[Security][9.4 & Serverless][RBAC] Ability to grant access to alerts (#5538)

nastasha-solomon · rylnd · web-flow · commit 6c866ec4d2a2 · 2026-04-03T16:55:14.000-04:00
## Summary  Fixes elastic/docs-content-internal#796. ### Preview - [Detections privileges | Manage alerts](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5538/solutions/security/detect-and-alert/detections-privileges#manage-alerts): Doc's what's needed to manage alerts in Serverless/9.4, and previous releases. - [Entity risk scoring](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5538/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements#_entity_risk_scoring) - Updated custom stack roles privs to show access needed to view alert risk contributions in entity details. Need to know which predefined roles provide this access. - [View the Privileged user monitoring dashboard](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5538/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements#privmon_privs) - Updated privs for viewing the **Privileged user monitoring** dashboard. - [Attack discovery](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5538/solutions/security/ai/attack-discovery#attack-discovery-rbac) - Added a new tab for privs needed to access Attack discovery alerts. - [Cases](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/5538/explore-analyze/cases/control-case-access#give-alerts-access) - Updated privs for adding alerts to cases. ## Generative AI disclosure  1. Did you use a generative AI (GenAI) tool to assist in creating this contribution? - [x] Yes - [ ] No  Cursor + Auto mode --------- Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
diff --git a/explore-analyze/cases/control-case-access.md b/explore-analyze/cases/control-case-access.md
@@ -108,14 +108,16 @@ Users must log in to their deployment at least once before they can be assigned
 
 ::::{applies-switch} 
 
-:::{applies-item} stack: ga
+:::{applies-item} { stack: ga 9.4+, serverless: ga }
 
-* `All` for the **Cases** feature under the appropriate solution (**Security** or **{{observability}}**). 
-* `Read` for a solution that has alerts (for example, **{{observability}}** or **Security**).
+* `All` for the **Cases** feature under the appropriate solution (**Security** or **{{observability}}**).
+* To work with alerts in cases:
+  - **Security**: `Read` or `All` for the **Security > Alerts** feature. For what each level allows, refer to [Detections privileges](/solutions/security/detect-and-alert/detections-privileges.md#manage-alerts).
+  - **{{observability}}**: `Read` for **{{observability}}** 
 
 :::
 
-:::{applies-item} serverless: ga
+:::{applies-item} stack: ga 9.0-9.3
 
 * `All` for the **Cases** feature under the appropriate solution (**Security** or **{{observability}}**).
 * `Read` for a solution that has alerts (for example, **{{observability}}** or **Security**).
diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md
@@ -35,6 +35,7 @@ To install or run the risk scoring engine, you need the following:
 | --- | --- | --- | --- |
 | Install the risk engine | `manage_index_templates`<br> `manage_transform`<br> `manage_ingest_pipelines` | `All` for `risk-score.risk-score-*` | **Read** for the **Security** feature |
 | Run the risk engine | `manage_transform` | N/A | **Read** for the **Security** feature |
+| {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` View alert risk contributions in entity details | N/A | N/A | **Read** for the **Security > Alerts** feature |
 
 
 ### Predefined roles [ers_roles]
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
@@ -24,21 +24,31 @@ To use this feature, you need:
 
 ## Privileges [privmon_privs]
 
+:::{table}
+:widths: 2-6-4
+
 | Action | Index Privileges | Kibana Privileges |
 | ------ | ---------------- | ----------------- |
-| Enable the privileged user monitoring feature | N/A | **All** for the **Security** feature |
-| View the Privileged user monitoring dashboard | `Read` for the following indices:<br> - `.entity_analytics.monitoring.users-<space-id>`<br> - `risk-score.risk-score-*`<br> - `.alerts-security.alerts-<space-id>`<br> -  `.ml-anomalies-shared`<br> - Security data view indices | **Read** for the **Security** feature |
+| Enable privileged user monitoring | N/A | **All** for the **Security** feature |
+| View Privileged user monitoring dashboard | `Read` for the following indices:<br> - `.entity_analytics.monitoring.users-<space-id>`<br> - `risk-score.risk-score-*`<br> - `.alerts-security.alerts-<space-id>`<br> -  `.ml-anomalies-shared`<br> - Security data view indices | {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` **Read** for the **Security** feature and at least **Read** for the **Alerts** feature to view detection alert data on the dashboard. <br><br>{applies_to}`stack: ga =9.3` **Read** for the **Security** feature |
+
+:::
 
