elastic · natasha-moore-elastic · Jul 29, 2025 · Jul 16, 2025 · Jul 17, 2025 · Jul 17, 2025
@@ -16,6 +16,13 @@ Review the deprecated functionality for {{elastic-sec}}. While deprecations have
 % **Action**<br> Steps for mitigating deprecation impact.
 % ::::
 
+## 9.1.0 [elastic-security-9.1.0-deprecations]
+
+::::{dropdown} Removes default quick prompts
+Removes default quick prompts from the Security AI Assistant.
+For more information, refer to [#225536]({{kib-pull}}225536).
+::::
+
 ## 9.0.0 [elastic-security-900-deprecations]
 
 ::::{dropdown} Removes Defend for Containers (D4C)

@@ -27,6 +27,101 @@ To check for security updates, go to [Security announcements for the Elastic sta
 
 % *
 
+## 9.1.0 [elastic-security-9.1.0-release-notes]
+
+### Features and enhancements [elastic-security-9.1.0-features-enhancements]
+
+* Adds an option to update the `kibana.alert.workflow_status` field for alerts associated with attack discoveries [#225029]({{kib-pull}}225029).
+* The rule execution gaps functionality is now generally available [#224657]({{kib-pull}}224657).
+* Adds the Security Entity Analytics privileged user monitoring feature [#224638]({{kib-pull}}224638).
+* Adds the ability to bulk fill gaps [#224585]({{kib-pull}}224585).
+* Automatic migration is now generally available [#224544]({{kib-pull}}224544).
+* Adds a name field to the automatic migration UI [#223860]({{kib-pull}}223860).
+* Adds simplified bulk editing for alert suppression [#223090]({{kib-pull}}223090).
+* Adds a human-readable incremental ID to cases, making referencing cases easier [#222874]({{kib-pull}}222874).
+* Adds the ability to change rule migration execution settings when re-processing a migration [#222542]({{kib-pull}}222542).
+* Adds `runscript` response action support for Microsoft Defender for Endpoint–enrolled hosts [#222377]({{kib-pull}}222377).
+* Updates automatic migration API schema [#219597]({{kib-pull}}219597).
+* Adds `siemV3` role migration to support the new Security **Global Artifact Management** privilege [#219566]({{kib-pull}}219566).
+* Adds automatic saving of attack discoveries, with search and filter capabilities [#218906]({{kib-pull}}218906).
+* Adds the ability to edit highlighted fields in the alert details flyout [#216740]({{kib-pull}}216740).
+* Adds API endpoints for the Entity Analytics privileged user monitoring feature [#215663]({{kib-pull}}215663).
+* Adds the onboarding flow for the Asset Inventory feature [#212315]({{kib-pull}}212315).
+* Adds the XSOAR connector [#212049]({{kib-pull}}212049).
+* Adds a custom script selector for choosing scripts to execute when using the `runscript` response action [#204965]({{kib-pull}}204965).
+* Updates {{elastic-sec}} Labs Knowledge Base content [#227125]({{kib-pull}}227125).
+* Displays which fields are customized for prebuilt rules [#225939]({{kib-pull}}225939).
+* Bumps default Gemini model [#225917]({{kib-pull}}225917).
+* Groups vulnerabilities by resource and cloud account using IDs instead of names [#225492]({{kib-pull}}225492).
+* Adds prompt tiles to the Security AI Assistant [#224981]({{kib-pull}}224981).
+* Adds support for collapsible sections in integrations READMEs [#223916]({{kib-pull}}223916).
+* Adds advanced policy settings in {{elastic-defend}} to enable collection of file origin information for File, Process, and DLL (ImageLoad) events [#223882]({{kib-pull}}223882), [#222030]({{kib-pull}}222030).
+* Adds the `ecs@mappings` component to the transform destination index template [#223878]({{kib-pull}}223878).
+* Adds the ability to revert prebuilt rules to their base version [#223301]({{kib-pull}}223301).
+* Adds an {{elastic-defend}} advanced policy setting that allows you to enable or disable the Microsoft-Windows-Security-Auditing ETW provider for security events collection [#222197]({{kib-pull}}222197).
+* Updates the risk severity color map to match the new design [#222061]({{kib-pull}}222061).
+* Updates the asset criticality status color map to match the new design [#222024]({{kib-pull}}222024).
+* Updates the highlighted fields button styling in the alert details flyout [#221862]({{kib-pull}}221862).
+* Adds support for content connectors in {{elastic-sec}} and {{observability}} [#221856]({{kib-pull}}221856).
+* Expands CVE ID search to all search parameters, not just names [#221099]({{kib-pull}}221099).
+* Improves alert searching and filtering by including additional ECS data stream fields [#220447]({{kib-pull}}220447).
+* Updates default model IDs for Amazon Bedrock and OpenAI connectors [#220146]({{kib-pull}}220146).
+* Adds support for PKI (certificate-based) authentication for the OpenAI **Other** connector providers[#219984]({{kib-pull}}219984).
+* Adds pinning and settings to the **Table** tab in the alert and event details flyouts [#218686]({{kib-pull}}218686).
+* Updates the data view selector in the event analyzer [#218183]({{kib-pull}}218183).
+* Updates the data view selector in the global header [#216685]({{kib-pull}}216685).
+* Updates UI handling for multiple CVEs and package fields [#216411]({{kib-pull}}216411).
+* Adds the Security AI prompts integration [#216106]({{kib-pull}}216106).
+* Adds support for grouping multi-value fields in Cloud Security [#215913]({{kib-pull}}215913).
+* Limits unassigned notes to a maximum of 100 per document instead of globally [#214922]({{kib-pull}}214922).
