elastic · rylnd · Mar 25, 2026 · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025
@@ -49,11 +49,11 @@ export function SecuritySolutionApiProvider({ getService }: FtrProviderContext)
 
   return {
     ...securitySolutionApiServiceFactory(supertestService),
-    withUser: (user: { username: string; password: string }) => {
+    withUser: (user: { username: string; password?: string }) => {
       const kbnUrl = formatUrl({ ...config.get('servers.kibana'), auth: false });
 
       return securitySolutionApiServiceFactory(
-        supertest_.agent(kbnUrl).auth(user.username, user.password)
+        supertest_.agent(kbnUrl).auth(user.username, user.password ?? 'changeme')
       );
     },
   };

@@ -26,8 +26,8 @@ export const THRESHOLD_RULE_TYPE_ID = `${RULE_TYPE_PREFIX}.thresholdRule` as con
 export const NEW_TERMS_RULE_TYPE_ID = `${RULE_TYPE_PREFIX}.newTermsRule` as const;
 
 export const SECURITY_SOLUTION_RULE_TYPE_IDS = [
-  EQL_RULE_TYPE_ID,
   ESQL_RULE_TYPE_ID,
+  EQL_RULE_TYPE_ID,
   INDICATOR_RULE_TYPE_ID,
   ML_RULE_TYPE_ID,
   QUERY_RULE_TYPE_ID,

@@ -239,7 +239,10 @@ export const useGetToolbarVisibility = ({
   const defaultVisibility = useGetDefaultVisibility(defaultVisibilityProps);
   const options = useMemo(() => {
     const isBulkActionsActive =
-      selectedRowsCount === 0 || selectedRowsCount === undefined || bulkActions.length === 0;
+      selectedRowsCount === 0 ||
+      selectedRowsCount === undefined ||
+      bulkActions.length === 0 ||
+      !bulkActions.some((panel) => panel.items?.length);
 
     if (isBulkActionsActive) {
       return {

diff --git a/x-pack/platform/plugins/private/translations/translations/de-DE.json b/x-pack/platform/plugins/private/translations/translations/de-DE.json
@@ -36169,7 +36169,6 @@
     "xpack.securitySolution.flyout.entityDetails.riskInputs": "Risikobeiträge anzeigen",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.addToExistingCase": "Zu einem bestehenden Fall hinzufügen",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.addToNewCase": "Zu einem neuen Fall hinzufügen",
-    "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.addToNewTimeline": "Zur neuen Zeitleiste hinzufügen",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.ariaLabel": "Aktionen",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.title": "Risikoeingang: {description}",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.titleDescription": "{quantity} ausgewählt",

diff --git a/x-pack/platform/plugins/private/translations/translations/fr-FR.json b/x-pack/platform/plugins/private/translations/translations/fr-FR.json
@@ -36547,7 +36547,6 @@
     "xpack.securitySolution.flyout.entityDetails.riskInputs": "Voir les contributions au risque",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.addToExistingCase": "Ajouter à un cas existant",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.addToNewCase": "Ajouter au nouveau cas",
-    "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.addToNewTimeline": "Ajouter une nouvelle chronologie",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.ariaLabel": "Actions",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.title": "Entrée des risques : {description}",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.titleDescription": "{quantity} sélectionnée",

diff --git a/x-pack/platform/plugins/private/translations/translations/ja-JP.json b/x-pack/platform/plugins/private/translations/translations/ja-JP.json
@@ -36602,7 +36602,6 @@
     "xpack.securitySolution.flyout.entityDetails.riskInputs": "リスク寄与を表示",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.addToExistingCase": "既存のケースに追加",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.addToNewCase": "新しいケースに追加",
-    "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.addToNewTimeline": "新規タイムラインに追加",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.ariaLabel": "アクション",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.title": "リスクインプット：{description}",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.titleDescription": "{quantity}選択済み",

diff --git a/x-pack/platform/plugins/private/translations/translations/zh-CN.json b/x-pack/platform/plugins/private/translations/translations/zh-CN.json
@@ -36582,7 +36582,6 @@
     "xpack.securitySolution.flyout.entityDetails.riskInputs": "查看风险贡献",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.addToExistingCase": "添加到现有案例",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.addToNewCase": "添加到新案例",
-    "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.addToNewTimeline": "添加到新时间线",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.ariaLabel": "操作",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.title": "风险输入：{description}",
     "xpack.securitySolution.flyout.entityDetails.riskInputs.actions.titleDescription": "{quantity} 个已选定",