 ## Predefined roles [privmon_roles]
 ```yaml {applies_to}
 serverless: 
 ```
 
+:::{table}
+:widths: 4-8
+
 | Action | Predefined role |
 | --- | --- |
 | Enable privileged user monitoring | - Platform engineer<br>- Admin |
 | View the Privileged user monitoring dashboard | - Tier 1 analyst<br>- Tier 2 analyst<br>- Tier 3 analyst<br>- Rule author<br>- SOC manager<br>- Platform engineer<br>- Detections admin<br>- Admin |
 
+:::
+
 ## Known limitations
 
 * Currently, none of the privileged user monitoring visualizations support [cross-cluster search](/explore-analyze/cross-cluster-search.md) as part of the data that they query from. 
diff --git a/solutions/security/ai/attack-discovery.md b/solutions/security/ai/attack-discovery.md
@@ -26,11 +26,30 @@ To use Attack Discovery, your role needs specific privileges.
 
 ::::{applies-switch}
 
-:::{applies-item} { "stack": "ga 9.3+", "serverless": "ga" }
+:::{applies-item} { "stack": "ga 9.4+", "serverless": "ga" }
 
 Ensure your role has:
 
-* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack discovery** {{kib}} feature and at least `Read` privileges for the **Security > Rules** {{kib}} feature.
+* Minimum [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for these **Security** features:
+
+  - `All` for **Attack discovery**
+  - At least `Read` for **Rules**
+  - At least `Read` for **Alerts**
+
+* The appropriate [index privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md#adding_index_privileges), based on what you want to do with Attack Discovery alerts:
+
+| Action | Indices | {{es}} privileges |
+|---------|---------|--------------------------|
+| Read Attack Discovery alerts | - `.alerts-security.attack.discovery.alerts-<space-id>`<br>- `.internal.alerts-security.attack.discovery.alerts-<space-id>`<br> - `.adhoc.alerts-security.attack.discovery.alerts-<space-id>`<br>- `.internal.adhoc.alerts-security.attack.discovery.alerts-<space-id>`| `read` and `view_index_metadata` |
+| Read and modify Attack Discovery alerts. This includes:<br>- Generating discovery alerts manually<br>- Generating discovery alerts using schedules<br>- Sharing manually created alerts with other users<br>- Updating a discovery's status |- `.alerts-security.attack.discovery.alerts-<space-id>`<br>- `.internal.alerts-security.attack.discovery.alerts-<space-id>`<br>- `.adhoc.alerts-security.attack.discovery.alerts-<space-id>`<br>- `.internal.adhoc.alerts-security.attack.discovery.alerts-<space-id>`| `read`, `view_index_metadata`, `write`, and `maintenance`|
+
+:::
+
+:::{applies-item} { "stack": "ga 9.3"}
+
+Ensure your role has:
+
+* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack discovery** {{kib}} feature and at least `Read` privileges for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature.
 
     ![attack-discovery-rules-rbac](/solutions/images/attack-discovery-rules-rbac.png "elasticsearch =60%x60%")
 
@@ -49,7 +68,7 @@ Ensure your role has:
 
 * `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack discovery** {{kib}} feature and at least `Read` privileges for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature.
 
-    ![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png)
+    ![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png "elasticsearch =60%x60%")
 
 * The appropriate [index privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md#adding_index_privileges), based on what you want to do with Attack Discovery alerts:
 
@@ -64,7 +83,7 @@ Ensure your role has:
 
 Ensure your role has `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack discovery** {{kib}} feature.
 
-![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png)
+![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png "elasticsearch =60%x60%")
 
 :::
 
@@ -82,7 +101,8 @@ In {{stack}} 9.0.0, the **Run** button is called **Generate**.
 
 ::::{image} /solutions/images/security-attack-discovery-settings.png
 :alt: Attack Discovery's settings menu
-:width: 500px
+:screenshot:
+:width: 60%
 ::::
 
 You can select which alerts Attack Discovery will process by filtering based on a KQL query, the time and date selector, and the **Number of alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error. Under **Alert summary** you can view a summary of the selected alerts grouped by various fields, and under **Alerts preview** you can see more details about the selected alerts.
@@ -115,6 +135,8 @@ You’ll need to select an LLM connector before you can analyze alerts. To get s
 
     :::{image} /solutions/images/security-attck-disc-select-model-empty.png
     :alt: attck disc select model empty
+    :screenshot:
+    :width: 60%
     :::
 
 3. Once you’ve selected a connector, do one of the following to start the analysis:
@@ -138,6 +160,8 @@ Each discovery includes the following information describing the potential threa
 
