From e4ee6ed9fc561b0981843ad8123340cf6ee74922 Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Mon, 21 Jul 2025 14:56:36 +0100
Subject: [PATCH 01/12] Add TOC and overview

---
 .../asset-criticality.md                      |   5 +-
 .../advanced-entity-analytics/entity-store.md |   4 +-
 .../monitor-privileged-user-activitites.md    |  13 ++
 .../advanced-entity-analytics/overview.md     | 174 ++++++++++++++++++
 ...privileged-user-monitoring-requirements.md |  13 ++
 .../privileged-user-monitoring-setup.md       |  14 ++
 .../privileged-user-monitoring.md             |   2 +-
 .../view-analyze-risk-score-data.md           |  12 +-
 .../view-entity-details.md                    |   2 +-
 solutions/toc.yml                             |   7 +-
 10 files changed, 237 insertions(+), 9 deletions(-)
 create mode 100644 solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
 create mode 100644 solutions/security/advanced-entity-analytics/overview.md
 create mode 100644 solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
 create mode 100644 solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md

diff --git a/solutions/security/advanced-entity-analytics/asset-criticality.md b/solutions/security/advanced-entity-analytics/asset-criticality.md
index 3a09beae6f..fe366285c0 100644
--- a/solutions/security/advanced-entity-analytics/asset-criticality.md
+++ b/solutions/security/advanced-entity-analytics/asset-criticality.md
@@ -66,7 +66,10 @@ You can view, assign, change, or unassign asset criticality from the following p
     :::
 
 
-If you have enabled the [entity store](entity-store.md), you can also view asset criticality assignments in the [**Entities** section](../dashboards/entity-analytics-dashboard.md#entity-entities) of the Entity Analytics dashboard:
+If you have enabled the [entity store](entity-store.md), you can also view asset criticality assignments in the **Entities** section on the following pages:
+
+* {applies_to}`stack: ga 9.1` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md)
+* [Entity analytics dashboard](/solutions/security/dashboards/entity-analytics-dashboard.md)
 
 :::{image} /solutions/images/security-entities-section.png
 :alt: Entities section
diff --git a/solutions/security/advanced-entity-analytics/entity-store.md b/solutions/security/advanced-entity-analytics/entity-store.md
index 35c84824d7..a798aec6bf 100644
--- a/solutions/security/advanced-entity-analytics/entity-store.md
+++ b/solutions/security/advanced-entity-analytics/entity-store.md
@@ -42,8 +42,10 @@ To enable the entity store:
 1. Find **Entity Store** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
 2. On the **Entity Store** page, turn the toggle on.
 
-Once you enable the entity store, the Entity Analytics dashboard displays the [**Entities**](../dashboards/entity-analytics-dashboard.md#entity-entities) section.
+Once you enable the entity store, the **Entities** section appears on the following pages:
 
+* {applies_to}`stack: ga 9.1` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md)
+* [Entity analytics dashboard](/solutions/security/dashboards/entity-analytics-dashboard.md)
 
