elastic · nastasha-solomon · Jan 21, 2025 · Jan 6, 2025 · Jan 8, 2025 · Jan 8, 2025
@@ -3,6 +3,7 @@
 
 This section summarizes the changes in each release.
 
+* <<release-notes-8.17.1, {elastic-sec} version 8.17.1>>
 * <<release-notes-8.17.0, {elastic-sec} version 8.17.0>>
 * <<release-notes-8.16.2, {elastic-sec} version 8.16.2>>
 * <<release-notes-8.16.1, {elastic-sec} version 8.16.1>>

@@ -1,6 +1,52 @@
 [[release-notes-header-8.17.0]]
 == 8.17
 
+[discrete]
+[[release-notes-8.17.1]]
+=== 8.17.1
+
+[discrete]
+[[known-issue-8.17.1]]
+==== Known issues
+
+// tag::known-issue[]
+[discrete]
+.Duplicate alerts can be produced from manually running threshold rules 
+[%collapsible]
+====
+*Details* +
+On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution.
+====
+// end::known-issue[]
+
+// tag::known-issue[]
+[discrete]
+.Manually running custom query rules with suppression could suppress more alerts than expected
+[%collapsible]
+====
+*Details* +
+On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. 
+====
+// end::known-issue[]
+
+[discrete]
+[[bug-fixes-8.17.1]]
+==== Bug fixes
+* Fixes Integration and Datastream name validation ({kibana-pull}204943[#204943]).
+* Improves how the rule query field handles whitespace for long pre-formatted texts. This fix only applies to Firefox, not Chrome or Safari ({kibana-pull}203993[#203993]).
+* Adds role-based access control to the Automatic Import APIs ({kibana-pull}203882[#203882]).
+* Changes the validation for API responses from SentinelOne and Crowdstrike. This fix allows for non-JSON responses, such as stream, to be returned ({kibana-pull}203820[#203820]).
+* Fixes a bug that caused a warning to display when you modified the index patterns of a rule that had a filter using `AND` or `OR` conditions ({kibana-pull}201776[#201776]).
+* Fixes incompatibility issues with {elastic-defend}. In 8.16.2 and 8.17.0, a portion of the Windows kernel driver was refactored to work around an incompatibility with CrowdStrike Falcon which could result in a `CRITICAL_PROCESS_DIED` bugcheck. It was discovered that this incompatibility could also be triggered by Memory Protection, so a portion of the kernel driver was refactored to avoid this conflict.
++
+Affected users who are unable to upgrade should set one or both of the following in their {elastic-defend} advanced policy, depending on their version:
+
+** `windows.advanced.events.process.creation_flags: false` (8.13.0 - 8.16.1)
+** `windows.advanced.memory_protection.shellcode_trampoline_detection: false` (8.12.0 - 8.16.2)
+* Fixes an {elastic-defend} bug that could cause the Windows API event call stack enrichment to fail for processes that started before {elastic-defend} and if another security product was present and hooking system DLLs.
+* Fixes an {elastic-defend} bug that caused Windows API events involving `mswsock.dll` to be mislabeled with the `proxy_call` behavior.
+* Fixes an {elastic-defend} bug that caused the **Open Elastic Security** button in the Windows Security Center to be non-functional. Now, you're informed that {elastic-defend} is managed by your system administrator.
+
 [discrete]
 [[release-notes-8.17.0]]
 === 8.17.0