 :::{image} /solutions/images/security-attck-disc-example-disc.png
 :alt: Attack Discovery detail view
+:screenshot:
+:width: 60%
 :::
 
 
@@ -153,6 +177,7 @@ There are several ways you can incorporate discoveries into your {{elastic-sec}}
 
 :::{image} /solutions/images/security-add-discovery-to-assistant.gif
 :alt: Attack Discovery view in AI Assistant
+:width: 60%
 :::
 
 ## Schedule discoveries
diff --git a/solutions/security/detect-and-alert/detections-privileges.md b/solutions/security/detect-and-alert/detections-privileges.md
@@ -2,9 +2,9 @@
 mapped_pages:
   - https://www.elastic.co/guide/en/security/current/detections-permissions-section.html
 applies_to:
-  stack: ga all
+  stack: ga
   serverless:
-    security: ga all
+    security: ga
 products:
   - id: security
   - id: cloud-serverless
@@ -15,9 +15,9 @@ description: Find privilege requirements, predefined roles, and the authorizatio
 
 Learn about the access requirements for detection features, including:
 
-- **Privilege requirements**: Cluster, index, and {{kib}} privileges that your role needs to enable detections, manage rules, and more
-- **Predefined {{serverless-full}}  roles**: {{serverless-short}} roles with detection privileges
-- **Authorization model**: How rules inherit privileges from their last editor via API keys
+- **Privilege requirements**: Cluster, index, and {{kib}} privileges that your role needs to enable detections, manage rules, view and edit alerts, and more
+- **Predefined {{serverless-full}} roles**: {{serverless-short}} roles with detection privileges
+- **Authorization model**: How rules inherit privileges from their last editor using API keys
 
 For instructions on turning on the detections feature, refer to [Turn on detections](/solutions/security/detect-and-alert/turn-on-detections.md).
 
@@ -27,7 +27,14 @@ Rules run in the background using the privileges of the user who last edited the
 
 ## About index privileges
 
-When creating custom roles for detection features, you'll need to grant access to system indices that include your space ID (`<space-id>`). For example, the default space uses `.alerts-security.alerts-default`. Refer to the following details to understand which system indices your role might require access to. 
+When creating custom roles for detection features, you'll need to grant access to system indices that include your space ID (`<space-id>`). For example, the default space uses `.alerts-security.alerts-default`. Refer to the following details to understand which system indices your role might require access to.
+
+{applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` You can give a role access to alerts only, rules only, or both.
+
+:::{admonition} Role access to rules and alerts in 9.4
+:applies_to: {"stack": "ga 9.4+", "serverless": "ga"}
+Starting in {{stack}} 9.4, new custom roles require explicit **Rules and Exceptions** and **Alerts** privileges. Earlier releases sometimes granted alert-related access indirectly through broader **Security** privileges or the **Rules, Alerts, and Exceptions** feature. Review custom roles after an upgrade to confirm each role still has the intended access to alerts.
+:::
 
 :::::{tab-set}
 
@@ -56,7 +63,8 @@ Index privileges
     - `.items-<space-id>`
 
 {{kib}} privileges
-:   - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga` `All` for the `Rules, Alerts, and Exceptions` feature
+:   - {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` `All` for the `Rules and Exceptions` feature and `All` for the `Alerts` feature
+    - {applies_to}`stack: ga =9.3` {applies_to}`serverless: ga` `All` for the `Rules, Alerts, and Exceptions` feature
     - {applies_to}`stack: ga 9.0-9.2` `All` for the `Security` feature
 
 ## Preview rules
@@ -70,7 +78,8 @@ Index privileges
     - `.internal.preview.alerts-security.alerts-<space-id>-*`
 
 {{kib}} privileges
-:   - {applies_to}`stack: ga 9.3+` {applies_to}`serverless: ga` `All` for the `Rules, Alerts, and Exceptions` feature
+:   - {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` `All` for the `Rules and Exceptions` feature and `All` for the `Alerts` feature
+    - {applies_to}`stack: ga =9.3` {applies_to}`serverless: ga` `All` for the `Rules, Alerts, and Exceptions` feature
     - {applies_to}`stack: ga 9.0-9.2` `All` for the `Security` feature
 
