From d9358619d331d51db79df9b2653108626afa4918 Mon Sep 17 00:00:00 2001
From: Nicholas Berlin
Date: Wed, 3 Dec 2025 16:21:40 -0500
Subject: [PATCH] Update linux.advanced.kernel.capture_mode message
---
 .../management/pages/policy/models/advanced_policy_schema.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts b/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
index 2de6fc084f507..365e77d06d23d 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
@@ -1214,7 +1214,7 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
 'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.kernel.capture_mode',
 {
 defaultMessage:
- "Control whether kprobes or eBPF are used to gather data. Options are 'kprobe', 'ebpf', or 'auto'. 'auto' uses eBPF if possible, otherwise it uses 'kprobe'. Default: auto.",
+ "Control whether kprobes, eBPF or Quark is used to gather data. Options are 'kprobe', 'ebpf', 'quark' or 'auto'. 'auto' uses 'quark' if possible (and supported), then tries legacy 'ebpf', and otherwise it uses 'kprobe'. 'quark' is suported by Endpoint versions 8.19.9, 9.1.9, 9.2.3, and newer, not 9.0. Default: auto.",
 }
 ),
 },
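Review bot: The new `defaultMessage` misspells "supported" as "suported" in `'quark' is suported by Endpoint versions`. Because this is a user-facing i18n string, the typo will appear in the policy UI and in any translation extracted from it; it should read `'quark' is supported by Endpoint versions 8.19.9, 9.1.9, 9.2.3, and newer`. The trailing `not 9.0` is also easy to misread next to "and newer", and a separate sentence such as `It is not available in any 9.0.x release.` would be clearer. The message does not say what the Endpoint does when `'quark'` is set explicitly on a version that lacks it, whether it falls back or stops collecting. A short clause would help operators who pin the mode, if that behaviour is defined. The schema entry starts and ends outside this hunk, so its key and version fields could not be checked against the text.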