@@ -142,7 +142,8 @@ export default function ({ getService }: FtrProviderContext) {
             'securitySolutionCasesV3',
             'securitySolutionTimeline',
             'securitySolutionNotes',
-            'securitySolutionRulesV2',
+            'securitySolutionRulesV3',
+            'securitySolutionAlertsV1',
             'securitySolutionSiemMigrations',
             'workflowsManagement',
             'fleet',

@@ -351,6 +351,14 @@ export default function ({ getService }: FtrProviderContext) {
         'minimal_read',
         'security_solution_exceptions_all',
       ],
+      securitySolutionRulesV3: [
+        'all',
+        'read',
+        'minimal_all',
+        'minimal_read',
+        'security_solution_exceptions_all',
+      ],
+      securitySolutionAlertsV1: ['all', 'read', 'minimal_all', 'minimal_read'],
       infrastructure: ['all', 'read', 'minimal_all', 'minimal_read'],
       logs: ['all', 'read', 'minimal_all', 'minimal_read'],
       dataQuality: ['all', 'read', 'minimal_all', 'minimal_read', 'manage_rules', 'manage_alerts'],

@@ -63,6 +63,8 @@ export default function ({ getService }: FtrProviderContext) {
             siemV5: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionRulesV1: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionRulesV2: ['all', 'read', 'minimal_all', 'minimal_read'],
+            securitySolutionRulesV3: ['all', 'read', 'minimal_all', 'minimal_read'],
+            securitySolutionAlertsV1: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionAssistant: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionAttackDiscovery: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionCases: ['all', 'read', 'minimal_all', 'minimal_read'],
@@ -420,6 +422,14 @@ export default function ({ getService }: FtrProviderContext) {
               'minimal_read',
               'security_solution_exceptions_all',
             ],
+            securitySolutionRulesV3: [
+              'all',
+              'read',
+              'minimal_all',
+              'minimal_read',
+              'security_solution_exceptions_all',
+            ],
+            securitySolutionAlertsV1: ['all', 'read', 'minimal_all', 'minimal_read'],
             securitySolutionAssistant: [
               'all',
               'read',

@@ -64,6 +64,20 @@ function getUserCredentials(username: string) {
   return `Basic ${Buffer.from(`${username}:changeme`).toString('base64')}`;
 }
 
+const deprecatedApiActions: Record<string, Set<string>> = {
+  'api:alerts-signal-update-deprecated-privilege': new Set([
+    'siem',
+    'siemV2',
+    'siemV3',
+    'siemV4',
+    'securitySolutionRulesV1',
+    'securitySolutionRulesV2',
+  ]),
+};
+
+const isDeprecatedApiAction = ({ featureId, action }: { featureId: string; action: string }) =>
+  deprecatedApiActions[action]?.has(featureId) ?? false;
+
 export default function ({ getService }: FtrProviderContext) {
   describe('deprecated features', function () {
     const supertest = getService('supertest');
@@ -190,6 +204,7 @@ export default function ({ getService }: FtrProviderContext) {
           "securitySolutionCases",
           "securitySolutionCasesV2",
           "securitySolutionRulesV1",
+          "securitySolutionRulesV2",
           "siem",
           "siemV2",
           "siemV3",
@@ -224,6 +239,8 @@ export default function ({ getService }: FtrProviderContext) {
         'siemV2',
         'siemV3',
         'siemV4',
+        'securitySolutionRulesV1',
+        'securitySolutionRulesV2',
       ]);
       for (const feature of features) {
         if (
@@ -321,6 +338,7 @@ export default function ({ getService }: FtrProviderContext) {
           for (const deprecatedAction of deprecatedActions) {
             if (
               isReplaceableAction(deprecatedAction) &&
+              !isDeprecatedApiAction({ featureId: feature.id, action: deprecatedAction }) &&
               !replacementActions.delete(deprecatedAction)
             ) {
               throw new Error(

@@ -88,11 +88,12 @@ export function createTestSuiteFactory({ getService }: DeploymentAgnosticFtrProv
         'infrastructure',
         'logs',
         'observabilityCasesV3',
+        'securitySolutionAlertsV1',
         'securitySolutionAssistant',
         'securitySolutionAttackDiscovery',
         'securitySolutionCasesV3',
         'securitySolutionNotes',
-        'securitySolutionRulesV2',
+        'securitySolutionRulesV3',
         'securitySolutionSiemMigrations',
         'securitySolutionTimeline',
         'siemV5',

