From ebe3e41872b8c1fbf86b7fc37890d5560553cc7f Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 7 Aug 2025 11:07:45 +0100 Subject: [PATCH 1/3] [Security] 9.0.5 release notes --- release-notes/elastic-security/index.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 9407927ba8..5b33a18ee8 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md @@ -136,6 +136,15 @@ To check for security updates, go to [Security announcements for the Elastic sta * Fixes a bug in {{elastic-defend}} where Linux network events would have source and destination byte counts swapped. * Fixes an issue where {{elastic-defend}} may incorrectly set the artifact channel in policy responses, and adds `manifest_type` to policy responses. +## 9.0.5 [elastic-security-9.0.5-release-notes] + +### Features and enhancements [elastic-security-9.0.5-features-enhancements] +* Adds the `detection_rule_upgrade_status` object to snapshot telemetry schema [#223086]({{kib-pull}}223086). +* To help identify which parts of `elastic-endpoint.exe` are using a significant amount of CPU, {{elastic-defend}} on Windows can now include CPU profiling data in diagnostics. To request CPU profiling data using the command line, refer to [{{agent}} command reference](/reference/fleet/agent-command-reference.md#_options). To request CPU profiling data using {{kib}}, check the **Collect additional CPU metrics** box when requesting {{agent}} diagnostics. + +### Fixes [elastic-security-9.0.5-fixes] +* Fixes a bug where Security AI Assistant settings landed on the wrong page for users on the Basic license [#229163]({{kib-pull}}229163). + ## 9.0.4 [elastic-security-9.0.4-release-notes] ### Features and enhancements [elastic-security-9.0.4-features-enhancements] From d5df04482818a7e63030efcebffe5c645e85fb4e Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Mon, 11 Aug 2025 11:44:29 +0100 Subject: [PATCH 2/3] endpoint updates --- release-notes/elastic-security/index.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index 5b33a18ee8..f608e52796 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md 
@@ -140,10 +140,17 @@ To check for security updates, go to [Security announcements for the Elastic sta ### Features and enhancements [elastic-security-9.0.5-features-enhancements] * Adds the `detection_rule_upgrade_status` object to snapshot telemetry schema [#223086]({{kib-pull}}223086). -* To help identify which parts of `elastic-endpoint.exe` are using a significant amount of CPU, {{elastic-defend}} on Windows can now include CPU profiling data in diagnostics. To request CPU profiling data using the command line, refer to [{{agent}} command reference](/reference/fleet/agent-command-reference.md#_options). To request CPU profiling data using {{kib}}, check the **Collect additional CPU metrics** box when requesting {{agent}} diagnostics. +* Reduces {{elastic-defend}} CPU when processing events from the System process on Windows. +* Allows {{elastic-defend}} to automatically recover in some situations when it loses connectivity with {{agent}}. +* Shortens the time it takes {{elastic-defend}} to recover from a `DEGRADED` status caused by communication issues with {{agent}}. +* Due to an issue in macOS, {{elastic-defend}} would sometimes send network events without `user.name` populated. {{elastic-defend}} will now identify these events and populate `user.name` if necessary. +* Reduces {{elastic-defend}} CPU usage for ETW events, API events, and Behavioral Protections. In some cases, this may be a significant reduction. + ### Fixes [elastic-security-9.0.5-fixes] * Fixes a bug where Security AI Assistant settings landed on the wrong page for users on the Basic license [#229163]({{kib-pull}}229163). +* Fixes an issue in {{elastic-defend}} performance metrics that resulted in `endpoint_uptime_percent` always being 0 for behavioral rules. +* Fixes an issue in {{elastic-defend}} that could result in a crash if a {{ls}} output configuration is specified containing a certificate that cannot not be parsed. ## 9.0.4 [elastic-security-9.0.4-release-notes] 
From d40635ab0aed9fec5a54e13b36b8a97617abc271 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 11 Aug 2025 11:50:10 +0100 Subject: [PATCH 3/3] adds RM note to 9.0.4 --- release-notes/elastic-security/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md index f608e52796..36ceb66ec5 100644 --- a/release-notes/elastic-security/index.md +++ b/release-notes/elastic-security/index.md @@ -155,6 +155,7 @@ To check for security updates, go to [Security announcements for the Elastic sta ## 9.0.4 [elastic-security-9.0.4-release-notes] ### Features and enhancements [elastic-security-9.0.4-features-enhancements] +* Adds the `elastic_customized_total`, `elastic_noncustomized_total`, and `is_customized` fields to snapshot telemetry schema [#222370]({{kib-pull}}222370). * Improves logging of fatal exceptions in {{elastic-defend}}. ### Fixes [elastic-security-9.0.4-fixes]
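Review bot: In PATCH 1/3, the CPU profiling bullet under `### Features and enhancements [elastic-security-9.0.5-features-enhancements]` is deleted again by PATCH 2/3 of this same series, so the final 9.0.5 notes never mention the **Collect additional CPU metrics** option. If that feature is not part of 9.0.5, drop the bullet from this patch instead of adding and then removing it; if it is, PATCH 2/3 should keep it alongside the new {{elastic-defend}} entries. While the bullet exists, its link to `agent-command-reference.md#_options` would be easier to follow if the text named the command-line option the reader should look for.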
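Review bot: In PATCH 2/3, the last added bullet under `### Fixes [elastic-security-9.0.5-fixes]` reads "a certificate that cannot not be parsed"; the doubled "not" inverts the meaning and should be "cannot be parsed". In the same hunk, the first added bullet says "Reduces {{elastic-defend}} CPU when processing events" while the later one says "Reduces {{elastic-defend}} CPU usage"; use "CPU usage" in both. The hunk also adds an empty `+` line directly ahead of the existing blank line before `### Fixes`, which leaves two blank lines between the list and the heading; one is enough.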
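Review bot: In PATCH 3/3, the added bullet edits the 9.0.4 section inside a series whose subject is "9.0.5 release notes", and the commit subject "adds RM note to 9.0.4" does not say what "RM" stands for or why the entry was missing from 9.0.4; spell that out in the commit message so the backfill is traceable. On wording, "fields to snapshot telemetry schema" should read "fields to the snapshot telemetry schema", and the matching 9.0.5 bullet for `detection_rule_upgrade_status` should be changed the same way so the two entries stay consistent.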