[Security] 9.2.1 release notes (#3839)

natasha-moore-elastic · benironside · sdesalas · web-flow · commit e101a0000185 · 2025-11-11T14:06:28.000Z
Resolves #3732: adds the 9.2.1 Security and Endpoint release notes. Previews: * [9.2.1](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3839/release-notes/elastic-security#elastic-security-9.2.1-release-notes) * [Elastic Security known issues](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3839/release-notes/elastic-security/known-issues) [Elastic Cloud Serverless known issues](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3839/release-notes/elastic-cloud-serverless/known-issues) --------- Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Steven de Salas <sdesalas@users.noreply.github.com>
diff --git a/release-notes/elastic-cloud-serverless/known-issues.md b/release-notes/elastic-cloud-serverless/known-issues.md
@@ -16,6 +16,22 @@ Known issues are significant defects or limitations that may impact your impleme
 
 ## Active
 
+
+
+::::{dropdown} Alerts aren't generated for rules with alert flapping off and an alert delay higher than 1
+
+**Details**
+
+On October 22, 2025, it was discovered that alerts aren't generated for rules that have **Alert flapping detection** turned off and the alert delay set to a value higher than 1.
+
+**Workaround**
+
+Set the alert delay value to 1 or turn on **Alert flapping detection**.
+
+::::
+
+## Resolved
+
 :::{dropdown} Entity store transform is unavailable 
 
 **Details**
@@ -29,22 +45,12 @@ Restart the entity store:
 2. On the **Entity Store** page, turn the toggle off.
 3. Turn the toggle back on.
 
-::::
-
-::::{dropdown} Alerts aren't generated for rules with alert flapping off and an alert delay higher than 1
-
-**Details**
-
-On October 22, 2025, it was discovered that alerts aren't generated for rules that have **Alert flapping detection** turned off and the alert delay set to a value higher than 1.
+**Resolved** 
 
-**Workaround**
-
-Set the alert delay value to 1 or turn on **Alert flapping detection**.
+This was resolved on November 4, 2025.
 
 ::::
 
-## Resolved
-
 :::{dropdown} CSPM and Asset Management integrations don't ingest data when deployed using agent-based technology if {{kib}} is hosted on AWS
 Applies to: {{serverless-short}} deployments hosted on AWS
 
diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md
@@ -27,6 +27,23 @@ To check for security updates, go to [Security announcements for the Elastic sta
 
 % *
 
+## 9.2.1 [elastic-security-9.2.1-release-notes]
+
+### Features and enhancements [elastic-security-9.2.1-features-enhancements]
+
+* Improves the startup log in {{elastic-defend}} to explain the details of unsigned policy.
+* Improves the accuracy of thread CPU usage reported in {{elastic-defend}} metrics documents.
+
+### Fixes [elastic-security-9.2.1-fixes]
+* Fixes an issue where the CSPM and Asset Discovery integrations failed to collect data when using agent-based deployment [#241390]({{kib-pull}}241390).
+* Fixes a react-query key collision that occurred when two different integration lookups shared the same key, which could cause errors when navigating between pages [#240517]({{kib-pull}}240517).
+* Fixes multiple issues searching installed rules by allowing partial matches on rule name and improving special character support [#237496]({{kib-pull}}237496).
+* Fixes an {{elastic-defend}} bug in Linux event collection where some long-running processes were not enriched.
+* Fixes multiple {{elastic-defend}} issues in malware protection for Linux where a deadlock could sometimes occur when containers and autofs were both active.
+* Fixes an {{elastic-defend}} issue that could cause the `get-file` and `execute` response actions to fail after many were issued with a single running instance of {{elastic-defend}}
+* Improves {{elastic-defend}} detection of file rename operations on Windows when performed over Server Message Block (SMB).
+* Fixes an {{elastic-defend}} issue on Windows where the `code_signature.thumbprint_sha256` field was missing under process and DLL events for certain event types.
+
 
 ## 9.2.0 [elastic-security-9.2.0-release-notes]
 
@@ -121,6 +138,7 @@ To check for security updates, go to [Security announcements for the Elastic sta
 * Fixes an issue to improve reliability of health status reporting between {{elastic-endpoint}} and {{agent}}.
 * Fixes a race condition in {{elastic-defend}} that occasionally resulted in corrupted process command lines on Windows. This could cause incorrect values for `process.command_line`, `process.args_count`, and `process.args`, leading to false positives.
 * Fixes an issue in {{elastic-defend}} that could result in a crash if a specified {{ls}} output configuration contained a certificate that couldn't be parsed.
+* Fixes CVE-2025-37735 ([ESA-2025-23](https://discuss.elastic.co/t/elastic-defend-8-19-6-9-1-6-and-9-2-0-security-update-esa-2025-23/383272)) in {{elastic-defend}} on Windows which could allow a low-privilege attacker to delete arbitrary files on the system and potentially escalate privileges to SYSTEM. Windows 11 24H2 includes changes which make this issue harder to exploit.
 
 
 ## 9.1.7 [elastic-security-9.1.7-release-notes]
diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md
@@ -31,6 +31,10 @@ Restart the entity store:
 2. On the **Entity Store** page, turn the toggle off.
 3. Turn the toggle back on.
 
+**Resolved**<br>
+
+Resolved in {{stack}} 9.2.1
+
 ::::
 
 :::{dropdown} CSPM and Asset Management integrations don't ingest data when deployed using agent-based technology if {{kib}} is hosted on AWS
