Documents SIEM readiness page

[benironside]

Summary

Documents the new SIEM Readiness launchpad feature in Elastic Sec. Fixes #5513

Generative AI disclosure

1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?

• [ x] Yes Claude 4.6 / Cursor
• No

[github-actions]

🔍 Preview links for changed docs

• solutions/security/get-started/elastic-security-ui.md
• solutions/security/get-started/siem-readiness.md

[github-actions]

✅ Vale Linting Results

No issues found on modified lines!

---

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

[nastasha-solomon]

Nice job!

[JordanSh]

We should add that for Serverless, ILMs do not exist, its DSL only

[JordanSh]

We might need to mention that the stats for ingested docs and thus also failure rates are missing in serverless

[smriti0321]

Application/SaaS is the 5th category of data, please mention it in here and also describe the 5 categories under Data coverage section. @benironside

[JordanSh]

SIEM Readiness Page — Required Privileges

Kibana Privileges

Privilege	Required For
securitySolution	Access to the page and all SIEM readiness APIs
rules-read	Coverage tab — viewing enabled detection rules
integrations-read (Fleet)	Coverage tab — viewing installed integrations and their status

Elasticsearch Index Privileges

These must be granted on the relevant indices (logs-*, metrics-*, or whichever indices the user's data lives in):

Privilege	Required For
read	Coverage tab — category detection and MITRE ATT&CK doc counts
view_index_metadata	All tabs — reading index settings, mappings, data stream metadata, and data quality results
monitor	Continuity tab — ingest pipeline stats (nodes.stats). Quality tab — index stats

Elasticsearch Cluster Privileges

Privilege	Required For
monitor	Continuity tab — fetching ingest pipeline statistics from node stats
read_ilm	Retention tab — reading ILM lifecycle policies

Per-Tab Breakdown

Tab	Kibana Privileges	ES Index Privileges	ES Cluster Privileges
Coverage	securitySolution, rules-read, integrations-read	read, view_index_metadata	—
Quality	securitySolution	read, view_index_metadata, monitor	—
Continuity	securitySolution	view_index_metadata	monitor
Retention	securitySolution	view_index_metadata	read_ilm

Notes

• A user with only the built-in viewer role will be able to access the page but will see empty or incomplete data in most tabs. The Kibana-level securitySolution privilege is satisfied, but the underlying Elasticsearch calls require additional index and cluster privileges.
• The Fleet integrations API is the only call that returns an explicit 403 error. All other APIs silently return empty or partial results when the user lacks privileges.
• The Quality tab also requires monitor (or manage) per index for the auto-check feature to fetch index stats and for quality results to be saved and retrieved.
• The Cases integration (creating/viewing cases from any tab) uses its own authorization model and works for any user with case access in Security Solution.

Dismissing Smriti's review since I incorporated her request and she validated it over Slack/