Hello,
It is a little confusing to understand exactly what you want to do and what the relation with Document Level Security is.
Document level security is used to define which roles can see which documents; it is not clear how this would help you achieve the task of having your SOC L1 see all alerts from one place.
Also, why have a cluster for Windows and a cluster for Linux? It makes management way more complex.
You can see the data from the alerts in one place using cross cluster search, but you cannot manage the alerts from one single place; you would need to manage the alerts in each cluster.
Check this similar post where this is also discussed.
You can use a trial license for up to 30 days.