From ab7367cd2e53cc002e07c4aa91678404cb8e921f Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 4 Feb 2025 12:56:39 -0500 Subject: [PATCH 1/9] First draft --- docs/release-notes.asciidoc | 1 + docs/release-notes/8.16.asciidoc | 25 +++++++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index d3bb176350..8741f46102 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc @@ -5,6 +5,7 @@ This section summarizes the changes in each release. * <> * <> +* <> * <> * <> * <> diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index ce1ddfd289..8c69a6bbba 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -1,6 +1,31 @@ [[release-notes-header-8.16.0]] == 8.16 +[discrete] +[[release-notes-8.16.4]] +=== 8.16.4 + +[discrete] +[[features-8.16.4]] +==== New features +* Enables `advanced.malware.max_file_size_bytes` option. + +[discrete] +[[enhancements-8.16.4]] +==== Enhancements +* Enhanced the performance of network events monitoring for better CPU utilization and responsiveness. + +[discrete] +[[bug-fixes-8.16.4]] +==== Bug fixes +* "Select a Connector" popup does not show up after the user selects any connector and then cancels it from Endpoint Insights ({kibana-pull}208969[#208969]). +* Adds missing fields to input manifest templates ({kibana-pull}208768[#208768]). +* Adds missing fields into AWS S3 manifest ({kibana-pull}208080[#208080]). +* Allows Elastic Defend to detect/prevent malware process/image load from webdave server. +* Enhanced the performance of network events monitoring for better CPU utilization and responsiveness. +* Fixed the issue on Windows when promiscuous mode is enabled the Defend could be parsing other computer's network traffic, which is unnecessary. +* When the Defend get-file response action was used to retrieve a Windows Alternate Data Stream, the resulting upload.zip would contain a checksum error making it unusable by most zip tools. This is now fixed. + [discrete] [[release-notes-8.16.3]] === 8.16.3 From 3ec15caf72949133e6465f3a2d55be3de94477e7 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 4 Feb 2025 22:40:52 -0500 Subject: [PATCH 2/9] More updates --- docs/release-notes/8.16.asciidoc | 41 +++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 9 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 8c69a6bbba..404175cd07 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -1,6 +1,30 @@ [[release-notes-header-8.16.0]] == 8.16 +[discrete] +[[known-issue-8.16.4]] +==== Known issues + +// tag::known-issue[] +[discrete] +.Duplicate alerts can be produced from manually running threshold rules +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Manually running custom query rules with suppression could suppress more alerts than expected +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. +==== +// end::known-issue[] + [discrete] [[release-notes-8.16.4]] === 8.16.4 
@@ -8,23 +32,22 @@ [discrete] [[features-8.16.4]] ==== New features -* Enables `advanced.malware.max_file_size_bytes` option. +* Adds the `advanced.malware.max_file_size_bytes` <>, which allows you to control the maximum file size for malware protection. [discrete] [[enhancements-8.16.4]] ==== Enhancements -* Enhanced the performance of network events monitoring for better CPU utilization and responsiveness. +* Enhances the performance of network events monitoring for better CPU utilization and responsiveness. [discrete] [[bug-fixes-8.16.4]] ==== Bug fixes -* "Select a Connector" popup does not show up after the user selects any connector and then cancels it from Endpoint Insights ({kibana-pull}208969[#208969]). -* Adds missing fields to input manifest templates ({kibana-pull}208768[#208768]). -* Adds missing fields into AWS S3 manifest ({kibana-pull}208080[#208080]). -* Allows Elastic Defend to detect/prevent malware process/image load from webdave server. -* Enhanced the performance of network events monitoring for better CPU utilization and responsiveness. -* Fixed the issue on Windows when promiscuous mode is enabled the Defend could be parsing other computer's network traffic, which is unnecessary. -* When the Defend get-file response action was used to retrieve a Windows Alternate Data Stream, the resulting upload.zip would contain a checksum error making it unusable by most zip tools. This is now fixed. +* Fixes an Attack discovery bug that prevented you from selecting different connector types after initially choosing one ({kibana-pull}208969[#208969]). +* Adds missing fields to input manifest templates for Automatic Import ({kibana-pull}208768[#208768]). +* Adds fields that are missing in the `aws-s3-manifest.yml` file ({kibana-pull}208080[#208080]). +* Allows {elastic-defend} to detect or prevent malware process or image loads from WebDAV servers. 
+* Allows {elastic-defend} to bypass network traffic from other computers when promiscuous mode is enabled on Windows. +* Fixes a bug with the `get-file` Endpoint response action. If the `get-file` response action was used to retrieve a Windows Alternate Data Stream, the resulting `.zip` archive would contain a checksum error that made it unusable by most zip tools. [discrete] [[release-notes-8.16.3]] From cf1a35bd60be6d4dbd01e19af8537c9bdd2395d4 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 7 Feb 2025 13:19:31 -0500 Subject: [PATCH 3/9] Same edits --- docs/release-notes/8.16.asciidoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 404175cd07..111df7289c 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -42,12 +42,14 @@ On November 12, 2024, it was discovered that manually running a custom query rul [discrete] [[bug-fixes-8.16.4]] ==== Bug fixes +* Fixes a bug with the structured log template to ensure it uses single quotes ({kibana-pull}209736[#209736]). +* Ensures that multiple IPs are displayed as individual links in the Alerts table, even if they're passed as a single string ({kibana-pull}209475[#209475]). * Fixes an Attack discovery bug that prevented you from selecting different connector types after initially choosing one ({kibana-pull}208969[#208969]). * Adds missing fields to input manifest templates for Automatic Import ({kibana-pull}208768[#208768]). * Adds fields that are missing in the `aws-s3-manifest.yml` file ({kibana-pull}208080[#208080]). * Allows {elastic-defend} to detect or prevent malware process or image loads from WebDAV servers. * Allows {elastic-defend} to bypass network traffic from other computers when promiscuous mode is enabled on Windows. -* Fixes a bug with the `get-file` Endpoint response action. If the `get-file` response action was used to retrieve a Windows Alternate Data Stream, the resulting `.zip` archive would contain a checksum error that made it unusable by most zip tools. +* Fixes a bug with the `get-file` Endpoint response action. When you used the `get-file` response action to retrieve a Windows Alternate Data Stream, the resulting `.zip` archive would contain a checksum error that made it unusable by most zip tools. [discrete] [[release-notes-8.16.3]] From 2bb0d5a74d1df4bd91e7e153887cfd32a6c30ee5 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 7 Feb 2025 13:30:34 -0500 Subject: [PATCH 4/9] More defend fixes --- docs/release-notes/8.16.asciidoc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 111df7289c..498a24accf 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -42,14 +42,15 @@ On November 12, 2024, it was discovered that manually running a custom query rul [discrete] [[bug-fixes-8.16.4]] ==== Bug fixes -* Fixes a bug with the structured log template to ensure it uses single quotes ({kibana-pull}209736[#209736]). * Ensures that multiple IPs are displayed as individual links in the Alerts table, even if they're passed as a single string ({kibana-pull}209475[#209475]). * Fixes an Attack discovery bug that prevented you from selecting different connector types after initially choosing one ({kibana-pull}208969[#208969]). -* Adds missing fields to input manifest templates for Automatic Import ({kibana-pull}208768[#208768]). -* Adds fields that are missing in the `aws-s3-manifest.yml` file ({kibana-pull}208080[#208080]). +* Adds missing fields to Automatic Import's input manifest templates ({kibana-pull}208768[#208768]). +* Ensures that Automatic Import's structured log template surrounds single backslashes with single quotes when the backslash is used as an escape character ({kibana-pull}209736[#209736]). +* Adds fields that are missing from Automatic Import's `aws-s3-manifest.yml` file ({kibana-pull}208080[#208080]). * Allows {elastic-defend} to detect or prevent malware process or image loads from WebDAV servers. * Allows {elastic-defend} to bypass network traffic from other computers when promiscuous mode is enabled on Windows. * Fixes a bug with the `get-file` Endpoint response action. When you used the `get-file` response action to retrieve a Windows Alternate Data Stream, the resulting `.zip` archive would contain a checksum error that made it unusable by most zip tools. +* Increases the maximum number of ETW buffers that {elastic-defend} can use. [discrete] [[release-notes-8.16.3]] From 519a5c246582a76d35113b819fcc4ed919ac4063 Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Fri, 7 Feb 2025 13:56:09 -0500 Subject: [PATCH 5/9] Heading fix --- docs/release-notes/8.16.asciidoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 498a24accf..ce31fb072f 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -1,6 +1,10 @@ [[release-notes-header-8.16.0]] == 8.16 +[discrete] +[[release-notes-8.16.4]] +=== 8.16.4 + [discrete] [[known-issue-8.16.4]] ==== Known issues @@ -25,10 +29,6 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] -[discrete] -[[release-notes-8.16.4]] -=== 8.16.4 - [discrete] [[features-8.16.4]] ==== New features From 0f3fbcc86af3e92ddb89660b8aca006f19fe05a7 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:42:48 -0500 Subject: [PATCH 6/9] Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.16.asciidoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index ce31fb072f..09122bd771 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -51,6 +51,9 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Allows {elastic-defend} to bypass network traffic from other computers when promiscuous mode is enabled on Windows. * Fixes a bug with the `get-file` Endpoint response action. When you used the `get-file` response action to retrieve a Windows Alternate Data Stream, the resulting `.zip` archive would contain a checksum error that made it unusable by most zip tools. * Increases the maximum number of ETW buffers that {elastic-defend} can use. +* Fixes a bug in {elastic-defend} where a combination of "descendent of process" event filters and unenriched events would not match other event filters. +* Fixes an issue where {elastic-defend} was not correctly populating `event.created` for process events on Windows. +* When aggregating events, {elastic-defend} was using the final event's timestamp for the aggregated event. This was a bug. Now, {elastic-defend} will use the first event's timestamp as originally intended. [discrete] [[release-notes-8.16.3]] From 60a42465ec9f5d485733bb48d8d1050423077625 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:42:58 -0500 Subject: [PATCH 7/9] Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.16.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 09122bd771..24d9382f8c 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -37,7 +37,8 @@ On November 12, 2024, it was discovered that manually running a custom query rul [discrete] [[enhancements-8.16.4]] ==== Enhancements -* Enhances the performance of network events monitoring for better CPU utilization and responsiveness. +* Enhances the performance of {elastic-defend} network events monitoring for better CPU utilization and responsiveness. +* Add byte counts to Linux {elastic-defend} network disconnect events. [discrete] [[bug-fixes-8.16.4]] From a46e9d0a742df4d9752b94ff7d9db344ea2b6b55 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 10 Feb 2025 10:46:04 -0500 Subject: [PATCH 8/9] Update docs/release-notes/8.16.asciidoc --- docs/release-notes/8.16.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 24d9382f8c..e5b05a6e41 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -44,7 +44,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul [[bug-fixes-8.16.4]] ==== Bug fixes * Ensures that multiple IPs are displayed as individual links in the Alerts table, even if they're passed as a single string ({kibana-pull}209475[#209475]). -* Fixes an Attack discovery bug that prevented you from selecting different connector types after initially choosing one ({kibana-pull}208969[#208969]). +* Fixes an AI Assistant bug that prevented you from selecting different connector types after initially choosing one ({kibana-pull}208969[#208969]). * Adds missing fields to Automatic Import's input manifest templates ({kibana-pull}208768[#208768]). * Ensures that Automatic Import's structured log template surrounds single backslashes with single quotes when the backslash is used as an escape character ({kibana-pull}209736[#209736]). * Adds fields that are missing from Automatic Import's `aws-s3-manifest.yml` file ({kibana-pull}208080[#208080]). From 88b08b101af736ce5ad41ebbb266faf960dceee8 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 10 Feb 2025 11:57:39 -0500 Subject: [PATCH 9/9] Minor edits --- docs/release-notes/8.16.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index e5b05a6e41..dbd253ce7e 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -38,7 +38,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul [[enhancements-8.16.4]] ==== Enhancements * Enhances the performance of {elastic-defend} network events monitoring for better CPU utilization and responsiveness. -* Add byte counts to Linux {elastic-defend} network disconnect events. +* Adds byte counts to Linux {elastic-defend} network disconnect events. [discrete] [[bug-fixes-8.16.4]] 
@@ -53,8 +53,8 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Fixes a bug with the `get-file` Endpoint response action. When you used the `get-file` response action to retrieve a Windows Alternate Data Stream, the resulting `.zip` archive would contain a checksum error that made it unusable by most zip tools. * Increases the maximum number of ETW buffers that {elastic-defend} can use. * Fixes a bug in {elastic-defend} where a combination of "descendent of process" event filters and unenriched events would not match other event filters. -* Fixes an issue where {elastic-defend} was not correctly populating `event.created` for process events on Windows. -* When aggregating events, {elastic-defend} was using the final event's timestamp for the aggregated event. This was a bug. Now, {elastic-defend} will use the first event's timestamp as originally intended. +* Fixes an issue where {elastic-defend} wasn't correctly populating `event.created` for process events on Windows. +* When aggregating events, {elastic-defend} was using the final event's timestamp for the aggregated event, which was a bug. Now, {elastic-defend} will use the first event's timestamp as originally intended. [discrete] [[release-notes-8.16.3]]
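Review bot: In PATCH 1/9's hunk for docs/release-notes/8.16.asciidoc, the 8.16.4 Bug fixes list repeats the Enhancements entry ("Enhanced the performance of network events monitoring for better CPU utilization and responsiveness.") verbatim, and the WebDAV entry spells it "webdave". Drop the duplicate from Bug fixes and correct the spelling; the {elastic-defend} entries, which carry no `{kibana-pull}` reference unlike the Kibana ones, should also name the component so readers can tell endpoint fixes from Kibana fixes. PATCH 2/9 already removes the duplicate and fixes the spelling, so that should be squashed into this commit.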
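Review bot: In PATCH 1/9's hunk for docs/release-notes.asciidoc, the cross-reference target of the new list item is not visible in the diff, so it cannot be checked that it points at the `release-notes-8.16.4` anchor introduced in docs/release-notes/8.16.asciidoc in the same commit; confirm the target and that the item is inserted at the position matching the ordering of the surrounding entries.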
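Review bot: In PATCH 2/9's first hunk, the level-4 `==== Known issues` block is inserted directly under `== 8.16` and before `=== 8.16.4`, so it attaches to the 8.16 section rather than to 8.16.4 and its `[[known-issue-8.16.4]]` anchor sits outside the release it names; move the `=== 8.16.4` heading above it (PATCH 5/9 does this, and the move belongs in this commit). Both known-issue blocks also give only *Details* (discovery date and symptom) and say nothing about a workaround or a target fix version; if one exists, add a *Workaround* line so readers know whether to avoid manual rule runs until it is fixed.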
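Review bot: In PATCH 2/9's second hunk, "Allows {elastic-defend} to bypass network traffic from other computers when promiscuous mode is enabled on Windows" reads as if Defend now routes around that traffic, whereas the removed line says the bug was that Defend was parsing other computers' traffic unnecessarily; "Stops {elastic-defend} from parsing network traffic from other computers when promiscuous mode is enabled on Windows" states the fix precisely. The same hunk drops the `upload.zip` file name from the `get-file` entry; keeping it helps users recognise the affected artifact.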
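Review bot: In PATCH 3/9, the new entry "Fixes a bug with the structured log template to ensure it uses single quotes ({kibana-pull}209736[#209736])" names neither the feature the template belongs to nor what was wrong; PATCH 4/9 rewrites it to name Automatic Import and the backslash escape case, and that wording should land here rather than the placeholder.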
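Review bot: In PATCH 4/9, "Increases the maximum number of ETW buffers that {elastic-defend} can use." leaves ETW unexpanded; spell out Event Tracing for Windows on first use, as the other entries spell out Alternate Data Stream and WebDAV. The entry also has no issue or PR reference and does not say what user-visible problem the larger buffer count fixes; a Bug fixes entry should state the symptom so operators can tell whether they were affected.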
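Review bot: In PATCH 6/9, "descendent of process" misspells "descendant" (if it quotes a UI label, match that label's spelling exactly). The third added entry ("This was a bug. Now, {elastic-defend} will use ...") is conversational compared with the rest of the list; "Fixes a bug where {elastic-defend} used the final event's timestamp for aggregated events instead of the first event's" keeps the same form as the other entries. PATCH 9/9 only partly addresses this.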
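Review bot: In PATCH 7/9, "Add byte counts to Linux {elastic-defend} network disconnect events." breaks the third-person present form used by every other entry ("Adds ..."); PATCH 9/9 corrects it, so squash that fix into this commit. Since the enhancement adds data to an event, naming the field(s) that now carry the byte counts would let detection authors update their queries.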
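Review bot: PATCH 8/9 changes the feature attribution of {kibana-pull}208969[#208969] from "Attack discovery" to "AI Assistant" with no explanation in the commit message; confirm against the linked PR which feature the connector-selection fix belongs to, and record the reason in the commit message so the history explains the change.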
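Review bot: In PATCH 9/9's second hunk, the unchanged context line still carries the "descendent of process" misspelling (should be "descendant"); since this commit already edits the adjacent lines, fix it here. The reworded timestamp entry still mixes a past-tense description with "Now, {elastic-defend} will use ..."; "Fixes a bug where {elastic-defend} used the final event's timestamp for aggregated events instead of the first event's, as originally intended" keeps the entry in the same form as the rest of the list.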