 ## Clear entity store data [clear-entity-store]
 
diff --git a/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md b/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
new file mode 100644
index 0000000000..23a1503efa
--- /dev/null
+++ b/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
@@ -0,0 +1,13 @@
+---
+applies_to:
+  stack: preview 9.1
+  serverless:
+    security: preview
+products:
+  - id: security
+  - id: cloud-serverless
+---
+
+# Monitor privileged user activities
+
+This page is a placeholder for future documentation.
diff --git a/solutions/security/advanced-entity-analytics/overview.md b/solutions/security/advanced-entity-analytics/overview.md
new file mode 100644
index 0000000000..9ae4a511c5
--- /dev/null
+++ b/solutions/security/advanced-entity-analytics/overview.md
@@ -0,0 +1,174 @@
+---
+applies_to:
+  stack: ga 9.1
+  serverless:
+    security: ga
+products:
+  - id: security
+  - id: cloud-serverless
+---
+
+# Entity analytics overview
+
+The **Entity analytics** page provides a centralized view of emerging insider threats—including host risk, user risk, service risk, and anomalies from within your network. Use it to triage, investigate, and respond to these emerging threats.
+
+To access the page, find **Entity analytics** → **Overview** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
+
+::::{admonition} Requirements
+This feature requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}.
+::::
+
+
+The  **Entity analytics** page includes the following sections:
+
+* [Entity KPIs (key performance indicators)](#entity-kpis)
+* [User Risk Scores](#entity-user-risk-scores)
+* [Host Risk Scores](#entity-host-risk-scores)
+* [Service Risk Scores](#service-risk-scores)
+* [Entities](#entity-entities)
+* [Anomalies](#entity-anomalies)
+
+
+## Entity KPIs (key performance indicators) [entity-kpis]
+
+This section displays the total number of critical hosts, critical users, and anomalies. Select a link to jump to the **Hosts** page, **Users** page, or **Anomalies** table.
+
+
+## User Risk Scores [entity-user-risk-scores]
+
+::::{admonition} Requirements
+To display user risk scores, you must [turn on the risk scoring engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md).
+
+::::
+
+
+This section displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. User risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).
+
+:::{image} /solutions/images/security-user-score-data.png
+:alt: User risk table
+:screenshot:
+:::
+
+Interact with the table to filter data, view more details, and take action:
+
+* Select the **User risk level** menu to filter the chart by the selected level.
+* Click **View all** to display all user risk information on the **Users** page.
+* Click a user name link to open the entity details flyout.
+* Hover over a user name link to display inline actions: **Add to timeline** ({icon}`timeline`) and **Copy to Clipboard** ({icon}`copy_clipboard`).
+* Click the number link in the **Alerts** column to view the alerts on the **Alerts** page. Hover over the number and select **Investigate in timeline** ({icon}`timeline`) to launch Timeline with a query that includes the associated user name value.
+
+For more information about user risk scores, refer to [](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md).
+
+
+## Host Risk Scores [entity-host-risk-scores]
+
+::::{admonition} Requirements
+To display host risk scores, you must [turn on the risk scoring engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md).
+::::
+
+
+This section displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names, risk data, and number of detection alerts. Host risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).
+
+:::{image} /solutions/images/security-host-score-data.png
+:alt: Host risk scores table
+:screenshot:
+:::
+
+Interact with the table to filter data, view more details, and take action:
+
+* Select the **Host risk level** menu to filter the chart by the selected level.
+* Click **View all** to display all host risk information on the **Hosts** page.
+* Click a host name link to open the entity details flyout.
+* Hover over a host name link to display inline actions: **Add to timeline** ({icon}`timeline`) and **Copy to Clipboard** ({icon}`copy_clipboard`).
+* Click the number link in the **Alerts** column to view the alerts on the **Alerts** page. Hover over the number and select **Investigate in timeline** ({icon}`timeline`) to launch Timeline with a query that includes the associated host name value.
+
+For more information about host risk scores, refer to [](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md).
+
+
+## Service Risk Scores
+
+::::{admonition} Requirements
+To display service risk scores, you must [turn on the risk scoring engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md).
+::::
+
+This section displays service risk score data for your environment, including the total number of services, and the five most recently recorded service risk scores, with their associated service names, risk data, and number of detection alerts. Service risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).
+
+:::{image} /solutions/images/security-service-risk-scores.png
+:alt: Service risk scores table
+:screenshot:
+:::
+
+
+Interact with the table to filter data, view more details, and take action:
+
+* Select the **Service risk level** menu to filter the chart by the selected level.
+* Click a service name link to open the service details flyout.
+* Hover over a service name link to display inline actions: **Add to timeline** ({icon}`timeline`) and **Copy to Clipboard** ({icon}`copy_clipboard`).
+* Click the number link in the **Alerts** column to view the alerts on the **Alerts** page. Hover over the number and select **Investigate in timeline** ({icon}`timeline`) to launch Timeline with a query that includes the associated service name value.
+
+For more information about service risk scores, refer to [](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md).
+
+
+## Entities [entity-entities]
+
+
+::::{admonition} Requirements
+To display the **Entities** section, you must [enable the entity store](/solutions/security/advanced-entity-analytics/entity-store.md#enable-entity-store).
+::::
+
+
+This section provides a centralized view of all hosts, users, and services in your environment. It displays entities from the [entity store](/solutions/security/advanced-entity-analytics/entity-store.md), which meet any of the following criteria:
+
+* Have been observed by {{elastic-sec}}
+* Have an asset criticality assignment
+* Have been added to {{elastic-sec}} through an integration, such Active Directory or Okta
+
+::::{note}
+The **Entities** table only shows a subset of the data available for each entity. You can query the `.entities.v1.latest.security_user_<space-id>`, `.entities.v1.latest.security_host_<space-id>`, and `.entities.v1.latest.security_service_<space-id>` indices to see all the fields for each entity in the entity store.
+::::
+
+
+:::{image} /solutions/images/security-entities-section.png
+:alt: Entities section
+:screenshot:
+:::
+
+Entity data from different sources appears in the **Entities** section based on the following timelines:
+
+* When you first enable the entity store, only data stored in the last 24 hours is processed. After that, data is processed continuously.
+* Observed events from the {{elastic-sec}} default data view are processed in near real-time.
+* Entity Analytics data, such as entity risk scores and asset criticality (including bulk asset criticality upload), is also processed in near real-time.
+* The availability of entities extracted from Entity Analytics integrations depends on the specific integration. Refer to [Active Directory Entity Analytics](https://docs.elastic.co/en/integrations/entityanalytics_ad), [Microsoft Entra ID Entity Analytics](https://docs.elastic.co/en/integrations/entityanalytics_entra_id), and [Okta Entity Analytics](https://docs.elastic.co/en/integrations/entityanalytics_okta) for more details.
+
+Interact with the table to filter data and view more details:
+
+* Select the **Risk level** dropdown to filter the table by the selected user, host, or service risk level.
+* Select the **Criticality** dropdown to filter the table by the selected asset criticality level.
+* Select the **Source** dropdown to filter the table by the data source.
+* Click the **View details** icon ({icon}`expand` ) to open the entity details flyout.
+
+
+
+## Anomalies [entity-anomalies]
+
+Anomaly detection jobs identify suspicious or irregular behavior patterns. The **Anomalies** table displays the total number of anomalies identified by these prebuilt {{ml}} jobs (named in the **Anomaly name** column).
+
+::::{admonition} Requirements
+To display anomaly results, you must [install and run](/explore-analyze/machine-learning/anomaly-detection/ml-ad-run-jobs.md) one or more [prebuilt anomaly detection jobs](/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md). You cannot add custom anomaly detection jobs to the **Entity analytics** page.
+::::
+
+
+:::{image} /solutions/images/security-anomalies-table.png
+:alt: Anomalies table
+:screenshot:
+:::
+
+Interact with the table to view more details:
+
+* Click **View all host anomalies** to go to the **Anomalies** table on the **Hosts** page.
+* Click **View all user anomalies** to go to the **Anomalies** table on the **Users** page.
+* Click **View all** to display and manage all machine learning jobs on the **Anomaly Detection Jobs** page.
+
+::::{tip}
+To learn more about {{ml}}, refer to [](/explore-analyze/machine-learning.md)
+::::
\ No newline at end of file
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
new file mode 100644
index 0000000000..ec21f458a2
--- /dev/null
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
@@ -0,0 +1,13 @@
+---
+applies_to:
+  stack: preview 9.1
+  serverless:
+    security: preview
+products:
+  - id: security
+  - id: cloud-serverless
+---
+
+# Privileged user monitoring requirements
+
+This page is a placeholder for future documentation.
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
new file mode 100644
index 0000000000..01591c0242
--- /dev/null
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
@@ -0,0 +1,14 @@
+---
+navigation_title: Set up privileged user monitoring
+applies_to:
+  stack: preview 9.1
+  serverless:
+    security: preview
+products:
+  - id: security
+  - id: cloud-serverless
+---
+
+# Set up and manage privileged user monitoring
+
+This page is a placeholder for future documentation.
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md
index 60cafde3b3..8b8fbb05ab 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md
@@ -2,7 +2,7 @@
 applies_to:
   stack: preview 9.1
   serverless:
-    security: preview 9.1
+    security: preview
 products:
   - id: security
   - id: cloud-serverless
diff --git a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md
index 788e767eab..fff35d046b 100644
--- a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md
+++ b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md
@@ -15,7 +15,7 @@ products:
 
 The {{security-app}} provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the {{security-app}} to view and analyze risk score data:
 
-* [Entity Analytics dashboard](#entity-analytics-dashboard)
+* [Entity Analytics overview](#entity-analytics-overview)
 * [Alerts page](#alerts-page)
 * [Alert details flyout](#alert-details-flyout)
 * [Hosts and Users pages](#hosts-users-pages)
@@ -28,11 +28,15 @@ We recommend that you prioritize [alert triaging](#alert-triaging) to identify a
 
 
 
-## Entity Analytics dashboard [entity-analytics-dashboard]
+## Entity Analytics overview [entity-analytics-overview]
 
-From the Entity Analytics dashboard, you can access entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page.
+In the Entity Analytics overview, you can view entity key performance indicators (KPIs), risk scores, and levels. You can also click the number link in the **Alerts** column to investigate and analyze the alerts on the Alerts page.
 
-If you have enabled the [entity store](entity-store.md), the dashboard also displays the [**Entities** section](../dashboards/entity-analytics-dashboard.md#entity-entities), where you can view all hosts, users, and services along with their risk and asset criticality data.
+If you have enabled the [entity store](entity-store.md), you'll also get access to the **Entities** section, where you can view all hosts, users, and services along with their risk and asset criticality data.
+
+Access the Entity Analytics overview from the following pages:
+* {applies_to}`stack: ga 9.1` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) 
+* [Entity analytics dashboard](/solutions/security/dashboards/entity-analytics-dashboard.md)
 
 
 ## Alert triaging [alert-triaging]
diff --git a/solutions/security/advanced-entity-analytics/view-entity-details.md b/solutions/security/advanced-entity-analytics/view-entity-details.md
index 08fac00af9..38da248e91 100644
--- a/solutions/security/advanced-entity-analytics/view-entity-details.md
+++ b/solutions/security/advanced-entity-analytics/view-entity-details.md
@@ -10,7 +10,7 @@ applies_to:
 You can lean more about an entity (host, user, or service) from the entity details flyout, which is available throughout the {{elastic-sec}} app. To access this flyout, click on an entity name in places such as:
 