+* Updates the Detection rule monitoring dashboard to include rule gaps histogram [#214694]({{kib-pull}}214694).
+* Adds support for multiple CVEs and improves vulnerability data grid, flyout, and contextual flyout UI [#213039]({{kib-pull}}213039).
+* Adds support for the `MV_EXPAND` command for the {{esql}} rule type [#212675]({{kib-pull}}212675).
+* Updates the data view selector in Timelines [#210585]({{kib-pull}}210585).
+* Adds `unassigned` as an asset criticality level for bulk uploads [#208884]({{kib-pull}}208884).
+* Enables `isolate` and `release` response actions from the event details flyout [#206857]({{kib-pull}}206857).
+* Standardizes action triggers in alerts KPI visualizations [#206340]({{kib-pull}}206340).
+* Introduces space-awareness capabilities for {{elastic-defend}} and other {{elastic-sec}}-specific {{fleet}} features.
+* Adds {{elastic-defend}} process event monitoring for `ptrace` and `memfd` activity on Linux (kernel 5.10+) using eBPF.
+* Adds support for DNS events on macOS. Events can be controlled from the {{elastic-defend}} policy using the **DNS events** checkbox.
+* Adds TCC (Transparency Consent and Control) events to {{elastic-defend}} on macOS. Events are generated every time the TCC database is altered.
+* Adds `parent.command_line` to {{elastic-defend}} process events on macOS to keep in line with Linux and Windows.
+* Adds ETW visibility for WinHTTP and WinINet libraries.
+* Adds telemetry to assist detection of processes created in non-standard desktops.
+* Reduces {{elastic-defend}} CPU usage for ETW events, API events, and behavioral protections. In some cases, this may be a significant reduction.
+* {{elastic-defend}}: Changes the security events source from the Event Log provider to Event Tracing for Windows (Microsoft-Windows-Security Auditing) provider and enriches the events with additional data.
+* Adds {{elastic-defend}} support for Elliptic Curve certificates and TLS output settings, including `supported_protocols`, `cipher_suites`, and `curve_types`.
+* Reduces {{elastic-defend}} CPU and memory usage for behavioral protections.
+
+### Fixes [elastic-security-9.1.0-fixes]
+
+* Fixes a bug where data wasn't fetched by the vulnerability expandable flyout in preview mode [#227262]({{kib-pull}}227262).
+* Fixes a bug where Timelines and investigations did not consistently use the default Security data view [#226314]({{kib-pull}}226314).
+* Fixes a bug where opening an alert deeplink didn't correctly load filters on the **Alerts** page [#225650]({{kib-pull}}225650).
+* Updates entity links to open in a flyout instead of leaving the current page [#225381]({{kib-pull}}225381).
+* Adds a title to the rule gap histogram in the Detection rule monitoring dashboard [#225274]({{kib-pull}}225274).
+* Fixes URL query handling for the asset inventory flyout [#225199]({{kib-pull}}225199).
+* Fixes a bug where pressing Escape with an alert details flyout open from a Timeline closed the Timeline instead of the flyout [#224352]({{kib-pull}}224352).
+* Fixes a bug where comma-separated `process.args` values didn't wrap properly in the alert details flyout's **Overview** tab [#223544]({{kib-pull}}223544).
+* Fixes wrapping for threat indicator match event renderer [#223164]({{kib-pull}}223164).
+* Fixes a z-index issue in the {{esql}} query editor within Timeline [#222841]({{kib-pull}}222841).
+* Fixes incorrect content displaying after tab switching in the integrations section on the **Get started** page [#222271]({{kib-pull}}222271).
+* Fixes the exception flyout to show the correct "Edit rule exception" title and button label when editing an exception item [#222248]({{kib-pull}}222248).
+* Retrieves active integrations from the installed integrations API [#218988]({{kib-pull}}218988).
+* Updates tooltips in the gap fills table [#218926]({{kib-pull}}218926).
+* Fixes AI Assistant prompt updates so UI changes reflect only successful updates [#217058]({{kib-pull}}217058).
+* Fixes error callout placement on the **Engine Status** tab of the **Entity Store** page [#216228]({{kib-pull}}216228).
+* Fixes alert severity ordering to display from highest severity to lowest [#215813]({{kib-pull}}215813).
+* Generalizes and consolidates custom {{fleet}} onboarding logic [#215561]({{kib-pull}}215561).
+* Fixes an alert grouping re-render issue that caused infinite rendering loops when selecting a group [#215086]({{kib-pull}}215086).
+* Fixes a bug in the alert details flyout's **Table** tab where fields displayed duplicate hover actions [#212316]({{kib-pull}}212316).
+* Refactors conversation pagination for the Security AI Assistant [#211831]({{kib-pull}}211831).
+* Fixes a bug where unmodified prebuilt rules installed before v8.18 didn't appear in the **Upgrade** table when the **Unmodified** filter was selected [#227859]({{kib-pull}}227859).
+* Improves UI copy for the "bulk update with conflicts" modal [#227803]({{kib-pull}}227803).
+* Fixes the artifact `channel` field and adds `manifest_type` in {{elastic-defend}} policy responses.
+* Fixes a bug in {{elastic-defend}} where the `fqdn` feature flag wasn't being persisted across system or endpoint restarts.
+* Fixes a crash in the {{elastic-defend}} scan response action and suppresses the end-user popup when running background malware scans.
+
 ## 9.0.3 [elastic-security-9.0.3-release-notes]
 
 ### Features and enhancements [elastic-security-9.0.3-features-enhancements]