Elastic Security known issues
Known issues are significant defects or limitations that may impact your implementation. These issues are actively being worked on and will be addressed in a future release. Review the Elastic Security known issues to help you make informed decisions, such as upgrading to a new version.
Installing an Elastic Defend integration or a new agent policy upgrades installed prebuilt rules, reverting user customizations and overwriting user-added actions and exceptions
Elastic Stack versions: 9.0.0
On April 10, 2025, it was discovered that when you install a new Elastic Defend integration or agent policy, the installed prebuilt detection rules upgrade to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions, exceptions, and customizations.
Workaround
To avoid this issue, apply any pending prebuilt rule updates before you add an Elastic Defend integration to a policy in Fleet. This prevents rule actions, exceptions, and customizations from being overwritten.
The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules
Elastic Stack versions: 9.0.0
On April 8, 2025, it was discovered that alert suppression for event correlation rules is incorrectly shown as being in technical preview when you create a new rule. For more information, check #1021.