 * The Alerts table
-* The Entity Analytics dashboard
+* The Entity Analytics overview
 * The **Users** and user details pages
 * The **Hosts** and host details pages
 
diff --git a/solutions/toc.yml b/solutions/toc.yml
index 7d0b23cd6d..b90e3fbf08 100644
--- a/solutions/toc.yml
+++ b/solutions/toc.yml
@@ -659,6 +659,7 @@ toc:
           - file: security/explore/users-page.md
       - file: security/advanced-entity-analytics.md
         children:
+          - file: security/advanced-entity-analytics/overview.md 
           - file: security/advanced-entity-analytics/entity-risk-scoring.md
             children:
               - file: security/advanced-entity-analytics/entity-risk-scoring-requirements.md
@@ -673,6 +674,10 @@ toc:
               - file: security/advanced-entity-analytics/anomaly-detection.md
               - file: security/advanced-entity-analytics/optimizing-anomaly-results.md
               - file: security/advanced-entity-analytics/behavioral-detection-use-cases.md
-          - hidden: security/advanced-entity-analytics/privileged-user-monitoring.md
+          - file: security/advanced-entity-analytics/privileged-user-monitoring.md
+            children:
+              - file: security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
+              - file: security/advanced-entity-analytics/privileged-user-monitoring-setup.md
+              - file: security/advanced-entity-analytics/monitor-privileged-user-activitites.md
       - file: security/asset-management.md
       - file: security/apis.md
\ No newline at end of file

From 1a94a19db2d99bcc36044fe17f0fffb74eead8f5 Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Mon, 21 Jul 2025 15:02:27 +0100
Subject: [PATCH 02/12] callout formatting

---
 .../advanced-entity-analytics/overview.md     | 33 +++++++++----------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/solutions/security/advanced-entity-analytics/overview.md b/solutions/security/advanced-entity-analytics/overview.md
index 9ae4a511c5..e79fa2eb26 100644
--- a/solutions/security/advanced-entity-analytics/overview.md
+++ b/solutions/security/advanced-entity-analytics/overview.md
@@ -14,9 +14,9 @@ The **Entity analytics** page provides a centralized view of emerging insider th
 
 To access the page, find **Entity analytics** → **Overview** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
 
-::::{admonition} Requirements
+:::{admonition} Requirements
 This feature requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}.
-::::
+:::
 
 
 The  **Entity analytics** page includes the following sections:
@@ -36,10 +36,9 @@ This section displays the total number of critical hosts, critical users, and an
 
 ## User Risk Scores [entity-user-risk-scores]
 
-::::{admonition} Requirements
+:::{admonition} Requirements
 To display user risk scores, you must [turn on the risk scoring engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md).
-
-::::
+:::
 
 
 This section displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. User risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).
@@ -62,9 +61,9 @@ For more information about user risk scores, refer to [](/solutions/security/adv
 
 ## Host Risk Scores [entity-host-risk-scores]
 
-::::{admonition} Requirements
+:::{admonition} Requirements
 To display host risk scores, you must [turn on the risk scoring engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md).
-::::
+:::
 
 
 This section displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names, risk data, and number of detection alerts. Host risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).
@@ -87,9 +86,9 @@ For more information about host risk scores, refer to [](/solutions/security/adv
 
 ## Service Risk Scores
 
-::::{admonition} Requirements
+:::{admonition} Requirements
 To display service risk scores, you must [turn on the risk scoring engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md).
-::::
+:::
 
 This section displays service risk score data for your environment, including the total number of services, and the five most recently recorded service risk scores, with their associated service names, risk data, and number of detection alerts. Service risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).
 
@@ -112,9 +111,9 @@ For more information about service risk scores, refer to [](/solutions/security/
 ## Entities [entity-entities]
 
 
-::::{admonition} Requirements
+:::{admonition} Requirements
 To display the **Entities** section, you must [enable the entity store](/solutions/security/advanced-entity-analytics/entity-store.md#enable-entity-store).
-::::
+:::
 
 
 This section provides a centralized view of all hosts, users, and services in your environment. It displays entities from the [entity store](/solutions/security/advanced-entity-analytics/entity-store.md), which meet any of the following criteria:
@@ -123,9 +122,9 @@ This section provides a centralized view of all hosts, users, and services in yo
 * Have an asset criticality assignment
 * Have been added to {{elastic-sec}} through an integration, such Active Directory or Okta
 
-::::{note}
+:::{note}
 The **Entities** table only shows a subset of the data available for each entity. You can query the `.entities.v1.latest.security_user_<space-id>`, `.entities.v1.latest.security_host_<space-id>`, and `.entities.v1.latest.security_service_<space-id>` indices to see all the fields for each entity in the entity store.
-::::
+:::
 
 
 :::{image} /solutions/images/security-entities-section.png
@@ -153,9 +152,9 @@ Interact with the table to filter data and view more details:
 
 Anomaly detection jobs identify suspicious or irregular behavior patterns. The **Anomalies** table displays the total number of anomalies identified by these prebuilt {{ml}} jobs (named in the **Anomaly name** column).
 
-::::{admonition} Requirements
+:::{admonition} Requirements
 To display anomaly results, you must [install and run](/explore-analyze/machine-learning/anomaly-detection/ml-ad-run-jobs.md) one or more [prebuilt anomaly detection jobs](/reference/data-analysis/machine-learning/ootb-ml-jobs-siem.md). You cannot add custom anomaly detection jobs to the **Entity analytics** page.
-::::
+:::
 
 
 :::{image} /solutions/images/security-anomalies-table.png
@@ -169,6 +168,6 @@ Interact with the table to view more details:
 * Click **View all user anomalies** to go to the **Anomalies** table on the **Users** page.
 * Click **View all** to display and manage all machine learning jobs on the **Anomaly Detection Jobs** page.
 
-::::{tip}
+:::{tip}
 To learn more about {{ml}}, refer to [](/explore-analyze/machine-learning.md)
-::::
\ No newline at end of file
+:::
\ No newline at end of file

From fa1e51cf9d6c546aebdd9d66d6929a3f3ed8806a Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Mon, 21 Jul 2025 17:12:49 +0100
Subject: [PATCH 03/12] adds some privmon content

---
 .../monitor-privileged-user-activitites.md    | 26 +++++++++-
 ...privileged-user-monitoring-requirements.md | 34 ++++++++++++-
 .../privileged-user-monitoring-setup.md       | 50 ++++++++++++++++++-
 .../privileged-user-monitoring.md             |  6 ++-
 4 files changed, 112 insertions(+), 4 deletions(-)

diff --git a/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md b/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
index 23a1503efa..4aab94b4c1 100644
--- a/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
+++ b/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
@@ -10,4 +10,28 @@ products:
 
