 release notes (#2915)

natasha-moore-elastic · web-flow · commit c1dd03a1058b · 2025-09-16T13:43:49.000Z
Resolves #2825: adds the 9.0.7 Security and Endpoint release notes. Preview: * [Elastic Security > 9.0.7](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2915/release-notes/elastic-security#elastic-security-9.0.7-release-notes) * [Breaking changes > 9.0.7](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2915/release-notes/elastic-security/breaking-changes#elastic-security-900-breaking-changes)
diff --git a/release-notes/elastic-security/breaking-changes.md b/release-notes/elastic-security/breaking-changes.md
@@ -15,6 +15,18 @@ Breaking changes can impact your Elastic applications, potentially disrupting no
 % **Action**<br> Steps for mitigating deprecation impact.
 % ::::
 
+## 9.0.7 [elastic-security-900-breaking-changes]
+::::{dropdown} Changes invalid category for Gatekeeper
+
+Changes `event.category` from `security` to `configuration` for Gatekeeper on macOS.
+
+**Impact**<br> Gatekeeper events on macOS are now labeled as `event.category == configuration`.
+
+**Action**<br> If you're deploying custom rules using `event.category == security` on macOS, change the query to `event.category == configuration`.
+
+::::
+
+
 ## 9.0.0 [elastic-security-900-breaking-changes]
 
 ::::{dropdown} Removes legacy security rules bulk endpoints
diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md
@@ -157,6 +157,15 @@ To check for security updates, go to [Security announcements for the Elastic sta
 * Fixes a bug in {{elastic-defend}} where Linux network events would have source and destination byte counts swapped.
 * Fixes an issue where {{elastic-defend}} may incorrectly set the artifact channel in policy responses, and adds `manifest_type` to policy responses.
 
+## 9.0.7 [elastic-security-9.0.7-release-notes]
+
+### Fixes [elastic-security-9.0.7-fixes]
+* Prevents users without appropriate privileges from deleting notes [#233948]({{kib-pull}}233948).
+* Fixes a bug that prevented the **MITRE ATT&CK** section from appearing in the alert details flyout [#233805]({{kib-pull}}233805).
+* Updates {{kib}} MITRE ATT&CK data to v17.1 [#231375]({{kib-pull}}231375).
+* Fixes a bug where Linux capabilities were included in {{elastic-endpoint}} network events despite being disabled.
+* Makes the delivery of {{elastic-endpoint}} command line commands more robust. In rare cases, commands could previously fail due to interprocess communication issues.
+
 ## 9.0.6 [elastic-security-9.0.6-release-notes]
 
 ### Features and enhancements [elastic-security-9.0.6-features-enhancements]