@@ -90,11 +90,12 @@ export function getTestSuiteFactory(context: DeploymentAgnosticFtrProviderContex
             'infrastructure',
             'logs',
             'observabilityCasesV3',
+            'securitySolutionAlertsV1',
             'securitySolutionAssistant',
             'securitySolutionAttackDiscovery',
             'securitySolutionCasesV3',
             'securitySolutionNotes',
-            'securitySolutionRulesV2',
+            'securitySolutionRulesV3',
             'securitySolutionSiemMigrations',
             'securitySolutionTimeline',
             'siemV5',

@@ -80,11 +80,12 @@ const ALL_SPACE_RESULTS: Space[] = [
       'infrastructure',
       'logs',
       'observabilityCasesV3',
+      'securitySolutionAlertsV1',
       'securitySolutionAssistant',
       'securitySolutionAttackDiscovery',
       'securitySolutionCasesV3',
       'securitySolutionNotes',
-      'securitySolutionRulesV2',
+      'securitySolutionRulesV3',
       'securitySolutionSiemMigrations',
       'securitySolutionTimeline',
       'siemV5',

@@ -102,6 +102,8 @@ export default function ({ getService }: FtrProviderContext) {
         siemV5: 0,
         securitySolutionRulesV1: 0,
         securitySolutionRulesV2: 0,
+        securitySolutionRulesV3: 0,
+        securitySolutionAlertsV1: 0,
         securitySolutionCases: 0,
         securitySolutionCasesV2: 0,
         securitySolutionCasesV3: 0,

@@ -1,4 +1,84 @@
-## Security Solution App Features
+# Security Solution Kibana features
 
-This package provides resources to be used for Security Solution app features
+This package (`@kbn/security-solution-features`) defines **Kibana feature registry** entries used by Elastic Security: base feature metadata, **privileges** (UI, API, saved objects, alerting), **sub-features** where applicable, and **product-feature** overlays that turn specific product capabilities on or off.
 