 # Monitor privileged user activities
 
-This page is a placeholder for future documentation.
+After you [set up privileged user monitoring](/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md), you can start monitoring your privileged users' activity using the different panels on the **Privileged user monitoring** dashboard.
+
+## Risk levels of privileged users
+
+When entity risk scoring is enabled, this panel shows the percentages and numbers of privileged users exhibiting risky behaviors that trigger alerts, grouped by their risk levels. This helps you assess how much risk administrative and other privileged users are contributing to your environment’s overall risk posture.
+
+## Privileged users
+
+This panel represents an inventory of privileged users, sourced from your provided [data sources](/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md#manage-data-sources). It gives a rich catalog of users that may be valuable to investigate, and provides additional information, including user risk scores and asset criticality assignment. This table also serves as a window into the users that are currently being monitored for their privileged status from the configured data sources.
+
+## Top privileged access detection anomalies
+
+The [Privileged Access Detection](integration-docs://reference/pad.md) package contains multiple {{ml}} jobs that can detect anomalous privileged user activity across various systems, such as Windows, Linux, and Okta system logs. You can install this package directly from the **Privileged user monitoring** dashboard and access the related {{ml}} jobs for any additional configuration.
+
+Once you install the package, this panel displays a heatmap of the top privileged access detection anomalies performed by your defined privileged users. You can investigate these anomalies further by reviewing details for individual users or by navigating to the Anomaly Explorer.
+
+## Privileged user activity
+
+This panel contains the following tabs:
+
+* **Granted rights**: Monitor when rights are granted. This helps you detect behavior such as over-provisioning or potential insider threats. It also highlights possible misuse of administrative privileges or violations of least-privilege policies.
+
+* **Account switches**: Track when privileged users switch accounts. This can help you proactively identify potential lateral movement or unauthorized access.
+
+* **Authentications**: Review authentication events for privileged users. Frequent authentication shows how actively these privileges are being used, while repeated failed authentication events can indicate attempted unauthorized access.
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
index ec21f458a2..083a36f51b 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
@@ -10,4 +10,36 @@ products:
 
 # Privileged user monitoring requirements
 
-This page is a placeholder for future documentation.
+This page covers the requirements for using the privileged user monitoring feature, as well as its known limitations.
+
+* Privileged user monitoring feature requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}.
+
+* To enable this feature, turn on the `securitySolution:enablePrivilegedUserMonitoring` advanced setting.
+
+* To use these features in {{stack}}, your role must have certain [privileges](#privmon_privs). In {{serverless-short}}, you need an appropriate [predefined user role](#privmon_roles) or a custom role with the right [privileges](#privmon_privs).
+
+## Privileges [privmon_privs]
+
+| Action | Index Privileges | Kibana Privileges |
+| ------ | ---------------- | ----------------- |
+| View the Privileged user monitoring dashboard | `Read` for the following indices:<br> - `.entity_analytics.monitoring.users-<space-id>`<br> - `risk-score.risk-score-*`<br> - `.alerts-security.alerts-<space-id>`<br> -  `.ml-anomalies-shared`<br> - security data view indices | **Read** for the **Security** feature |
+| Enable the privileged user monitoring feature | TBD | **Read** for the **Security** feature |
+
+
+## Predefined roles [privmon_roles]
+```yaml {applies_to}
+serverless: all
+```
+
+| Action | Predefined role |
+| ------ | --------------- |
+| TBD | TBD |
+| TBD | TBD |
+
+
+## Known limitations
+
+* Currently, none of the privileged user monitoring visualizations support [cross-cluster search](/solutions/search/cross-cluster-search.md) as part of the data that they query from. 
+
+* You can define up to 10,000 privileged users per data source.
+
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
index 01591c0242..53d05e3086 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
@@ -11,4 +11,52 @@ products:
 
 # Set up and manage privileged user monitoring
 
-This page is a placeholder for future documentation.
+:::{admonition} Requirements
+To use privileged user monitoring, you must:
+
+* Have the appropriate user role or privileges
+* Turn on the required advanced setting
+
+For more information, refer to [Privileged user monitoring requirements](/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md).
+:::
+
+Before you can start monitoring privileged users, you need to define which users in your environment are considered privileged.
+
+Privileged users typically include accounts with elevated access rights that allow them to configure security settings, manage user permissions, or access sensitive data. 
+
+## Define privileged users
+
+You can define privileged users in the following ways:
+
+* [Select an existing index](#privmon-index) or create a new custom index with privileged user data.
+* [Bulk-upload](#privmon-upload) a list of privileged users using a CSV or TXT file. 
+* Use the Entity analytics APIs to [mark individual users as privileged]({{kib-apis}}/operation/operation-createprivmonuser) or [bulk-upload multiple privileged users]({{kib-apis}}/operation/operation-privmonbulkuploaduserscsv).
+
+To get started, find the **Privileged user monitoring** page in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
+
+### Select or create an index [privmon-index]
+
+1. On the **Privileged user monitoring** page, click **Index**.
+2. From the **Select index** popup, you can create new or choose existing indices as your data source.
+3. Select **Add privileged users**.
+
+All user names, specified in the `user.name` field in your selected indices, will be defined as privileged users.
+
+### Import a list of privileged users from a text file [privmon-upload]
+
+1. On the **Privileged user monitoring** page, click **File**.
+2. Select or drag and drop the file you want to import. The maximum file size is 1 MB.
+3. Select **Add privileged user**.
+
+:::{note}
+* Any lines that don’t follow the required file structure will be highlighted, and those users won't be added. We recommend that you fix any invalid lines and re-upload the file.
+
+* You can only import one file as a data source. Any users previously imported through a text file are overwritten.
+:::
+
+After setting up your privileged users, you can start [monitoring their activity](/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md) and related insights on the **Privileged user monitoring** page.
+
+You can update the selected data sources at any time by selecting **Manage data sources**.
+
+## Manage data sources
+
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md
index 8b8fbb05ab..92609494e0 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md
@@ -10,4 +10,8 @@ products:
 
 # Privileged user monitoring
 
-This page is a placeholder for future documentation.
+Privileged user monitoring allows you to track the activity of users with elevated permissions, such as system administrators or users with access to sensitive data. These accounts are often targets for attackers who try to gain elevated privileges and access critical systems. To reduce this risk, it’s important to monitor and audit privileged users’ behavior regularly. 
+
+Use privileged user monitoring to proactively identify suspicious activities, such as over-provisioning of rights or malicious insider threats, before they cause damage.
+
+The Privileged user monitoring page gives you a centralized, high-level view of privileged users’ activity. It helps you identify suspicious behavior, prioritize investigations, and quickly access the data you need to respond.

From 1c16496d80df88ff031e7ffa0f90aa98c3b896c6 Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Mon, 21 Jul 2025 17:27:09 +0100
Subject: [PATCH 04/12] update panel name

---
 .../monitor-privileged-user-activitites.md                    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md b/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
index 4aab94b4c1..ed75f36b8c 100644
--- a/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
+++ b/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
@@ -20,11 +20,11 @@ When entity risk scoring is enabled, this panel shows the percentages and number
 
 This panel represents an inventory of privileged users, sourced from your provided [data sources](/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md#manage-data-sources). It gives a rich catalog of users that may be valuable to investigate, and provides additional information, including user risk scores and asset criticality assignment. This table also serves as a window into the users that are currently being monitored for their privileged status from the configured data sources.
 
-## Top privileged access detection anomalies
+## Top privileged access anomalies
 
 The [Privileged Access Detection](integration-docs://reference/pad.md) package contains multiple {{ml}} jobs that can detect anomalous privileged user activity across various systems, such as Windows, Linux, and Okta system logs. You can install this package directly from the **Privileged user monitoring** dashboard and access the related {{ml}} jobs for any additional configuration.
 
