From 5adeebab614cde27d00f25eb59459cc0b7cc6922 Mon Sep 17 00:00:00 2001 From: Jared Burgett <147995946+jaredburgettelastic@users.noreply.github.com> Date: Tue, 24 Jun 2025 10:52:45 -0500 Subject: [PATCH] Enable Security Entity Analytics Privileged user monitoring feature (#224638) # Overview This pull request enables the Security Entity Analytics Privileged user monitoring feature. This feature has many accompanying PRs, that have until now been kept behind an experimental feature flag. The feature is currently slated to ship as a Technical Preview. Instead of removing the feature flag, we will be allowing for a "disabled" version of the experimental flag, which allows this feature to remain disabled in Serverless, until fully tested during the 9.1 release cycle. Disabling in Serverless is accomplished via setting the configuration to disabled in the `config/serverless.security.yml` file. --------- Co-authored-by: Elastic Machine --- config/serverless.security.yml | 6 ++++++ .../security_solution/common/experimental_features.ts | 2 +- .../security_solution/public/entity_analytics/links.ts | 4 ++-- .../entity_analytics/register_entity_analytics_routes.ts | 2 +- .../trial_license_complete_tier/configs/ess.config.ts | 7 +------ .../configs/serverless.config.ts | 1 - 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/config/serverless.security.yml b/config/serverless.security.yml index 616552a2555f..3e3a1eb782a3 100644 --- a/config/serverless.security.yml +++ b/config/serverless.security.yml @@ -205,3 +205,9 @@ xpack.alerting.rules.run.ruleTypeOverrides: timeout: 5m - id: attack-discovery timeout: 10m + +# Experimental Security Solution features + +# These features are disabled in Serverless until fully tested +xpack.securitySolution.enableExperimental: + - privilegedUserMonitoringDisabled 
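Review bot: The Serverless opt-out added at the end of `config/serverless.security.yml` only holds while `xpack.securitySolution.enableExperimental` still contains this entry, and a later config layer that sets the same key would presumably replace the whole list rather than merge into it. Because the flag is now negative, losing the entry turns the feature on rather than off, so the comment above the setting should say so, e.g. `# NOTE: any override of enableExperimental must re-list privilegedUserMonitoringDisabled, otherwise privileged user monitoring becomes active in Serverless`. The test configs touched later in this patch used to pass `--xpack.securitySolution.enableExperimental=...` on the command line, which is exactly the kind of override that would drop it. A test asserting the flag is present in the effective Serverless config would catch that.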
diff --git a/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts b/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts index 3a3785a8bb07..eb44f33244c5 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/experimental_features.ts @@ -227,7 +227,7 @@ export const allowedExperimentalValues = Object.freeze({ /** * Enables Privilege Monitoring */ - privilegeMonitoringEnabled: false, + privilegedUserMonitoringDisabled: false, /** * Disables the siem migrations feature diff --git a/x-pack/solutions/security/plugins/security_solution/public/entity_analytics/links.ts b/x-pack/solutions/security/plugins/security_solution/public/entity_analytics/links.ts index 8490ef05d59f..db8622b00adc 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/entity_analytics/links.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/entity_analytics/links.ts @@ -41,7 +41,7 @@ const privMonLinks: LinkItem = { defaultMessage: 'Privileged user monitoring', }), ], - experimentalKey: 'privilegeMonitoringEnabled', + hideWhenExperimentalKey: 'privilegedUserMonitoringDisabled', hideTimeline: false, skipUrlState: false, capabilities: [`${SECURITY_FEATURE_ID}.entity-analytics`], @@ -86,7 +86,7 @@ export const entityAnalyticsLinks: LinkItem = { links: [eaOverviewLinks, privMonLinks], hideTimeline: true, skipUrlState: true, - experimentalKey: 'privilegeMonitoringEnabled', + hideWhenExperimentalKey: 'privilegedUserMonitoringDisabled', capabilities: [`${SECURITY_FEATURE_ID}.entity-analytics`], licenseType: 'platinum', }; diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/register_entity_analytics_routes.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/register_entity_analytics_routes.ts index 3a7e2f474565..2492038e4b37 100644 
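Review bot: The doc comment kept as context above the renamed key in `experimental_features.ts` still reads `Enables Privilege Monitoring`, which is now the opposite of what `privilegedUserMonitoringDisabled` does. I would change it to `Disables Privileged user monitoring (API routes and navigation links) when listed in enableExperimental; the feature is on by default.` so that nobody adds the flag expecting to turn the feature on. The `allowedExperimentalValues` object starts and ends outside the hunk.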
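Review bot: In `links.ts`, `hideWhenExperimentalKey: 'privilegedUserMonitoringDisabled'` is set on the parent `entityAnalyticsLinks` as well as on `privMonLinks`, so setting the flag presumably hides the whole group, including `eaOverviewLinks`, and not only the privileged user monitoring page. That mirrors the old `experimentalKey` gating, but the flag is now a shipped Serverless default, so the intent should be written down on the parent, e.g. `// Intentionally hides the whole Entity Analytics group (overview included) when privileged user monitoring is disabled`. If the overview is meant to stay reachable, drop the key from the parent instead. Both hunks in this file make the same substitution, and hiding a link is navigation only: the server-side gate is the check in `register_entity_analytics_routes.ts`.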
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/register_entity_analytics_routes.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/register_entity_analytics_routes.ts @@ -22,7 +22,7 @@ export const registerEntityAnalyticsRoutes = (routeDeps: EntityAnalyticsRoutesDe registerEntityStoreRoutes(routeDeps); } - if (routeDeps.config.experimentalFeatures.privilegeMonitoringEnabled) { + if (!routeDeps.config.experimentalFeatures.privilegedUserMonitoringDisabled) { registerPrivilegeMonitoringRoutes(routeDeps); } }; diff --git a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/configs/ess.config.ts b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/configs/ess.config.ts index 396c96f93f33..fc3bc5327607 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/configs/ess.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/configs/ess.config.ts @@ -15,12 +15,7 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { ...functionalConfig.getAll(), kbnTestServer: { ...functionalConfig.get('kbnTestServer'), - serverArgs: [ - ...functionalConfig.get('kbnTestServer.serverArgs'), - `--xpack.securitySolution.enableExperimental=${JSON.stringify([ - 'privilegeMonitoringEnabled', - ])}`, - ], + serverArgs: [...functionalConfig.get('kbnTestServer.serverArgs')], }, testFiles: [require.resolve('..')], junit: { 
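Review bot: The negated check `!routeDeps.config.experimentalFeatures.privilegedUserMonitoringDisabled` makes `registerPrivilegeMonitoringRoutes` run whenever the flag is absent, so these routes now fail open. Any deployment whose effective config does not list the flag gets the privilege monitoring API, and access then rests entirely on the per-route authorization inside `registerPrivilegeMonitoringRoutes`, which is not visible in this hunk. It is worth confirming that each of those routes declares its required privileges, and adding a comment at the check such as `// On by default; Serverless opts out via privilegedUserMonitoringDisabled in config/serverless.security.yml`. Nothing in this patch exercises the disabled path, so an API integration test asserting that the routes return 404 when the flag is set would guard the Serverless opt-out. The body of `registerEntityAnalyticsRoutes` starts outside the hunk.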
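Review bot: In `ess.config.ts`, the replacement line `serverArgs: [...functionalConfig.get('kbnTestServer.serverArgs')],` only copies what `...functionalConfig.get('kbnTestServer')` on the line above already provides, so the `kbnTestServer` override no longer changes anything. I would delete the `serverArgs` line, and the `kbnTestServer` block too if nothing else is added to it, rather than keep a no-op that reads like a customisation point. The exported config function starts and ends outside the hunk.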
diff --git a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/configs/serverless.config.ts index 9986d58fa2e0..d146796fa30a 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/configs/serverless.config.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/monitoring/trial_license_complete_tier/configs/serverless.config.ts @@ -9,7 +9,6 @@ import { createTestConfig } from '../../../../../config/serverless/config.base'; export default createTestConfig({ kbnTestServerArgs: [ - `--xpack.securitySolution.enableExperimental=${JSON.stringify(['privilegeMonitoringEnabled'])}`, `--xpack.securitySolutionServerless.productTypes=${JSON.stringify([ { product_line: 'security', product_tier: 'complete' }, { product_line: 'endpoint', product_tier: 'complete' },