From 29232e59ba066977f7520471f5e009a76e24ad1e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Wed, 17 Dec 2025 18:25:17 -0500 Subject: [PATCH 1/4] First draft --- .../detect-and-alert/add-manage-exceptions.md | 33 +++++++++++++++++++ .../detections-requirements.md | 2 +- 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/solutions/security/detect-and-alert/add-manage-exceptions.md b/solutions/security/detect-and-alert/add-manage-exceptions.md index f57d3a0d16..63a72f6275 100644 --- a/solutions/security/detect-and-alert/add-manage-exceptions.md +++ b/solutions/security/detect-and-alert/add-manage-exceptions.md 
@@ -33,6 +33,39 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t :::: +## Requirements [exceptions-requirements] + +To use exceptions ensure your role has the appropriate access. + +### Exceptions requirements + +::::{applies-switch} + +:::{applies-item} { "stack": "ga 9.0" } + +**Manage access**: To create and manage exceptions for individual and multiple rules, your role needs `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Security** feature. + +::: + +:::{applies-item} { "stack": "ga 9.3" } + +- **View only access**: To view exceptions for individual and multiple rules, your role needs at least `Read` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Rules** {{kib}} feature. +- **Manage access**: To create and manage exceptions for individual and multiple rules, your role needs `All` {{kib}} privileges for the **Security > Rules** {{kib}} feature. + +::: + +:::{applies-item} { "stack": "ga 9.4", "serverless": "ga" } + +- **View only access**: To view exceptions for individual and multiple rules, your role needs at least `Read` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Rules** {{kib}} feature and `Read` for the **Security > Rules > Exceptions** subfeature. +- **Manage access**: To create and manage exceptions for individual and multiple rules, your role needs `All` {{kib}} privileges for the **Security > Rules** {{kib}} feature and `All` for the **Security > Rules > Exceptions** subfeature. +::: + +:::: + +### {{elastic-endpoint}} exceptions requirements + +- **View only access**: To view {{elastic-endpoint}} exceptions, your role needs at least `Read` {{kib}} privileges for the **Security > Security > Endpoint Exceptions** subfeature. 
+- **Manage access**: To create and manage {{elastic-endpoint}} exceptions, your role needs `All` {{kib}} privileges for the **Security > Security > Endpoint Exceptions** subfeature. ## Add exceptions to a rule [detection-rule-exceptions] diff --git a/solutions/security/detect-and-alert/detections-requirements.md b/solutions/security/detect-and-alert/detections-requirements.md index ac7c8dac66..4cc0cb4334 100644 --- a/solutions/security/detect-and-alert/detections-requirements.md +++ b/solutions/security/detect-and-alert/detections-requirements.md @@ -65,7 +65,7 @@ For instructions about using {{ml}} jobs and rules, refer to [Machine learning j | Preview rules | N/A | `read` for these indices:

- `.preview.alerts-security.alerts-`
- `.internal.preview.alerts-security.alerts--*`
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature | | Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature

**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:

- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.
| | Manage alerts

**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.internal.alerts-security.alerts--*`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

**NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature

**NOTE:** Alerts are managed through {{es}} index privileges. To view the alert management flows requires at least the `Read` for the `Rules` feature. | -| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature | +| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3`: `All` for the `Rules` feature

- {applies_to}`stack: ga 9.4` {applies_to}`serverless: ga`: `All` for the `Rules` feature and `All` for the `Exceptions` subfeature | | Manage value lists.

Create the `.lists` and `.items` data streams in your space

**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `` is the space name:

- `.lists-`
- `.items-`
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` and `Saved Objects Management` features | ### Predefined {{serverless-full}} roles [predefined-serverless-roles-detections] From 07c4fd9741b7d968ff4a7a12f69ef0cf3e52fa67 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Wed, 17 Dec 2025 18:36:17 -0500 Subject: [PATCH 2/4] Link to detection reqs page --- solutions/security/detect-and-alert/add-manage-exceptions.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/solutions/security/detect-and-alert/add-manage-exceptions.md b/solutions/security/detect-and-alert/add-manage-exceptions.md index 63a72f6275..5043ae49ff 100644 --- a/solutions/security/detect-and-alert/add-manage-exceptions.md +++ b/solutions/security/detect-and-alert/add-manage-exceptions.md @@ -35,7 +35,7 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t ## Requirements [exceptions-requirements] -To use exceptions ensure your role has the appropriate access. +To use exceptions ensure your role has the appropriate access. To learn how to access other detection features, refer to [](/solutions/security/detect-and-alert/detections-requirements.md). ### Exceptions requirements @@ -67,7 +67,6 @@ To use exceptions ensure your role has the appropriate access. - **View only access**: To view {{elastic-endpoint}} exceptions, your role needs at least `Read` {{kib}} privileges for the **Security > Security > Endpoint Exceptions** subfeature. - **Manage access**: To create and manage {{elastic-endpoint}} exceptions, your role needs `All` {{kib}} privileges for the **Security > Security > Endpoint Exceptions** subfeature. - ## Add exceptions to a rule [detection-rule-exceptions] 1. Do one of the following: From d6f7add41e8fd446d9bfee88d2051116d3970a41 Mon Sep 17 00:00:00 2001 
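Review bot: in the new `## Requirements [exceptions-requirements]` section of PATCH 1, the `### {{elastic-endpoint}} exceptions requirements` list gives a single path, **Security > Security > Endpoint Exceptions**, with no `{applies_to}` tag or applies-switch, while the exceptions list directly above versions the feature name (**Security > Security** for 9.0, **Security > Rules** for 9.3 and 9.4/serverless). Either the endpoint-exceptions subfeature path really is the same in every version, in which case say so, or it needs the same applies-switch treatment so 9.3+ and serverless readers are not sent to a feature that no longer carries that name. Two smaller points in the same hunk: the intro sentence needs a comma, `To use exceptions, ensure your role has the appropriate access.`, and `View only access` reads better hyphenated as `View-only access` in both lists.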
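Review bot: the second hunk of PATCH 2 (`@@ -67,7 +67,6 @@`) deletes the only blank line between `- **Manage access**: To create and manage {{elastic-endpoint}} exceptions ...` and the `## Add exceptions to a rule [detection-rule-exceptions]` heading, so the last list item now runs straight into the heading. Keep one blank line there so the list is closed before the heading; if the intent was to drop a doubled blank line, the hunk should remove only the second one.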
From: Nastasha Solomon Date: Fri, 19 Dec 2025 15:07:32 -0500 Subject: [PATCH 3/4] Priv naming and minor edits --- .../security/detect-and-alert/add-manage-exceptions.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/solutions/security/detect-and-alert/add-manage-exceptions.md b/solutions/security/detect-and-alert/add-manage-exceptions.md index 5043ae49ff..d8f766422e 100644 --- a/solutions/security/detect-and-alert/add-manage-exceptions.md +++ b/solutions/security/detect-and-alert/add-manage-exceptions.md 
@@ -49,15 +49,15 @@ To use exceptions ensure your role has the appropriate access. To learn how to a :::{applies-item} { "stack": "ga 9.3" } -- **View only access**: To view exceptions for individual and multiple rules, your role needs at least `Read` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Rules** {{kib}} feature. -- **Manage access**: To create and manage exceptions for individual and multiple rules, your role needs `All` {{kib}} privileges for the **Security > Rules** {{kib}} feature. +- **View only access**: To view exceptions for individual and multiple rules, your role needs at least `Read` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature. +- **Manage access**: To create and manage exceptions for individual and multiple rules, your role needs `All` {{kib}} privileges for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature. ::: :::{applies-item} { "stack": "ga 9.4", "serverless": "ga" } -- **View only access**: To view exceptions for individual and multiple rules, your role needs at least `Read` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Rules** {{kib}} feature and `Read` for the **Security > Rules > Exceptions** subfeature. -- **Manage access**: To create and manage exceptions for individual and multiple rules, your role needs `All` {{kib}} privileges for the **Security > Rules** {{kib}} feature and `All` for the **Security > Rules > Exceptions** subfeature. 
+- **View only access**: To view exceptions for individual and multiple rules, your role needs at least `Read` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature and `Read` for the **Security > Rules > Exceptions** subfeature. +- **Manage access**: To create and manage exceptions for individual and multiple rules, your role needsat least `Read` {{kib}} privileges for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature and `All` for the **Security > Rules > Exceptions** subfeature. ::: :::: From ccb7fba4e221b4052e7b00d2c9d0ca9af836cc8e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 19 Dec 2025 15:12:21 -0500 Subject: [PATCH 4/4] Updates table --- solutions/security/detect-and-alert/detections-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/detect-and-alert/detections-requirements.md b/solutions/security/detect-and-alert/detections-requirements.md index 4cc0cb4334..2cd09e9704 100644 --- a/solutions/security/detect-and-alert/detections-requirements.md +++ b/solutions/security/detect-and-alert/detections-requirements.md @@ -65,7 +65,7 @@ For instructions about using {{ml}} jobs and rules, refer to [Machine learning j | Preview rules | N/A | `read` for these indices:
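Review bot: the 9.4/serverless `**Manage access**` line in PATCH 3 has a typo, `needsat least` should be `needs at least`. In the same hunk the feature is renamed to **Security > Rules, Alerts, and Exceptions** but the subfeature path is still written **Security > Rules > Exceptions**; if the subfeature sits under the renamed feature, the path should be written to match what the role editor shows (for example **Security > Rules, Alerts, and Exceptions > Exceptions**), otherwise readers will look for a **Rules** feature that no longer exists. Also, Manage access for 9.4/serverless now needs only `Read` on the feature plus `All` on the `Exceptions` subfeature, while the 9.3 item still needs `All` on the feature; a short sentence saying that from 9.4 the subfeature, not the feature, controls write access would stop readers from taking the lower feature requirement for a mistake.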

- `.preview.alerts-security.alerts-`
- `.internal.preview.alerts-security.alerts--*`
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature | | Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature

**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:

- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.
| | Manage alerts

**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.internal.alerts-security.alerts--*`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

**NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature

**NOTE:** Alerts are managed through {{es}} index privileges. To view the alert management flows requires at least the `Read` for the `Rules` feature. | -| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3`: `All` for the `Rules` feature

- {applies_to}`stack: ga 9.4` {applies_to}`serverless: ga`: `All` for the `Rules` feature and `All` for the `Exceptions` subfeature | +| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3`: `All` for the `Rules` feature

- {applies_to}`stack: ga 9.4` {applies_to}`serverless: ga`: `Read` for the `Rules, Alerts, and Exceptions ` feature and `All` for the `Exceptions` subfeature | | Manage value lists.

Create the `.lists` and `.items` data streams in your space

**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `` is the space name:

- `.lists-`
- `.items-`
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` and `Saved Objects Management` features | ### Predefined {{serverless-full}} roles [predefined-serverless-roles-detections]
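Review bot: the new 9.4/serverless entry in the `Manage exceptions` row has a stray space before the closing backtick in `Rules, Alerts, and Exceptions ` feature; drop it so the feature name renders as a single clean code span. The 9.3 entry in the same row still reads `All` for the `Rules` feature, but PATCH 3 renamed the 9.3 feature to **Rules, Alerts, and Exceptions** in add-manage-exceptions.md, so the two pages now disagree for 9.3; update this line to match, and decide whether the unchanged `Rules` feature references in the Preview rules, Manage rules, Manage alerts, and Manage value lists rows need the same rename or a note explaining why they keep the old name.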