-Once you install the package, this panel displays a heatmap of the top privileged access detection anomalies performed by your defined privileged users. You can investigate these anomalies further by reviewing details for individual users or by navigating to the Anomaly Explorer.
+Once you install the package, this panel displays a heatmap of the top privileged access anomalies performed by your defined privileged users. You can investigate these anomalies further by reviewing details for individual users or by navigating to the Anomaly Explorer.
 
 ## Privileged user activity
 

From 25038c93c1e6a9b1d951450db54ecbc08d08b55d Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Mon, 21 Jul 2025 17:36:28 +0100
Subject: [PATCH 05/12] tweak

---
 .../privileged-user-monitoring-setup.md                         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
index 53d05e3086..5ecf511e4a 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
@@ -54,7 +54,7 @@ All user names, specified in the `user.name` field in your selected indices, wil
 * You can only import one file as a data source. Any users previously imported through a text file are overwritten.
 :::
 
-After setting up your privileged users, you can start [monitoring their activity](/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md) and related insights on the **Privileged user monitoring** page.
+After setting up your privileged users, you can start [monitoring their activity](/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md) and related insights on the **Privileged user monitoring** dashboard.
 
 You can update the selected data sources at any time by selecting **Manage data sources**.
 

From c8eeb2595a9b8d23f4cb2f130a4417e28fb9ea2a Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Tue, 22 Jul 2025 13:41:52 +0100
Subject: [PATCH 06/12] adds more content

---
 .../security/advanced-entity-analytics.md     |  7 ++--
 .../monitor-privileged-user-activitites.md    |  6 ++--
 .../advanced-entity-analytics/overview.md     |  4 ++-
 ...privileged-user-monitoring-requirements.md |  2 +-
 .../privileged-user-monitoring-setup.md       | 32 ++++++++++++++++---
 .../privileged-user-monitoring.md             |  2 +-
 .../configure-advanced-settings.md            |  8 ++++-
 .../get-started/elastic-security-ui.md        | 16 ++++++++++
 8 files changed, 64 insertions(+), 13 deletions(-)

diff --git a/solutions/security/advanced-entity-analytics.md b/solutions/security/advanced-entity-analytics.md
index 91bde5b11c..934aaf7c79 100644
--- a/solutions/security/advanced-entity-analytics.md
+++ b/solutions/security/advanced-entity-analytics.md
@@ -15,7 +15,8 @@ products:
 
 Advanced Entity Analytics generates a set of threat detection and risk analytics that allows you to expedite alert triage and hunt for new threats from within an entity’s environment. This feature combines the power of the SIEM detection engine and Elastic’s {{ml}} capabilities to identify unusual user behaviors and generate comprehensive risk analytics for hosts, users, and services.
 
-Advanced Entity Analytics provides two key capabilities:
+Advanced Entity Analytics provides the following key capabilities:
 
-* [Entity risk scoring](advanced-entity-analytics/entity-risk-scoring.md)
-* [Advanced behavioral detections](advanced-entity-analytics/advanced-behavioral-detections.md)
+* [](advanced-entity-analytics/entity-risk-scoring.md)
+* [](advanced-entity-analytics/advanced-behavioral-detections.md)
+* [](/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md)
diff --git a/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md b/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
index ed75f36b8c..f398f40ed6 100644
--- a/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
+++ b/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
@@ -10,7 +10,9 @@ products:
 
 # Monitor privileged user activities
 
-After you [set up privileged user monitoring](/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md), you can start monitoring your privileged users' activity using the different panels on the **Privileged user monitoring** dashboard.
+After you [set up privileged user monitoring](/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md), you can start monitoring your privileged users' activity using the different panels on the Privileged user monitoring dashboard.
+
+To get started, find **Privileged user monitoring** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
 
 ## Risk levels of privileged users
 
@@ -22,7 +24,7 @@ This panel represents an inventory of privileged users, sourced from your provid
 
 ## Top privileged access anomalies
 
-The [Privileged Access Detection](integration-docs://reference/pad.md) package contains multiple {{ml}} jobs that can detect anomalous privileged user activity across various systems, such as Windows, Linux, and Okta system logs. You can install this package directly from the **Privileged user monitoring** dashboard and access the related {{ml}} jobs for any additional configuration.
+The [Privileged Access Detection](integration-docs://reference/pad.md) package contains multiple {{ml}} jobs that can detect anomalous privileged user activity across various systems, such as Windows, Linux, and Okta system logs. You can install this package directly from the Privileged user monitoring dashboard and access the related {{ml}} jobs for any additional configuration.
 
 Once you install the package, this panel displays a heatmap of the top privileged access anomalies performed by your defined privileged users. You can investigate these anomalies further by reviewing details for individual users or by navigating to the Anomaly Explorer.
 
diff --git a/solutions/security/advanced-entity-analytics/overview.md b/solutions/security/advanced-entity-analytics/overview.md
index e79fa2eb26..bf9302310b 100644
--- a/solutions/security/advanced-entity-analytics/overview.md
+++ b/solutions/security/advanced-entity-analytics/overview.md
@@ -15,7 +15,9 @@ The **Entity analytics** page provides a centralized view of emerging insider th
 To access the page, find **Entity analytics** → **Overview** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
 
 :::{admonition} Requirements
-This feature requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}.
+* This feature requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}.
+
+* To get access to this page, turn on the `securitySolution:enablePrivilegedUserMonitoring` [advanced setting](/solutions/security/get-started/configure-advanced-settings.md#access-privileged-user-monitoring).
 :::
 
 
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
index 083a36f51b..6240bea781 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
@@ -14,7 +14,7 @@ This page covers the requirements for using the privileged user monitoring featu
 
 * Privileged user monitoring feature requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}.
 
-* To enable this feature, turn on the `securitySolution:enablePrivilegedUserMonitoring` advanced setting.
+* To enable this feature, turn on the `securitySolution:enablePrivilegedUserMonitoring` [advanced setting](/solutions/security/get-started/configure-advanced-settings.md#access-privileged-user-monitoring).
 
 * To use these features in {{stack}}, your role must have certain [privileges](#privmon_privs). In {{serverless-short}}, you need an appropriate [predefined user role](#privmon_roles) or a custom role with the right [privileges](#privmon_privs).
 
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
index 5ecf511e4a..c8f57c4b88 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
@@ -48,15 +48,39 @@ All user names, specified in the `user.name` field in your selected indices, wil
 2. Select or drag and drop the file you want to import. The maximum file size is 1 MB.
 3. Select **Add privileged user**.
 
-:::{note}
-* Any lines that don’t follow the required file structure will be highlighted, and those users won't be added. We recommend that you fix any invalid lines and re-upload the file.
+The file must contain at least one column, with each user record listed on a separate row:
+
+1. The first column specifies the privileged user's user name.
+2. An optional second column may specify a label, representing the user’s role, group, team, or similar.
+
+File structure example:
 
-* You can only import one file as a data source. Any users previously imported through a text file are overwritten.
+```txt
+superadmin
+admin01,Domain Admin
+sec_ops
+jdoe,IT Support
+```
+
+:::{note}
+Any lines that don’t follow the required file structure will be highlighted, and those users won't be added. We recommend that you fix any invalid lines and re-upload the file.
 :::
 
-After setting up your privileged users, you can start [monitoring their activity](/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md) and related insights on the **Privileged user monitoring** dashboard.
+After setting up your privileged users, you can start [monitoring their activity](/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md) and related insights on the Privileged user monitoring dashboard.
 