 ## Manage rules
@@ -86,11 +95,12 @@ Index privileges
     - `.items-<space-id>`
 
 {{kib}} privileges
-:   - {applies_to}`stack: ga 9.3+` {applies_to}`serverless: ga` `All` for the `Rules, Alerts, and Exceptions` feature
+:   - {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` `All` for the `Rules and Exceptions` feature and `All` for the `Alerts` feature
+    - {applies_to}`stack: ga =9.3` {applies_to}`serverless: ga` `All` for the `Rules, Alerts, and Exceptions` feature
     - {applies_to}`stack: ga 9.0-9.2` `All` for the `Security` feature
 
 ::::{note}
-To manage rules with actions and connectors, you need additional privileges for the `Actions and Connectors` feature (`Management`> `Actions and Connectors`):
+To manage rules with actions and connectors, you need additional privileges for the `Actions and Connectors` feature (`Management` > `Actions and Connectors`):
 
 - `All`: Provides full access to rule actions and connectors.
 - `Read`: Allows you to edit rule actions and use existing connectors, but you cannot create new connectors.
@@ -114,15 +124,11 @@ Index privileges
     - `.items-<space-id>`
 
 {{kib}} privileges
-:   - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga` `All` for the `Rules, Alerts, and Exceptions` feature
+:   - {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` `Read` for `Alerts`: View alerts, open alert flyouts, and view alert tables on pages and dashboards with alert-related flows.
+    - {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` `All` for `Alerts`: Everything that `Read` provides, plus changing alert status, setting assignees, setting tags, and bulk actions on alerts.
+    - {applies_to}`stack: ga 9.3` `All` for the `Rules, Alerts, and Exceptions` feature to view alert management flows
     - {applies_to}`stack: ga 9.0-9.2` `All` for the `Security` feature
 
-::::{note}
-Alerts are managed through {{es}} index privileges. To view alert management flows, you need at least `Read` for the `Rules, Alerts, and Exceptions` feature.
-
-Before a user can be assigned to a case, they must log into {{kib}} at least once to create a user profile.
-::::
-
 ## Manage exceptions
 
 Cluster privileges
@@ -132,7 +138,7 @@ Index privileges
 :   None
 
 {{kib}} privileges
-:   - {applies_to}`stack: ga 9.4` {applies_to}`serverless: ga` At least `Read` for the `Rules, Alerts, and Exceptions` feature and **Manage Exceptions** selected for the `Exceptions` sub-feature
+:   - {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` At least `Read` for the `Rules and Exceptions` feature and **Manage Exceptions** selected for the `Exceptions` sub-feature
     - {applies_to}`stack: ga =9.3` `All` for the `Rules, Alerts, and Exceptions` feature
     - {applies_to}`stack: ga 9.0-9.2` `All` for the `Security` feature
 
@@ -147,11 +153,12 @@ Index privileges
     - `.items-<space-id>`
 
 {{kib}} privileges
-:   - {applies_to}`stack: ga 9.3` {applies_to}`serverless: ga` `All` for the `Rules, Alerts, and Exceptions` feature
+:   - {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` `All` for the `Rules and Exceptions` feature and `All` for the `Alerts` feature
+    - {applies_to}`stack: ga =9.3` {applies_to}`serverless: ga` `All` for the `Rules, Alerts, and Exceptions` feature
     - {applies_to}`stack: ga 9.0-9.2` `All` for the `Security` feature
 
 ::::{important}
-To create the `.lists` and `.items` data streams in your space, visit the **Rules** page for each appropriate space. 
+To create the `.lists` and `.items` data streams in your space, visit the **Rules** page for each appropriate space.
 ::::
 
 
@@ -167,6 +174,8 @@ serverless: ga
 | --- | --- |
 | Manage rules | Threat Intelligence Analyst, Tier 3 Analyst, Detections Eng, SOC Manager, Endpoint Policy Manager, Platform Engineer, Editor |
 | View rules (read only) | Tier 1 Analyst, Tier 2 Analyst, Viewer, Endpoint Operations Analyst |
+| View alerts and entity risk scoring (read only) | Viewer, Editor, Tier 1 Analyst, Tier 2 Analyst, Tier 3 Analyst, Threat Intelligence Analyst, Rule author, SOC Manager, Detections Eng, Platform Engineer, Endpoint Operations Analyst, Endpoint Policy Manager |
 | Manage alerts | All roles except Viewer |
 | Manage exceptions and value lists | Threat Intelligence Analyst, Tier 3 Analyst, Detections Eng, SOC Manager, Endpoint Policy Manager, Platform Engineer, Editor |
 | View exceptions and value lists (read only) | Tier 1 Analyst, Tier 2 Analyst, Viewer, Endpoint Operations Analyst |
+
