On my Elasticsearch 7.x cluster, the beats_system role has the cluster privileges monitor and cluster:admin/xpack/monitoring/bulk.
The cluster:admin/xpack/monitoring/bulk privilege is not mentioned on Security privileges | Elasticsearch Guide [7.17] | Elastic. I did find the post Privileges for built-in roles, which says:
The bulk monitoring privilege is an action name.
It grants access to a specific internal action.
I looked for a list of 'actions' and 'internal actions' in the Elasticsearch documentation. It doesn't seem like there is a reference for them. I did not find any results in the REST APIs reference either.
Question: what is this 'internal action'?
FWIW: According to Grant privileges and roles needed for monitoring | Filebeat Reference [7.17] | Elastic, a user-made role (as an alternative to using the built-in beats_system role) does NOT need to have this cluster privilege.