From 3ee1f066e3efa4018fd556f3c292a2f176e1f5a4 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 6 Oct 2025 22:55:36 -0400 Subject: [PATCH 1/5] First draft --- .../alerts-cases/cases/manage-cases.md | 8 ++++++++ .../incident-management/create-manage-cases.md | 10 +++++++++- .../security/investigate/open-manage-cases.md | 17 ++++++++++++++++- 3 files changed, 33 insertions(+), 2 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/manage-cases.md b/explore-analyze/alerts-cases/cases/manage-cases.md index a079c774fc..93ab2085eb 100644 --- a/explore-analyze/alerts-cases/cases/manage-cases.md +++ b/explore-analyze/alerts-cases/cases/manage-cases.md @@ -138,3 +138,11 @@ To view a case, click on its name. You can then: * Change the severity. * Close or delete the case. * Reopen a closed case. + +### Search and filter by case ID [cases-id] + +```{applies_to} +stack: ga 9.2 +``` + +Existing and new cases are automatically assigned numeric IDs, which display after the case name. Use these IDs to quickly search and filter the Cases table. You can also use them for simplified tracking and collaboration when communicating about a case. diff --git a/solutions/observability/incident-management/create-manage-cases.md b/solutions/observability/incident-management/create-manage-cases.md index de5d3c8adc..90d0c20980 100644 --- a/solutions/observability/incident-management/create-manage-cases.md +++ b/solutions/observability/incident-management/create-manage-cases.md 
@@ -98,4 +98,12 @@ To view a case, click on its name. You can then: * Remove an alert. * Refresh the case to retrieve the latest updates. * Close the case. -* Reopen a closed case. \ No newline at end of file +* Reopen a closed case. + +## Search and filter by case ID [cases-id] + +```{applies_to} +stack: ga 9.2 +``` + +Existing and new cases are automatically assigned numeric IDs, which display after the case name. Use these IDs to quickly search and filter the Cases table.You can also use them for simplified tracking and collaboration when communicating about a case. \ No newline at end of file diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index a15186be2f..d8dd814b67 100644 --- a/solutions/security/investigate/open-manage-cases.md +++ b/solutions/security/investigate/open-manage-cases.md @@ -95,7 +95,7 @@ To explore a case, click on its name. You can then: Comments can contain Markdown. For syntax help, click the Markdown icon (![Click markdown icon](/solutions/images/security-markdown-icon.png "title =20x20")) in the bottom right of the comment. :::: -* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) attached to the case +* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts), [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case), and {applies_to}`stack: ga 9.2.0` events attached to the case * [Add files](/solutions/security/investigate/open-manage-cases.md#cases-add-files) * [Add a Lens visualization](/solutions/security/investigate/open-manage-cases.md#cases-lens-visualization) * Modify the case’s description, assignees, category, severity, status, and tags. 
@@ -147,6 +147,13 @@ To explore the alerts attached to a case, click the **Alerts** tab. In the table Each case can have a maximum of 1,000 alerts. :::: +### Examine events attached to a case [cases-examine-events] + +```{applies_to} +stack: ga 9.2 +``` + +To explore the events attached to a case, click the **Events** tab. In the table, alerts are organized from oldest to newest. To view event details, click the **View details** button. ### Add files [cases-add-files] @@ -328,3 +335,11 @@ To import a case: * If the imported case had attached alerts, verify that the alerts' source documents exist in the environment. Case features that interact with alerts (such as the Alert details flyout and rule details page) rely on the alerts' source documents to function. :::: + +## Search and filter by case ID [cases-id] + +```{applies_to} +stack: ga 9.2 +``` + +Existing and new cases are automatically assigned numeric IDs, which display after the case name. Use these IDs to quickly search and filter the Cases table. You can also use them for simplified tracking and collaboration when communicating about a case. From a22db5433236f59243ae5090f19f6b1f75f9e87e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 6 Oct 2025 23:00:11 -0400 Subject: [PATCH 2/5] Minor revision --- solutions/security/investigate/open-manage-cases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index d8dd814b67..5adeef1d92 100644 --- a/solutions/security/investigate/open-manage-cases.md +++ b/solutions/security/investigate/open-manage-cases.md 
@@ -153,7 +153,7 @@ Each case can have a maximum of 1,000 alerts. stack: ga 9.2 ``` -To explore the events attached to a case, click the **Events** tab. In the table, alerts are organized from oldest to newest. To view event details, click the **View details** button. +You can add events to cases from the Events table (which you can access from **Events** tab on the **Hosts**, **Network**, or **Users** pages) or Timeline. To examine attached events, open the appropriate case, then click the **Events** tab. In the table, alerts are organized from oldest to newest. To view event details, clieck the **View details** button. ### Add files [cases-add-files] From 17b0ac1788a36f78b9d9b665405bede010689213 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 7 Oct 2025 09:19:15 -0400 Subject: [PATCH 3/5] Fix level --- explore-analyze/alerts-cases/cases/manage-cases.md | 2 +- .../observability/incident-management/create-manage-cases.md | 2 +- solutions/security/investigate/open-manage-cases.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/manage-cases.md b/explore-analyze/alerts-cases/cases/manage-cases.md index 93ab2085eb..64b4d89689 100644 --- a/explore-analyze/alerts-cases/cases/manage-cases.md +++ b/explore-analyze/alerts-cases/cases/manage-cases.md @@ -139,7 +139,7 @@ To view a case, click on its name. You can then: * Close or delete the case. * Reopen a closed case. -### Search and filter by case ID [cases-id] +## Search and filter by case ID [cases-id] ```{applies_to} stack: ga 9.2 diff --git a/solutions/observability/incident-management/create-manage-cases.md b/solutions/observability/incident-management/create-manage-cases.md index 90d0c20980..80668a25a5 100644 --- a/solutions/observability/incident-management/create-manage-cases.md +++ b/solutions/observability/incident-management/create-manage-cases.md 
@@ -106,4 +106,4 @@ To view a case, click on its name. You can then: stack: ga 9.2 ``` -Existing and new cases are automatically assigned numeric IDs, which display after the case name. Use these IDs to quickly search and filter the Cases table.You can also use them for simplified tracking and collaboration when communicating about a case. \ No newline at end of file +Existing and new cases are automatically assigned numeric IDs, which display after the case name. Use these IDs to quickly search and filter the Cases table. You can also use them for simplified tracking and collaboration when communicating about a case. \ No newline at end of file diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index 5adeef1d92..b3e46a0c51 100644 --- a/solutions/security/investigate/open-manage-cases.md +++ b/solutions/security/investigate/open-manage-cases.md @@ -153,7 +153,7 @@ Each case can have a maximum of 1,000 alerts. stack: ga 9.2 ``` -You can add events to cases from the Events table (which you can access from **Events** tab on the **Hosts**, **Network**, or **Users** pages) or Timeline. To examine attached events, open the appropriate case, then click the **Events** tab. In the table, alerts are organized from oldest to newest. To view event details, clieck the **View details** button. +After adding events to cases from the Events table (which you can access from **Events** tab on the **Hosts**, **Network**, or **Users** pages) or from Timeline, you can examine them in the case's **Events** tab. Within the tab, alerts are organized from newest to oldest. Click the **View details** button the find out more about the event. ### Add files [cases-add-files] From 9edbb4bd266db681da602cdc6a841925c3e6efdd Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon Date: Tue, 7 Oct 2025 13:56:12 -0400 Subject: [PATCH 4/5] Remove docs for events --- solutions/security/investigate/open-manage-cases.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index b3e46a0c51..870b4360e1 100644 --- a/solutions/security/investigate/open-manage-cases.md +++ b/solutions/security/investigate/open-manage-cases.md @@ -147,15 +147,6 @@ To explore the alerts attached to a case, click the **Alerts** tab. In the table Each case can have a maximum of 1,000 alerts. :::: -### Examine events attached to a case [cases-examine-events] - -```{applies_to} -stack: ga 9.2 -``` - -After adding events to cases from the Events table (which you can access from **Events** tab on the **Hosts**, **Network**, or **Users** pages) or from Timeline, you can examine them in the case's **Events** tab. Within the tab, alerts are organized from newest to oldest. Click the **View details** button the find out more about the event. - - ### Add files [cases-add-files] To upload files to a case, click the **Files** tab: From d8def37cc6242160a6f7690b8881e77af895f461 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 7 Oct 2025 13:56:43 -0400 Subject: [PATCH 5/5] Update open-manage-cases.md --- solutions/security/investigate/open-manage-cases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index 870b4360e1..0ce257b07f 100644 --- a/solutions/security/investigate/open-manage-cases.md +++ b/solutions/security/investigate/open-manage-cases.md 
@@ -95,7 +95,7 @@ To explore a case, click on its name. You can then: Comments can contain Markdown. For syntax help, click the Markdown icon (![Click markdown icon](/solutions/images/security-markdown-icon.png "title =20x20")) in the bottom right of the comment. :::: -* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts), [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case), and {applies_to}`stack: ga 9.2.0` events attached to the case +* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) attached to the case * [Add files](/solutions/security/investigate/open-manage-cases.md#cases-add-files) * [Add a Lens visualization](/solutions/security/investigate/open-manage-cases.md#cases-lens-visualization) * Modify the case’s description, assignees, category, severity, status, and tags.
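Review bot: The paragraph added in the `manage-cases.md` hunk of [PATCH 1/5] (`@@ -138,3 +138,11 @@`) tells readers to "Use these IDs to quickly search and filter the Cases table" but never says where the ID is entered or what form it takes. Please add one sentence naming the control on the Cases page that accepts the ID, and apply it to the identical paragraphs in the other two files. The heading in this hunk is also `###` while the other two files use `##`; [PATCH 3/5] corrects it, so the fix could be folded into this commit.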
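Review bot: The new last line of `create-manage-cases.md` in [PATCH 1/5] (`@@ -98,4 +98,12 @@`) is still followed by `\ No newline at end of file`, and the rewrite of the same line in [PATCH 3/5] keeps that marker. Please end the file with a newline so later appends do not show up as a change to this paragraph. The same line has `Cases table.You can` with no space after the period; that is only fixed in [PATCH 3/5] and would be cleaner corrected here.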
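Review bot: In the `open-manage-cases.md` hunk `@@ -147,6 +147,13 @@` of [PATCH 1/5], the new "Examine events attached to a case" paragraph says "In the table, alerts are organized from oldest to newest", which looks copied from the Alerts section above it. If the Events tab lists events, the sentence should say "events". The same wording is carried through [PATCH 2/5] and [PATCH 3/5].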
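Review bot: The section added at the end of `open-manage-cases.md` in [PATCH 1/5] (`@@ -328,3 +335,11 @@`) is the third verbatim copy of the same paragraph with the same `[cases-id]` anchor, and the copies already drifted within this commit (a `###` heading in one file, a missing space in another). Consider keeping the text in one place and referencing it from the three pages. In this file it also lands directly after the import-case note, away from the material about exploring cases; a position nearer that content would be easier to find.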
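Review bot: The replacement line in [PATCH 2/5] (`@@ -153,7 +153,7 @@`) introduces the typo `clieck` and drops the article in "access from **Events** tab". Suggested wording: "which you can access from the **Events** tab" and "click the **View details** button".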
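Review bot: The `open-manage-cases.md` hunk of [PATCH 3/5] (`@@ -153,7 +153,7 @@`) reverses the documented sort order from "oldest to newest" to "newest to oldest" under the subject "Fix level", with nothing in the commit message to say which order is correct. Please confirm the order against the product and move this prose change into its own commit, since it is unrelated to the heading-level fix in the other two hunks. The new sentence also reads "button the find out more"; it should be "button to find out more".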
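Review bot: The list-item revert in [PATCH 5/5] (`@@ -95,7 +95,7 @@`) completes the events removal started in [PATCH 4/5], so after 4/5 alone the page still advertises "events attached to the case" with no section describing them. Please squash 5/5 into 4/5 and give the combined commit a subject that states the reason for the removal; "Update open-manage-cases.md" does not tell a later reader what changed. If the events text returns in a later change, note that the inline tag used `stack: ga 9.2.0` while the section blocks use `stack: ga 9.2`, and pick one form.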