forgot that the docs will go out to both ECH and serverless

yctercero · yctercero · commit 778dcb9dc466 · 2025-11-10T20:08:06.000-08:00
diff --git a/solutions/security/ai/attack-discovery.md b/solutions/security/ai/attack-discovery.md
@@ -22,7 +22,9 @@ For a demo, refer to the following video (click to view).
 
 ## Role-based access control (RBAC) for Attack Discovery [attack-discovery-rbac]
 
-You need the `Attack Discovery: All` and `Rules: All` privileges to use Attack Discovery.
+You need the `Attack Discovery: All` privileges to use Attack Discovery.
+
+{applies_to}`serverless: ` Your role must also have `Rules: All` privileges to use Attack Discovery.
 
 ![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png)
 
diff --git a/solutions/security/dashboards/detection-rule-monitoring-dashboard.md b/solutions/security/dashboards/detection-rule-monitoring-dashboard.md
@@ -23,7 +23,8 @@ The Detection rule monitoring dashboard provides visualizations to help you moni
 ::::{admonition} Requirements
 To access this dashboard and its data, you must have:
 
-* At least `Read` [{{kib}} privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for both the **Analytics > Dashboard**, **Security > Rules** and **Security > Security** {{kib}} features.
+* At least `Read` [{{kib}} privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for both the **Analytics > Dashboard** and **Security > Security** {{kib}} features.
+* {applies_to}`serverless: ` Your role must also have `Security > Rules: All` privilege.
 * At least `read` [index privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md#adding_index_privileges) for the `.kibana-event-log-*` index.
 
 ::::
diff --git a/solutions/security/detect-and-alert/detections-requirements.md b/solutions/security/detect-and-alert/detections-requirements.md
@@ -59,13 +59,13 @@ The following table describes the required privileges to access the Detections f
 
 | Action | Cluster Privileges | Index Privileges | Kibana Privileges |
 | --- | --- | --- | --- |
-| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>` ^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `All` for the `Rules` feature |
-If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `All` for the `Rules` feature |
-| Preview rules | N/A | `read` for these indices:<br><br>- `.preview.alerts-security.alerts-<space-id>`<br>- `.internal.preview.alerts-security.alerts-<space-id>-*`<br> | `All` for the `Rules` feature |
-| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `All` for the `Rules` feature<br><br>**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:<br><br>- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.<br>- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions,  you don’t need `Actions and Connectors` privileges.<br> |
-| Manage alerts<br><br>**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.internal.alerts-security.alerts-<space-id>-*`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br> **NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `Read` for the `Rules` feature <br><br>**NOTE:** Alerts are managed through the ES privileges. To view the alert management flows requires at least the `Read` for th `Rules` feature. |
-| Manage exceptions | N/A | N/A | `All` for the `Rules` feature |
-| Manage value lists.<br><br>Create the `.lists` and `.items` data streams in your space<br><br>**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `<space-id>` is the space name:<br><br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br> | `All` for the `Rules` and `Saved Objects Management` features |
+| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>` ^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `All` for the `Security` feature<br><br>**Serverless**: `All` for the `Rules` feature |
+If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature |
+| Preview rules | N/A | `read` for these indices:<br><br>- `.preview.alerts-security.alerts-<space-id>`<br>- `.internal.preview.alerts-security.alerts-<space-id>-*`<br> | `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature |
+| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature<br><br>**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:<br><br>- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.<br>- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions,  you don’t need `Actions and Connectors` privileges.<br> |
+| Manage alerts<br><br>**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.internal.alerts-security.alerts-<space-id>-*`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br> **NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `Read` for the `Security` feature <br><br>{applies_to}`serverless: ` `All` for the `Rules` feature<br><br>**NOTE:** Alerts are managed through the ES privileges. To view the alert management flows requires at least the `Read` for th `Rules` feature. |
+| Manage exceptions | N/A | N/A | `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature |
+| Manage value lists.<br><br>Create the `.lists` and `.items` data streams in your space<br><br>**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `<space-id>` is the space name:<br><br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br> | `All` for the `Security` and `Saved Objects Management` features<br><br>{applies_to}`serverless: `  `All` for the `Rules` and `Saved Objects Management` features |
 | Manage [timelines](/solutions/security/investigate/timeline.md) | N/A | N/A | `All` for the `Timelines` feature |
 | Manage [notes](/solutions/security/investigate/notes.md) | N/A | N/A | `All` for the `Notes` feature |
 | Manage [cases](/solutions/security/investigate/cases.md) | N/A | N/A | `All` for the `Cases` feature |
diff --git a/solutions/security/get-started/automatic-migration.md b/solutions/security/get-started/automatic-migration.md
@@ -17,7 +17,8 @@ For rule migrations, if comparable Elastic-authored rules exist, Automatic Migra
 You can ingest your data before migrating your assets, or migrate your assets first in which case the tool will recommend which data sources you need to power your migrated rules.
 
 ::::{admonition} Requirements
-* The `SIEM migrations: All` and `Rules: All` Security sub-feature privileges.
+* The `SIEM migrations: All` Security sub-feature privileges.
+* {applies_to}`serverless: ` Your role must also have `Rules: All` privilege.
 * A working [LLM connector](/solutions/security/ai/set-up-connectors-for-large-language-models-llm.md).
 * {{stack}} users: an [Enterprise](https://www.elastic.co/pricing) subscription.
 * {{Stack}} users: {{ml}} must be enabled.
