From 3c5f68341d0fe2e04e5d6a7cf119179aba424390 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 7 Oct 2025 09:32:35 -0400 Subject: [PATCH 1/4] First draft --- solutions/security/investigate/open-manage-cases.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index a15186be2f..7d8ee31fa3 100644 --- a/solutions/security/investigate/open-manage-cases.md +++ b/solutions/security/investigate/open-manage-cases.md @@ -95,7 +95,7 @@ To explore a case, click on its name. You can then: Comments can contain Markdown. For syntax help, click the Markdown icon (![Click markdown icon](/solutions/images/security-markdown-icon.png "title =20x20")) in the bottom right of the comment. :::: -* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) attached to the case +* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case), and {applies_to}`stack: ga 9.2.0` [events](/solutions/security/investigate/open-manage-cases.md#cases-examine-events) attached to the case * [Add files](/solutions/security/investigate/open-manage-cases.md#cases-add-files) * [Add a Lens visualization](/solutions/security/investigate/open-manage-cases.md#cases-lens-visualization) * Modify the case’s description, assignees, category, severity, status, and tags. 
@@ -147,7 +147,13 @@ To explore the alerts attached to a case, click the **Alerts** tab. In the table Each case can have a maximum of 1,000 alerts. :::: +### Examine events attached to a case [cases-examine-events] +```{applies_to} +stack: ga 9.2 +``` + +After adding events to cases from the Events table (which you can access from **Events** tab on the **Hosts**, **Network**, or **Users** pages) or from Timeline, you can examine them in the case's **Events** tab. Within the tab, alerts are organized from newest to oldest. Click the **View details** button the find out more about the event. ### Add files [cases-add-files] From a9bfe1eb3f4a3439b24aee959d93eb6bd14e1f6f Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 7 Oct 2025 12:53:32 -0400 Subject: [PATCH 2/4] Update solutions/security/investigate/open-manage-cases.md Co-authored-by: florent-leborgne --- solutions/security/investigate/open-manage-cases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index 7d8ee31fa3..7645b085b1 100644 --- a/solutions/security/investigate/open-manage-cases.md +++ b/solutions/security/investigate/open-manage-cases.md 
@@ -95,7 +95,7 @@ To explore a case, click on its name. You can then: Comments can contain Markdown. For syntax help, click the Markdown icon (![Click markdown icon](/solutions/images/security-markdown-icon.png "title =20x20")) in the bottom right of the comment. :::: -* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) and [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case), and {applies_to}`stack: ga 9.2.0` [events](/solutions/security/investigate/open-manage-cases.md#cases-examine-events) attached to the case +* Examine [alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts), [indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case), and {applies_to}`stack: ga 9.2.0` [events](/solutions/security/investigate/open-manage-cases.md#cases-examine-events) attached to the case * [Add files](/solutions/security/investigate/open-manage-cases.md#cases-add-files) * [Add a Lens visualization](/solutions/security/investigate/open-manage-cases.md#cases-lens-visualization) * Modify the case’s description, assignees, category, severity, status, and tags. From 7fbbd31a84dc903866ebc75cd58f301e8075f9c8 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 7 Oct 2025 12:53:39 -0400 Subject: [PATCH 3/4] Update solutions/security/investigate/open-manage-cases.md Co-authored-by: florent-leborgne --- solutions/security/investigate/open-manage-cases.md | 1 - 1 file changed, 1 deletion(-) diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index 7645b085b1..ac5b0e70ad 100644 --- a/solutions/security/investigate/open-manage-cases.md +++ b/solutions/security/investigate/open-manage-cases.md 
@@ -148,7 +148,6 @@ Each case can have a maximum of 1,000 alerts. :::: ### Examine events attached to a case [cases-examine-events] - ```{applies_to} stack: ga 9.2 ``` From d4334d37bf58a360f1a849fd09c884cb7472b509 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 7 Oct 2025 13:18:02 -0400 Subject: [PATCH 4/4] Update solutions/security/investigate/open-manage-cases.md Co-authored-by: florent-leborgne --- solutions/security/investigate/open-manage-cases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index ac5b0e70ad..1aec0b24ea 100644 --- a/solutions/security/investigate/open-manage-cases.md +++ b/solutions/security/investigate/open-manage-cases.md @@ -152,7 +152,7 @@ Each case can have a maximum of 1,000 alerts. stack: ga 9.2 ``` -After adding events to cases from the Events table (which you can access from **Events** tab on the **Hosts**, **Network**, or **Users** pages) or from Timeline, you can examine them in the case's **Events** tab. Within the tab, alerts are organized from newest to oldest. Click the **View details** button the find out more about the event. +After adding events to cases from the Events table (which you can access from the **Events** tab on the **Hosts**, **Network**, or **Users** pages) or from Timeline, you can examine them in the case's **Events** tab. Within the tab, alerts are organized from newest to oldest. Click the **View details** button the find out more about the event. ### Add files [cases-add-files]
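Review bot: In the final added line of the [PATCH 4/4] hunk (the paragraph under "Examine events attached to a case"), the sentence "Within the tab, alerts are organized from newest to oldest" describes the case's **Events** tab, so "alerts" should read "events"; it looks carried over from the Alerts section just above. The same line still has "Click the **View details** button the find out more about the event", where "the find" should be "to find". Both slips were introduced in [PATCH 1/4] and survive the article fix made here, so they are worth folding into this commit.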
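Review bot: The inline badge on the list item in the [PATCH 2/4] hunk is written as `stack: ga 9.2.0`, while the section-level `applies_to` block under the `cases-examine-events` heading (added in [PATCH 1/4], untouched by the later commits) is `stack: ga 9.2`. Use the same version form in both places so the list entry and the section it links to state the same availability.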