From 77098ab5ab414fa70f1785d3a1765518d6023fc0 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 8 Sep 2025 14:48:15 +0100 Subject: [PATCH 1/3] Entity analytics workflow + privmon --- .../security/advanced-entity-analytics.md | 2 +- .../asset-criticality.md | 2 +- .../advanced-entity-analytics/entity-store.md | 2 +- .../monitor-privileged-user-activitites.md | 2 ++ .../advanced-entity-analytics/overview.md | 2 ++ ...privileged-user-monitoring-requirements.md | 22 ++++++++++++++++--- .../privileged-user-monitoring-setup.md | 2 ++ .../privileged-user-monitoring.md | 2 ++ .../view-analyze-risk-score-data.md | 2 +- .../configure-advanced-settings.md | 3 +-- .../get-started/elastic-security-ui.md | 1 - 11 files changed, 32 insertions(+), 10 deletions(-) diff --git a/solutions/security/advanced-entity-analytics.md b/solutions/security/advanced-entity-analytics.md index 26ae4885fc..4a2a0c6d5c 100644 --- a/solutions/security/advanced-entity-analytics.md +++ b/solutions/security/advanced-entity-analytics.md @@ -19,5 +19,5 @@ Advanced Entity Analytics provides the following key capabilities: * [](advanced-entity-analytics/entity-risk-scoring.md) * [](advanced-entity-analytics/advanced-behavioral-detections.md) -* {applies_to}`stack: preview 9.1` {applies_to}`serverless: unavailable` +* {applies_to}`stack: preview 9.1` {applies_to}`serverless: preview` [](/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md) diff --git a/solutions/security/advanced-entity-analytics/asset-criticality.md b/solutions/security/advanced-entity-analytics/asset-criticality.md index e2478ef2d6..f37d2a9966 100644 --- a/solutions/security/advanced-entity-analytics/asset-criticality.md +++ b/solutions/security/advanced-entity-analytics/asset-criticality.md 
@@ -68,7 +68,7 @@ You can view, assign, change, or unassign asset criticality from the following p If you have enabled the [entity store](entity-store.md), you can also view asset criticality assignments in the **Entities** section on the following pages: -* {applies_to}`stack: ga 9.1` {applies_to}`serverless: unavailable` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) +* {applies_to}`stack: ga 9.1` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) * [Entity analytics dashboard](/solutions/security/dashboards/entity-analytics-dashboard.md) :::{image} /solutions/images/security-entities-section.png diff --git a/solutions/security/advanced-entity-analytics/entity-store.md b/solutions/security/advanced-entity-analytics/entity-store.md index 8044ef5ca5..a798aec6bf 100644 --- a/solutions/security/advanced-entity-analytics/entity-store.md +++ b/solutions/security/advanced-entity-analytics/entity-store.md @@ -44,7 +44,7 @@ To enable the entity store: Once you enable the entity store, the **Entities** section appears on the following pages: -* {applies_to}`stack: ga 9.1` {applies_to}`serverless: unavailable` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) +* {applies_to}`stack: ga 9.1` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) * [Entity analytics dashboard](/solutions/security/dashboards/entity-analytics-dashboard.md) ## Clear entity store data [clear-entity-store] diff --git a/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md b/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md index d9bb30d993..f398f40ed6 100644 --- a/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md +++ b/solutions/security/advanced-entity-analytics/monitor-privileged-user-activitites.md 
@@ -1,6 +1,8 @@ --- applies_to: stack: preview 9.1 + serverless: + security: preview products: - id: security - id: cloud-serverless diff --git a/solutions/security/advanced-entity-analytics/overview.md b/solutions/security/advanced-entity-analytics/overview.md index 870ea6e515..6d579bb90c 100644 --- a/solutions/security/advanced-entity-analytics/overview.md +++ b/solutions/security/advanced-entity-analytics/overview.md @@ -1,6 +1,8 @@ --- applies_to: stack: ga 9.1 + serverless: + security: ga products: - id: security - id: cloud-serverless diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md index 87cc6cd8ac..6ec5aace8b 100644 --- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md +++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md @@ -1,6 +1,8 @@ --- applies_to: stack: preview 9.1 + serverless: + security: preview products: - id: security - id: cloud-serverless 
@@ -10,11 +12,15 @@ products: This page covers the requirements for using the privileged user monitoring feature, as well as its known limitations. -* Privileged user monitoring feature requires the appropriate [subscription](https://www.elastic.co/pricing). +The privileged user monitoring feature requires: + * {applies_to}`stack: ` The appropriate [subscription](https://www.elastic.co/subscriptions) + * {applies_to}`serverless: ` The appropriate [feature tier](https://www.elastic.co/pricing/serverless-security) -* To enable this feature, turn on the `securitySolution:enablePrivilegedUserMonitoring` [advanced setting](/solutions/security/get-started/configure-advanced-settings.md#access-privileged-user-monitoring). +To enable this feature, turn on the `securitySolution:enablePrivilegedUserMonitoring` [advanced setting](/solutions/security/get-started/configure-advanced-settings.md#access-privileged-user-monitoring). -* To use these features , your role must have certain [privileges](#privmon_privs). +To use this feature, you need: + * {applies_to}`stack: ` A role with the appropriate [privileges](#privmon_privs) + * {applies_to}`serverless: ` Either the appropriate [predefined Security user role](#privmon_roles) or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with the right [privileges](#privmon_privs) ## Privileges [privmon_privs] @@ -23,6 +29,16 @@ This page covers the requirements for using the privileged user monitoring featu | Enable the privileged user monitoring feature | N/A | **All** for the **Security** feature | | View the Privileged user monitoring dashboard | `Read` for the following indices:
- `.entity_analytics.monitoring.users-`
- `risk-score.risk-score-*`
- `.alerts-security.alerts-`
- `.ml-anomalies-shared`
- Security data view indices | **Read** for the **Security** feature | +## Predefined roles [privmon_roles] +```yaml {applies_to} +serverless: +``` + +| Action | Predefined role | +| --- | --- | +| Enable privileged user monitoring | - Platform engineer
- Admin | +| View the Privileged user monitoring dashboard | - Tier 1 analyst
- Tier 2 analyst
- Tier 3 analyst
- Rule author
- SOC manager
- Platform engineer
- Detections admin
- Admin | + ## Known limitations * Currently, none of the privileged user monitoring visualizations support [cross-cluster search](/solutions/search/cross-cluster-search.md) as part of the data that they query from. diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md index 9029ba77c2..863f86f381 100644 --- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md +++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-setup.md @@ -2,6 +2,8 @@ navigation_title: Set up privileged user monitoring applies_to: stack: preview 9.1 + serverless: + security: preview products: - id: security - id: cloud-serverless diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md index 72833189c8..a799f8947f 100644 --- a/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md +++ b/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md @@ -1,6 +1,8 @@ --- applies_to: stack: preview 9.1 + serverless: + security: preview products: - id: security - id: cloud-serverless diff --git a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md index a29641bd03..fff35d046b 100644 --- a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md +++ b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md 
@@ -35,7 +35,7 @@ In the Entity Analytics overview, you can view entity key performance indicators If you have enabled the [entity store](entity-store.md), you'll also get access to the **Entities** section, where you can view all hosts, users, and services along with their risk and asset criticality data. Access the Entity Analytics overview from the following pages: -* {applies_to}`stack: ga 9.1` {applies_to}`serverless: unavailable` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) +* {applies_to}`stack: ga 9.1` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) * [Entity analytics dashboard](/solutions/security/dashboards/entity-analytics-dashboard.md) diff --git a/solutions/security/get-started/configure-advanced-settings.md b/solutions/security/get-started/configure-advanced-settings.md index 056c9dd79d..bb52bdf40e 100644 --- a/solutions/security/get-started/configure-advanced-settings.md +++ b/solutions/security/get-started/configure-advanced-settings.md @@ -216,8 +216,7 @@ Even when the `excludedDataTiersForRuleExecution` advanced setting is enabled, i ## Access privileged user monitoring ```yaml {applies_to} -stack: preview 9.1 -serverless: unavailable +stack: ga 9.1 ``` The `securitySolution:enablePrivilegedUserMonitoring` setting allows you to access the [Entity analytics overview page](/solutions/security/advanced-entity-analytics/overview.md) and the [privileged user monitoring](/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md) feature. This setting is turned off by default. diff --git a/solutions/security/get-started/elastic-security-ui.md b/solutions/security/get-started/elastic-security-ui.md index 2920425c19..907569cf5d 100644 --- a/solutions/security/get-started/elastic-security-ui.md +++ b/solutions/security/get-started/elastic-security-ui.md 
@@ -189,7 +189,6 @@ The Assets section allows you to manage the following features: ### Entity analytics ```yaml {applies_to} stack: preview 9.1 -serverless: unavailable ``` :::{admonition} Requirements From 5adfbb7c5eee8df1d6b68b0ed29267d20fba2a3d Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 12 Sep 2025 14:32:47 +0100 Subject: [PATCH 2/3] fix applies tags --- .../security/advanced-entity-analytics/asset-criticality.md | 2 +- solutions/security/advanced-entity-analytics/entity-store.md | 2 +- .../advanced-entity-analytics/view-analyze-risk-score-data.md | 2 +- solutions/security/get-started/configure-advanced-settings.md | 1 + 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/solutions/security/advanced-entity-analytics/asset-criticality.md b/solutions/security/advanced-entity-analytics/asset-criticality.md index f37d2a9966..acd2037061 100644 --- a/solutions/security/advanced-entity-analytics/asset-criticality.md +++ b/solutions/security/advanced-entity-analytics/asset-criticality.md @@ -68,7 +68,7 @@ You can view, assign, change, or unassign asset criticality from the following p If you have enabled the [entity store](entity-store.md), you can also view asset criticality assignments in the **Entities** section on the following pages: -* {applies_to}`stack: ga 9.1` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) +* {applies_to}`stack: ga 9.1` {applies_to}`serverless: ga` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) * [Entity analytics dashboard](/solutions/security/dashboards/entity-analytics-dashboard.md) :::{image} /solutions/images/security-entities-section.png diff --git a/solutions/security/advanced-entity-analytics/entity-store.md b/solutions/security/advanced-entity-analytics/entity-store.md index a798aec6bf..0b8076142b 100644 --- a/solutions/security/advanced-entity-analytics/entity-store.md +++ b/solutions/security/advanced-entity-analytics/entity-store.md 
@@ -44,7 +44,7 @@ To enable the entity store: Once you enable the entity store, the **Entities** section appears on the following pages: -* {applies_to}`stack: ga 9.1` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) +* {applies_to}`stack: ga 9.1` {applies_to}`serverless: ga` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) * [Entity analytics dashboard](/solutions/security/dashboards/entity-analytics-dashboard.md) ## Clear entity store data [clear-entity-store] diff --git a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md index fff35d046b..3156dae947 100644 --- a/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md +++ b/solutions/security/advanced-entity-analytics/view-analyze-risk-score-data.md @@ -35,7 +35,7 @@ In the Entity Analytics overview, you can view entity key performance indicators If you have enabled the [entity store](entity-store.md), you'll also get access to the **Entities** section, where you can view all hosts, users, and services along with their risk and asset criticality data. Access the Entity Analytics overview from the following pages: -* {applies_to}`stack: ga 9.1` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) +* {applies_to}`stack: ga 9.1` {applies_to}`serverless: ga` [Entity analytics](/solutions/security/advanced-entity-analytics/overview.md) * [Entity analytics dashboard](/solutions/security/dashboards/entity-analytics-dashboard.md) diff --git a/solutions/security/get-started/configure-advanced-settings.md b/solutions/security/get-started/configure-advanced-settings.md index bb52bdf40e..a406d918a1 100644 --- a/solutions/security/get-started/configure-advanced-settings.md +++ b/solutions/security/get-started/configure-advanced-settings.md 
@@ -217,6 +217,7 @@ Even when the `excludedDataTiersForRuleExecution` advanced setting is enabled, i ## Access privileged user monitoring ```yaml {applies_to} stack: ga 9.1 +serverless: ga ``` The `securitySolution:enablePrivilegedUserMonitoring` setting allows you to access the [Entity analytics overview page](/solutions/security/advanced-entity-analytics/overview.md) and the [privileged user monitoring](/solutions/security/advanced-entity-analytics/privileged-user-monitoring.md) feature. This setting is turned off by default. From e7affe50ad7464adf0c8764f02ed063a698d2847 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 12 Sep 2025 14:38:28 +0100 Subject: [PATCH 3/3] fix applies tags --- solutions/security/get-started/elastic-security-ui.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/solutions/security/get-started/elastic-security-ui.md b/solutions/security/get-started/elastic-security-ui.md index 907569cf5d..856ce3bf65 100644 --- a/solutions/security/get-started/elastic-security-ui.md +++ b/solutions/security/get-started/elastic-security-ui.md @@ -188,7 +188,8 @@ The Assets section allows you to manage the following features: ### Entity analytics ```yaml {applies_to} -stack: preview 9.1 +stack: ga 9.1 +serverless: ga ``` :::{admonition} Requirements
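Review bot: In `privileged-user-monitoring-requirements.md`, hunk `@@ -23,6 +29,16 @@`, the new `## Predefined roles [privmon_roles]` heading follows the last row of the privileges table (`| **Read** for the **Security** feature |`) with no blank line between them; add one so the table is terminated before the heading rather than relying on the heading breaking the table. In the same hunk the fenced `yaml {applies_to}` block carries a bare `serverless:` with no lifecycle, while every other `serverless` tag this series adds states one (`security: preview`, `ga`, `unavailable`); since the feature is preview on serverless, write `serverless: preview` (or the nested `security: preview` form used in the front matter) so the badge matches the rest of the page.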
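Review bot: In `privileged-user-monitoring-requirements.md`, hunk `@@ -10,11 +12,15 @@`, the subscription link target changes from `https://www.elastic.co/pricing` to `https://www.elastic.co/subscriptions` while the serverless bullet introduces `https://www.elastic.co/pricing/serverless-security`; confirm the `/subscriptions` change is intentional rather than a by-product of splitting the bullet, and consider keeping the two targets parallel. The inline `{applies_to}`stack: `` and `{applies_to}`serverless: `` badges have empty lifecycle values; if they are meant only to label which deployment type each bullet applies to, a short comment or consistent use across the page would make that clear, because the same construct elsewhere in this series always carries a lifecycle.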
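Review bot: In `configure-advanced-settings.md`, the `## Access privileged user monitoring` block is changed to `stack: ga 9.1` (patch 1) and `serverless: ga` (patch 2), but every privileged user monitoring page in the same series is tagged `stack: preview 9.1` / `serverless: security: preview`, and the paragraph under the heading says the `securitySolution:enablePrivilegedUserMonitoring` setting gates that preview feature as well as the GA Entity analytics overview page. Either keep the section at `preview 9.1` / `serverless: preview`, or state in the text that the GA status applies to the overview page and that privileged user monitoring itself remains preview, so readers do not infer the feature is GA from the setting's badge.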
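Review bot: In `elastic-security-ui.md`, patch 1 only drops `serverless: unavailable` (leaving `stack: preview 9.1` with no serverless badge at all), and patch 3 then rewrites the block to `stack: ga 9.1` / `serverless: ga`; the same pattern appears in `asset-criticality.md`, `entity-store.md` and `view-analyze-risk-score-data.md`, where patch 1 removes the serverless tag and patch 2 adds `serverless: ga`. After patch 1 alone those four pages carry no serverless tag, which is a different statement from either "unavailable" or "ga". Since patches 2 and 3 (both titled "fix applies tags") exist only to correct tags patch 1 introduced, squash the three into a single commit so no intermediate state ships with the badges missing.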