From 40aee970c1c06dea634f8f7b41d8875bfb1b5e88 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Fri, 19 Dec 2025 11:47:42 -0500 Subject: [PATCH] First draft --- solutions/security/ai/attack-discovery.md | 2 +- .../detect-and-alert/detections-requirements.md | 12 ++++++------ .../security/get-started/automatic-migration.md | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/solutions/security/ai/attack-discovery.md b/solutions/security/ai/attack-discovery.md index a1b34a5011..9131f73ceb 100644 --- a/solutions/security/ai/attack-discovery.md +++ b/solutions/security/ai/attack-discovery.md @@ -55,7 +55,7 @@ Ensure your role has: Ensure your role has: -* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack Discover** {{kib}} feature and at least `Read` privileges for the **Security > Rules** {{kib}} feature. +* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack Discover** {{kib}} feature and at least `Read` privileges for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature. ![attack-discovery-rules-rbac](/solutions/images/attack-discovery-rules-rbac.png "elasticsearch =60%x60%") diff --git a/solutions/security/detect-and-alert/detections-requirements.md b/solutions/security/detect-and-alert/detections-requirements.md index ac7c8dac66..01a4268f38 100644 --- a/solutions/security/detect-and-alert/detections-requirements.md +++ b/solutions/security/detect-and-alert/detections-requirements.md @@ -60,12 +60,12 @@ For instructions about using {{ml}} jobs and rules, refer to [Machine learning j | Action | Cluster Privileges | Index Privileges | Kibana Privileges | | --- | --- | --- | --- | -| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature | -| Enable detections in all spaces

**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:

- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature | -| Preview rules | N/A | `read` for these indices:

- `.preview.alerts-security.alerts-`
- `.internal.preview.alerts-security.alerts--*`
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature | -| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature

**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:

- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.
| -| Manage alerts

**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.internal.alerts-security.alerts--*`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

**NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature

**NOTE:** Alerts are managed through {{es}} index privileges. To view the alert management flows requires at least the `Read` for the `Rules` feature. | -| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` feature | +| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules, Alerts, and Exceptions` feature | +| Enable detections in all spaces

**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:

- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules, Alerts, and Exceptions` feature | +| Preview rules | N/A | `read` for these indices:

- `.preview.alerts-security.alerts-`
- `.internal.preview.alerts-security.alerts--*`
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules, Alerts, and Exceptions` feature | +| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules, Alerts, and Exceptions` feature

**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:

- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.
| +| Manage alerts

**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.internal.alerts-security.alerts--*`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

**NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules, Alerts, and Exceptions` feature

**NOTE:** Alerts are managed through {{es}} index privileges. To view the alert management flows requires at least the `Read` for the `Rules, Alerts, and Exceptions` feature. | +| Manage exceptions | N/A | N/A | - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules, Alerts, and Exceptions` feature | | Manage value lists.

Create the `.lists` and `.items` data streams in your space

**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `` is the space name:

- `.lists-`
- `.items-`
| - {applies_to}`stack: ga 9.0`: `All` for the `Security` feature

- {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga`: `All` for the `Rules` and `Saved Objects Management` features | ### Predefined {{serverless-full}} roles [predefined-serverless-roles-detections] diff --git a/solutions/security/get-started/automatic-migration.md b/solutions/security/get-started/automatic-migration.md index 879f494735..7bd55a5006 100644 --- a/solutions/security/get-started/automatic-migration.md +++ b/solutions/security/get-started/automatic-migration.md @@ -33,7 +33,7 @@ You can ingest your data before migrating your assets, or migrate your assets fi :::{applies-item} { "stack": "ga 9.3", "serverless": "ga" } **Requirements** -* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > SIEM migrations** {{kib}} feature and at least `Read` privileges for the **Security > Rules** {{kib}} feature. +* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > SIEM migrations** {{kib}} feature and at least `Read` privileges for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature. * A working [LLM connector](/explore-analyze/ai-features/llm-guides/llm-connectors.md). * {{stack}} users: an [Enterprise](https://www.elastic.co/pricing) subscription. * {{Stack}} users: {{ml}} must be enabled.
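Review bot: the changed bullet in attack-discovery.md still reads **Security > Attack Discover**; since the line is being rewritten anyway, check whether the feature name should be **Attack Discovery** (the image directly below it is `attack-discovery-rules-rbac`). The bullet also carries no `{applies_to}` marker, whereas the table in detections-requirements.md lists `All` for the `Security` feature for `stack: ga 9.0` and scopes the `Rules` feature name to `stack: ga 9.3` and `serverless: ga`; consider adding the same scoping here, or the 9.0 requirement alongside it, so the renamed feature is not presented as applying to every version.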
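Review bot: the rename is incomplete in the detections-requirements.md table: the unchanged `Manage value lists` row at the end of the hunk still grants `All` for the `Rules` and `Saved Objects Management` features, so after this patch the 9.3/serverless column uses two names for the same feature. Change it to `All` for the `Rules, Alerts, and Exceptions` and `Saved Objects Management` features in the same commit. Two pre-existing wording issues in the rows being rewritten are worth fixing while here: the Manage rules note alternates between `Action and Connectors` and `Actions and Connectors` for the same feature, and the Manage alerts sentence "To view the alert management flows requires at least the `Read` for the `Rules, Alerts, and Exceptions` feature" should read "Viewing the alert management flows requires at least `Read` privileges for the `Rules, Alerts, and Exceptions` feature."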
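Review bot: the rename in automatic-migration.md is correctly scoped, because the bullet sits inside the `:::{applies-item} { "stack": "ga 9.3", "serverless": "ga" }` block; the attack-discovery.md bullet lacks the equivalent marker and should match. One style point in the surrounding context lines: the last two bullets use `{{stack}}` and `{{Stack}}` for what appears to be the same substitution; the capitalised form should be `{{stack}}` unless a distinct variable is intended.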