diff --git a/raw-migrated-files/docs-content/serverless/security-behavioral-detection-use-cases.md b/raw-migrated-files/docs-content/serverless/security-behavioral-detection-use-cases.md deleted file mode 100644 index c9fed2201..000000000 --- a/raw-migrated-files/docs-content/serverless/security-behavioral-detection-use-cases.md +++ /dev/null 
@@ -1,30 +0,0 @@ -# Behavioral detection use cases [security-behavioral-detection-use-cases] - -Behavioral detection identifies potential internal and external threats based on user and host activity. It uses a threat-centric approach to flag suspicious activity by analyzing patterns, anomalies, and context enrichment. - -The behavioral detection feature is built on {{elastic-sec}}'s foundational SIEM detection capabilities, leveraging {{ml}} algorithms to enable proactive threat detection and hunting. - - -## Elastic integrations for behavioral detection use cases [security-behavioral-detection-use-cases-elastic-integrations-for-behavioral-detection-use-cases] - -Behavioral detection integrations provide a convenient way to enable behavioral detection capabilities. They streamline the deployment of components that implement behavioral detection, such as data ingestion, transforms, rules, {{ml}} jobs, and scripts. - -::::{admonition} Requirements -:class: note - -* Behavioral detection integrations require the Security Analytics Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). -* To learn more about the requirements for using {{ml}} jobs, refer to [{{ml-cap}} job and rule requirements](../../../solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md). 
- -:::: - - -Here’s a list of integrations for various behavioral detection use cases: - -* [Data Exfiltration Detection](https://docs.elastic.co/en/integrations/ded) -* [Domain Generation Algorithm Detection](https://docs.elastic.co/en/integrations/dga) -* [Lateral Movement Detection](https://docs.elastic.co/en/integrations/lmd) -* [Living off the Land Attack Detection](https://docs.elastic.co/en/integrations/problemchild) -* [Network Beaconing Identification](https://docs.elastic.co/en/integrations/beaconing) - -To learn more about {{ml}} jobs enabled by these integrations, refer to [Prebuilt job reference](asciidocalypse://docs/docs-content/docs/reference/security/prebuilt-jobs.md). - diff --git a/raw-migrated-files/docs-content/serverless/security-ers-requirements.md b/raw-migrated-files/docs-content/serverless/security-ers-requirements.md deleted file mode 100644 index 4dc1c101f..000000000 --- a/raw-migrated-files/docs-content/serverless/security-ers-requirements.md +++ /dev/null 
@@ -1,56 +0,0 @@ -# Entity risk scoring requirements [security-ers-requirements] - -To use entity risk scoring and asset criticality, you need the appropriate user roles. These features require the Security Analytics Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). - -This page covers the requirements for using the entity risk scoring and asset criticality features, as well as their known limitations. - - -## Entity risk scoring [security-ers-requirements-entity-risk-scoring] - - -### User roles [security-ers-requirements-user-roles] - -To turn on the risk scoring engine, you need either the appropriate [predefined Security user role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md) with the right privileges: - -**Predefined roles** - -* Platform engineer -* Detections admin -* Admin - -**Custom role privileges** - -| Cluster | Index | {{kib}} | -| --- | --- | --- | -| * `manage_index_templates`
* `manage_transform`
| `all` privilege for `risk-score.risk-score-*` | **Read** for the **Security** feature | - - -### Known limitations [security-ers-requirements-known-limitations] - -* The risk scoring engine uses an internal user role to score all hosts and users. After you turn on the risk scoring engine, all alerts in the project will contribute to host and user risk scores. -* You cannot customize alert data views or risk weights associated with alerts and asset criticality levels. - - -## Asset criticality [security-ers-requirements-asset-criticality] - - -### User roles [security-ers-requirements-user-roles-1] - -To use asset criticality, you need either the appropriate [predefined Security user role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md) with the right privileges: - -**Predefined roles** - -| Action | Predefined role | -| --- | --- | -| View asset criticality | * Viewer
* Tier 1 analyst
| -| View, assign, change, or unassign asset criticality | * Editor
* Tier 2 analyst
* Tier 3 analyst
* Threat intelligence analyst
* Rule author
* SOC manager
* Endpoint operations analyst
* Platform engineer
* Detections admin
* Endpoint policy manager
| - -**Custom role privileges** - -Custom roles need the following privileges for the `.asset-criticality.asset-criticality-` index: - -| Action | Index privilege | -| --- | --- | -| View asset criticality | `read` | -| View, assign, or change asset criticality | `read` and `write` | -| Unassign asset criticality | `delete` | diff --git a/raw-migrated-files/docs-content/serverless/security-machine-learning.md b/raw-migrated-files/docs-content/serverless/security-machine-learning.md deleted file mode 100644 index 29e47cff9..000000000 --- a/raw-migrated-files/docs-content/serverless/security-machine-learning.md +++ /dev/null 
@@ -1,68 +0,0 @@ -# Detect anomalies [security-machine-learning] - -[{{ml-cap}}](../../../explore-analyze/machine-learning/anomaly-detection.md) functionality is available when you have the appropriate role. Refer to [Machine learning job and rule requirements](../../../solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for more information. - -You can view the details of detected anomalies within the `Anomalies` table widget shown on the Hosts, Network, and associated details pages, or even narrow to the specific date range of an anomaly from the `Max anomaly score by job` field in the overview of the details pages for hosts and IPs. These interfaces also offer the ability to drag and drop details of the anomaly to Timeline, such as the `Entity` itself, or any of the associated `Influencers`. - - -## Manage {{ml}} jobs [manage-jobs] - -If you have the `machine_learning_admin` role, you can use the **ML job settings** interface on the **Alerts***, ***Rules**, and **Rule Exceptions** pages to view, start, and stop {{elastic-sec}} {{ml}} jobs. - -:::{image} ../../../images/serverless--detections-machine-learning-ml-ui.png -:alt: ML job settings UI on the Alerts page -:class: screenshot -::: - - -### Manage {{ml}} detection rules [manage-ml-rules] - -You can also check the status of {{ml}} detection rules, and start or stop their associated {{ml}} jobs: - -* On the **Rules** page, the **Last response** column displays the rule’s current [status](../../../solutions/security/detect-and-alert/manage-detection-rules.md#rule-status). An indicator icon (![Error](../../../images/serverless-warning.svg "")) also appears if a required {{ml}} job isn’t running. Click the icon to list the affected jobs, then click **Visit rule details page to investigate** to open the rule’s details page. 
- - :::{image} ../../../images/serverless--detections-machine-learning-rules-table-ml-job-error.png - :alt: Rules table {{ml}} job error - :class: screenshot - ::: - -* On a rule’s details page, check the **Definition** section to confirm whether the required {{ml}} jobs are running. Switch the toggles on or off to run or stop each job. - - :::{image} ../../../images/serverless--troubleshooting-rules-ts-ml-job-stopped.png - :alt: Rule details page with ML job stopped - :class: screenshot - ::: - - - -### Prebuilt jobs [included-jobs] - -{{elastic-sec}} comes with prebuilt {{ml}} {{anomaly-jobs}} for automatically detecting host and network anomalies. The jobs are displayed in the `Anomaly Detection` interface. They are available when either: - -* You ship data using [Beats](https://www.elastic.co/products/beats) or the [{{agent}}](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md), and {{kib}} is configured with the required index patterns (such as `auditbeat-*`, `filebeat-*`, `packetbeat-*`, or `winlogbeat-*` in **Project settings** → **Management** → **Index Management**). - -Or - -* Your shipped data is ECS-compliant, and {{kib}} is configured with the shipped data’s index patterns in **Project settings** → **Management** → **Index Management**. - -Or - -* You install one or more of the [Advanced Analytics integrations](../../../solutions/security/advanced-entity-analytics/behavioral-detection-use-cases.md#security-behavioral-detection-use-cases-elastic-integrations-for-behavioral-detection-use-cases). - -[Prebuilt job reference](asciidocalypse://docs/docs-content/docs/reference/security/prebuilt-jobs.md) describes all available {{ml}} jobs and lists which ECS fields are required on your hosts when you are not using {{beats}} or the {{agent}} to ship your data. 
For information on tuning anomaly results to reduce the number of false positives, see [Optimizing anomaly results](../../../solutions/security/advanced-entity-analytics/optimizing-anomaly-results.md). - -::::{note} -Machine learning jobs look back and analyze two weeks of historical data prior to the time they are enabled. After jobs are enabled, they continuously analyze incoming data. When jobs are stopped and restarted within the two-week time frame, previously analyzed data is not processed again. - -:::: - - - -## View detected anomalies [view-anomalies] - -To view the `Anomalies` table widget and `Max Anomaly Score By Job` details, the user must have the `machine_learning_admin` or `machine_learning_user` role. - -::::{note} -To adjust the `score` threshold that determines which anomalies are shown, you can modify the **`securitySolution:defaultAnomalyScore`** advanced setting. - -:::: diff --git a/raw-migrated-files/docs-content/serverless/security-ml-requirements.md b/raw-migrated-files/docs-content/serverless/security-ml-requirements.md deleted file mode 100644 index 630fe4bd0..000000000 --- a/raw-migrated-files/docs-content/serverless/security-ml-requirements.md +++ /dev/null 
@@ -1,16 +0,0 @@ -# {{ml-cap}} job and rule requirements [security-ml-requirements] - -To run and create {{ml}} jobs and rules, you need the appropriate [user role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles). - -Additionally, for [custom roles](../../../deploy-manage/users-roles/cloud-organization/user-roles.md), to configure [alert suppression](../../../solutions/security/detect-and-alert/suppress-detection-alerts.md) for {{ml}} rules, your role needs the following index privilege: - -* `read` permission for the `.ml-anomalies-*` index - -For more information, go to [Set up {{ml-features}}](../../../explore-analyze/machine-learning/setting-up-machine-learning.md). - -::::{important} -Some roles give access to the results of *all* {{anomaly-jobs}}, irrespective of whether the user has access to the source indices. Likewise, a user who has full or read-only access to {{ml-features}} within a given {{kib}} space can view the results of *all* {{anomaly-jobs}} that are visible in that space. You must carefully consider who is given these roles and feature privileges; {{anomaly-job}} results may propagate field values that contain sensitive information from the source indices to the results. - -:::: - - diff --git a/raw-migrated-files/docs-content/serverless/security-turn-on-risk-engine.md b/raw-migrated-files/docs-content/serverless/security-turn-on-risk-engine.md deleted file mode 100644 index a9312fc00..000000000 --- a/raw-migrated-files/docs-content/serverless/security-turn-on-risk-engine.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -navigation_title: "Turn on risk scoring" ---- - -# Turn on the risk scoring engine [security-turn-on-risk-engine] - - -::::{admonition} Requirements -:class: note - -To use entity risk scoring, you must have the appropriate user role. For more information, refer to [Entity risk scoring requirements](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md). - -:::: - - - -## Preview risky entities [security-turn-on-risk-engine-preview-risky-entities] - -You can preview risky entities before installing the risk engine. The preview shows the riskiest hosts and users found in the 1000 sampled entities during the time frame selected in the date picker. - -::::{note} -The preview is limited to two risk scores per serverless project. - -:::: - - -To preview risky entities, go to **Project settings** → **Management** → **Entity Risk Score**: - -:::{image} ../../../images/serverless-preview-risky-entities.png -:alt: Preview of risky entities -:class: screenshot -::: - - -## Turn on the risk engine [security-turn-on-risk-engine-turn-on-the-risk-engine] - -::::{note} -To view risk score data, you must have alerts generated in your environment. - -:::: - - -If you’re installing the risk scoring engine for the first time: - -1. Go to **Project settings** → **Management** → **Entity Risk Score**. -2. On the **Entity Risk Score** page, turn the toggle on. - -You can also choose to include `Closed` alerts in risk scoring calculations and specify a date and time range for the calculation. - -:::{image} ../../../images/serverless-turn-on-risk-engine.png -:alt: Turn on entity risk scoring -:class: screenshot -::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 92c371dc4..c66348edc 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml 
@@ -221,7 +221,6 @@ toc: - file: docs-content/serverless/security-alerts-manage.md - file: docs-content/serverless/security-automated-response-actions.md - file: docs-content/serverless/security-automatic-import.md - - file: docs-content/serverless/security-behavioral-detection-use-cases.md - file: docs-content/serverless/security-benchmark-rules-kspm.md - file: docs-content/serverless/security-benchmark-rules.md - file: docs-content/serverless/security-blocklist.md @@ -253,7 +252,6 @@ toc: - file: docs-content/serverless/security-endpoint-management-req.md - file: docs-content/serverless/security-endpoints-page.md - file: docs-content/serverless/security-environment-variable-capture.md - - file: docs-content/serverless/security-ers-requirements.md - file: docs-content/serverless/security-event-filters.md - file: docs-content/serverless/security-get-started-with-kspm.md - file: docs-content/serverless/security-host-isolation-exceptions.md @@ -266,8 +264,6 @@ toc: - file: docs-content/serverless/security-linux-file-monitoring.md - file: docs-content/serverless/security-llm-connector-guides.md - file: docs-content/serverless/security-llm-performance-matrix.md - - file: docs-content/serverless/security-machine-learning.md - - file: docs-content/serverless/security-ml-requirements.md - file: docs-content/serverless/security-overview-dashboard.md - file: docs-content/serverless/security-policies-page.md - file: docs-content/serverless/security-posture-faq.md @@ -289,7 +285,6 @@ toc: - file: docs-content/serverless/security-triage-alerts-with-elastic-ai-assistant.md - file: docs-content/serverless/security-trusted-applications.md - file: docs-content/serverless/security-tune-detection-signals.md - - file: docs-content/serverless/security-turn-on-risk-engine.md - file: docs-content/serverless/security-view-alert-details.md - file: docs-content/serverless/security-visualize-alerts.md - file: docs-content/serverless/security-vuln-management-dashboard-dash.md 
diff --git a/solutions/security/advanced-entity-analytics/anomaly-detection.md b/solutions/security/advanced-entity-analytics/anomaly-detection.md index 5bd91ff9d..4112eb056 100644 --- a/solutions/security/advanced-entity-analytics/anomaly-detection.md +++ b/solutions/security/advanced-entity-analytics/anomaly-detection.md 
@@ -6,21 +6,15 @@ mapped_urls: # Anomaly detection -% What needs to be done: Align serverless/stateful -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/machine-learning.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-machine-learning.md - -[{{ml-cap}}](/explore-analyze/machine-learning/anomaly-detection.md) functionality is available when you have the appropriate subscription, are using a **{{ess-trial}}[cloud deployment]**, or are testing out a **Free Trial**. Refer to [Machine learning job and rule requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for more information. +[{{ml-cap}}](/explore-analyze/machine-learning/anomaly-detection.md) functionality is available when you have the appropriate role, subscription, are using a [cloud deployment](https://cloud.elastic.co/registration?page=docs&placement=docs-body), or are testing out a **Free Trial**. Refer to [Machine learning job and rule requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for more information. You can view the details of detected anomalies within the `Anomalies` table widget shown on the Hosts, Network, and associated details pages, or even narrow to the specific date range of an anomaly from the `Max anomaly score by job` field in the overview of the details pages for hosts and IPs. These interfaces also offer the ability to drag and drop details of the anomaly to Timeline, such as the `Entity` itself, or any of the associated `Influencers`. ## Manage {{ml}} jobs [manage-jobs] -If you have the `machine_learning_admin` role, you can use the **ML job settings** interface on the **Alerts**, **Rules**, and **Rule Exceptions** pages to view, start, and stop {{elastic-sec}} {{ml}} jobs. 
+If you have the appropriate role, you can use the **ML job settings** interface on the **Alerts**, **Rules**, and **Rule Exceptions** pages to view, start, and stop {{elastic-sec}} {{ml}} jobs. :::{image} ../../../images/security-ml-ui.png :alt: ML job settings UI on the Alerts page diff --git a/solutions/security/advanced-entity-analytics/behavioral-detection-use-cases.md b/solutions/security/advanced-entity-analytics/behavioral-detection-use-cases.md index 874859143..5564d6eec 100644 --- a/solutions/security/advanced-entity-analytics/behavioral-detection-use-cases.md +++ b/solutions/security/advanced-entity-analytics/behavioral-detection-use-cases.md @@ -6,18 +6,6 @@ mapped_urls: # Behavioral detection use cases -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/behavioral-detection-use-cases.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-behavioral-detection-use-cases.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$ml-integrations$$$ - -$$$security-behavioral-detection-use-cases-elastic-integrations-for-behavioral-detection-use-cases$$$ Behavioral detection identifies potential internal and external threats based on user and host activity. It uses a threat-centric approach to flag suspicious activity by analyzing patterns, anomalies, and context enrichment. 
@@ -29,7 +17,8 @@ The behavioral detection feature is built on {{elastic-sec}}'s foundational SIEM Behavioral detection integrations provide a convenient way to enable behavioral detection capabilities. They streamline the deployment of components that implement behavioral detection, such as data ingestion, transforms, rules, {{ml}} jobs, and scripts. ::::{admonition} Requirements -* Behavioral detection integrations require a [Platinum subscription](https://www.elastic.co/pricing) or higher. +* In {{stack}}, behavioral detection integrations require a [Platinum subscription](https://www.elastic.co/pricing) or higher. +* In serverless, behavioral detection integrations require the Security Analytics Complete [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md). * To learn more about the requirements for using {{ml}} jobs, refer to [Machine learning job and rule requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md). :::: diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md index bfc15bfac..5ae559e79 100644 --- a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md +++ b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md 
@@ -6,31 +6,47 @@ mapped_urls: # Entity risk scoring requirements -% What needs to be done: Align serverless/stateful +This page covers the requirements and guidelines for using the entity risk scoring, asset criticality, and entity store features, as well as their known limitations. -% Use migrated content from existing pages that map to this page: +To use these features in {{stack}}, your role must have certain cluster, index, and {{kib}} privileges. In serverless, you need the appropriate user roles or a custom role with the right privileges. -% - [x] ./raw-migrated-files/security-docs/security/ers-requirements.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-ers-requirements.md +In {{stack}}, these features require a [Platinum subscription](https://www.elastic.co/pricing) or higher. In serverless, they require the Security Analytics Complete [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md). -To use entity risk scoring, asset criticality, and entity store, your role must have certain cluster, index, and {{kib}} privileges. These features require a [Platinum subscription](https://www.elastic.co/pricing) or higher. -This page covers the requirements and guidelines for using the entity risk scoring, asset criticality, and entity store features, as well as their known limitations. +## Entity risk scoring [_entity_risk_scoring] +To turn on the risk scoring engine, you need the following: -## Entity risk scoring [_entity_risk_scoring] +* In {{stack}}, you need the appropriate [privileges](#_privileges). +* In serverless, you need either the appropriate [predefined Security user role](#ers_roles) or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with the right [privileges](#_privileges). 
### Privileges [_privileges] -To turn on the risk scoring engine, you need the following privileges: +#### Cluster + +- `manage_index_templates` +- `manage_transform` + +#### Index + +`All` privilege for `risk-score.risk-score-*` + +#### {{kib}} + +**Read** for the **Security** feature + +### Predefined roles [ers_roles] -| Cluster | Index | {{kib}} | -| --- | --- | --- | -| * `manage_index_templates`
* `manage_transform`
| `all` privilege for `risk-score.risk-score-*` | **Read** for the **Security** feature | +* Platform engineer +* Detections admin +* Admin ### {{es}} resource guidelines [_es_resource_guidelines] +```yaml {applies_to} +stack: +``` Follow these guidelines to ensure clusters have adequate memory to handle data volume: @@ -40,15 +56,19 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v ### Known limitations [_known_limitations] -The risk scoring engine uses an internal user role to score all hosts and users, and doesn’t respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {{kib}} space, all alerts in the space will contribute to host and user risk scores. +* The risk scoring engine uses an internal user role to score all hosts and users, and doesn’t respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {{kib}} space, all alerts in the space will contribute to host and user risk scores. +* You cannot customize alert data views or risk weights associated with alerts and asset criticality levels. ## Asset criticality [_asset_criticality] +To use asset criticality, you need the following: + +* In {{stack}}, you need the appropriate [privileges](#_privileges_2) for the `.asset-criticality.asset-criticality-` index. +* In serverless, you need either the appropriate [predefined Security user role](#ac_roles) or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with the right [privileges](#_privileges_2) for the `.asset-criticality.asset-criticality-` index. ### Privileges [_privileges_2] -To use asset criticality, you need the following privileges for the `.asset-criticality.asset-criticality-` index: | Action | Index privilege | | --- | --- | 
@@ -56,14 +76,37 @@ To use asset criticality, you need the following privileges for the `.asset-crit | View, assign, or change asset criticality | `read` and `write` | | Unassign asset criticality | `delete` | +### Predefined roles [ac_roles] + +| Action | Predefined role | +| --- | --- | +| View asset criticality | - Viewer
- Tier 1 analyst
| +| View, assign, change, or unassign asset criticality | - Editor
- Tier 2 analyst
- Tier 3 analyst
- Threat intelligence analyst
- Rule author
- SOC manager
- Endpoint operations analyst
- Platform engineer
- Detections admin
- Endpoint policy manager
| + ## Entity store [_entity_store] +To turn on the entity store, you need the following: + +* In {{stack}}, you need the appropriate [privileges](#_privileges_3). +* In serverless, you need either the Admin role or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with the right [privileges](#_privileges_3). ### Privileges [_privileges_3] -To use the entity store, you need the following privileges: +#### Cluster + +- `manage_enrich` +- `manage_index_templates` +- `manage_ingest_pipelines` +- `manage_transform` + +#### Index + +- `read` and `view_index_metadata` for `.asset-criticality.asset-criticality-*` +- `read` and `manage` for `risk-score.risk-score-*` +- `read` and `manage` for `.entities.v1.latest.*` +- `read` and `view_index_metadata` for all {{elastic-sec}} indices + +#### {{kib}} -| Cluster | Index | {{kib}} | -| --- | --- | --- | -| * `manage_enrich`
* `manage_index_templates`
* `manage_ingest_pipelines`
* `manage_transform`
| * `read` and `view_index_metadata` for `.asset-criticality.asset-criticality-*`
* `read` and `manage` for `risk-score.risk-score-*`
* `read` and `manage` for `.entities.v1.latest.*`
* `read` and `view_index_metadata` for all {{elastic-sec}} indices
| **All** for the **Security** and **Saved Objects Management** features | +**All** for the **Security** and **Saved Objects Management** features diff --git a/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md b/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md index dc2618bc8..57825d0fe 100644 --- a/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md +++ b/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md @@ -6,14 +6,7 @@ mapped_urls: # Machine learning job and rule requirements -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/ml-requirements.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-ml-requirements.md - -To run and create {{ml}} jobs and rules, you need all of these: +To run and create {{ml}} jobs and rules in serverless, you need the appropriate [user role](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles). In {{stack}}, you need all of these: * The [appropriate license](https://www.elastic.co/subscriptions) * There must be at least one {{ml}} node in your cluster 
@@ -26,7 +19,7 @@ Additionally, to configure [alert suppression](/solutions/security/detect-and-al For more information, go to [Set up {{ml-features}}](/explore-analyze/machine-learning/setting-up-machine-learning.md). ::::{important} -The `machine_learning_admin` and `machine_learning_user` built-in roles give access to the results of *all* {{anomaly-jobs}}, irrespective of whether the user has access to the source indices. Likewise, a user who has full or read-only access to {{ml-features}} within a given {{kib}} space can view the results of *all* {{anomaly-jobs}} that are visible in that space. You must carefully consider who is given these roles and feature privileges; {{anomaly-job}} results may propagate field values that contain sensitive information from the source indices to the results. +Some roles (for example, in {{stack}}, the `machine_learning_admin` and `machine_learning_user` built-in roles) give access to the results of *all* {{anomaly-jobs}}, irrespective of whether the user has access to the source indices. Likewise, a user who has full or read-only access to {{ml-features}} within a given {{kib}} space can view the results of *all* {{anomaly-jobs}} that are visible in that space. You must carefully consider who is given these roles and feature privileges; {{anomaly-job}} results may propagate field values that contain sensitive information from the source indices to the results. :::: diff --git a/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md b/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md index 2d00a3e69..6a777fc6d 100644 --- a/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md +++ b/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md 
@@ -6,29 +6,18 @@ mapped_urls: # Turn on the risk scoring engine -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/turn-on-risk-engine.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-turn-on-risk-engine.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$upgrade-risk-engine$$$ ::::{important} -To use entity risk scoring, your role must have the appropriate privileges. For more information, refer to [Entity risk scoring requirements](/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md). +To use entity risk scoring, your role must have the appropriate user role or privileges. For more information, refer to [Entity risk scoring requirements](/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md). :::: - ## Preview risky entities [_preview_risky_entities] You can preview risky entities before installing the latest risk engine. The preview shows the riskiest hosts and users found in the 1000 sampled entities during the time frame selected in the date picker. ::::{note} -The preview is limited to two risk scores per {{kib}} instance. +The preview is limited to two risk scores per {{kib}} instance or serverless project. :::: 
@@ -44,7 +33,7 @@ To preview risky entities, find **Entity Risk Score** in the navigation menu or ::::{note} * To view risk score data, you must have alerts generated in your environment. -* If you previously installed the original user and host risk score modules, and you’re upgrading to {{stack}} version 8.11 or newer, refer to [Upgrade to the latest risk engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md#upgrade-risk-engine). +* In {{stack}}, if you previously installed the original user and host risk score modules, and you’re upgrading to {{stack}} version 8.11 or newer, refer to [Upgrade to the latest risk engine](/solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md#upgrade-risk-engine). :::: @@ -63,6 +52,9 @@ You can also choose to include `Closed` alerts in risk scoring calculations and ## Upgrade to the latest risk engine [upgrade-risk-engine] +```yaml {applies_to} +stack: +``` If you upgraded to 8.11 from an earlier {{stack}} version, and you have the original risk engine installed, you can upgrade to the latest risk engine. You will be prompted to upgrade in places where risk score data exists, such as:
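Review bot: the deletion hunk for `raw-migrated-files/docs-content/serverless/security-machine-learning.md` removes serverless-only details that are not visible anywhere in the merged pages of this diff, notably the `securitySolution:defaultAnomalyScore` advanced setting note, the two-week look-back note, and the **Project settings** → **Management** → **Index Management** navigation path under "Prebuilt jobs"; the `anomaly-detection.md` hunk only touches the first two paragraphs and the migration checklist it removes still had `security-machine-learning.md` unchecked, so please confirm those sections of `anomaly-detection.md` were aligned for serverless before the source file is dropped.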
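Review bot: the rewritten opening sentence in the `anomaly-detection.md` hunk ("available when you have the appropriate role, subscription, are using a [cloud deployment], or are testing out a **Free Trial**") reads as a list with a missing conjunction and mixes the serverless and {{stack}} conditions; splitting it the way the other pages in this PR do would be clearer, for example `In serverless, {{ml-cap}} functionality is available when you have the appropriate role. In {{stack}}, it is available when you have the appropriate subscription, are using a [cloud deployment](https://cloud.elastic.co/registration?page=docs&placement=docs-body), or are testing out a **Free Trial**.` The same hunk also drops the `machine_learning_admin` role name from the **ML job settings** paragraph; since that name is still accurate for {{stack}} (the important block in `machine-learning-job-rule-requirements.md` keeps it), retaining it as a {{stack}} example would preserve useful specificity.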
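Review bot: the `behavioral-detection-use-cases.md` hunk removes the `$$$ml-integrations$$$` and `$$$security-behavioral-detection-use-cases-elastic-integrations-for-behavioral-detection-use-cases$$$` anchors together with the comment stating that internal links rely on them, but no replacement ID appears in the diff; before merging, confirm that the `## Elastic integrations for behavioral detection use cases` heading carries an equivalent ID, or that no remaining page links to `#ml-integrations`, otherwise inbound links like the one the deleted `security-machine-learning.md` used will break.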
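Review bot: in the first `entity-risk-scoring-requirements.md` hunk, the new `#### Index` subsection under `### Privileges [_privileges]` writes `` `All` `` with a capital letter; it is an {{es}} index privilege name, the removed table used `all`, and every other privilege on the page (`read`, `manage`, `view_index_metadata`) is lowercase, so it should be `` `all` ``. The same subsection is a bare sentence while the entity store `#### Index` subsection uses list items; writing it as `- `all` for `risk-score.risk-score-*`` would make the three Privileges sections scan the same way.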
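Review bot: in the second `entity-risk-scoring-requirements.md` hunk, deleting the lead sentence before the asset criticality privileges table leaves the `### Privileges [_privileges_2]` heading followed directly by the table, with nothing tying `read`, `read` and `write`, and `delete` to the index named in the bullets above; a short lead such as `Custom roles need the following privileges for this index:` (as the deleted serverless page had) would restore that link. The two new bullets also name the index as `.asset-criticality.asset-criticality-` while the entity store section in the same file uses `.asset-criticality.asset-criticality-*`; if the trailing hyphen is a truncated pattern rather than the literal index name, the two should be aligned.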
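Review bot: in the first `turn-on-risk-scoring-engine.md` hunk, the rewritten important block says `your role must have the appropriate user role or privileges`, which is circular; suggest `you must have the appropriate user role or privileges`. In the second hunk of the same file, `In {{stack}}, if you previously installed ... and you’re upgrading to {{stack}} version 8.11 or newer` repeats `{{stack}}`; `and you’re upgrading to version 8.11 or newer` reads cleaner.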