From 6651cd53fb64c48b25ec50a26370ea11fcfb0775 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 9 Sep 2025 20:50:18 -0400 Subject: [PATCH 01/14] First draft --- .../incident-management/create-manage-rules.md | 10 ++++++++++ .../observability/incident-management/view-alerts.md | 6 ++++++ 2 files changed, 16 insertions(+) diff --git a/solutions/observability/incident-management/create-manage-rules.md b/solutions/observability/incident-management/create-manage-rules.md index ff3a8b0d5d..c0b5dc6736 100644 --- a/solutions/observability/incident-management/create-manage-rules.md +++ b/solutions/observability/incident-management/create-manage-rules.md 
@@ -63,6 +63,16 @@ From the action menu you can also: * Run rule (without waiting for next scheduled check) * Update API keys +## Add incident management and response resources to rules [observability-create-manage-rules-incident-management] + +Incident management resources can help you respond to alerts more efficiently and consistently. You can add these resources to a rule that you are creating or managing. When an alert is generated from that rule, the resources that you added can be accessed from the [alert's details page](/solutions/observability/incident-management/view-alerts.md#observability-view-alerts-view-alert-details). Here are some resources you can add to a rule: + +* **Investigation guide**: An investigation guide provides step-by-step instructions and links to external resources for investigating and responding to alerts. On the alert's details page, you can access the guide from the **Investigation guide** tab. +* **Related and suggested dashboards**: (Only available for custom threshold rules) Dashboards can provide additional context and information about the alert. You can access them from the **Dashboards** tab on the alert's details page. Related dashboards are linked to the rule that generated the alert. Suggested dashboards are comprised of other dashboards that use lens visualizations that: + + * Query the same data view + * Use some of the same fields that are specified in the rule's configuration or are present in alert's genereated by the rule. + ## View rule details [observability-create-manage-rules-view-rule-details] diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index b760552065..1d634f4c71 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md 
@@ -64,6 +64,12 @@ To view the alert in the app that triggered it: * From the alert detail flyout, click **View in app**. * From the **Alerts** table, click the {icon}`eye` icon. +## Find related alerts [observability-view-alerts-find-related-alerts] + +Related alerts can help you to identify patterns and recurring events that might warrant investigation. When examining an alert's details, you can find related alerts by selecting the **Related alerts** tab. + +Relevance to the current alert is based on how closely other alerts match it. Certain attributes are evaluated for matching, such as groups, tags, associated rules, and the time of which an alert was created. Alerts with more matching attributes are determined as more relevant and placed higher on the list of related alerts. To find related alerts that were created around the same time, apply the **Triggered around the same time** filter. + ## Understand alert statuses [observability-view-alerts-understand-statuses] There are four common alert statuses: From 1ea0c0384ef59eb156e6f888514849228411a1c4 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 9 Sep 2025 20:53:09 -0400 Subject: [PATCH 02/14] fix --- .../observability/incident-management/create-manage-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/observability/incident-management/create-manage-rules.md b/solutions/observability/incident-management/create-manage-rules.md index c0b5dc6736..f76980712c 100644 --- a/solutions/observability/incident-management/create-manage-rules.md +++ b/solutions/observability/incident-management/create-manage-rules.md 
@@ -68,7 +68,7 @@ From the action menu you can also: Incident management resources can help you respond to alerts more efficiently and consistently. You can add these resources to a rule that you are creating or managing. When an alert is generated from that rule, the resources that you added can be accessed from the [alert's details page](/solutions/observability/incident-management/view-alerts.md#observability-view-alerts-view-alert-details). Here are some resources you can add to a rule: * **Investigation guide**: An investigation guide provides step-by-step instructions and links to external resources for investigating and responding to alerts. On the alert's details page, you can access the guide from the **Investigation guide** tab. -* **Related and suggested dashboards**: (Only available for custom threshold rules) Dashboards can provide additional context and information about the alert. You can access them from the **Dashboards** tab on the alert's details page. Related dashboards are linked to the rule that generated the alert. Suggested dashboards are comprised of other dashboards that use lens visualizations that: +* **Related and suggested dashboards**: (Only available for custom threshold rules) Dashboards can provide additional context and information about the alert. You can access them from the **Related dashboards** tab on the alert's details page. Related dashboards are linked to the rule that generated the alert. Suggested dashboards are comprised of other dashboards that use lens visualizations that: * Query the same data view * Use some of the same fields that are specified in the rule's configuration or are present in alert's genereated by the rule. From 31bbcfedf747be48f64ede3568088cfcaf05af4a Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon Date: Tue, 9 Sep 2025 20:55:20 -0400 Subject: [PATCH 03/14] applies to tags --- .../observability/incident-management/create-manage-rules.md | 4 ++-- solutions/observability/incident-management/view-alerts.md | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/solutions/observability/incident-management/create-manage-rules.md b/solutions/observability/incident-management/create-manage-rules.md index f76980712c..940b70b8a6 100644 --- a/solutions/observability/incident-management/create-manage-rules.md +++ b/solutions/observability/incident-management/create-manage-rules.md 
@@ -67,8 +67,8 @@ From the action menu you can also: Incident management resources can help you respond to alerts more efficiently and consistently. You can add these resources to a rule that you are creating or managing. When an alert is generated from that rule, the resources that you added can be accessed from the [alert's details page](/solutions/observability/incident-management/view-alerts.md#observability-view-alerts-view-alert-details). Here are some resources you can add to a rule: -* **Investigation guide**: An investigation guide provides step-by-step instructions and links to external resources for investigating and responding to alerts. On the alert's details page, you can access the guide from the **Investigation guide** tab. -* **Related and suggested dashboards**: (Only available for custom threshold rules) Dashboards can provide additional context and information about the alert. You can access them from the **Related dashboards** tab on the alert's details page. Related dashboards are linked to the rule that generated the alert. Suggested dashboards are comprised of other dashboards that use lens visualizations that: +* {applies_to}`stack: ga 9.1` **Investigation guide**: An investigation guide provides step-by-step instructions and links to external resources for investigating and responding to alerts. On the alert's details page, you can access the guide from the **Investigation guide** tab. +* {applies_to}`stack: ga 9.1` **Related and suggested dashboards**: (Only available for custom threshold rules) Dashboards can provide additional context and information about the alert. You can access them from the **Related dashboards** tab on the alert's details page. Related dashboards are linked to the rule that generated the alert. 
Suggested dashboards are comprised of other dashboards that use lens visualizations that: * Query the same data view * Use some of the same fields that are specified in the rule's configuration or are present in alert's genereated by the rule. diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 1d634f4c71..280d46147e 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md @@ -66,6 +66,10 @@ To view the alert in the app that triggered it: ## Find related alerts [observability-view-alerts-find-related-alerts] +```{applies_to} +stack: ga 9.1 +``` + Related alerts can help you to identify patterns and recurring events that might warrant investigation. When examining an alert's details, you can find related alerts by selecting the **Related alerts** tab. Relevance to the current alert is based on how closely other alerts match it. Certain attributes are evaluated for matching, such as groups, tags, associated rules, and the time of which an alert was created. Alerts with more matching attributes are determined as more relevant and placed higher on the list of related alerts. To find related alerts that were created around the same time, apply the **Triggered around the same time** filter. From 747f00a9aa57878cedb57cc371965e36cc483b7c Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 9 Sep 2025 20:57:15 -0400 Subject: [PATCH 04/14] typo --- .../observability/incident-management/create-manage-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/observability/incident-management/create-manage-rules.md b/solutions/observability/incident-management/create-manage-rules.md index 940b70b8a6..e5140b4895 100644 --- a/solutions/observability/incident-management/create-manage-rules.md +++ b/solutions/observability/incident-management/create-manage-rules.md 
@@ -71,7 +71,7 @@ Incident management resources can help you respond to alerts more efficiently an * {applies_to}`stack: ga 9.1` **Related and suggested dashboards**: (Only available for custom threshold rules) Dashboards can provide additional context and information about the alert. You can access them from the **Related dashboards** tab on the alert's details page. Related dashboards are linked to the rule that generated the alert. Suggested dashboards are comprised of other dashboards that use lens visualizations that: * Query the same data view - * Use some of the same fields that are specified in the rule's configuration or are present in alert's genereated by the rule. + * Use some fields that are specified in the rule's configuration or are present in alert's generated by the rule. ## View rule details [observability-create-manage-rules-view-rule-details] From 8eec84a2560231bfea7138ac484f4746414438bb Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Wed, 10 Sep 2025 04:06:34 -0400 Subject: [PATCH 05/14] Lots of changes --- .../create-manage-rules.md | 27 ++++++++++--------- .../incident-management/view-alerts.md | 6 ++--- 2 files changed, 18 insertions(+), 15 deletions(-) diff --git a/solutions/observability/incident-management/create-manage-rules.md b/solutions/observability/incident-management/create-manage-rules.md index e5140b4895..aece3c912c 100644 --- a/solutions/observability/incident-management/create-manage-rules.md +++ b/solutions/observability/incident-management/create-manage-rules.md 
@@ -63,17 +63,6 @@ From the action menu you can also: * Run rule (without waiting for next scheduled check) * Update API keys -## Add incident management and response resources to rules [observability-create-manage-rules-incident-management] - -Incident management resources can help you respond to alerts more efficiently and consistently. You can add these resources to a rule that you are creating or managing. When an alert is generated from that rule, the resources that you added can be accessed from the [alert's details page](/solutions/observability/incident-management/view-alerts.md#observability-view-alerts-view-alert-details). Here are some resources you can add to a rule: - -* {applies_to}`stack: ga 9.1` **Investigation guide**: An investigation guide provides step-by-step instructions and links to external resources for investigating and responding to alerts. On the alert's details page, you can access the guide from the **Investigation guide** tab. -* {applies_to}`stack: ga 9.1` **Related and suggested dashboards**: (Only available for custom threshold rules) Dashboards can provide additional context and information about the alert. You can access them from the **Related dashboards** tab on the alert's details page. Related dashboards are linked to the rule that generated the alert. Suggested dashboards are comprised of other dashboards that use lens visualizations that: - - * Query the same data view - * Use some fields that are specified in the rule's configuration or are present in alert's generated by the rule. - - ## View rule details [observability-create-manage-rules-view-rule-details] Click on an individual rule on the **{{rules-app}}** page to view details including the rule name, status, definition, execution history, related alerts, and more. 
@@ -110,4 +99,18 @@ To temporarily suppress notifications for *all* rules, create a [maintenance win To import and export rules, use [{{saved-objects-app}}](/explore-analyze/find-and-organize.md). -Rules are disabled on export. You are prompted to re-enable the rule on successful import. \ No newline at end of file +Rules are disabled on export. You are prompted to re-enable the rule on successful import. + +## Add resources for investigating alerts [observability-create-manage-rules-add-investigation-resources] + +When creating or editing a rule, add the following resources to help you get started with investigating alerts: + +* {applies_to}`stack: ga 9.1` **Investigation guide**: Investigation guides can help you respond to alerts more efficiently and consistently. When creating them, you can include instructions for responding to alerts, links to external supporting materials, and more. When the rule generates an alert, the investigation guide can be accessed from the **Investigation guide** tab on the [alert's details page](/solutions/observability/incident-management/view-alerts.md#observability-view-alerts-view-alert-details). + + ::::{tip} + + Use Markdown to format and structure text in your investigation guide. + + :::: + +* {applies_to}`stack: ga 9.1` **Related and suggested dashboards**: (Only available for custom threshold rules) Link to dashboards that provide useful insights about your environment, active events, and any other information that might be relevant during your investigations. When the rule generates an alert, linked dashboards can be accessed from the **Related dashboards** tab on the alert's details page. From the tab, you can also review and add suggested dashboards. \ No newline at end of file diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 280d46147e..1ef78d99de 100644 --- a/solutions/observability/incident-management/view-alerts.md 
+++ b/solutions/observability/incident-management/view-alerts.md @@ -64,15 +64,15 @@ To view the alert in the app that triggered it: * From the alert detail flyout, click **View in app**. * From the **Alerts** table, click the {icon}`eye` icon. -## Find related alerts [observability-view-alerts-find-related-alerts] +## Review related alerts [observability-view-alerts-find-related-alerts] ```{applies_to} stack: ga 9.1 ``` -Related alerts can help you to identify patterns and recurring events that might warrant investigation. When examining an alert's details, you can find related alerts by selecting the **Related alerts** tab. +Check related alerts for patterns and recurring events that might warrant further investigation. From an alert's details page, go to the **Related alerts** tab to view related alerts. -Relevance to the current alert is based on how closely other alerts match it. Certain attributes are evaluated for matching, such as groups, tags, associated rules, and the time of which an alert was created. Alerts with more matching attributes are determined as more relevant and placed higher on the list of related alerts. To find related alerts that were created around the same time, apply the **Triggered around the same time** filter. +Relevance to the current alert is based on how closely attributes such as groups, tags, associated rules, and the time of which an alert was created match. Alerts are scored against this criteria and considered relevant if they reach a certain score. Within the related alerts table, alerts are ordered from most to least relevant. You can apply the **Triggered around the same time** filter to only view alerts that were created around the smae time as the current one. ## Understand alert statuses [observability-view-alerts-understand-statuses] From f3dc62a2b02666be951fc7fb4bd99057b8e6d036 Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon Date: Wed, 10 Sep 2025 05:17:00 -0400 Subject: [PATCH 06/14] revise relevance expl --- .../observability/incident-management/view-alerts.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 1ef78d99de..3a21c723ac 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md 
@@ -70,9 +70,14 @@ To view the alert in the app that triggered it: stack: ga 9.1 ``` -Check related alerts for patterns and recurring events that might warrant further investigation. From an alert's details page, go to the **Related alerts** tab to view related alerts. +Check related alerts for patterns and recurring events that might need further investigation. From an alert's details page, go to the **Related alerts** tab to view related alerts. Within the table, alerts are ordered from most to least relevant. To only view alerts that were created around the same time as the current alert (+/- 30 minutes), apply the **Triggered around the same time** filter. + +The relevancy of other alerts is determined by how closely they match the current alert and other similiarites that they might share. The relevancy scoring proccess is briefly outlined below: + +1. Alerts in the space are filtered down to only include alerts that were created about one day before or after the current alert. +2. Data from the new subset of alerts is compared against the current alert to identify matching values and similarities. Data such as the time of which alerts were generated or recovered, tags added to the alerts, alert IDs, and more are evaluated. +3. Alerts are scored based on how closely they match the current alert. Alerts with a score above a certain threshold are considered relevant and are included in the list of related alerts. -Relevance to the current alert is based on how closely attributes such as groups, tags, associated rules, and the time of which an alert was created match. Alerts are scored against this criteria and considered relevant if they reach a certain score. Within the related alerts table, alerts are ordered from most to least relevant. You can apply the **Triggered around the same time** filter to only view alerts that were created around the smae time as the current one. ## Understand alert statuses [observability-view-alerts-understand-statuses] 
From c4ac30a93b5ccf17ef1bdef8a02fd9f292a97e5b Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 22 Sep 2025 23:29:43 -0400 Subject: [PATCH 07/14] Update solutions/observability/incident-management/create-manage-rules.md --- .../observability/incident-management/create-manage-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/observability/incident-management/create-manage-rules.md b/solutions/observability/incident-management/create-manage-rules.md index aece3c912c..6c0352b025 100644 --- a/solutions/observability/incident-management/create-manage-rules.md +++ b/solutions/observability/incident-management/create-manage-rules.md @@ -113,4 +113,4 @@ When creating or editing a rule, add the following resources to help you get sta :::: -* {applies_to}`stack: ga 9.1` **Related and suggested dashboards**: (Only available for custom threshold rules) Link to dashboards that provide useful insights about your environment, active events, and any other information that might be relevant during your investigations. When the rule generates an alert, linked dashboards can be accessed from the **Related dashboards** tab on the alert's details page. From the tab, you can also review and add suggested dashboards. \ No newline at end of file +* {applies_to}`stack: ga 9.1` **Related and suggested dashboards**: Link to dashboards that provide useful insights about your environment, active events, and any other information that might be relevant during your investigations. When the rule generates an alert, linked dashboards can be accessed from the **Related dashboards** tab on the alert's details page. From the tab, you can also review and add suggested dashboards (available for custom threshold rules only). \ No newline at end of file From 6461ba3eeb4147c14c263ef3ec416c3e9ff89b2b Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 22 Sep 2025 23:30:09 -0400 Subject: [PATCH 08/14] Update solutions/observability/incident-management/create-manage-rules.md --- .../observability/incident-management/create-manage-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/observability/incident-management/create-manage-rules.md b/solutions/observability/incident-management/create-manage-rules.md index 6c0352b025..43db6b5c5a 100644 --- a/solutions/observability/incident-management/create-manage-rules.md +++ b/solutions/observability/incident-management/create-manage-rules.md @@ -105,7 +105,7 @@ Rules are disabled on export. You are prompted to re-enable the rule on successf When creating or editing a rule, add the following resources to help you get started with investigating alerts: -* {applies_to}`stack: ga 9.1` **Investigation guide**: Investigation guides can help you respond to alerts more efficiently and consistently. When creating them, you can include instructions for responding to alerts, links to external supporting materials, and more. When the rule generates an alert, the investigation guide can be accessed from the **Investigation guide** tab on the [alert's details page](/solutions/observability/incident-management/view-alerts.md#observability-view-alerts-view-alert-details). +* {applies_to}`stack: ga 9.1` **Investigation guide**: Investigation guides can help you respond to alerts more efficiently and consistently. When creating them, you can include instructions for responding to alerts, links to external supporting materials, and more. When the rule generates an alert, the investigation guide can be accessed from the **Investigation guide** tab on the alert's details page. ::::{tip} From c61828f4901e8b2040eb86529fd94efcddaf4920 Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 22 Sep 2025 23:30:22 -0400 Subject: [PATCH 09/14] Update solutions/observability/incident-management/view-alerts.md Co-authored-by: Bena Kansara <69037875+benakansara@users.noreply.github.com> --- solutions/observability/incident-management/view-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 3a21c723ac..501c092e41 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md @@ -72,7 +72,7 @@ stack: ga 9.1 Check related alerts for patterns and recurring events that might need further investigation. From an alert's details page, go to the **Related alerts** tab to view related alerts. Within the table, alerts are ordered from most to least relevant. To only view alerts that were created around the same time as the current alert (+/- 30 minutes), apply the **Triggered around the same time** filter. -The relevancy of other alerts is determined by how closely they match the current alert and other similiarites that they might share. The relevancy scoring proccess is briefly outlined below: +The relevancy of alerts is determined by how closely they match the current alert and other similiarites that they might share. The relevancy scoring proccess is briefly outlined below: 1. Alerts in the space are filtered down to only include alerts that were created about one day before or after the current alert. 2. Data from the new subset of alerts is compared against the current alert to identify matching values and similarities. Data such as the time of which alerts were generated or recovered, tags added to the alerts, alert IDs, and more are evaluated. From 67e27fdd49407fbebb16cb1e1376534e176bcfb8 Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 22 Sep 2025 23:30:39 -0400 Subject: [PATCH 10/14] Update solutions/observability/incident-management/view-alerts.md Co-authored-by: Bena Kansara <69037875+benakansara@users.noreply.github.com> --- solutions/observability/incident-management/view-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 501c092e41..cebd6461ae 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md @@ -75,7 +75,7 @@ Check related alerts for patterns and recurring events that might need further i The relevancy of alerts is determined by how closely they match the current alert and other similiarites that they might share. The relevancy scoring proccess is briefly outlined below: 1. Alerts in the space are filtered down to only include alerts that were created about one day before or after the current alert. -2. Data from the new subset of alerts is compared against the current alert to identify matching values and similarities. Data such as the time of which alerts were generated or recovered, tags added to the alerts, alert IDs, and more are evaluated. +2. Data from the new subset of alerts is compared against the current alert to identify matching values and similarities. Data such as the time at which alerts were generated or recovered, tags added to the alerts, group values, and more are evaluated. 3. Alerts are scored based on how closely they match the current alert. Alerts with a score above a certain threshold are considered relevant and are included in the list of related alerts. From 7a23ba98a5a1480f3fd94c7e7a2668598f29f67b Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 23 Sep 2025 12:14:55 -0400 Subject: [PATCH 11/14] Update solutions/observability/incident-management/view-alerts.md Co-authored-by: florent-leborgne --- solutions/observability/incident-management/view-alerts.md | 1 - 1 file changed, 1 deletion(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 5fabbe0aa0..0b87c4eca5 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md @@ -66,7 +66,6 @@ To view the alert in the app that triggered it: * From the **Alerts** table, click the {icon}`eye` icon. ## Review related alerts [observability-view-alerts-find-related-alerts] - ```{applies_to} stack: ga 9.1 ``` From ff792ef0cc9563c7b1ef858c6f18090d7a199f85 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 23 Sep 2025 12:15:13 -0400 Subject: [PATCH 12/14] Update solutions/observability/incident-management/create-manage-rules.md Co-authored-by: florent-leborgne --- .../observability/incident-management/create-manage-rules.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/solutions/observability/incident-management/create-manage-rules.md b/solutions/observability/incident-management/create-manage-rules.md index 168642dd38..38145a9d81 100644 --- a/solutions/observability/incident-management/create-manage-rules.md +++ b/solutions/observability/incident-management/create-manage-rules.md 
@@ -109,9 +109,7 @@ When creating or editing a rule, add the following resources to help you get sta * {applies_to}`stack: ga 9.1` **Investigation guide**: Investigation guides can help you respond to alerts more efficiently and consistently. When creating them, you can include instructions for responding to alerts, links to external supporting materials, and more. When the rule generates an alert, the investigation guide can be accessed from the **Investigation guide** tab on the alert's details page. ::::{tip} - Use Markdown to format and structure text in your investigation guide. - :::: * {applies_to}`stack: ga 9.1` **Related and suggested dashboards**: Link to dashboards that provide useful insights about your environment, active events, and any other information that might be relevant during your investigations. When the rule generates an alert, linked dashboards can be accessed from the **Related dashboards** tab on the alert's details page. From the tab, you can also review and add suggested dashboards (available for custom threshold rules only). From 5277ec9ad904006a91a6e41ef98b8e512a042708 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 23 Sep 2025 12:15:29 -0400 Subject: [PATCH 13/14] Update solutions/observability/incident-management/view-alerts.md Co-authored-by: florent-leborgne --- solutions/observability/incident-management/view-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index 0b87c4eca5..a2a0e3b0d2 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md 
@@ -72,7 +72,7 @@ stack: ga 9.1 Check related alerts for patterns and recurring events that might need further investigation. From an alert's details page, go to the **Related alerts** tab to view related alerts. Within the table, alerts are ordered from most to least relevant. To only view alerts that were created around the same time as the current alert (+/- 30 minutes), apply the **Triggered around the same time** filter. -The relevancy of alerts is determined by how closely they match the current alert and other similiarites that they might share. The relevancy scoring proccess is briefly outlined below: +The relevancy of alerts is determined by how closely they match the current alert and other similiarites that they might share: 1. Alerts in the space are filtered down to only include alerts that were created about one day before or after the current alert. 2. Data from the new subset of alerts is compared against the current alert to identify matching values and similarities. Data such as the time at which alerts were generated or recovered, tags added to the alerts, group values, and more are evaluated. From 8892d041c96d064256aacfc833be1c0024ae197a Mon Sep 17 00:00:00 2001 From: Bena Kansara <69037875+benakansara@users.noreply.github.com> Date: Fri, 26 Sep 2025 16:50:32 +0200 Subject: [PATCH 14/14] Apply suggestion from @nastasha-solomon Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- solutions/observability/incident-management/view-alerts.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md index a2a0e3b0d2..88da30bd03 100644 --- a/solutions/observability/incident-management/view-alerts.md +++ b/solutions/observability/incident-management/view-alerts.md 
@@ -70,7 +70,9 @@ To view the alert in the app that triggered it: stack: ga 9.1 ``` -Check related alerts for patterns and recurring events that might need further investigation. From an alert's details page, go to the **Related alerts** tab to view related alerts. Within the table, alerts are ordered from most to least relevant. To only view alerts that were created around the same time as the current alert (+/- 30 minutes), apply the **Triggered around the same time** filter. +Check related alerts to find other alerts that might be related to the same incident. You can add these alerts to a case and investigate them as a group instead of analyzing them individually. + +To find related alerts, go to the **Related alerts** tab from an alert's details page. Within the table, alerts are ordered from most to least relevant. To only view alerts that were created around the same time as the current alert (+/- 30 minutes), apply the **Triggered around the same time** filter. The relevancy of alerts is determined by how closely they match the current alert and other similiarites that they might share:
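Review bot: the new last line of create-manage-rules.md in the second hunk of PATCH 05/14 (the `* {applies_to}`stack: ga 9.1` **Related and suggested dashboards**` item) is still marked `\ No newline at end of file`, so the hunk fixes the missing trailing newline on the old last line only to reintroduce it on the new one; end the file with a newline. Also worth a second look in the same hunk: the section is moved from its PATCH 01/14 position (before `## View rule details`) to after `## Import and export rules`, so guidance on what to add while creating a rule now sits at the very end of the page after the management topics. If it is meant to stay next to rule creation, keep it before `## View rule details`.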
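Review bot: in the PATCH 06/14 hunk on view-alerts.md, removing the old `-Relevance to the current alert...` paragraph leaves both of its surrounding blank lines in place, so the file now has two consecutive blank lines between step 3 and `## Understand alert statuses`; drop one. Same hunk: `similiarites` and `proccess` are misspelled (`similarities`, `process`), and steps 1 and 3 leave the time window and the score threshold unspecified (`about one day`, `a certain threshold`). If those are fixed values, state them; if they are internal and may change, say so, so readers do not expect to tune them.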
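Review bot: the PATCH 08/14 hunk drops the cross-link to `/solutions/observability/incident-management/view-alerts.md#observability-view-alerts-view-alert-details` from the investigation guide item, leaving plain text `the alert's details page` while the sentence still sends the reader there. If the anchor resolves, keep the link, since it is the only pointer from this page to where the guide is surfaced; if it was removed because the fragment does not exist, link the page without the fragment instead.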
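Review bot: the PATCH 13/14 hunk on view-alerts.md removes `The relevancy scoring proccess is briefly outlined below` but keeps `similiarites`, so the lead-in to the numbered list still carries a typo and now reads awkwardly as `match the current alert and other similiarites that they might share:`. Suggest `The relevancy of alerts is determined by how closely they match the current alert. Scoring works as follows:` or similar, which fixes the spelling and gives the list a proper introduction.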
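Review bot: in the PATCH 14/14 hunk, `Check related alerts to find other alerts that might be related to the same incident` repeats "related" three times in one sentence; `Check related alerts to find other alerts that might belong to the same incident` reads more cleanly. The added sentence about adding the alerts to a case is the first mention of cases on this page, so if the docs have a cases page, link it from `add these alerts to a case`.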