elastic · yctercero · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025
@@ -22,7 +22,9 @@ For a demo, refer to the following video (click to view).
 
 ## Role-based access control (RBAC) for Attack Discovery [attack-discovery-rbac]
 
-You need the `Attack Discovery: All` privilege to use Attack Discovery.
+You need the `Attack Discovery: All` privileges to use Attack Discovery.
+
+{applies_to}`serverless: ` Your role must also have `Rules: All` privileges to use Attack Discovery.
 
 ![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png)
 

@@ -24,6 +24,7 @@ The Detection rule monitoring dashboard provides visualizations to help you moni
 To access this dashboard and its data, you must have:
 
 * At least `Read` [{{kib}} privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for both the **Analytics > Dashboard** and **Security > Security** {{kib}} features.
+* {applies_to}`serverless: ` Your role must also have `Security > Rules: All` privilege.
 * At least `read` [index privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md#adding_index_privileges) for the `.kibana-event-log-*` index.
 
 ::::

@@ -55,17 +55,33 @@ For instructions about using {{ml}} jobs and rules, refer to [Machine learning j
 
 
 ### Custom role privileges [security-detections-requirements-custom-role-privileges]
-The following table describes the required privileges to access the Detections feature, including rules and alerts. For more information on {{kib}} privileges, refer to [Feature access based on user privileges](/deploy-manage/manage-spaces.md#spaces-control-user-access).
+The following table describes the required privileges to access the Detections feature, including rules, alerts, and exceptions. For more information on {{kib}} privileges, refer to [Feature access based on user privileges](/deploy-manage/manage-spaces.md#spaces-control-user-access).
-The following table describes the required privileges to access the Detections feature, including rules, alerts, and exceptions. For more information on {{kib}} privileges, refer to [Feature access based on user privileges](/deploy-manage/manage-spaces.md#spaces-control-user-access).
+
+```yaml {applies_to}
+stack: ga
+serverless: ga
-The following table describes the required privileges to access the Detections feature, including rules, alerts, and exceptions. For more information on {{kib}} privileges, refer to [Feature access based on user privileges](/deploy-manage/manage-spaces.md#spaces-control-user-access).
+
+```yaml {applies_to}
+stack: ga
+serverless: ga
 
 | Action | Cluster Privileges | Index Privileges | Kibana Privileges |
 | --- | --- | --- | --- |
-| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>` ^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `All` for the `Security` feature |
-| Enable detections in all spaces<br><br>**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>` ^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `All` for the `Security` feature |
-| Preview rules | N/A | `read` for these indices:<br><br>- `.preview.alerts-security.alerts-<space-id>`<br>- `.internal.preview.alerts-security.alerts-<space-id>-*`<br> | `All` for the `Security` feature |
-| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `All` for the `Security` feature<br><br>**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:<br><br>- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.<br>- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions,  you don’t need `Actions and Connectors` privileges.<br> |
-| Manage alerts<br><br>**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.internal.alerts-security.alerts-<space-id>-*`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | `Read` for the `Security` feature |
-| Create the `.lists` and `.items` data streams in your space<br><br>**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `<space-id>` is the space name:<br><br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br> | `All` for the `Security` and `Saved Objects Management` features |
+| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>` ^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | {applies_to}`stack: ` `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature |
+| Enable detections in all spaces<br><br>**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>` ^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | {applies_to}`stack: ` `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature |
+| Preview rules | N/A | `read` for these indices:<br><br>- `.preview.alerts-security.alerts-<space-id>`<br>- `.internal.preview.alerts-security.alerts-<space-id>-*`<br> | {applies_to}`stack: ` `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature |
+| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | {applies_to}`stack: ` `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature<br><br>**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:<br><br>- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.<br>- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions,  you don’t need `Actions and Connectors` privileges.<br> |
+| Manage alerts<br><br>**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.internal.alerts-security.alerts-<space-id>-*`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br> **NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | {applies_to}`stack: ` `Read` for the `Security` feature<br><br>{applies_to}`serverless: ` `Read` for the `Rules` feature<br><br>**NOTE:** Alerts are managed through the ES privileges. To view the alert management flows requires at least the `Read` for th `Rules` feature. |
+| Manage exceptions | N/A | N/A | {applies_to}`stack: ` `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature |
+| Manage value lists.<br><br>Create the `.lists` and `.items` data streams in your space<br><br>**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `<space-id>` is the space name:<br><br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br> | {applies_to}`stack: ` `All` for the `Security` and `Saved Objects Management` features<br><br>{applies_to}`serverless: `  `All` for the `Rules` and `Saved Objects Management` features |
+| Manage [timelines](/solutions/security/investigate/timeline.md) | N/A | N/A | `All` for the `Timelines` feature |
+| Manage [notes](/solutions/security/investigate/notes.md) | N/A | N/A | `All` for the `Notes` feature |
+| Manage [cases](/solutions/security/investigate/cases.md) | N/A | N/A | `All` for the `Cases` feature |
+
+### Predefined roles [ers_roles]
-### Predefined roles [ers_roles]
+### Predefined {{serverless-full}} roles [predefined-serverless-roles-detections]
-### Predefined roles [ers_roles]
+### Predefined {{serverless-full}} roles [predefined-serverless-roles-detections]
+```yaml {applies_to}
+serverless: all
-serverless: all
+serverless: ga
-serverless: all
+serverless: ga
+```
 