 You can update the selected data sources at any time by selecting **Manage data sources**.
 
 ## Manage data sources
 
+Use the **Manage data sources** page to update your selected data sources.
+
+You can use multiple data source types, such as an index and a CSV file, at the same time to define privileged users. Users defined through different data source types are monitored together.
+
+On this page, you can:
+
+* View, remove, and change indices after initially defining them
+* Import a new supported file with a list of privileged users
+
+   :::{note}
+   Importing a new file will overwrite any users added from a previous file. This doesn't affect users defined through other data source types.
+   :::
\ No newline at end of file
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md
index 92609494e0..a799f8947f 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md
@@ -14,4 +14,4 @@ Privileged user monitoring allows you to track the activity of users with elevat
 
 Use privileged user monitoring to proactively identify suspicious activities, such as over-provisioning of rights or malicious insider threats, before they cause damage.
 
-The Privileged user monitoring page gives you a centralized, high-level view of privileged users’ activity. It helps you identify suspicious behavior, prioritize investigations, and quickly access the data you need to respond.
+The [Privileged user monitoring dashboard](/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md) gives you a centralized, high-level view of privileged users’ activity. It helps you identify suspicious behavior, prioritize investigations, and quickly access the data you need to respond.
diff --git a/solutions/security/get-started/configure-advanced-settings.md b/solutions/security/get-started/configure-advanced-settings.md
index c55aa271e3..b538511cc5 100644
--- a/solutions/security/get-started/configure-advanced-settings.md
+++ b/solutions/security/get-started/configure-advanced-settings.md
@@ -13,7 +13,7 @@ products:
 
 # Configure advanced settings [security-advanced-settings]
 
-The advanced settings determine:
+The advanced settings control the behavior of the {{security-app}}, such as:
 
 * Which indices {{elastic-sec}} uses to retrieve data
 * {{ml-cap}} anomaly score display threshold
@@ -212,3 +212,9 @@ To only exclude cold and frozen data from specific rules, add a [Query DSL filte
 ::::{important}
 Even when the `excludedDataTiersForRuleExecution` advanced setting is enabled, indicator match, event correlation, and {{esql}} rules may still fail if a frozen or cold shard that matches the rule’s specified index pattern is unavailable during rule executions. If failures occur, we recommend modifying the rule’s index patterns to only match indices containing hot tier data.
 ::::
+
+
+## Access privileged user monitoring
+
+The `securitySolution:enablePrivilegedUserMonitoring` setting allows you to access the [Entity analytics overview page](/solutions/security/advanced-entity-analytics/overview.md) and the [privileged user monitoring](/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md) feature. This setting is turned off by default.
+
diff --git a/solutions/security/get-started/elastic-security-ui.md b/solutions/security/get-started/elastic-security-ui.md
index 5013cfcf8d..907569cf5d 100644
--- a/solutions/security/get-started/elastic-security-ui.md
+++ b/solutions/security/get-started/elastic-security-ui.md
@@ -185,6 +185,22 @@ The Assets section allows you to manage the following features:
 
 * [Cloud security](/solutions/security/cloud.md)
 
+
+### Entity analytics
+```yaml {applies_to}
+stack: preview 9.1
+```
+
+:::{admonition} Requirements
+To access this section, turn on the `securitySolution:enablePrivilegedUserMonitoring` [advanced setting](/solutions/security/get-started/configure-advanced-settings.md#access-privileged-user-monitoring).
+:::
+
+Expand this section to access the following pages:
+
+- [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md): Access a comprehensive overview of entity risk scores and anomalies identified by prebuilt {{anomaly-jobs}}.
+- [Privileged user monitoring](/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md): Set up your privileged users and monitor their activities to identify suspicious behavior. 
+
+
 ### {{ml-cap}} [security-ui-ml-cap]
 
 Manage {{ml}} jobs and settings. Refer to [{{ml-cap}} docs](/explore-analyze/machine-learning/anomaly-detection.md) for more information.

From 428b41cd992ae1b4e2867e4da64b8c2236c47c69 Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Tue, 22 Jul 2025 14:06:40 +0100
Subject: [PATCH 07/12] add missing applies

---
 solutions/security/advanced-entity-analytics.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solutions/security/advanced-entity-analytics.md b/solutions/security/advanced-entity-analytics.md
index 934aaf7c79..d7e5116f35 100644
--- a/solutions/security/advanced-entity-analytics.md
+++ b/solutions/security/advanced-entity-analytics.md
@@ -19,4 +19,4 @@ Advanced Entity Analytics provides the following key capabilities:
 
 * [](advanced-entity-analytics/entity-risk-scoring.md)
 * [](advanced-entity-analytics/advanced-behavioral-detections.md)
-* [](/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md)
+* {applies_to}`stack: preview 9.1` [](/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md)

From 91eaa0bb67efe4fd3397d030cd15a1054cc30138 Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Thu, 24 Jul 2025 15:41:02 +0100
Subject: [PATCH 08/12] adds link

---
 solutions/security/advanced-entity-analytics/overview.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/solutions/security/advanced-entity-analytics/overview.md b/solutions/security/advanced-entity-analytics/overview.md
index bf9302310b..125db184e1 100644
--- a/solutions/security/advanced-entity-analytics/overview.md
+++ b/solutions/security/advanced-entity-analytics/overview.md
@@ -43,7 +43,7 @@ To display user risk scores, you must [turn on the risk scoring engine](/solutio
 :::
 
 
-This section displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. User risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).
+This section displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. User risk scores are [calculated](solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest).
 
 :::{image} /solutions/images/security-user-score-data.png
 :alt: User risk table
@@ -68,7 +68,7 @@ To display host risk scores, you must [turn on the risk scoring engine](/solutio
 :::
 
 
-This section displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names, risk data, and number of detection alerts. Host risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).
+This section displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names, risk data, and number of detection alerts. Host risk scores are [calculated](solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest).
 
 :::{image} /solutions/images/security-host-score-data.png
 :alt: Host risk scores table
@@ -92,7 +92,7 @@ For more information about host risk scores, refer to [](/solutions/security/adv
 To display service risk scores, you must [turn on the risk scoring engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md).
 :::
 
-This section displays service risk score data for your environment, including the total number of services, and the five most recently recorded service risk scores, with their associated service names, risk data, and number of detection alerts. Service risk scores are calculated using a weighted sum on a scale of 0 (lowest) to 100 (highest).
+This section displays service risk score data for your environment, including the total number of services, and the five most recently recorded service risk scores, with their associated service names, risk data, and number of detection alerts. Service risk scores are [calculated](solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest).
 
