diff --git a/docs/serverless/advanced-entity-analytics/ers-req.mdx b/docs/serverless/advanced-entity-analytics/ers-req.mdx
index ab3d202de6..989b3ef8ea 100644
--- a/docs/serverless/advanced-entity-analytics/ers-req.mdx
+++ b/docs/serverless/advanced-entity-analytics/ers-req.mdx
@@ -13,38 +13,26 @@ This page covers the requirements for using the entity risk scoring and asset cr
### User roles
-{/* TO-DO: Remove the DocIf conditionals once the feature is available in production. */}
+To turn on the risk scoring engine, you need either the appropriate predefined Security user role or a custom role with the right privileges:
-
- To turn on the risk scoring engine, you need one of the following Security user roles:
+**Predefined roles**
- * Platform engineer
- * Detections admin
- * Admin
-
+* Platform engineer
+* Detections admin
+* Admin
-
- To turn on the risk scoring engine, you need either the appropriate predefined Security user role or a custom role with the right privileges:
+**Custom role privileges**
- **Predefined roles**
-
- * Platform engineer
- * Detections admin
- * Admin
-
- **Custom role privileges**
-
-
-
-
- * `manage_index_templates`
- * `manage_transform`
-
- `all` privilege for `risk-score.risk-score-*`
- **Read** for the **Security** feature
-
-
-
+
+
+
+ * `manage_index_templates`
+ * `manage_transform`
+
+ `all` privilege for `risk-score.risk-score-*`
+ **Read** for the **Security** feature
+
+
### Known limitations
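Review bot: In the added **Custom role privileges** block, the entry `all` privilege for `risk-score.risk-score-*` gives no reason the full index privilege is required, and in the lines shown here the three entries are not labelled as cluster, index, or feature privileges. Since this hunk removes the conditional and publishes the custom role requirements unconditionally, say which kind of privilege each entry is and, if a narrower set than `all` is enough to turn on the risk scoring engine, list that instead. Also confirm the pattern is meant to have no leading dot, because the asset criticality index later in this file is written `.asset-criticality.asset-criticality-`.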
@@ -57,74 +45,50 @@ To use the asset criticality feature, turn on the `securitySolution:enableAssetC
### User roles
-{/* TO-DO: Remove the DocIf conditionals once the feature is available in production. */}
-
-
- The following Security user roles allow you to view an entity's asset criticality:
-
- * Viewer
- * Tier 1 analyst
-
- The following Security user roles allow you to view, assign, change, or unassign an entity's asset criticality:
-
- * Editor
- * Tier 2 analyst
- * Tier 3 analyst
- * Threat intelligence analyst
- * Rule author
- * SOC manager
- * Endpoint operations analyst
- * Platform engineer
- * Detections admin
- * Endpoint policy manager
-
-
-
- To use asset criticality, you need either the appropriate predefined Security user role or a custom role with the right privileges:
-
- **Predefined roles**
-
-
-
- View asset criticality
-
- * Viewer
- * Tier 1 analyst
-
-
-
- View, assign, change, or unassign asset criticality
-
- * Editor
- * Tier 2 analyst
- * Tier 3 analyst
- * Threat intelligence analyst
- * Rule author
- * SOC manager
- * Endpoint operations analyst
- * Platform engineer
- * Detections admin
- * Endpoint policy manager
-
-
-
-
- **Custom role privileges**
-
- Custom roles need the following privileges for the `.asset-criticality.asset-criticality-` index:
-
-
-
- View asset criticality
- `read`
-
-
- View, assign, or change asset criticality
- `read` and `write`
-
-
- Unassign asset criticality
- `delete`
-
-
-
\ No newline at end of file
+To use asset criticality, you need either the appropriate predefined Security user role or a custom role with the right privileges:
+
+**Predefined roles**
+
+
+
+ View asset criticality
+
+ * Viewer
+ * Tier 1 analyst
+
+
+
+ View, assign, change, or unassign asset criticality
+
+ * Editor
+ * Tier 2 analyst
+ * Tier 3 analyst
+ * Threat intelligence analyst
+ * Rule author
+ * SOC manager
+ * Endpoint operations analyst
+ * Platform engineer
+ * Detections admin
+ * Endpoint policy manager
+
+
+
+
+**Custom role privileges**
+
+Custom roles need the following privileges for the `.asset-criticality.asset-criticality-` index:
+
+
+
+ View asset criticality
+ `read`
+
+
+ View, assign, or change asset criticality
+ `read` and `write`
+
+
+ Unassign asset criticality
+ `delete`
+
+
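Review bot: The index name in "Custom roles need the following privileges for the `.asset-criticality.asset-criticality-` index" ends in a hyphen with no suffix, placeholder, or wildcard, so a reader building a custom role cannot tell which index pattern to grant on. Spell out the suffix with a named placeholder and a sentence saying what it stands for, or give the wildcard pattern. The **Unassign asset criticality** row lists only `delete`; say whether `read` is also needed, since the predefined-role grouping treats unassign as part of the same set as view, assign, and change.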
diff --git a/docs/serverless/edr-install-config/defend-feature-privs.mdx b/docs/serverless/edr-install-config/defend-feature-privs.mdx
index dbf24654da..b93e647db1 100644
--- a/docs/serverless/edr-install-config/defend-feature-privs.mdx
+++ b/docs/serverless/edr-install-config/defend-feature-privs.mdx
@@ -7,80 +7,72 @@ tags: ["security","defend","reference","manage"]
-{/* TO-DO: Remove the DocIf conditionals once the feature is available in production. */}
+You can create user roles and define privileges to manage feature access in ((elastic-sec)). This allows you to use the principle of least privilege while managing access to ((elastic-defend))'s features.
-
- Coming soon
-
+Configure roles and privileges in **Stack Management** → **Custom Roles**. For more details on using this UI, refer to .
-
- You can create user roles and define privileges to manage feature access in ((elastic-sec)). This allows you to use the principle of least privilege while managing access to ((elastic-defend))'s features.
+
+ ((elastic-defend))'s feature privileges must be assigned to **All Spaces**. You can't assign them to an individual space.
+
- Configure roles and privileges in **Stack Management** → **Custom Roles**. For more details on using this UI, refer to .
+To grant access, select **All** for the **Security** feature in the **((kib)) privileges** configuration UI, then turn on the **Customize sub-feature privileges** switch. For each of the following sub-feature privileges, select the type of access you want to allow:
-
- ((elastic-defend))'s feature privileges must be assigned to **All Spaces**. You can't assign them to an individual space.
-
+* **All**: Users have full access to the feature, which includes performing all available actions and managing configuration.
+* **Read**: Users can view the feature, but can't perform any actions or manage configuration (some features don't have this privilege).
+* **None**: Users can't access or view the feature.
- To grant access, select **All** for the **Security** feature in the **((kib)) privileges** configuration UI, then turn on the **Customize sub-feature privileges** switch. For each of the following sub-feature privileges, select the type of access you want to allow:
-
- * **All**: Users have full access to the feature, which includes performing all available actions and managing configuration.
- * **Read**: Users can view the feature, but can't perform any actions or manage configuration (some features don't have this privilege).
- * **None**: Users can't access or view the feature.
-
-
-
- **Endpoint List**
- Access the Endpoints page, which lists all hosts running ((elastic-defend)), and associated integration details.
-
-
- **Trusted Applications**
- Access the Trusted applications page to remediate conflicts with other software, such as antivirus or endpoint security applications
-
-
- **Host Isolation Exceptions**
- Access the Host isolation exceptions page to add specific IP addresses that isolated hosts can still communicate with.
-
-
- **Blocklist**
- Access the Blocklist page to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious.
-
-
- **Event Filters**
- Access the Event Filters page to filter out endpoint events that you don't want stored in ((es)).
-
-
- **((elastic-defend)) Policy Management**
- Access the Policies page and ((elastic-defend)) integration policies to configure protections, event collection, and advanced policy features.
-
-
- **Response Actions History**
- Access the response actions history for endpoints.
-
-
- **Host Isolation**
- Allow users to isolate and release hosts.
-
-
- **Process Operations**
- Perform host process-related response actions, including `processes`, `kill-process`, and `suspend-process`.
-
-
- **File Operations**
- Perform file-related response actions in the response console.
-
-
- **Execute Operations**
-
- Perform shell commands and script-related response actions in the response console.
-
- The commands are run on the host using the same user account running the ((elastic-defend)) integration, which normally has full control over the system. Only grant this feature privilege to ((elastic-sec)) users who require this level of access.
-
-
-
-
- **Scan Operations**
- Perform folder scan response actions in the response console.
-
-
-
+
+
+ **Endpoint List**
+ Access the Endpoints page, which lists all hosts running ((elastic-defend)), and associated integration details.
+
+
+ **Trusted Applications**
+ Access the Trusted applications page to remediate conflicts with other software, such as antivirus or endpoint security applications
+
+
+ **Host Isolation Exceptions**
+ Access the Host isolation exceptions page to add specific IP addresses that isolated hosts can still communicate with.
+
+
+ **Blocklist**
+ Access the Blocklist page to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious.
+
+
+ **Event Filters**
+ Access the Event Filters page to filter out endpoint events that you don't want stored in ((es)).
+
+
+ **((elastic-defend)) Policy Management**
+ Access the Policies page and ((elastic-defend)) integration policies to configure protections, event collection, and advanced policy features.
+
+
+ **Response Actions History**
+ Access the response actions history for endpoints.
+
+
+ **Host Isolation**
+ Allow users to isolate and release hosts.
+
+
+ **Process Operations**
+ Perform host process-related response actions, including `processes`, `kill-process`, and `suspend-process`.
+
+
+ **File Operations**
+ Perform file-related response actions in the response console.
+
+
+ **Execute Operations**
+
+ Perform shell commands and script-related response actions in the response console.
+
+ The commands are run on the host using the same user account running the ((elastic-defend)) integration, which normally has full control over the system. Only grant this feature privilege to ((elastic-sec)) users who require this level of access.
+
+
+
+
+ **Scan Operations**
+ Perform folder scan response actions in the response console.
+
+
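Review bot: The paragraph that tells readers to select **All** for the **Security** feature and then turn on **Customize sub-feature privileges** does not say what each sub-feature is set to at that point, which matters for **Execute Operations** given the warning that its commands run under the account running the ((elastic-defend)) integration. Add a sentence stating the state of the sub-feature privileges once the switch is on, and tell readers to set **Execute Operations** to **None** unless the role requires it. Two smaller points: "For more details on using this UI, refer to ." has no link target in the added line, and the **Trusted Applications** description is missing its final period.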
diff --git a/docs/serverless/explore/conf-map-ui.mdx b/docs/serverless/explore/conf-map-ui.mdx
index 146c1bae1d..0fa1b1d945 100644
--- a/docs/serverless/explore/conf-map-ui.mdx
+++ b/docs/serverless/explore/conf-map-ui.mdx
@@ -24,14 +24,8 @@ configure `source.geo` and `destination.geo` ECS fields for your indices.
## Permissions required
-{/* TO-DO: Remove the DocIf conditionals once the feature is available in production. */}
-
-
- To view the map, you need the appropriate predefined user role.
-
-
- To view the map, you need the appropriate predefined user role or a custom role with at least `Read` privileges for the `Maps` feature.
-
+
+To view the map, you need the appropriate predefined user role or a custom role with at least `Read` privileges for the `Maps` feature.
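Review bot: The added sentence says "the appropriate predefined user role" without naming any role, while other pages in this patch list them (for example Platform engineer, Detections admin, and Admin in ers-req.mdx). Name the predefined roles that can view the map, or link to where they are listed, so readers do not have to guess which role is appropriate.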
diff --git a/docs/serverless/investigate/case-permissions.mdx b/docs/serverless/investigate/case-permissions.mdx
index cdde4ec9b9..4d2fd23081 100644
--- a/docs/serverless/investigate/case-permissions.mdx
+++ b/docs/serverless/investigate/case-permissions.mdx
@@ -8,80 +8,63 @@ tags: [ 'serverless', 'security', 'reference','manage' ]
-{/* TO-DO: Remove the DocIf conditionals once the feature is available in production. */}
+To access cases, you need either the appropriate predefined Security user role or a custom role with the right privileges.
-
- User roles define feature privileges at different levels to manage feature access. To access cases, you must have the appropriate user role.
+You can create custom roles and define feature privileges at different levels to manage feature access in ((kib)). ((kib)) privileges grant access to features within a specified ((kib)) space, and you can grant full or partial access. For more information, refer to .
-
- To send cases to external systems, you need the Security Analytics Complete .
-
+
+To send cases to external systems, you need the Security Analytics Complete .
+
-
- Certain feature tiers and roles might be required to manage case attachments. For example, to add alerts to cases, you must have a role that allows managing alerts.
-
-
+
+Certain feature tiers and roles might be required to manage case attachments. For example, to add alerts to cases, you must have a role that allows managing alerts.
+
-
+To grant access to cases in a custom role, set the privileges for the **Cases** and **((connectors-feature))** features as follows:
- To access cases, you need either the appropriate predefined Security user role or a custom role with the right privileges.
+
+
+
+ Give full access to manage cases and settings
+
+
+ * **All** for the **Cases** feature under **Security**
+ * **All** for the **((connectors-feature))** feature under **Management**
- You can create custom roles and define feature privileges at different levels to manage feature access in ((kib)). ((kib)) privileges grant access to features within a specified ((kib)) space, and you can grant full or partial access. For more information, refer to .
+
+ Roles without **All** privileges for the **((connectors-feature))** feature cannot create, add, delete, or modify case connectors.
-
- To send cases to external systems, you need the Security Analytics Complete .
-
-
-
- Certain feature tiers and roles might be required to manage case attachments. For example, to add alerts to cases, you must have a role that allows managing alerts.
-
-
- To grant access to cases in a custom role, set the privileges for the **Cases** and **((connectors-feature))** features as follows:
-
-
-
-
- Give full access to manage cases and settings
-
-
- * **All** for the **Cases** feature under **Security**
- * **All** for the **((connectors-feature))** feature under **Management**
-
-
- Roles without **All** privileges for the **((connectors-feature))** feature cannot create, add, delete, or modify case connectors.
-
- By default, **All** for the **Cases** feature allows you to delete cases, delete alerts and comments from cases, and edit case settings. You can customize the sub-feature privileges to limit feature access.
-
-
-
-
-
- Give assignee access to cases
-
-
- **All** for the **Cases** feature under **Security**
-
-
- Before a user can be assigned to a case, they must log into ((kib)) at least
- once, which creates a user profile.
-
-
-
-
- Give view-only access for cases
-
- **Read** for the **Security** feature and **All** for the **Cases** feature
-
-
- You can customize the sub-feature privileges to allow access to deleting cases, deleting alerts and comments from cases, and viewing or editing case settings.
-
-
-
-
- Revoke all access to cases
-
- **None** for the **Cases** feature under **Security**
-
-
-
-
+ By default, **All** for the **Cases** feature allows you to delete cases, delete alerts and comments from cases, and edit case settings. You can customize the sub-feature privileges to limit feature access.
+
+
+
+
+
+ Give assignee access to cases
+
+
+ **All** for the **Cases** feature under **Security**
+
+
+ Before a user can be assigned to a case, they must log into ((kib)) at least
+ once, which creates a user profile.
+
+
+
+
+ Give view-only access for cases
+
+ **Read** for the **Security** feature and **All** for the **Cases** feature
+
+
+ You can customize the sub-feature privileges to allow access to deleting cases, deleting alerts and comments from cases, and viewing or editing case settings.
+
+
+
+
+ Revoke all access to cases
+
+ **None** for the **Cases** feature under **Security**
+
+
+
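Review bot: Under **Give view-only access for cases**, the requirement reads "**Read** for the **Security** feature and **All** for the **Cases** feature", which is the same **Cases** level as the assignee row and reads as more than view-only. Confirm the level is intended, and if it is, add a sentence explaining why **All** on **Cases** still results in view-only access. The note that follows ("You can customize the sub-feature privileges to allow access to deleting cases ...") should then state whether those actions are off by default for this row, since the full-access row says **All** allows them by default. "To send cases to external systems, you need the Security Analytics Complete ." also ends without the noun or link it refers to.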
diff --git a/docs/serverless/rules/detections-permissions-section.mdx b/docs/serverless/rules/detections-permissions-section.mdx
index d16d62a054..9a4baf451d 100644
--- a/docs/serverless/rules/detections-permissions-section.mdx
+++ b/docs/serverless/rules/detections-permissions-section.mdx
@@ -19,121 +19,109 @@ configure value list
## Enable and access detections
-{/* TO-DO: Remove the DocIf conditionals once the feature is available in production. */}
-
-
- To use the Detections feature, it must be enabled and you must have the appropriate predefined Security user role to access rules and alerts. If your role doesn't have the privileges needed to enable this feature, you can request someone who has these privileges to visit your ((kib)) space, which will turn it on for you.
-
-
- For instructions about using ((ml)) jobs and rules, refer to Machine learning job and rule requirements.
-
-
-
-
- To use the Detections feature, it must be enabled and you must have either the appropriate predefined Security user role or a custom role with privileges to access rules and alerts. If your role doesn't have the privileges needed to enable this feature, you can request someone who has these privileges to visit your ((kib)) space, which will turn it on for you.
-
-
- For instructions about using ((ml)) jobs and rules, refer to Machine learning job and rule requirements.
-
-
- ### Custom role privileges
-
- The following table describes the required custom role privileges to access the Detections feature, including rules and alerts. For more information on ((kib)) privileges, refer to .
-
-
-
- Enable detections in your space
- `manage`
-
- `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:
-
- * `.alerts-security.alerts-`
- * `.lists-`
- * `.items-`
-
- `All` for the `Security` feature
-
-
-
- Enable detections in all spaces
-
- **NOTE:** To turn on detections, visit the Rules and Alerts pages for each space.
-
- `manage`
-
- `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:
-
- * `.alerts-security.alerts-`
- * `.lists-`
- * `.items-`
-
- `All` for the `Security` feature
-
-
- Preview rules
- N/A
-
- `read` for these indices:
-
- * `.preview.alerts-security.alerts-`
- * `.internal.preview.alerts-security.alerts--*`
-
- `All` for the `Security` feature
-
-
- Manage rules
- N/A
-
- `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:
-
- * `.alerts-security.alerts-`
- * `.items-`
-
-
- `All` for the `Security` feature
-
- **NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:
-
- * To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
-
- * To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don't need `Actions and Connectors` privileges.
-
-
-
-
- Manage alerts
-
- **NOTE**: Allows you to manage alerts, but not modify rules.
-
- N/A
-
- `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:
-
- * `.alerts-security.alerts-`
- * `.internal.alerts-security.alerts--*`
- * `.lists-`
- * `.items-`
-
- `Read` for the `Security` feature
-
-
-
- Create the `.lists` and `.items` data streams in your space
-
- **NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space.
-
- `manage`
-
- `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `` is the space name:
-
- * `.lists-`
- * `.items-`
-
- `All` for the `Security` and `Saved Objects Management` features
-
-
-
+To use the Detections feature, it must be enabled and you must have either the appropriate predefined Security user role or a custom role with privileges to access rules and alerts. If your role doesn't have the privileges needed to enable this feature, you can request someone who has these privileges to visit your ((kib)) space, which will turn it on for you.
+
+
+For instructions about using ((ml)) jobs and rules, refer to Machine learning job and rule requirements.
+
+
+### Custom role privileges
+
+The following table describes the required custom role privileges to access the Detections feature, including rules and alerts. For more information on ((kib)) privileges, refer to .
+
+
+
+ Enable detections in your space
+ `manage`
+
+ `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:
+
+ * `.alerts-security.alerts-`
+ * `.lists-`
+ * `.items-`
+
+ `All` for the `Security` feature
+
+
+
+ Enable detections in all spaces
+
+ **NOTE:** To turn on detections, visit the Rules and Alerts pages for each space.
+
+ `manage`
+
+ `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:
+
+ * `.alerts-security.alerts-`
+ * `.lists-`
+ * `.items-`
+
+ `All` for the `Security` feature
+
+
+ Preview rules
+ N/A
+
+ `read` for these indices:
+
+ * `.preview.alerts-security.alerts-`
+ * `.internal.preview.alerts-security.alerts--*`
+
+ `All` for the `Security` feature
+
+
+ Manage rules
+ N/A
+
+ `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:
+
+ * `.alerts-security.alerts-`
+ * `.items-`
+
+
+ `All` for the `Security` feature
+
+ **NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:
+
+ * To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
+
+ * To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don't need `Actions and Connectors` privileges.
+
+
+
+
+ Manage alerts
+
+ **NOTE**: Allows you to manage alerts, but not modify rules.
+
+ N/A
+
+ `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:
+
+ * `.alerts-security.alerts-`
+ * `.internal.alerts-security.alerts--*`
+ * `.lists-`
+ * `.items-`
+
+ `Read` for the `Security` feature
+
+
+
+ Create the `.lists` and `.items` data streams in your space
+
+ **NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space.
+
+ `manage`
+
+ `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `` is the space name:
+
+ * `.lists-`
+ * `.items-`
+
+ `All` for the `Security` and `Saved Objects Management` features
+
+
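Review bot: Every index and data stream name in the table ends in a bare hyphen (`.alerts-security.alerts-`, `.lists-`, `.items-`) and the explanatory text reads "where `` is the space name", so the space placeholder is empty in the added lines. Restore a named placeholder in both the sentence and the index names; as written, the per-space row and the all-spaces row list the same three names and a reader cannot tell the patterns apart. The **Manage rules** row lists `.alerts-security.alerts-` and `.items-` but not `.lists-`, unlike the enable and manage-alerts rows; confirm that is intended. The feature is also named both `Action and Connectors` and `Actions and Connectors` within the same note, and "`Read` privileges allow ... but does not allow" should read "do not allow".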
diff --git a/docs/serverless/sec-requirements.mdx b/docs/serverless/sec-requirements.mdx
index 36d55bfe46..9245321622 100644
--- a/docs/serverless/sec-requirements.mdx
+++ b/docs/serverless/sec-requirements.mdx
@@ -9,25 +9,21 @@ tags: [ 'serverless', 'security', 'how-to','manage' ]
The [Support Matrix](https://www.elastic.co/support/matrix) page lists officially
supported operating systems, platforms, and browsers on which components such as ((beats)), ((agent)), ((elastic-defend)), and ((elastic-endpoint)) have been tested.
-{/* TO-DO: Remove the DocIf conditionals once the feature is available in production. */}
+## Space and index privileges
-
- ## Space and index privileges
+Provide access to ((elastic-sec)) by assigning a user the appropriate predefined user role or a custom role with specific privileges.
- Provide access to ((elastic-sec)) by assigning a user the appropriate predefined user role or a custom role with specific privileges.
+To use ((elastic-sec)), your role must have at least:
- To use ((elastic-sec)), your role must have at least:
+* `Read` privilege for the `Security` feature in the [space](((kibana-ref))/xpack-spaces.html). This grants you `Read` access to all features in ((elastic-sec)) except cases. You need additional minimum privileges to use cases.
+* `Read` and `view_index_metadata` privileges for all ((elastic-sec)) indices, such as
+`filebeat-*`, `packetbeat-*`, `logs-*`, and `endgame-*` indices.
- * `Read` privilege for the `Security` feature in the [space](((kibana-ref))/xpack-spaces.html). This grants you `Read` access to all features in ((elastic-sec)) except cases. You need additional minimum privileges to use cases.
- * `Read` and `view_index_metadata` privileges for all ((elastic-sec)) indices, such as
- `filebeat-*`, `packetbeat-*`, `logs-*`, and `endgame-*` indices.
-
-
- describes how to modify ((elastic-sec)) indices.
-
+
+ describes how to modify ((elastic-sec)) indices.
+
- For more information about index privileges, refer to [((es)) security privileges](((ref))/security-privileges.html).
-
+For more information about index privileges, refer to [((es)) security privileges](((ref))/security-privileges.html).
## Feature-specific requirements
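Review bot: In the second added bullet, `Read` and `view_index_metadata` are given as index privileges, but the index privilege is lowercase `read` (as the detections page in this patch writes it), while the capitalised `Read` on the bullet above is the feature privilege. Change it to `read` so the two kinds of privilege are not confused. After the dedent, the continuation line starting with `filebeat-*` sits at column 0; indent it under the bullet so it clearly stays part of the list item, and check that "describes how to modify ((elastic-sec)) indices." still has its subject, since the added line starts with the verb.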