ers requirements

Author: natasha-moore-elastic

raw-migrated-files/docs-content/serverless/security-ers-requirements.md

@@ -274,7 +274,6 @@ toc:
       - file: docs-content/serverless/security-endpoint-management-req.md
       - file: docs-content/serverless/security-endpoints-page.md
       - file: docs-content/serverless/security-environment-variable-capture.md
-      - file: docs-content/serverless/security-ers-requirements.md
       - file: docs-content/serverless/security-event-filters.md
       - file: docs-content/serverless/security-examine-osquery-results.md
       - file: docs-content/serverless/security-get-started-with-kspm.md

raw-migrated-files/toc.yml

@@ -6,31 +6,35 @@ mapped_urls:
 
 # Entity risk scoring requirements
 
-% What needs to be done: Align serverless/stateful
-
-% Use migrated content from existing pages that map to this page:
-
-% - [x] ./raw-migrated-files/security-docs/security/ers-requirements.md
-% - [ ] ./raw-migrated-files/docs-content/serverless/security-ers-requirements.md
-
 To use entity risk scoring, asset criticality, and entity store, your role must have certain cluster, index, and {{kib}} privileges. These features require a [Platinum subscription](https://www.elastic.co/pricing) or higher.
 
 This page covers the requirements and guidelines for using the entity risk scoring, asset criticality, and entity store features, as well as their known limitations.
 
 
 ## Entity risk scoring [_entity_risk_scoring]
 
+In {{stack}}, to turn on the risk scoring engine, you need the appropriate [privileges](#_privileges).
 
-### Privileges [_privileges]
+In serverless, to turn on the risk scoring engine, you need either the appropriate [predefined Security user role](#ers_roles) or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with the right [privileges](#_privileges).
 
-To turn on the risk scoring engine, you need the following privileges:
+
+### Privileges [_privileges]
 
 | Cluster | Index | {{kib}} |
 | --- | --- | --- |
-| * `manage_index_templates`<br>* `manage_transform`<br> | `all` privilege for `risk-score.risk-score-*` | **Read** for the **Security** feature |
+| - `manage_index_templates`<br>- `manage_transform`<br> | `all` privilege for `risk-score.risk-score-*` | **Read** for the **Security** feature |
+
+### Predefined roles [ers_roles]
+
+* Platform engineer
+* Detections admin
+* Admin
 
 
 ### {{es}} resource guidelines [_es_resource_guidelines]
+```yaml {applies_to}
+stack:
+```
 
 Follow these guidelines to ensure clusters have adequate memory to handle data volume:
 
@@ -40,30 +44,42 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v
 
 ### Known limitations [_known_limitations]
 
-The risk scoring engine uses an internal user role to score all hosts and users, and doesn’t respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {{kib}} space, all alerts in the space will contribute to host and user risk scores.
+* The risk scoring engine uses an internal user role to score all hosts and users, and doesn’t respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {{kib}} space, all alerts in the space will contribute to host and user risk scores.
+* You cannot customize alert data views or risk weights associated with alerts and asset criticality levels.
 
 
 ## Asset criticality [_asset_criticality]
 
+In {{stack}}, to use asset criticality, you need the appropriate [privileges](#_privileges_2) for the `.asset-criticality.asset-criticality-<space-id>` index.
+
+In serverless, to use asset criticality, you need you need either the appropriate [predefined Security user role](#ac_roles) or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with the right [privileges](#_privileges_2).
 
 ### Privileges [_privileges_2]
 
-To use asset criticality, you need the following privileges for the `.asset-criticality.asset-criticality-<space-id>` index:
 
 | Action | Index privilege |
 | --- | --- |
 | View asset criticality | `read` |
 | View, assign, or change asset criticality | `read` and `write` |
 | Unassign asset criticality | `delete` |
 
+### Predefined roles [ac_roles]
+
+| Action | Predefined role |
+| --- | --- |
+| View asset criticality | - Viewer<br>- Tier 1 analyst<br> |
+| View, assign, change, or unassign asset criticality | - Editor<br>- Tier 2 analyst<br>- Tier 3 analyst<br>- Threat intelligence analyst<br>- Rule author<br>- SOC manager<br>- Endpoint operations analyst<br>- Platform engineer<br>- Detections admin<br>- Endpoint policy manager<br> |
+
 
 ## Entity store [_entity_store]
 
 
 ### Privileges [_privileges_3]
 
-To use the entity store, you need the following privileges:
+To enable the entity store, you need the following privileges:
 
 | Cluster | Index | {{kib}} |
 | --- | --- | --- |
-| * `manage_enrich`<br>* `manage_index_templates`<br>* `manage_ingest_pipelines`<br>* `manage_transform`<br> | * `read` and `view_index_metadata` for `.asset-criticality.asset-criticality-*`<br>* `read` and `manage` for `risk-score.risk-score-*`<br>* `read` and `manage` for `.entities.v1.latest.*`<br>* `read` and `view_index_metadata` for all {{elastic-sec}} indices<br> | **All** for the **Security** and **Saved Objects Management** features |
+| - `manage_enrich`<br>- `manage_index_templates`<br>- `manage_ingest_pipelines`<br>- `manage_transform`<br> | - `read` and `view_index_metadata` for `.asset-criticality.asset-criticality-*`<br>- `read` and `manage` for `risk-score.risk-score-*`<br>- `read` and `manage` for `.entities.v1.latest.*`<br>- `read` and `view_index_metadata` for all {{elastic-sec}} indices<br> | **All** for the **Security** and **Saved Objects Management** features |
+
+% pending info about user roles / custom role privileges needed for entity store in serverless