 :::{image} /solutions/images/security-service-risk-scores.png
 :alt: Service risk scores table

From f37609b437bf0d8635f8aed2efb6351b3fafaad7 Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Thu, 24 Jul 2025 15:45:36 +0100
Subject: [PATCH 09/12] add missing slash

---
 solutions/security/advanced-entity-analytics/overview.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/solutions/security/advanced-entity-analytics/overview.md b/solutions/security/advanced-entity-analytics/overview.md
index 125db184e1..5bcef2e367 100644
--- a/solutions/security/advanced-entity-analytics/overview.md
+++ b/solutions/security/advanced-entity-analytics/overview.md
@@ -43,7 +43,7 @@ To display user risk scores, you must [turn on the risk scoring engine](/solutio
 :::
 
 
-This section displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. User risk scores are [calculated](solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest).
+This section displays user risk score data for your environment, including the total number of users, and the five most recently recorded user risk scores, with their associated user names, risk data, and number of detection alerts. User risk scores are [calculated](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest).
 
 :::{image} /solutions/images/security-user-score-data.png
 :alt: User risk table
@@ -68,7 +68,7 @@ To display host risk scores, you must [turn on the risk scoring engine](/solutio
 :::
 
 
-This section displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names, risk data, and number of detection alerts. Host risk scores are [calculated](solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest).
+This section displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names, risk data, and number of detection alerts. Host risk scores are [calculated]/solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest).
 
 :::{image} /solutions/images/security-host-score-data.png
 :alt: Host risk scores table
@@ -92,7 +92,7 @@ For more information about host risk scores, refer to [](/solutions/security/adv
 To display service risk scores, you must [turn on the risk scoring engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md).
 :::
 
-This section displays service risk score data for your environment, including the total number of services, and the five most recently recorded service risk scores, with their associated service names, risk data, and number of detection alerts. Service risk scores are [calculated](solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest).
+This section displays service risk score data for your environment, including the total number of services, and the five most recently recorded service risk scores, with their associated service names, risk data, and number of detection alerts. Service risk scores are [calculated](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest).
 
 :::{image} /solutions/images/security-service-risk-scores.png
 :alt: Service risk scores table

From 22eed0ca2439def44b6b5dcdcfb54a318f4b3ba2 Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic
 <137783811+natasha-moore-elastic@users.noreply.github.com>
Date: Fri, 25 Jul 2025 12:51:21 +0100
Subject: [PATCH 10/12] Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
---
 solutions/security/advanced-entity-analytics/overview.md      | 2 +-
 .../privileged-user-monitoring-requirements.md                | 2 +-
 .../privileged-user-monitoring-setup.md                       | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/solutions/security/advanced-entity-analytics/overview.md b/solutions/security/advanced-entity-analytics/overview.md
index 5bcef2e367..6d579bb90c 100644
--- a/solutions/security/advanced-entity-analytics/overview.md
+++ b/solutions/security/advanced-entity-analytics/overview.md
@@ -68,7 +68,7 @@ To display host risk scores, you must [turn on the risk scoring engine](/solutio
 :::
 
 
-This section displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names, risk data, and number of detection alerts. Host risk scores are [calculated]/solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest).
+This section displays host risk score data for your environment, including the total number of hosts, and the five most recently recorded host risk scores, with their associated host names, risk data, and number of detection alerts. Host risk scores are [calculated](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md#how-is-risk-score-calculated) using a weighted sum on a scale of 0 (lowest) to 100 (highest).
 
 :::{image} /solutions/images/security-host-score-data.png
 :alt: Host risk scores table
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
index 6240bea781..085b65f4d2 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
@@ -22,7 +22,7 @@ This page covers the requirements for using the privileged user monitoring featu
 
 | Action | Index Privileges | Kibana Privileges |
 | ------ | ---------------- | ----------------- |
-| View the Privileged user monitoring dashboard | `Read` for the following indices:<br> - `.entity_analytics.monitoring.users-<space-id>`<br> - `risk-score.risk-score-*`<br> - `.alerts-security.alerts-<space-id>`<br> -  `.ml-anomalies-shared`<br> - security data view indices | **Read** for the **Security** feature |
+| View the Privileged user monitoring dashboard | `Read` for the following indices:<br> - `.entity_analytics.monitoring.users-<space-id>`<br> - `risk-score.risk-score-*`<br> - `.alerts-security.alerts-<space-id>`<br> -  `.ml-anomalies-shared`<br> - Security data view indices | **Read** for the **Security** feature |
 | Enable the privileged user monitoring feature | TBD | **Read** for the **Security** feature |
 
 
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
index c8f57c4b88..863f86f381 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
@@ -78,8 +78,8 @@ You can use multiple data source types, such as an index and a CSV file, at the
 
 On this page, you can:
 
-* View, remove, and change indices after initially defining them
-* Import a new supported file with a list of privileged users
+* View, remove, and change indices after initially defining them.
+* Import a new supported file with a list of privileged users.
 
    :::{note}
    Importing a new file will overwrite any users added from a previous file. This doesn't affect users defined through other data source types.

From e3b973ec52be9accb3281e7f4b3b2f6f6bf61362 Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Fri, 25 Jul 2025 14:57:28 +0100
Subject: [PATCH 11/12] update privs

---
 .../privileged-user-monitoring-requirements.md                  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
index 085b65f4d2..e310429f5c 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
@@ -22,8 +22,8 @@ This page covers the requirements for using the privileged user monitoring featu
 
 | Action | Index Privileges | Kibana Privileges |
 | ------ | ---------------- | ----------------- |
+| Enable the privileged user monitoring feature | N/A | **All** for the **Security** feature |
 | View the Privileged user monitoring dashboard | `Read` for the following indices:<br> - `.entity_analytics.monitoring.users-<space-id>`<br> - `risk-score.risk-score-*`<br> - `.alerts-security.alerts-<space-id>`<br> -  `.ml-anomalies-shared`<br> - Security data view indices | **Read** for the **Security** feature |
-| Enable the privileged user monitoring feature | TBD | **Read** for the **Security** feature |
 
 
 ## Predefined roles [privmon_roles]

From c5ee1c01e213513fddeb65f2ae0dcdcecec6e07b Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Fri, 25 Jul 2025 16:26:10 +0100
Subject: [PATCH 12/12] remove serverless references

---
 .../security/advanced-entity-analytics.md      |  3 ++-
 .../asset-criticality.md                       |  2 +-
 .../advanced-entity-analytics/entity-store.md  |  2 +-
 .../monitor-privileged-user-activitites.md     |  2 --
 .../advanced-entity-analytics/overview.md      |  2 --
 .../privileged-user-monitoring-requirements.md | 18 ++----------------
 .../privileged-user-monitoring-setup.md        |  2 --
 .../privileged-user-monitoring.md              |  2 --
 .../view-analyze-risk-score-data.md            |  2 +-
 .../get-started/configure-advanced-settings.md |  4 ++++
 .../get-started/elastic-security-ui.md         |  1 +
 11 files changed, 12 insertions(+), 28 deletions(-)

diff --git a/solutions/security/advanced-entity-analytics.md b/solutions/security/advanced-entity-analytics.md
index d7e5116f35..26ae4885fc 100644
--- a/solutions/security/advanced-entity-analytics.md
+++ b/solutions/security/advanced-entity-analytics.md
@@ -19,4 +19,5 @@ Advanced Entity Analytics provides the following key capabilities:
 