+| Action | Predefined role |
-| Action | Predefined role |
+
+You can use following [predefined roles](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles-table) in {{serverless-short}} projects to access the Detections feature, including rules, alerts, and exceptions. 
+
-| Action | Predefined role |
+
+You can use following [predefined roles](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles-table) in {{serverless-short}} projects to access the Detections feature, including rules, alerts, and exceptions. 
+
+| --- | --- |
+| Manage rules | - Threat Intelligence Analyst<br>- Tier 3 Analyst<br>- Detections Eng<br>- SOC Manager<br>- Endpoint Policy Manager<br>- Tier 3 Analyst<br>- Platform Engineer<br>- Editor |
+| Rules read only | - Tier 1 Analyst<br>- Tier 2 Analyst<br>- Viewer<br>- Endpoint Operations Analyst |
+| Manage alerts | - All roles except for Viewer |
+| Manage exceptions and value lists | - Threat Intelligence Analyst<br>- Tier 3 Analyst<br>- Detections Eng<br>- SOC Manager<br>- Endpoint Policy Manager<br>- Tier 3 Analyst<br>- Platform Engineer<br>- Editor |
+| Exceptions and value lists read only | - Tier 1 Analyst<br>- Tier 2 Analyst<br>- Viewer<br>- Endpoint Operations Analyst |
 
 ### Authorization [alerting-auth-model]
 

@@ -17,7 +17,8 @@ For rule migrations, if comparable Elastic-authored rules exist, Automatic Migra
 You can ingest your data before migrating your assets, or migrate your assets first in which case the tool will recommend which data sources you need to power your migrated rules.
 
 ::::{admonition} Requirements
-* The `SIEM migrations: All` Security sub-feature privilege.
+* The `SIEM migrations: All` Security sub-feature privileges.
+* {applies_to}`serverless: ` Your role must also have `Rules: All` privilege.
 * A working [LLM connector](/solutions/security/ai/set-up-connectors-for-large-language-models-llm.md).
 * {{stack}} users: an [Enterprise](https://www.elastic.co/pricing) subscription.
 * {{Stack}} users: {{ml}} must be enabled.

@@ -21,7 +21,7 @@ Configure the `securitySolution:maxUnassociatedNotes` [advanced setting](/soluti
 
 ## Grant access to notes [notes-privileges]
 
-You can control access to notes by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Notes** feature under **Security**.
+You can control access to notes by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Notes** feature under **Security**. To view more details on SIEM requirements, see [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md).
 
 ## View and add notes to alerts and events [notes-alerts-events]
 

@@ -27,7 +27,7 @@ In addition to Timelines, you can create and attach Timeline templates to [detec
 
 ## Grant access to Timeline [timeline-privileges]
 
-You can control access to Timeline by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Timeline** feature under **Security**.
+You can control access to Timeline by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Timeline** feature under **Security**. To view more details on SIEM requirements, see [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md).
 
 ## Create new or open existing Timeline [open-create-timeline]