+---
+
+## Security
+
+**Feature id:** `siemV5` (`SECURITY_FEATURE_ID_V5`)
+
+**Display name:** Security
+
+**Role:** Controls access to the main Security Solution experience and related apps. It is the umbrella feature for navigating and using Security, including integration with **Cloud Security Posture** (`csp`) and **Defend for containers** (`cloudDefend`) apps where configured.
+
+**Base privileges**
+
+- **`all` / `read`:** Gate the Security Solution catalogue entry and apps (`securitySolution`, CSP, Cloud Defend, `kibana`).
+- **UI:** `show` (read path) and `crud` (all path) map to broad Security UI capabilities.
+- **API:** Core Security APIs, RAC (`rac`), list APIs (`lists-*`), user read, and `initialize-security-solution`.
+- **Saved objects:** Read/write patterns depend on the privilege level and the saved-object types passed in at registration time; the `all` privilege includes the `alert` saved object type plus Security-related types from parameters.
+
+**Sub-features (v5):** Security is built as a **sub-feature–first** feature. The registry description states that **each sub-feature privilege must be assigned individually** when your pricing plan supports granular privileges; global assignment is only used when the plan does not allow per–sub-feature control.
+
+Sub-features include (non-exhaustive): endpoint host list and workflow insights, SOC management, global artifact management, trusted applications and devices, host isolation exceptions, blocklist, event filters, endpoint exceptions, policy and scripts management, response-actions history, host isolation, process/file operations, execute/scan actions, and related Endpoint capabilities. Some entries are gated by experimental feature flags.
+
+**Product features:** Additional keys in `ProductFeatureSecurityKey` (see `src/product_features_keys.ts` and `src/security/product_feature_config.ts`) layer **extra UI/API privileges** onto Security when those product capabilities are enabled—for example advanced insights, detections-related UI, threat intelligence, investigation guides, and Endpoint-specific behaviors.
+
+**Versioning:** Older Security feature ids (`siem`, `siemV2`–`siemV4`) exist for backward compatibility and migration; current work targets **`siemV5`**.
+
+---
+
+## Rules
+
+**Feature id (current):** `securitySolutionRulesV3` (`RULES_FEATURE_ID_V3`, `RULES_FEATURE_LATEST`)
+
+**Display name:** Rules and Exceptions
+
+**Role:** Governs **creation, editing, and management of Security detection rules** and related **exception lists**, separate from the **Alerts** feature. It wires Security Solution rule types into Kibana **alerting** (rule-level privileges: create, enable, manual run, manage settings, read) and grants access to the **Stack Management → Rules** area (`insightsAndAlerting` / `triggersActions`).
+
+**Apps / catalogue:** Uses the `securitySolutionRules` app and the Security Solution catalogue id.
+
+**Base privileges**
+
+- **`all`:** Full rule and list APIs (`rules-*`, `lists-*`), user read, RAC, initialization; saved-object access for rule-related types (with exceptions for namespace-aware exception lists as defined in code).
+- **`read`:** Read-only rule and list access, read exceptions API, and read-only alerting rule privileges.
+
+**Sub-features (v3):** **Exceptions** (`RulesSubFeatureId.exceptions`) is registered as a sub-feature so exception-list access can be granted with **minimal** privilege combinations alongside base Rules privileges.
+
+**Product features:** `ProductFeatureRulesKey` entries (for example `detections`, `externalDetections`) add targeted UI/API privileges—such as CSP-related APIs for detections—when those product slices are enabled. See `src/rules/product_feature_config.ts`.
+
+**Older versions**
+
+- **`securitySolutionRulesV1`:** Original combined rules feature.
+- **`securitySolutionRulesV2`:** Deprecated; display name was “Rules, Alerts, and Exceptions.” Privileges were split so that **`securitySolutionRulesV3` + `securitySolutionAlertsV1`** replace the older combined model (`replacedBy` mappings in the v2 config).
+
+---
+
+## Alerts
+
+**Feature id:** `securitySolutionAlertsV1` (`ALERTS_FEATURE_ID`)
+
+**Display name:** Alerts
+
+**Role:** Controls access to **alert documents** for Security detection and legacy notification rule types: viewing and updating alerts (status, assignment, tags, and so on), without bundling full **rule authoring** into the same feature. Alerting **alert** privileges (not rule management) are scoped to the same rule type ids as Rules (including `siem.notifications` where applicable).
+
+**Apps:** Uses `securitySolutionAlertsV1`, `kibana`, and `securitySolution` app ids so the Alerts surface can be authorized independently of Rules.
+
+**Base privileges**
+
+- **`all`:** `read_alerts` and `edit_alerts` UI capabilities; `alerts-read` / `alerts-all` APIs; RAC; user read; read access to **data views** (`index-pattern`) for querying alerts.
+- **`read`:** Read-only alerts UI and APIs, read-only alerting alert privileges.
+
+**Product features:** `ProductFeatureAlertsKey` entries (`detections`, `externalDetections`) add UI flags such as `detections` / `external_detections` and optional APIs (for example `bulkGetUserProfiles` for detections on `all`). See `src/alerts/product_feature_config.ts`.
+
+**Compatibility:** Deprecated privilege strings (`alerts-signal-update-deprecated-privilege`, `edit_alerts-update-deprecated-privilege`) exist so older role assignments that implied alert updates under read APIs continue to work where explicitly mapped (for example in deprecated Rules v2).
+
+---
+
+## How these pieces fit together
+
+- **Security (`siemV5`)** is the primary application and platform access feature for the Security UI, lists, and broad saved-object/API access; granular Endpoint and workflow controls are expressed as **sub-features**.
+- **Rules** and **Alerts** split **rule lifecycle** vs **alert workflow** so administrators can assign detection engineers vs analysts with narrower scopes.
+
+For exact privilege strings and merge behavior, follow the source of truth in `src/constants.ts` and the corresponding `kibana_features.ts` / `kibana_sub_features.ts` files for each version.
diff --git a/x-pack/solutions/security/packages/features/moon.yml b/x-pack/solutions/security/packages/features/moon.yml
@@ -25,6 +25,7 @@ dependsOn:
   - '@kbn/securitysolution-rules'
   - '@kbn/securitysolution-list-constants'
   - '@kbn/elastic-assistant-common'
+  - '@kbn/data-views-plugin'
 tags:
   - shared-common
   - package

@@ -18,4 +18,5 @@ export { getAttackDiscoveryFeature } from './src/attack_discovery';
 export { getTimelineFeature } from './src/timeline';
 export { getNotesFeature } from './src/notes';
 export { getSiemMigrationsFeature } from './src/siem_migrations';
-export { getRulesFeature, getRulesV2Feature } from './src/rules';
+export { getRulesFeature, getRulesV2Feature, getRulesV3Feature } from './src/rules';
+export { getAlertsFeature } from './src/alerts';
@@ -0,0 +1,18 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { ProductFeatureAlertsKey } from '../product_features_keys';
+import { getAlertsBaseKibanaFeature } from './kibana_features';
+import type { ProductFeatureParams } from '../types';
+import { alertsDefaultProductFeaturesConfig } from './product_feature_config';
+
+export const getAlertsFeature = (): ProductFeatureParams<ProductFeatureAlertsKey, string> => ({
+  baseKibanaFeature: getAlertsBaseKibanaFeature(),
+  baseKibanaSubFeatureIds: [],
+  subFeaturesMap: new Map(),
+  productFeatureConfig: alertsDefaultProductFeaturesConfig,
+});