 * [](advanced-entity-analytics/entity-risk-scoring.md)
 * [](advanced-entity-analytics/advanced-behavioral-detections.md)
-* {applies_to}`stack: preview 9.1` [](/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md)
+* {applies_to}`stack: preview 9.1` {applies_to}`serverless: unavailable`	
+ [](/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md)
diff --git a/solutions/security/advanced-entity-analytics/asset-criticality.md b/solutions/security/advanced-entity-analytics/asset-criticality.md
index fe366285c0..951bde9055 100644
--- a/solutions/security/advanced-entity-analytics/asset-criticality.md
+++ b/solutions/security/advanced-entity-analytics/asset-criticality.md
@@ -68,7 +68,7 @@ You can view, assign, change, or unassign asset criticality from the following p
 
 If you have enabled the [entity store](entity-store.md), you can also view asset criticality assignments in the **Entities** section on the following pages:
 
-* {applies_to}`stack: ga 9.1` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md)
+* {applies_to}`stack: ga 9.1` {applies_to}`serverless: unavailable` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md)
 * [Entity analytics dashboard](/solutions/security/dashboards/entity-analytics-dashboard.md)
 
 :::{image} /solutions/images/security-entities-section.png
diff --git a/solutions/security/advanced-entity-analytics/entity-store.md b/solutions/security/advanced-entity-analytics/entity-store.md
index a798aec6bf..8044ef5ca5 100644
--- a/solutions/security/advanced-entity-analytics/entity-store.md
+++ b/solutions/security/advanced-entity-analytics/entity-store.md
@@ -44,7 +44,7 @@ To enable the entity store:
 
 Once you enable the entity store, the **Entities** section appears on the following pages:
 
-* {applies_to}`stack: ga 9.1` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md)
+* {applies_to}`stack: ga 9.1` {applies_to}`serverless: unavailable` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md)
 * [Entity analytics dashboard](/solutions/security/dashboards/entity-analytics-dashboard.md)
 
 ## Clear entity store data [clear-entity-store]
diff --git a/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md b/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
index f398f40ed6..d9bb30d993 100644
--- a/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
+++ b/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md
@@ -1,8 +1,6 @@
 ---
 applies_to:
   stack: preview 9.1
-  serverless:
-    security: preview
 products:
   - id: security
   - id: cloud-serverless
diff --git a/solutions/security/advanced-entity-analytics/overview.md b/solutions/security/advanced-entity-analytics/overview.md
index 6d579bb90c..870ea6e515 100644
--- a/solutions/security/advanced-entity-analytics/overview.md
+++ b/solutions/security/advanced-entity-analytics/overview.md
@@ -1,8 +1,6 @@
 ---
 applies_to:
   stack: ga 9.1
-  serverless:
-    security: ga
 products:
   - id: security
   - id: cloud-serverless
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
index e310429f5c..87cc6cd8ac 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
@@ -1,8 +1,6 @@
 ---
 applies_to:
   stack: preview 9.1
-  serverless:
-    security: preview
 products:
   - id: security
   - id: cloud-serverless
@@ -12,11 +10,11 @@ products:
 
 This page covers the requirements for using the privileged user monitoring feature, as well as its known limitations.
 
-* Privileged user monitoring feature requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}.
+* Privileged user monitoring feature requires the appropriate [subscription](https://www.elastic.co/pricing).
 
 * To enable this feature, turn on the `securitySolution:enablePrivilegedUserMonitoring` [advanced setting](/solutions/security/get-started/configure-advanced-settings.md#access-privileged-user-monitoring).
 
-* To use these features in {{stack}}, your role must have certain [privileges](#privmon_privs). In {{serverless-short}}, you need an appropriate [predefined user role](#privmon_roles) or a custom role with the right [privileges](#privmon_privs).
+* To use these features , your role must have certain [privileges](#privmon_privs).
 
 ## Privileges [privmon_privs]
 
@@ -25,18 +23,6 @@ This page covers the requirements for using the privileged user monitoring featu
 | Enable the privileged user monitoring feature | N/A | **All** for the **Security** feature |
 | View the Privileged user monitoring dashboard | `Read` for the following indices:<br> - `.entity_analytics.monitoring.users-<space-id>`<br> - `risk-score.risk-score-*`<br> - `.alerts-security.alerts-<space-id>`<br> -  `.ml-anomalies-shared`<br> - Security data view indices | **Read** for the **Security** feature |
 
-
-## Predefined roles [privmon_roles]
-```yaml {applies_to}
-serverless: all
-```
-
-| Action | Predefined role |
-| ------ | --------------- |
-| TBD | TBD |
-| TBD | TBD |
-
-
 ## Known limitations
 
 * Currently, none of the privileged user monitoring visualizations support [cross-cluster search](/solutions/search/cross-cluster-search.md) as part of the data that they query from. 
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
index 863f86f381..9029ba77c2 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md
@@ -2,8 +2,6 @@
 navigation_title: Set up privileged user monitoring
 applies_to:
   stack: preview 9.1
-  serverless:
-    security: preview
 products:
   - id: security
   - id: cloud-serverless
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md
index a799f8947f..72833189c8 100644
--- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md
+++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md
@@ -1,8 +1,6 @@
 ---
 applies_to:
   stack: preview 9.1
-  serverless:
-    security: preview
 products:
   - id: security
   - id: cloud-serverless
diff --git a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md
index fff35d046b..a29641bd03 100644
--- a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md
+++ b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md
@@ -35,7 +35,7 @@ In the Entity Analytics overview, you can view entity key performance indicators
 If you have enabled the [entity store](entity-store.md), you'll also get access to the **Entities** section, where you can view all hosts, users, and services along with their risk and asset criticality data.
 
 Access the Entity Analytics overview from the following pages:
-* {applies_to}`stack: ga 9.1` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) 
+* {applies_to}`stack: ga 9.1` {applies_to}`serverless: unavailable` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) 
 * [Entity analytics dashboard](/solutions/security/dashboards/entity-analytics-dashboard.md)
 
 
diff --git a/solutions/security/get-started/configure-advanced-settings.md b/solutions/security/get-started/configure-advanced-settings.md
index b538511cc5..7a42054219 100644
--- a/solutions/security/get-started/configure-advanced-settings.md
+++ b/solutions/security/get-started/configure-advanced-settings.md
@@ -215,6 +215,10 @@ Even when the `excludedDataTiersForRuleExecution` advanced setting is enabled, i
 
 
 ## Access privileged user monitoring
+```yaml {applies_to}
+stack: preview 9.1
+serverless: unavailable
+```
 
 The `securitySolution:enablePrivilegedUserMonitoring` setting allows you to access the [Entity analytics overview page](/solutions/security/advanced-entity-analytics/overview.md) and the [privileged user monitoring](/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md) feature. This setting is turned off by default.
 
diff --git a/solutions/security/get-started/elastic-security-ui.md b/solutions/security/get-started/elastic-security-ui.md
index 907569cf5d..2920425c19 100644
--- a/solutions/security/get-started/elastic-security-ui.md
+++ b/solutions/security/get-started/elastic-security-ui.md
@@ -189,6 +189,7 @@ The Assets section allows you to manage the following features:
 ### Entity analytics
 ```yaml {applies_to}
 stack: preview 9.1
+serverless: unavailable
 ```
 
 :::{admonition} Requirements