From 5f970d801f9d0c6d9ff789c4c59cf522dab73fe4 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 21 Feb 2025 12:04:24 +0000 Subject: [PATCH 01/10] ers requirements --- .../serverless/security-ers-requirements.md | 56 ------------------- raw-migrated-files/toc.yml | 1 - .../entity-risk-scoring-requirements.md | 44 ++++++++++----- 3 files changed, 30 insertions(+), 71 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-ers-requirements.md diff --git a/raw-migrated-files/docs-content/serverless/security-ers-requirements.md b/raw-migrated-files/docs-content/serverless/security-ers-requirements.md deleted file mode 100644 index 4dc1c101f6..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-ers-requirements.md +++ /dev/null @@ -1,56 +0,0 @@ -# Entity risk scoring requirements [security-ers-requirements] - -To use entity risk scoring and asset criticality, you need the appropriate user roles. These features require the Security Analytics Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). - -This page covers the requirements for using the entity risk scoring and asset criticality features, as well as their known limitations. - - -## Entity risk scoring [security-ers-requirements-entity-risk-scoring] - - -### User roles [security-ers-requirements-user-roles] - -To turn on the risk scoring engine, you need either the appropriate [predefined Security user role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md) with the right privileges: - -**Predefined roles** - -* Platform engineer -* Detections admin -* Admin - -**Custom role privileges** - -| Cluster | Index | {{kib}} | -| --- | --- | --- | -| * `manage_index_templates`
* `manage_transform`
| `all` privilege for `risk-score.risk-score-*` | **Read** for the **Security** feature | - - -### Known limitations [security-ers-requirements-known-limitations] - -* The risk scoring engine uses an internal user role to score all hosts and users. After you turn on the risk scoring engine, all alerts in the project will contribute to host and user risk scores. -* You cannot customize alert data views or risk weights associated with alerts and asset criticality levels. - - -## Asset criticality [security-ers-requirements-asset-criticality] - - -### User roles [security-ers-requirements-user-roles-1] - -To use asset criticality, you need either the appropriate [predefined Security user role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md) with the right privileges: - -**Predefined roles** - -| Action | Predefined role | -| --- | --- | -| View asset criticality | * Viewer
* Tier 1 analyst
| -| View, assign, change, or unassign asset criticality | * Editor
* Tier 2 analyst
* Tier 3 analyst
* Threat intelligence analyst
* Rule author
* SOC manager
* Endpoint operations analyst
* Platform engineer
* Detections admin
* Endpoint policy manager
| - -**Custom role privileges** - -Custom roles need the following privileges for the `.asset-criticality.asset-criticality-` index: - -| Action | Index privilege | -| --- | --- | -| View asset criticality | `read` | -| View, assign, or change asset criticality | `read` and `write` | -| Unassign asset criticality | `delete` | diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 5f8477b7ba..52785400b2 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -274,7 +274,6 @@ toc: - file: docs-content/serverless/security-endpoint-management-req.md - file: docs-content/serverless/security-endpoints-page.md - file: docs-content/serverless/security-environment-variable-capture.md - - file: docs-content/serverless/security-ers-requirements.md - file: docs-content/serverless/security-event-filters.md - file: docs-content/serverless/security-examine-osquery-results.md - file: docs-content/serverless/security-get-started-with-kspm.md diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md index bfc15bfac0..5f36bce937 100644 --- a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md +++ b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md 
@@ -6,13 +6,6 @@ mapped_urls: # Entity risk scoring requirements -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/ers-requirements.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-ers-requirements.md - To use entity risk scoring, asset criticality, and entity store, your role must have certain cluster, index, and {{kib}} privileges. These features require a [Platinum subscription](https://www.elastic.co/pricing) or higher. This page covers the requirements and guidelines for using the entity risk scoring, asset criticality, and entity store features, as well as their known limitations. @@ -20,17 +13,28 @@ This page covers the requirements and guidelines for using the entity risk scori ## Entity risk scoring [_entity_risk_scoring] +In {{stack}}, to turn on the risk scoring engine, you need the appropriate [privileges](#_privileges). -### Privileges [_privileges] +In serverless, to turn on the risk scoring engine, you need either the appropriate [predefined Security user role](#ers_roles) or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with the right [privileges](#_privileges). -To turn on the risk scoring engine, you need the following privileges: + +### Privileges [_privileges] | Cluster | Index | {{kib}} | | --- | --- | --- | -| * `manage_index_templates`
* `manage_transform`
| `all` privilege for `risk-score.risk-score-*` | **Read** for the **Security** feature | +| - `manage_index_templates`
- `manage_transform`
| `all` privilege for `risk-score.risk-score-*` | **Read** for the **Security** feature | + +### Predefined roles [ers_roles] + +* Platform engineer +* Detections admin +* Admin ### {{es}} resource guidelines [_es_resource_guidelines] +```yaml {applies_to} +stack: +``` Follow these guidelines to ensure clusters have adequate memory to handle data volume: @@ -40,15 +44,18 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v ### Known limitations [_known_limitations] -The risk scoring engine uses an internal user role to score all hosts and users, and doesn’t respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {{kib}} space, all alerts in the space will contribute to host and user risk scores. +* The risk scoring engine uses an internal user role to score all hosts and users, and doesn’t respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {{kib}} space, all alerts in the space will contribute to host and user risk scores. +* You cannot customize alert data views or risk weights associated with alerts and asset criticality levels. ## Asset criticality [_asset_criticality] +In {{stack}}, to use asset criticality, you need the appropriate [privileges](#_privileges_2) for the `.asset-criticality.asset-criticality-` index. + +In serverless, to use asset criticality, you need you need either the appropriate [predefined Security user role](#ac_roles) or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with the right [privileges](#_privileges_2). ### Privileges [_privileges_2] -To use asset criticality, you need the following privileges for the `.asset-criticality.asset-criticality-` index: | Action | Index privilege | | --- | --- | 
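Review bot: the serverless sentence under "## Asset criticality" reads "you need you need either the appropriate [predefined Security user role]"; drop the duplicated "you need". In the same file, the rewritten intro states that entity risk scoring, asset criticality, and entity store "require a [Platinum subscription](https://www.elastic.co/pricing) or higher" for both deployment types, but the deleted serverless page said these features require the Security Analytics Complete project feature; the serverless tier requirement should be stated next to the Platinum note rather than dropped in the merge.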
@@ -56,14 +63,23 @@ To use asset criticality, you need the following privileges for the `.asset-crit | View, assign, or change asset criticality | `read` and `write` | | Unassign asset criticality | `delete` | +### Predefined roles [ac_roles] + +| Action | Predefined role | +| --- | --- | +| View asset criticality | - Viewer
- Tier 1 analyst
| +| View, assign, change, or unassign asset criticality | - Editor
- Tier 2 analyst
- Tier 3 analyst
- Threat intelligence analyst
- Rule author
- SOC manager
- Endpoint operations analyst
- Platform engineer
- Detections admin
- Endpoint policy manager
| + ## Entity store [_entity_store] ### Privileges [_privileges_3] -To use the entity store, you need the following privileges: +To enable the entity store, you need the following privileges: | Cluster | Index | {{kib}} | | --- | --- | --- | -| * `manage_enrich`
* `manage_index_templates`
* `manage_ingest_pipelines`
* `manage_transform`
| * `read` and `view_index_metadata` for `.asset-criticality.asset-criticality-*`
* `read` and `manage` for `risk-score.risk-score-*`
* `read` and `manage` for `.entities.v1.latest.*`
* `read` and `view_index_metadata` for all {{elastic-sec}} indices
| **All** for the **Security** and **Saved Objects Management** features | +| - `manage_enrich`
- `manage_index_templates`
- `manage_ingest_pipelines`
- `manage_transform`
| - `read` and `view_index_metadata` for `.asset-criticality.asset-criticality-*`
- `read` and `manage` for `risk-score.risk-score-*`
- `read` and `manage` for `.entities.v1.latest.*`
- `read` and `view_index_metadata` for all {{elastic-sec}} indices
| **All** for the **Security** and **Saved Objects Management** features | + +% pending info about user roles / custom role privileges needed for entity store in serverless \ No newline at end of file From af42c488a70fe20cb438427c6d4583bcc8ebb5cc Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 21 Feb 2025 12:18:16 +0000 Subject: [PATCH 02/10] turn on ers --- .../security-turn-on-risk-engine.md | 53 ------------------- raw-migrated-files/toc.yml | 1 - .../turn-on-risk-scoring-engine.md | 20 +++---- 3 files changed, 6 insertions(+), 68 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-turn-on-risk-engine.md diff --git a/raw-migrated-files/docs-content/serverless/security-turn-on-risk-engine.md b/raw-migrated-files/docs-content/serverless/security-turn-on-risk-engine.md deleted file mode 100644 index a9312fc005..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-turn-on-risk-engine.md +++ /dev/null 
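Review bot: the entity store section ends with a "% pending info about user roles / custom role privileges needed for entity store in serverless" placeholder and the file is left with "\ No newline at end of file"; add the serverless role information before merging (or track it outside the page) and restore the trailing newline. Also, unlike the risk scoring and asset criticality sections, the rewritten intro "To enable the entity store, you need the following privileges:" does not say which deployment type it applies to, so either mark it as {{stack}} only with the same `{applies_to}` block used for the resource guidelines or add a matching serverless sentence.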
@@ -1,53 +0,0 @@ ---- -navigation_title: "Turn on risk scoring" ---- - -# Turn on the risk scoring engine [security-turn-on-risk-engine] - - -::::{admonition} Requirements -:class: note - -To use entity risk scoring, you must have the appropriate user role. For more information, refer to [Entity risk scoring requirements](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md). - -:::: - - - -## Preview risky entities [security-turn-on-risk-engine-preview-risky-entities] - -You can preview risky entities before installing the risk engine. The preview shows the riskiest hosts and users found in the 1000 sampled entities during the time frame selected in the date picker. - -::::{note} -The preview is limited to two risk scores per serverless project. - -:::: - - -To preview risky entities, go to **Project settings** → **Management** → **Entity Risk Score**: - -:::{image} ../../../images/serverless-preview-risky-entities.png -:alt: Preview of risky entities -:class: screenshot -::: - - -## Turn on the risk engine [security-turn-on-risk-engine-turn-on-the-risk-engine] - -::::{note} -To view risk score data, you must have alerts generated in your environment. - -:::: - - -If you’re installing the risk scoring engine for the first time: - -1. Go to **Project settings** → **Management** → **Entity Risk Score**. -2. On the **Entity Risk Score** page, turn the toggle on. - -You can also choose to include `Closed` alerts in risk scoring calculations and specify a date and time range for the calculation. - -:::{image} ../../../images/serverless-turn-on-risk-engine.png -:alt: Turn on entity risk scoring -:class: screenshot -::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 52785400b2..fa5b5d213d 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml 
@@ -318,7 +318,6 @@ toc: - file: docs-content/serverless/security-triage-alerts-with-elastic-ai-assistant.md - file: docs-content/serverless/security-trusted-applications.md - file: docs-content/serverless/security-tune-detection-signals.md - - file: docs-content/serverless/security-turn-on-risk-engine.md - file: docs-content/serverless/security-ui.md - file: docs-content/serverless/security-view-alert-details.md - file: docs-content/serverless/security-visual-event-analyzer.md diff --git a/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md b/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md index 2d00a3e696..6a777fc6df 100644 --- a/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md +++ b/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md 
@@ -6,29 +6,18 @@ mapped_urls: # Turn on the risk scoring engine -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/turn-on-risk-engine.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-turn-on-risk-engine.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$upgrade-risk-engine$$$ ::::{important} -To use entity risk scoring, your role must have the appropriate privileges. For more information, refer to [Entity risk scoring requirements](/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md). +To use entity risk scoring, your role must have the appropriate user role or privileges. For more information, refer to [Entity risk scoring requirements](/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md). :::: - ## Preview risky entities [_preview_risky_entities] You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts and users found in the 1000 sampled entities during the time frame selected in the date picker. ::::{note} -The preview is limited to two risk scores per {{kib}} instance. +The preview is limited to two risk scores per {{kib}} instance or serverless project. :::: 
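Review bot: "your role must have the appropriate user role or privileges" in the important admonition is circular (a role having a role); suggest "you must have the appropriate user role or privileges", matching the wording on the requirements page. The removed `$$$upgrade-risk-engine$$$` anchor is still the target of the `#upgrade-risk-engine` link in the note further down, which only works because the "## Upgrade to the latest risk engine [upgrade-risk-engine]" heading carries the same ID, so keep that heading ID unchanged.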
@@ -44,7 +33,7 @@ To preview risky entities, find **Entity Risk Score** in the navigation menu or ::::{note} * To view risk score data, you must have alerts generated in your environment. -* If you previously installed the original user and host risk score modules, and you’re upgrading to {{stack}} version 8.11 or newer, refer to [Upgrade to the latest risk engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md#upgrade-risk-engine). +* In {{stack}}, if you previously installed the original user and host risk score modules, and you’re upgrading to {{stack}} version 8.11 or newer, refer to [Upgrade to the latest risk engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md#upgrade-risk-engine). :::: @@ -63,6 +52,9 @@ You can also choose to include `Closed` alerts in risk scoring calculations and ## Upgrade to the latest risk engine [upgrade-risk-engine] +```yaml {applies_to} +stack: +``` If you upgraded to 8.11 from an earlier {{stack}} version, and you have the original risk engine installed, you can upgrade to the latest risk engine. You will be prompted to upgrade in places where risk score data exists, such as: From b6ba02349bc92045cbbb974d3bab4d67f9399aee Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 21 Feb 2025 12:52:12 +0000 Subject: [PATCH 03/10] ml reqs --- .../serverless/security-ml-requirements.md | 16 ---------------- raw-migrated-files/toc.yml | 1 - .../machine-learning-job-rule-requirements.md | 11 ++--------- 3 files changed, 2 insertions(+), 26 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-ml-requirements.md diff --git a/raw-migrated-files/docs-content/serverless/security-ml-requirements.md b/raw-migrated-files/docs-content/serverless/security-ml-requirements.md deleted file mode 100644 index 630fe4bd0a..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-ml-requirements.md +++ /dev/null 
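Review bot: "In {{stack}}, if you previously installed the original user and host risk score modules, and you’re upgrading to {{stack}} version 8.11 or newer" repeats {{stack}}; "upgrading to version 8.11 or newer" is enough once the sentence opens with "In {{stack}}". The `{applies_to}` block added under "## Upgrade to the latest risk engine" makes the note redundant for serverless readers, which is fine, but make sure a blank line separates the closing fence from "If you upgraded to 8.11" so the paragraph does not render attached to the code block.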
@@ -1,16 +0,0 @@ -# {{ml-cap}} job and rule requirements [security-ml-requirements] - -To run and create {{ml}} jobs and rules, you need the appropriate [user role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles). - -Additionally, for [custom roles](../../../deploy-manage/users-roles/cloud-organization/user-roles.md), to configure [alert suppression](../../../solutions/security/detect-and-alert/suppress-detection-alerts.md) for {{ml}} rules, your role needs the following index privilege: - -* `read` permission for the `.ml-anomalies-*` index - -For more information, go to [Set up {{ml-features}}](../../../explore-analyze/machine-learning/setting-up-machine-learning.md). - -::::{important} -Some roles give access to the results of *all* {{anomaly-jobs}}, irrespective of whether the user has access to the source indices. Likewise, a user who has full or read-only access to {{ml-features}} within a given {{kib}} space can view the results of *all* {{anomaly-jobs}} that are visible in that space. You must carefully consider who is given these roles and feature privileges; {{anomaly-job}} results may propagate field values that contain sensitive information from the source indices to the results. - -:::: - - diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index fa5b5d213d..77b7b9d624 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -290,7 +290,6 @@ toc: - file: docs-content/serverless/security-llm-connector-guides.md - file: docs-content/serverless/security-llm-performance-matrix.md - file: docs-content/serverless/security-machine-learning.md - - file: docs-content/serverless/security-ml-requirements.md - file: docs-content/serverless/security-osquery-placeholder-fields.md - file: docs-content/serverless/security-osquery-response-action.md - file: docs-content/serverless/security-overview-dashboard.md 
diff --git a/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md b/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md index dc2618bc81..57825d0fed 100644 --- a/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md +++ b/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md @@ -6,14 +6,7 @@ mapped_urls: # Machine learning job and rule requirements -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/ml-requirements.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-ml-requirements.md - -To run and create {{ml}} jobs and rules, you need all of these: +To run and create {{ml}} jobs and rules in serverless, you need the appropriate [user role](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles). In {{stack}}, you need all of these: * The [appropriate license](https://www.elastic.co/subscriptions) * There must be at least one {{ml}} node in your cluster 
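Review bot: the new intro puts the serverless and {{stack}} requirements in one paragraph and then opens a bulleted list with "In {{stack}}, you need all of these:", so the list items (license, at least one {{ml}} node in the cluster) read as {{stack}} only while the "Additionally, to configure alert suppression" paragraph after the list applies to both; consider separating the two deployment types into their own paragraphs so serverless readers do not stop at the list.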
@@ -26,7 +19,7 @@ Additionally, to configure [alert suppression](/solutions/security/detect-and-al For more information, go to [Set up {{ml-features}}](/explore-analyze/machine-learning/setting-up-machine-learning.md). ::::{important} -The `machine_learning_admin` and `machine_learning_user` built-in roles give access to the results of *all* {{anomaly-jobs}}, irrespective of whether the user has access to the source indices. Likewise, a user who has full or read-only access to {{ml-features}} within a given {{kib}} space can view the results of *all* {{anomaly-jobs}} that are visible in that space. You must carefully consider who is given these roles and feature privileges; {{anomaly-job}} results may propagate field values that contain sensitive information from the source indices to the results. +Some roles (for example, in {{stack}}, the `machine_learning_admin` and `machine_learning_user` built-in roles) give access to the results of *all* {{anomaly-jobs}}, irrespective of whether the user has access to the source indices. Likewise, a user who has full or read-only access to {{ml-features}} within a given {{kib}} space can view the results of *all* {{anomaly-jobs}} that are visible in that space. You must carefully consider who is given these roles and feature privileges; {{anomaly-job}} results may propagate field values that contain sensitive information from the source indices to the results. :::: From de5b9200079e72f379c9e0cbd5cc0277c7a12efb Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 21 Feb 2025 13:10:44 +0000 Subject: [PATCH 04/10] anomaly detection --- .../serverless/security-machine-learning.md | 68 ------------------- raw-migrated-files/toc.yml | 1 - .../anomaly-detection.md | 10 +-- 3 files changed, 2 insertions(+), 77 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-machine-learning.md 
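Review bot: the deleted serverless page scoped the `.ml-anomalies-*` `read` privilege for alert suppression to custom roles ("for [custom roles], to configure alert suppression for {{ml}} rules, your role needs the following index privilege"); the retained "Additionally, to configure alert suppression" paragraph is unchanged context here, so confirm it says that this applies to custom roles in serverless rather than only to {{stack}} users. The admonition rewrite "Some roles (for example, in {{stack}}, the `machine_learning_admin` and `machine_learning_user` built-in roles)" is fine.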
diff --git a/raw-migrated-files/docs-content/serverless/security-machine-learning.md b/raw-migrated-files/docs-content/serverless/security-machine-learning.md deleted file mode 100644 index 29e47cff9a..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-machine-learning.md +++ /dev/null 
@@ -1,68 +0,0 @@ -# Detect anomalies [security-machine-learning] - -[{{ml-cap}}](../../../explore-analyze/machine-learning/anomaly-detection.md) functionality is available when you have the appropriate role. Refer to [Machine learning job and rule requirements](../../../solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for more information. - -You can view the details of detected anomalies within the `Anomalies` table widget shown on the Hosts, Network, and associated details pages, or even narrow to the specific date range of an anomaly from the `Max anomaly score by job` field in the overview of the details pages for hosts and IPs. These interfaces also offer the ability to drag and drop details of the anomaly to Timeline, such as the `Entity` itself, or any of the associated `Influencers`. - - -## Manage {{ml}} jobs [manage-jobs] - -If you have the `machine_learning_admin` role, you can use the **ML job settings** interface on the **Alerts***, ***Rules**, and **Rule Exceptions** pages to view, start, and stop {{elastic-sec}} {{ml}} jobs. - -:::{image} ../../../images/serverless--detections-machine-learning-ml-ui.png -:alt: ML job settings UI on the Alerts page -:class: screenshot -::: - - -### Manage {{ml}} detection rules [manage-ml-rules] - -You can also check the status of {{ml}} detection rules, and start or stop their associated {{ml}} jobs: - -* On the **Rules** page, the **Last response** column displays the rule’s current [status](../../../solutions/security/detect-and-alert/manage-detection-rules.md#rule-status). An indicator icon (![Error](../../../images/serverless-warning.svg "")) also appears if a required {{ml}} job isn’t running. Click the icon to list the affected jobs, then click **Visit rule details page to investigate** to open the rule’s details page. 
- - :::{image} ../../../images/serverless--detections-machine-learning-rules-table-ml-job-error.png - :alt: Rules table {{ml}} job error - :class: screenshot - ::: - -* On a rule’s details page, check the **Definition** section to confirm whether the required {{ml}} jobs are running. Switch the toggles on or off to run or stop each job. - - :::{image} ../../../images/serverless--troubleshooting-rules-ts-ml-job-stopped.png - :alt: Rule details page with ML job stopped - :class: screenshot - ::: - - - -### Prebuilt jobs [included-jobs] - -{{elastic-sec}} comes with prebuilt {{ml}} {{anomaly-jobs}} for automatically detecting host and network anomalies. The jobs are displayed in the `Anomaly Detection` interface. They are available when either: - -* You ship data using [Beats](https://www.elastic.co/products/beats) or the [{{agent}}](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md), and {{kib}} is configured with the required index patterns (such as `auditbeat-*`, `filebeat-*`, `packetbeat-*`, or `winlogbeat-*` in **Project settings** → **Management** → **Index Management**). - -Or - -* Your shipped data is ECS-compliant, and {{kib}} is configured with the shipped data’s index patterns in **Project settings** → **Management** → **Index Management**. - -Or - -* You install one or more of the [Advanced Analytics integrations](../../../solutions/security/advanced-entity-analytics/behavioral-detection-use-cases.md#security-behavioral-detection-use-cases-elastic-integrations-for-behavioral-detection-use-cases). - -[Prebuilt job reference](asciidocalypse://docs/docs-content/docs/reference/security/prebuilt-jobs.md) describes all available {{ml}} jobs and lists which ECS fields are required on your hosts when you are not using {{beats}} or the {{agent}} to ship your data. 
For information on tuning anomaly results to reduce the number of false positives, see [Optimizing anomaly results](../../../solutions/security/advanced-entity-analytics/optimizing-anomaly-results.md). - -::::{note} -Machine learning jobs look back and analyze two weeks of historical data prior to the time they are enabled. After jobs are enabled, they continuously analyze incoming data. When jobs are stopped and restarted within the two-week time frame, previously analyzed data is not processed again. - -:::: - - - -## View detected anomalies [view-anomalies] - -To view the `Anomalies` table widget and `Max Anomaly Score By Job` details, the user must have the `machine_learning_admin` or `machine_learning_user` role. - -::::{note} -To adjust the `score` threshold that determines which anomalies are shown, you can modify the **`securitySolution:defaultAnomalyScore`** advanced setting. - -:::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 77b7b9d624..a09d956d64 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -289,7 +289,6 @@ toc: - file: docs-content/serverless/security-linux-file-monitoring.md - file: docs-content/serverless/security-llm-connector-guides.md - file: docs-content/serverless/security-llm-performance-matrix.md - - file: docs-content/serverless/security-machine-learning.md - file: docs-content/serverless/security-osquery-placeholder-fields.md - file: docs-content/serverless/security-osquery-response-action.md - file: docs-content/serverless/security-overview-dashboard.md diff --git a/solutions/security/advanced-entity-analytics/anomaly-detection.md b/solutions/security/advanced-entity-analytics/anomaly-detection.md index 5bd91ff9d2..7b8d3aba8c 100644 --- a/solutions/security/advanced-entity-analytics/anomaly-detection.md +++ b/solutions/security/advanced-entity-analytics/anomaly-detection.md 
@@ -6,21 +6,15 @@ mapped_urls: # Anomaly detection -% What needs to be done: Align serverless/stateful -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/machine-learning.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-machine-learning.md - -[{{ml-cap}}](/explore-analyze/machine-learning/anomaly-detection.md) functionality is available when you have the appropriate subscription, are using a **{{ess-trial}}[cloud deployment]**, or are testing out a **Free Trial**. Refer to [Machine learning job and rule requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for more information. +[{{ml-cap}}](/explore-analyze/machine-learning/anomaly-detection.md) functionality is available when you have the appropriate role, subscription, are using a **{{ess-trial}}[cloud deployment]**, or are testing out a **Free Trial**. Refer to [Machine learning job and rule requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for more information. You can view the details of detected anomalies within the `Anomalies` table widget shown on the Hosts, Network, and associated details pages, or even narrow to the specific date range of an anomaly from the `Max anomaly score by job` field in the overview of the details pages for hosts and IPs. These interfaces also offer the ability to drag and drop details of the anomaly to Timeline, such as the `Entity` itself, or any of the associated `Influencers`. ## Manage {{ml}} jobs [manage-jobs] -If you have the `machine_learning_admin` role, you can use the **ML job settings** interface on the **Alerts**, **Rules**, and **Rule Exceptions** pages to view, start, and stop {{elastic-sec}} {{ml}} jobs. 
+If you have the appropriate role, you can use the **ML job settings** interface on the **Alerts**, **Rules**, and **Rule Exceptions** pages to view, start, and stop {{elastic-sec}} {{ml}} jobs. :::{image} ../../../images/security-ml-ui.png :alt: ML job settings UI on the Alerts page From 14a741673655c62e183ae8c48c12cdfe76a19b00 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 21 Feb 2025 13:26:02 +0000 Subject: [PATCH 05/10] fixes link --- .../security/advanced-entity-analytics/anomaly-detection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/advanced-entity-analytics/anomaly-detection.md b/solutions/security/advanced-entity-analytics/anomaly-detection.md index 7b8d3aba8c..4112eb0564 100644 --- a/solutions/security/advanced-entity-analytics/anomaly-detection.md +++ b/solutions/security/advanced-entity-analytics/anomaly-detection.md 
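Review bot: this hunk replaces "If you have the `machine_learning_admin` role" with "If you have the appropriate role" under "## Manage {{ml}} jobs", but the deleted serverless page's "## View detected anomalies" section still names `machine_learning_admin` or `machine_learning_user` as required, and the corresponding section of anomaly-detection.md is not touched by this diff; either apply the same generalization there or keep the role names in both places so the two sections agree.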
@@ -7,7 +7,7 @@ mapped_urls: # Anomaly detection -[{{ml-cap}}](/explore-analyze/machine-learning/anomaly-detection.md) functionality is available when you have the appropriate role, subscription, are using a **{{ess-trial}}[cloud deployment]**, or are testing out a **Free Trial**. Refer to [Machine learning job and rule requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for more information. +[{{ml-cap}}](/explore-analyze/machine-learning/anomaly-detection.md) functionality is available when you have the appropriate role, subscription, are using a [cloud deployment](https://cloud.elastic.co/registration?page=docs&placement=docs-body), or are testing out a **Free Trial**. Refer to [Machine learning job and rule requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for more information. You can view the details of detected anomalies within the `Anomalies` table widget shown on the Hosts, Network, and associated details pages, or even narrow to the specific date range of an anomaly from the `Max anomaly score by job` field in the overview of the details pages for hosts and IPs. These interfaces also offer the ability to drag and drop details of the anomaly to Timeline, such as the `Entity` itself, or any of the associated `Influencers`. From b02ea633ce1886f6c636014c26b029a12b861944 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 21 Feb 2025 13:38:03 +0000 Subject: [PATCH 06/10] use cases --- ...security-behavioral-detection-use-cases.md | 30 ------------------- raw-migrated-files/toc.yml | 1 - .../behavioral-detection-use-cases.md | 15 ++-------- 3 files changed, 2 insertions(+), 44 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-behavioral-detection-use-cases.md 
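Review bot: the link fix is correct, but the sentence still reads "available when you have the appropriate role, subscription, are using a [cloud deployment], or are testing out a **Free Trial**", which is not parallel; suggest "when you have the appropriate role and subscription, are using a [cloud deployment](https://cloud.elastic.co/registration?page=docs&placement=docs-body), or are testing out a Free Trial".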
diff --git a/raw-migrated-files/docs-content/serverless/security-behavioral-detection-use-cases.md b/raw-migrated-files/docs-content/serverless/security-behavioral-detection-use-cases.md deleted file mode 100644 index c9fed22015..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-behavioral-detection-use-cases.md +++ /dev/null 
@@ -1,30 +0,0 @@ -# Behavioral detection use cases [security-behavioral-detection-use-cases] - -Behavioral detection identifies potential internal and external threats based on user and host activity. It uses a threat-centric approach to flag suspicious activity by analyzing patterns, anomalies, and context enrichment. - -The behavioral detection feature is built on {{elastic-sec}}'s foundational SIEM detection capabilities, leveraging {{ml}} algorithms to enable proactive threat detection and hunting. - - -## Elastic integrations for behavioral detection use cases [security-behavioral-detection-use-cases-elastic-integrations-for-behavioral-detection-use-cases] - -Behavioral detection integrations provide a convenient way to enable behavioral detection capabilities. They streamline the deployment of components that implement behavioral detection, such as data ingestion, transforms, rules, {{ml}} jobs, and scripts. - -::::{admonition} Requirements -:class: note - -* Behavioral detection integrations require the Security Analytics Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). -* To learn more about the requirements for using {{ml}} jobs, refer to [{{ml-cap}} job and rule requirements](../../../solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md). 
- -:::: - - -Here’s a list of integrations for various behavioral detection use cases: - -* [Data Exfiltration Detection](https://docs.elastic.co/en/integrations/ded) -* [Domain Generation Algorithm Detection](https://docs.elastic.co/en/integrations/dga) -* [Lateral Movement Detection](https://docs.elastic.co/en/integrations/lmd) -* [Living off the Land Attack Detection](https://docs.elastic.co/en/integrations/problemchild) -* [Network Beaconing Identification](https://docs.elastic.co/en/integrations/beaconing) - -To learn more about {{ml}} jobs enabled by these integrations, refer to [Prebuilt job reference](asciidocalypse://docs/docs-content/docs/reference/security/prebuilt-jobs.md). - diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index a09d956d64..9e385d21f3 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -238,7 +238,6 @@ toc: - file: docs-content/serverless/security-alerts-run-osquery.md - file: docs-content/serverless/security-automated-response-actions.md - file: docs-content/serverless/security-automatic-import.md - - file: docs-content/serverless/security-behavioral-detection-use-cases.md - file: docs-content/serverless/security-benchmark-rules-kspm.md - file: docs-content/serverless/security-benchmark-rules.md - file: docs-content/serverless/security-blocklist.md diff --git a/solutions/security/advanced-entity-analytics/behavioral-detection-use-cases.md b/solutions/security/advanced-entity-analytics/behavioral-detection-use-cases.md index 874859143b..5564d6eec8 100644 --- a/solutions/security/advanced-entity-analytics/behavioral-detection-use-cases.md +++ b/solutions/security/advanced-entity-analytics/behavioral-detection-use-cases.md 
@@ -6,18 +6,6 @@ mapped_urls: # Behavioral detection use cases -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/behavioral-detection-use-cases.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-behavioral-detection-use-cases.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$ml-integrations$$$ - -$$$security-behavioral-detection-use-cases-elastic-integrations-for-behavioral-detection-use-cases$$$ Behavioral detection identifies potential internal and external threats based on user and host activity. It uses a threat-centric approach to flag suspicious activity by analyzing patterns, anomalies, and context enrichment. @@ -29,7 +17,8 @@ The behavioral detection feature is built on {{elastic-sec}}'s foundational SIEM Behavioral detection integrations provide a convenient way to enable behavioral detection capabilities. They streamline the deployment of components that implement behavioral detection, such as data ingestion, transforms, rules, {{ml}} jobs, and scripts. ::::{admonition} Requirements -* Behavioral detection integrations require a [Platinum subscription](https://www.elastic.co/pricing) or higher. +* In {{stack}}, behavioral detection integrations require a [Platinum subscription](https://www.elastic.co/pricing) or higher. +* In serverless, behavioral detection integrations require the Security Analytics Complete [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md). * To learn more about the requirements for using {{ml}} jobs, refer to [Machine learning job and rule requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md). :::: From fe841711d1a5f5df7ac9c69dafe6cebb60d0d6e3 Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Fri, 21 Feb 2025 14:17:06 +0000 Subject: [PATCH 07/10] ers intro --- .../entity-risk-scoring-requirements.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md index 5f36bce937..c69df92522 100644 --- a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md +++ b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md @@ -6,7 +6,9 @@ mapped_urls: # Entity risk scoring requirements -To use entity risk scoring, asset criticality, and entity store, your role must have certain cluster, index, and {{kib}} privileges. These features require a [Platinum subscription](https://www.elastic.co/pricing) or higher. +To use entity risk scoring, asset criticality, and entity store in {{stack}}, your role must have certain cluster, index, and {{kib}} privileges. In serverless, you need the appropriate user roles or a custom role with the right privileges. + +In {{stack}}, these features require a [Platinum subscription](https://www.elastic.co/pricing) or higher. In serverless, they require the Security Analytics Complete [project feature](deploy-manage/deploy/elastic-cloud/project-settings.md). This page covers the requirements and guidelines for using the entity risk scoring, asset criticality, and entity store features, as well as their known limitations. From a43e3cbd5e891325d26dc72f3cf164cf22571b5f Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 21 Feb 2025 14:27:31 +0000 Subject: [PATCH 08/10] edits --- .../entity-risk-scoring-requirements.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) 
diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md index c69df92522..ee54ceb141 100644 --- a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md +++ b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md 
@@ -6,18 +6,19 @@ mapped_urls: # Entity risk scoring requirements -To use entity risk scoring, asset criticality, and entity store in {{stack}}, your role must have certain cluster, index, and {{kib}} privileges. In serverless, you need the appropriate user roles or a custom role with the right privileges. +This page covers the requirements and guidelines for using the entity risk scoring, asset criticality, and entity store features, as well as their known limitations. -In {{stack}}, these features require a [Platinum subscription](https://www.elastic.co/pricing) or higher. In serverless, they require the Security Analytics Complete [project feature](deploy-manage/deploy/elastic-cloud/project-settings.md). +To use these features in {{stack}}, your role must have certain cluster, index, and {{kib}} privileges. In serverless, you need the appropriate user roles or a custom role with the right privileges. -This page covers the requirements and guidelines for using the entity risk scoring, asset criticality, and entity store features, as well as their known limitations. +In {{stack}}, these features require a [Platinum subscription](https://www.elastic.co/pricing) or higher. In serverless, they require the Security Analytics Complete [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md). ## Entity risk scoring [_entity_risk_scoring] -In {{stack}}, to turn on the risk scoring engine, you need the appropriate [privileges](#_privileges). +To turn on the risk scoring engine, you need the following: -In serverless, to turn on the risk scoring engine, you need either the appropriate [predefined Security user role](#ers_roles) or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with the right [privileges](#_privileges). +* In {{stack}}, you need the appropriate [privileges](#_privileges). 
+* In serverless, you need either the appropriate [predefined Security user role](#ers_roles) or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with the right [privileges](#_privileges). ### Privileges [_privileges] @@ -52,9 +53,10 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v ## Asset criticality [_asset_criticality] -In {{stack}}, to use asset criticality, you need the appropriate [privileges](#_privileges_2) for the `.asset-criticality.asset-criticality-` index. +To use asset criticality, you need the following: -In serverless, to use asset criticality, you need you need either the appropriate [predefined Security user role](#ac_roles) or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with the right [privileges](#_privileges_2). +* In {{stack}}, you need the appropriate [privileges](#_privileges_2) for the `.asset-criticality.asset-criticality-` index. +* In serverless, you need either the appropriate [predefined Security user role](#ac_roles) or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with the right [privileges](#_privileges_2) for the `.asset-criticality.asset-criticality-` index. ### Privileges [_privileges_2] From a43722f88152580eb386f4e98bf26fa15e8bc5cd Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 24 Feb 2025 10:48:36 +0000 Subject: [PATCH 09/10] move privileges out of tables --- .../entity-risk-scoring-requirements.md | 36 +++++++++++++++---- 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md index ee54ceb141..959c5b09f3 100644 --- a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md +++ b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md 
@@ -23,9 +23,18 @@ To turn on the risk scoring engine, you need the following: ### Privileges [_privileges] -| Cluster | Index | {{kib}} | -| --- | --- | --- | -| - `manage_index_templates`
- `manage_transform`
| `all` privilege for `risk-score.risk-score-*` | **Read** for the **Security** feature | +#### Cluster + +- `manage_index_templates` +- `manage_transform` + +#### Index + +`All` privilege for `risk-score.risk-score-*` + +#### {{kib}} + +**Read** for the **Security** feature ### Predefined roles [ers_roles] @@ -82,8 +91,23 @@ To use asset criticality, you need the following: To enable the entity store, you need the following privileges: -| Cluster | Index | {{kib}} | -| --- | --- | --- | -| - `manage_enrich`
- `manage_index_templates`
- `manage_ingest_pipelines`
- `manage_transform`
| - `read` and `view_index_metadata` for `.asset-criticality.asset-criticality-*`
- `read` and `manage` for `risk-score.risk-score-*`
- `read` and `manage` for `.entities.v1.latest.*`
- `read` and `view_index_metadata` for all {{elastic-sec}} indices
| **All** for the **Security** and **Saved Objects Management** features | +#### Cluster + +- `manage_enrich` +- `manage_index_templates` +- `manage_ingest_pipelines` +- `manage_transform` + +#### Index + +- `read` and `view_index_metadata` for `.asset-criticality.asset-criticality-*` +- `read` and `manage` for `risk-score.risk-score-*` +- `read` and `manage` for `.entities.v1.latest.*` +- `read` and `view_index_metadata` for all {{elastic-sec}} indices + +#### {{kib}} + +**All** for the **Security** and **Saved Objects Management** features + % pending info about user roles / custom role privileges needed for entity store in serverless \ No newline at end of file From 9131048f3cd068f85d3a8de8bf108a82ef377e9b Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 24 Feb 2025 15:50:15 +0000 Subject: [PATCH 10/10] Adds info about serverless entity store reqs --- .../entity-risk-scoring-requirements.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md index 959c5b09f3..5ae559e793 100644 --- a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md +++ b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md @@ -86,10 +86,12 @@ To use asset criticality, you need the following: ## Entity store [_entity_store] +To turn on the entity store, you need the following: -### Privileges [_privileges_3] +* In {{stack}}, you need the appropriate [privileges](#_privileges_3). +* In serverless, you need either the Admin role or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with the right [privileges](#_privileges_3). -To enable the entity store, you need the following privileges: +### Privileges [_privileges_3] #### Cluster 
@@ -108,6 +110,3 @@ To enable the entity store, you need the following privileges: #### {{kib}} **All** for the **Security** and **Saved Objects Management** features - - -% pending info about user roles / custom role privileges needed for entity store in serverless \ No newline at end of file
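Review bot: the anomaly-detection.md hunk in PATCH 05 replaces the shared `{{ess-trial}}` substitution with a hardcoded `https://cloud.elastic.co/registration?page=docs&placement=docs-body` link that carries tracking query parameters; if the registration URL or its campaign parameters change, every page that inlines it has to be edited separately, so prefer a centrally defined substitution (or the bare registration URL) unless the build intentionally no longer supports `{{ess-trial}}`.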
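Review bot: the first behavioral-detection-use-cases.md hunk in PATCH 06 deletes the `$$$ml-integrations$$$` and `$$$security-behavioral-detection-use-cases-elastic-integrations-for-behavioral-detection-use-cases$$$` anchors together with the migration comment stating that internal links rely on those IDs being on the page; unless those IDs are now resolved some other way (for example via the `mapped_urls` front matter visible in the hunk header, or as heading IDs), links that target them will break, so confirm that before removing the anchors.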
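Review bot: in the PATCH 07 hunk for entity-risk-scoring-requirements.md, the new `[project feature](deploy-manage/deploy/elastic-cloud/project-settings.md)` link is missing the leading slash that every other link in the series uses (`/deploy-manage/...`), so it resolves relative to the current directory and will not find the target; PATCH 08 corrects it, but fixing it here (or squashing the two commits) avoids a broken link in the intermediate commit.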
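Review bot: in the asset criticality hunk of PATCH 08, both bullets grant privileges on `.asset-criticality.asset-criticality-` with no trailing wildcard, while PATCH 09 lists the same target as `.asset-criticality.asset-criticality-*`; a reader copying the first form into a role definition gets a literal index name rather than a pattern, so use the wildcard form consistently. The serverless bullet also repeats "for the `.asset-criticality.asset-criticality-` index" already stated in the {{stack}} bullet; it reads more cleanly hoisted into the introductory sentence.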
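Review bot: the PATCH 09 hunk that converts the risk scoring privileges table into headings changes the index privilege from `all` to `All`; Elasticsearch index privilege names are lowercase identifiers, and the capitalized form in code font is easy to confuse with the bold **All** used for the {{kib}} feature privilege in the entity store section, so keep `all` as it was in the table.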
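Review bot: the entity store hunk in PATCH 10 states the serverless requirement as "either the Admin role or a custom role", but unlike the risk scoring and asset criticality sections, which link to `#ers_roles` and `#ac_roles`, it gives no anchor or Predefined roles heading for the Admin role; add the same structure (or at least a link) so the three sections read consistently.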