From fb7963f9c8aea38172a83860979346d04feb47fc Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 16 Dec 2025 12:49:10 -0500 Subject: [PATCH 1/6] First draft --- .../alerts-cases/cases/manage-cases.md | 72 +++++++---- .../create-manage-cases.md | 37 ++++-- .../security/investigate/open-manage-cases.md | 113 ++++++++++-------- 3 files changed, 136 insertions(+), 86 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/manage-cases.md b/explore-analyze/alerts-cases/cases/manage-cases.md index 6b003e90e5..a124a5ceff 100644 --- a/explore-analyze/alerts-cases/cases/manage-cases.md +++ b/explore-analyze/alerts-cases/cases/manage-cases.md @@ -88,25 +88,6 @@ For self-managed {{kib}}: When you subsequently add assignees to cases, they receive an email. -## Add files [add-case-files] - -After you create a case, you can upload and manage files on the **Files** tab. To find the tab: - -- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. -- {applies_to}`stack: ga 9.0`: Go to the case's details page. - -To download or delete the file or copy the file hash to your clipboard, open the action menu {icon}`boxes_horizontal`. The available hash functions are MD5, SHA-1, and SHA-256. - -When you upload a file, a comment is added to the case activity log. To view an image, click its name in the activity or file list. - -::::{note} -Uploaded files are also accessible from the **Files** management page, which you can find using the navigation menu or entering `Files` into the [global search field](../../../explore-analyze/find-and-organize/find-apps-and-objects.md). -:::: - -::::{important} -When you export cases as [saved objects](/explore-analyze/find-and-organize/saved-objects.md), the attached case files are not exported. -:::: - ## Add visualizations [add-case-visualization] You can also optionally add visualizations. For example, you can portray event and alert data through charts and graphs. 
@@ -144,7 +125,52 @@ To view a case, click on its name. You can then: * Add a connector (if you did not select one while creating the case). * Send updates to external systems (if external connections are configured). * Refresh the case to retrieve the latest updates. -* Add and manage the following items: - * Alerts - * Files - * Observables \ No newline at end of file + +## Add context and supporting evidence [add-case-context] + +% Need to review this and add appropriate applies to tags + +Provide additional context for the case and helpful resources by adding the following items: +* [Alerts](#add-case-alerts) +* [Files](#add-case-files) +* [Observables](#add-case-observables) + +::::{tip} +:applies_to: {stack: ga 9.3} +From the **Attachments** tab, you can search for specific observable values, alert and event IDs, and file names. +:::: + +### Add alerts [add-case-alerts] + +Escalate alerts and track them in a single place by [adding them to cases](../../../solutions/observability/incident-management/view-alerts.md#observability-view-alerts-add-alerts-to-cases). + +To examine the alerts attached to a case, click the **Alerts** tab. In the table, alerts are organized from oldest to newest. To view alert details, click the **View details** button. + +You can find the **Alerts** tab in the following places: + +- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. +- {applies_to}`stack: ga 9.0`: Go to the case's details page. + + +### Add files [add-case-files] + +After you create a case, you can upload and manage files on the **Files** tab. To find the tab: + +- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. +- {applies_to}`stack: ga 9.0`: Go to the case's details page. + +To download or delete the file or copy the file hash to your clipboard, open the action menu {icon}`boxes_horizontal`. The available hash functions are MD5, SHA-1, and SHA-256. 
+ +When you upload a file, a comment is added to the case activity log. To view an image, click its name in the activity or file list. + +::::{note} +Uploaded files are also accessible from the **Files** management page, which you can find using the navigation menu or entering `Files` into the [global search field](../../../explore-analyze/find-and-organize/find-apps-and-objects.md). +:::: + +::::{important} +When you export cases as [saved objects](/explore-analyze/find-and-organize/saved-objects.md), the attached case files are not exported. +:::: + +### Add observables [add-case-observables] + +% Add applies to tag and snippet \ No newline at end of file diff --git a/solutions/observability/incident-management/create-manage-cases.md b/solutions/observability/incident-management/create-manage-cases.md index 6439d5b8ea..a002dbde8b 100644 --- a/solutions/observability/incident-management/create-manage-cases.md +++ b/solutions/observability/incident-management/create-manage-cases.md @@ -74,13 +74,6 @@ You can also create a case from an alert or add an alert to an existing case. Fr :::: - - -## Add files [observability-create-a-new-case-add-files] - -:::{include} /solutions/_snippets/add-case-files.md -::: - ## Send cases to external incident management systems [observability-create-a-new-case-send-cases-to-external-incident-management-systems] To send a case to an external system, click the ![push](/solutions/images/serverless-importAction.svg "") button in the **External incident management system** section of the individual case page. This information is not sent automatically. If you make further changes to the shared case fields, you should push the case again. 
@@ -100,6 +93,30 @@ To view a case, click on its name. You can then: * Add a connector (if you did not select one while creating the case). * Send updates to external systems (if external connections are configured). * Refresh the case to retrieve the latest updates. -* Add and manage the following items: - * Alerts - * Files \ No newline at end of file + +## Add context and supporting evidence [observability-create-a-new-case-add-context] + +Provide additional context for the case and helpful resources by adding the following items: +* [Alerts](#observability-create-a-new-case-examine-alerts) +* [Files](#observability-create-a-new-case-add-files) + +::::{tip} +:applies_to: {stack: ga 9.3} +From the **Attachments** tab, you can search for specific observable values, alert and event IDs, and file names. +:::: + +### Add alerts [observability-create-a-new-case-examine-alerts] + +Escalate alerts and track them in a single place by [adding them to cases](../../observability/incident-management/view-alerts.md#observability-view-alerts-add-alerts-to-cases). + +To examine the alerts attached to a case, click the **Alerts** tab. In the table, alerts are organized from oldest to newest. To [view alert details](/solutions/security/detect-and-alert/view-detection-alert-details.md), click the **View details** button. + +You can find the **Alerts** tab in the following places: + +- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. +- {applies_to}`stack: ga 9.0`: Go to the case's details page. + +### Add files [observability-create-a-new-case-add-files] + +:::{include} /solutions/_snippets/add-case-files.md +::: \ No newline at end of file diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index fc6ab2d1ad..5a2f209eaa 100644 --- a/solutions/security/investigate/open-manage-cases.md +++ b/solutions/security/investigate/open-manage-cases.md 
@@ -99,12 +99,6 @@ To explore a case, click on its name. You can then: Comments can contain Markdown. For syntax help, click the Markdown icon (![Click markdown icon](/solutions/images/security-markdown-icon.png "title =20x20")) in the bottom right of the comment. :::: -* Add and manage the following items: - * [Alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts) - * [Indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) - * {applies_to}`stack: ga 9.2.0` [Events](/solutions/security/investigate/open-manage-cases.md#cases-examine-events) - * [Files](/solutions/security/investigate/open-manage-cases.md#cases-add-files) - * [Observables](/solutions/security/investigate/open-manage-cases.md#cases-add-observables) * [Manage connectors](/solutions/security/investigate/configure-case-settings.md#cases-ui-integrations) and send updates to external systems (if you’ve added a connector to the case) * [Copy the case UUID](/solutions/security/investigate/open-manage-cases.md#cases-copy-case-uuid) * Refresh the case to retrieve the latest updates 
@@ -132,21 +126,36 @@ To edit, delete, or quote a comment, select the appropriate option from the **Mo :screenshot: ::: +## Add context and supporting evidence [cases-add-context] -### Examine alerts attached to a case [cases-examine-alerts] +Provide additional context for the case and helpful resources by adding the following items: +* [Alerts](#cases-examine-alerts) +* [Indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) +* {applies_to}`stack: ga 9.2.0` [Events](#cases-examine-events) +* [Files](#cases-add-files) +* [Observables](#cases-add-observables) -To explore the alerts attached to a case, click the **Alerts** tab. In the table, alerts are organized from oldest to newest. To [view alert details](/solutions/security/detect-and-alert/view-detection-alert-details.md), click the **View details** button. +::::{tip} +:applies_to: {stack: ga 9.3} +From the **Attachments** tab, you can search for specific observable values, alert and event IDs, and file names. +:::: + +### Add alerts [cases-examine-alerts] + +Escalate alerts and track them in a single place by attaching them to cases. You can add alerts from an investigation that you've opened in Timeline, or from the **Alerts** page. + +To examine the alerts attached to a case, click the **Alerts** tab. In the table, alerts are organized from oldest to newest. To [view alert details](/solutions/security/detect-and-alert/view-detection-alert-details.md), click the **View details** button. You can find the **Alerts** tab in the following places: - {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. -- {applies_to}`stack: ga 9.0`: Go to the case's details page. +- {applies_to}`stack: ga 9.0`: Go to the case's details page. ::::{important} Each case can have a maximum of 1,000 alerts. :::: -### Examine events attached to a case [cases-examine-events] +### Add events [cases-examine-events] ```{applies_to} stack: ga 9.2 ``` 
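Review bot: the Events item in this hunk of open-manage-cases.md is tagged "stack: ga 9.2.0" while every other applies_to tag in the same hunk, and the Events section's own applies_to block two lines below, uses the two-part form "stack: ga 9.2"; pick one form so the rendered version badges match. The new "Add alerts" paragraph also loses the links the old bulleted list carried: "You can add alerts from an investigation that you've opened in Timeline, or from the **Alerts** page." names both entry points without linking either, so link Timeline and the Alerts-page procedure here. The "ga 9.0" line is a whitespace-only change (removed and added text are identical), which is harmless but worth knowing when reading the diff.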
@@ -165,48 +174,6 @@ You can find the **Events** tab in the following places: :::{include} /solutions/_snippets/add-case-files.md ::: -### Add a Lens visualization [cases-lens-visualization] - -::::{warning} -This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. -:::: - - -Add a Lens visualization to your case to portray event and alert data through charts and graphs. - -:::{image} /solutions/images/security-add-vis-to-case.gif -:alt: Shows how to add a visualization to a case -:screenshot: -::: - -To add a Lens visualization to a comment within your case: - -1. Click the **Visualization** button. The **Add visualization** dialog appears. -2. Select an existing visualization from your Visualize Library or create a new visualization. - - ::::{important} - Set an absolute time range for your visualization. This ensures your visualization doesn’t change over time after you save it to your case, and provides important context for others managing the case. - :::: - -3. Save the visualization to your Visualize Library by clicking the **Save to library** button (optional). - - 1. Enter a title and description for the visualization. - 2. Choose if you want to keep the **Update panel on Security** activated. This option is activated by default and automatically adds the visualization to your Visualize Library. - -4. After you’ve finished creating your visualization, click **Save and return** to go back to your case. -5. Click **Preview** to show how the visualization will appear in the case comment. -6. Click **Add Comment** to add the visualization to your case. - -Alternatively, while viewing a [dashboard](/solutions/security/dashboards.md) you can open a panel’s menu then click **More actions (…) → Add to existing case** or **More actions (…) → Add to new case**. 
- -After a visualization has been added to a case, you can modify or interact with it by clicking the **Open Visualization** option in the case’s comment menu. - -:::{image} /solutions/images/security-cases-open-vis.png -:alt: Shows where the Open Visualization option is -:screenshot: -::: - - ### Add observables [cases-add-observables] ::::{admonition} Requirements @@ -242,7 +209,7 @@ After adding an observable to a case, you can remove or edit it by using the **A Go to the **Similar cases** tab to access other cases with the same observables. :::: -### Copy the case UUID [cases-copy-case-uuid] +## Copy the case UUID [cases-copy-case-uuid] Each case has a universally unique identifier (UUID) that you can copy and share. To copy a case’s UUID to a clipboard, go to the Cases page and select **Actions** → **Copy Case ID** for the case you want to share. Alternatively, go to a case’s details page, then from the **More actions** menu (…), select **Copy Case ID**. 
@@ -252,6 +219,46 @@ Each case has a universally unique identifier (UUID) that you can copy and share :screenshot: ::: +## Add a Lens visualization [cases-lens-visualization] + +::::{warning} +This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. +:::: + + +Add a Lens visualization to your case to portray event and alert data through charts and graphs. + +:::{image} /solutions/images/security-add-vis-to-case.gif +:alt: Shows how to add a visualization to a case +:screenshot: +::: + +To add a Lens visualization to a comment within your case: + +1. Click the **Visualization** button. The **Add visualization** dialog appears. +2. Select an existing visualization from your Visualize Library or create a new visualization. + + ::::{important} + Set an absolute time range for your visualization. This ensures your visualization doesn’t change over time after you save it to your case, and provides important context for others managing the case. + :::: + +3. Save the visualization to your Visualize Library by clicking the **Save to library** button (optional). + + 1. Enter a title and description for the visualization. + 2. Choose if you want to keep the **Update panel on Security** activated. This option is activated by default and automatically adds the visualization to your Visualize Library. + +4. After you’ve finished creating your visualization, click **Save and return** to go back to your case. +5. Click **Preview** to show how the visualization will appear in the case comment. +6. Click **Add Comment** to add the visualization to your case. + +Alternatively, while viewing a [dashboard](/solutions/security/dashboards.md) you can open a panel’s menu then click **More actions (…) → Add to existing case** or **More actions (…) → Add to new case**. 
+ +After a visualization has been added to a case, you can modify or interact with it by clicking the **Open Visualization** option in the case’s comment menu. + +:::{image} /solutions/images/security-cases-open-vis.png +:alt: Shows where the Open Visualization option is +:screenshot: +::: ## Export and import cases [cases-export-import] From d5f5638a181eafc3414c5fef4cf991a0c4f688f8 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 16 Dec 2025 15:32:32 -0500 Subject: [PATCH 2/6] More movement --- .../alerts-cases/cases/manage-cases.md | 38 +++++-------- solutions/_snippets/add-case-alerts.md | 10 ++++ solutions/_snippets/add-case-observables.md | 27 ++++++++++ .../create-manage-cases.md | 16 +++--- .../security/investigate/open-manage-cases.md | 54 ++++--------------- 5 files changed, 68 insertions(+), 77 deletions(-) create mode 100644 solutions/_snippets/add-case-alerts.md create mode 100644 solutions/_snippets/add-case-observables.md diff --git a/explore-analyze/alerts-cases/cases/manage-cases.md b/explore-analyze/alerts-cases/cases/manage-cases.md index a124a5ceff..9d54e98978 100644 --- a/explore-analyze/alerts-cases/cases/manage-cases.md +++ b/explore-analyze/alerts-cases/cases/manage-cases.md @@ -126,11 +126,9 @@ To view a case, click on its name. You can then: * Send updates to external systems (if external connections are configured). * Refresh the case to retrieve the latest updates. -## Add context and supporting evidence [add-case-context] +## Add context and supporting materials [add-case-context] -% Need to review this and add appropriate applies to tags - -Provide additional context for the case and helpful resources by adding the following items: +Provide additional context and resources by adding the following to the case: * [Alerts](#add-case-alerts) * [Files](#add-case-files) * [Observables](#add-case-observables) 
@@ -142,35 +140,27 @@ From the **Attachments** tab, you can search for specific observable values, ale ### Add alerts [add-case-alerts] -Escalate alerts and track them in a single place by [adding them to cases](../../../solutions/observability/incident-management/view-alerts.md#observability-view-alerts-add-alerts-to-cases). - -To examine the alerts attached to a case, click the **Alerts** tab. In the table, alerts are organized from oldest to newest. To view alert details, click the **View details** button. - -You can find the **Alerts** tab in the following places: - -- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. -- {applies_to}`stack: ga 9.0`: Go to the case's details page. +:::{include} /solutions/_snippets/add-case-alerts.md +::: +::::{note} +Refer to [](../../../solutions/observability/incident-management/view-alerts.md#observability-view-alerts-add-alerts-to-cases) to learn how to add alerts to cases. +:::: ### Add files [add-case-files] -After you create a case, you can upload and manage files on the **Files** tab. To find the tab: - -- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. -- {applies_to}`stack: ga 9.0`: Go to the case's details page. - -To download or delete the file or copy the file hash to your clipboard, open the action menu {icon}`boxes_horizontal`. The available hash functions are MD5, SHA-1, and SHA-256. +:::{include} ../../../solutions/_snippets/add-case-files.md +::: -When you upload a file, a comment is added to the case activity log. To view an image, click its name in the activity or file list. +::::{important} +When you export cases as [saved objects](/explore-analyze/find-and-organize/saved-objects.md), the attached case files are not exported. 
+:::: ::::{note} Uploaded files are also accessible from the **Files** management page, which you can find using the navigation menu or entering `Files` into the [global search field](../../../explore-analyze/find-and-organize/find-apps-and-objects.md). :::: -::::{important} -When you export cases as [saved objects](/explore-analyze/find-and-organize/saved-objects.md), the attached case files are not exported. -:::: - ### Add observables [add-case-observables] -% Add applies to tag and snippet \ No newline at end of file +:::{include} ../../../solutions/_snippets/add-case-observables.md +::: \ No newline at end of file diff --git a/solutions/_snippets/add-case-alerts.md b/solutions/_snippets/add-case-alerts.md new file mode 100644 index 0000000000..a9173b0070 --- /dev/null +++ b/solutions/_snippets/add-case-alerts.md @@ -0,0 +1,10 @@ +Escalate alerts and track them in a single place by attaching them to cases. To examine the alerts, click the **Alerts** tab in the case. In the table, alerts are organized from oldest to newest. To view alert details, click the **View details** button. + +You can find the **Alerts** tab in the following places: + +- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. +- {applies_to}`stack: ga 9.0`: Go to the case's details page. + +::::{important} +Each case can have a maximum of 1,000 alerts. +:::: \ No newline at end of file diff --git a/solutions/_snippets/add-case-observables.md b/solutions/_snippets/add-case-observables.md new file mode 100644 index 0000000000..f76eebe88e --- /dev/null +++ b/solutions/_snippets/add-case-observables.md 
@@ -0,0 +1,27 @@ +An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated events and better understand the severity and scope of a case. + +To view and manage observables, go to the **Observables** tab. You can find the tab in the following places: + +- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. +- {applies_to}`stack: ga 9.0`: Go to the case's details page. + +::::{important} +Each case can have a maximum of 50 observables. +:::: + +To create an observable: + +1. Click **Add observable** from the **Observables** tab. +2. Provide the necessary details: + + * **Type**: Select a type for the observable. You can choose a preset type or a [custom one](/solutions/security/investigate/configure-case-settings.md#cases-observable-types). + * **Value**: Enter a value for the observable. The value must align with the type you select. + * **Description** (Optional): Provide additional information about the observable. + +3. Click **Add observable**. + +After adding an observable to a case, you can remove or edit it by using the **Actions** menu (**…**). + +::::{tip} +Go to the **Similar cases** tab to access other cases with the same observables. +:::: \ No newline at end of file diff --git a/solutions/observability/incident-management/create-manage-cases.md b/solutions/observability/incident-management/create-manage-cases.md index a002dbde8b..82b29fa9d3 100644 --- a/solutions/observability/incident-management/create-manage-cases.md +++ b/solutions/observability/incident-management/create-manage-cases.md 
@@ -94,9 +94,9 @@ To view a case, click on its name. You can then: * Send updates to external systems (if external connections are configured). * Refresh the case to retrieve the latest updates. -## Add context and supporting evidence [observability-create-a-new-case-add-context] +## Add context and supporting materials [observability-create-a-new-case-add-context] -Provide additional context for the case and helpful resources by adding the following items: +Provide additional context and resources by adding the following to the case: * [Alerts](#observability-create-a-new-case-examine-alerts) * [Files](#observability-create-a-new-case-add-files) @@ -107,14 +107,12 @@ From the **Attachments** tab, you can search for specific observable values, ale ### Add alerts [observability-create-a-new-case-examine-alerts] -Escalate alerts and track them in a single place by [adding them to cases](../../observability/incident-management/view-alerts.md#observability-view-alerts-add-alerts-to-cases). - -To examine the alerts attached to a case, click the **Alerts** tab. In the table, alerts are organized from oldest to newest. To [view alert details](/solutions/security/detect-and-alert/view-detection-alert-details.md), click the **View details** button. - -You can find the **Alerts** tab in the following places: +:::{include} /solutions/_snippets/add-case-alerts.md +::: -- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. -- {applies_to}`stack: ga 9.0`: Go to the case's details page. +::::{note} +[Add alerts](../../observability/incident-management/view-alerts.md#observability-view-alerts-add-alerts-to-cases) to new and existing cases from the **Alerts** page. +:::: ### Add files [observability-create-a-new-case-add-files] diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index 5a2f209eaa..0ea005b793 100644 --- a/solutions/security/investigate/open-manage-cases.md 
+++ b/solutions/security/investigate/open-manage-cases.md @@ -126,9 +126,9 @@ To edit, delete, or quote a comment, select the appropriate option from the **Mo :screenshot: ::: -## Add context and supporting evidence [cases-add-context] +## Add context and supporting materials [cases-add-context] -Provide additional context for the case and helpful resources by adding the following items: +Provide additional context and resources by adding the following to the case: * [Alerts](#cases-examine-alerts) * [Indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) * {applies_to}`stack: ga 9.2.0` [Events](#cases-examine-events) @@ -142,17 +142,11 @@ From the **Attachments** tab, you can search for specific observable values, ale ### Add alerts [cases-examine-alerts] -Escalate alerts and track them in a single place by attaching them to cases. You can add alerts from an investigation that you've opened in Timeline, or from the **Alerts** page. - -To examine the alerts attached to a case, click the **Alerts** tab. In the table, alerts are organized from oldest to newest. To [view alert details](/solutions/security/detect-and-alert/view-detection-alert-details.md), click the **View details** button. - -You can find the **Alerts** tab in the following places: - -- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. -- {applies_to}`stack: ga 9.0`: Go to the case's details page. +:::{include} /solutions/_snippets/add-case-alerts.md +::: -::::{important} -Each case can have a maximum of 1,000 alerts. +::::{note} +Add alerts to new and existing cases from [Timeline](/solutions/security/investigate/timeline.md) or the [**Alerts** page](/solutions/security/detect-and-alert/add-detection-alerts-to-cases.md). :::: ### Add events [cases-examine-events] 
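Review bot: replacing the inline text with the shared snippet in the @@ -142,17 +142,11 @@ hunk drops the Security page's link to the alert details topic: the removed line read "To [view alert details](/solutions/security/detect-and-alert/view-detection-alert-details.md), click the **View details** button." and the snippet only says "To view alert details, click the **View details** button." The snippet is shared with the Observability and Kibana pages, so it cannot carry a Security-only link; put the link in the Security-specific note added below the include (the one that already links Timeline and the Alerts page) so the page does not lose it.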
@@ -167,7 +161,7 @@ After adding events to a case, go to the **Events** tab to examine them. Within You can find the **Events** tab in the following places: - {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. -- {applies_to}`stack: ga 9.2`: Go to the case's details page. +- {applies_to}`stack: ga 9.2`: Go to the case's details page. ### Add files [cases-add-files] 
@@ -176,38 +170,10 @@ You can find the **Events** tab in the following places: ### Add observables [cases-add-observables] -::::{admonition} Requirements -Ensure you have the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project feature tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). - -:::: - -An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated events and better understand the severity and scope of a case. - -To view and manage observables, go to the **Observables** tab. You can find the tab in the following places: - -- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. -- {applies_to}`stack: ga 9.2`: Go to the case's details page. - -::::{important} -Each case can have a maximum of 50 observables. -:::: - -To create an observable: - -1. Click **Add observable** from the **Observables** tab. -2. Provide the necessary details: - - * **Type**: Select a type for the observable. You can choose a preset type or a [custom one](/solutions/security/investigate/configure-case-settings.md#cases-observable-types). - * **Value**: Enter a value for the observable. The value must align with the type you select. - * **Description** (Optional): Provide additional information about the observable. - -3. Click **Add observable**. - -After adding an observable to a case, you can remove or edit it by using the **Actions** menu (**…**). +:::{include} /solutions/_snippets/add-case-observables.md +::: -::::{tip} -Go to the **Similar cases** tab to access other cases with the same observables. 
-:::: +{applies_to}`stack: ga 9.2` With the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project feature tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md), you can choose to automatically extract observables from alerts that you're adding to the case. After creating a new case, you can turn it off by toggling **Auto-extract observables** on the case's **Observables** tab. ## Copy the case UUID [cases-copy-case-uuid] From f9466b8c21fb67b8264fd0aedb0ccac0f1d97bbd Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 16 Dec 2025 15:44:09 -0500 Subject: [PATCH 3/6] Updated note about attachment search --- explore-analyze/alerts-cases/cases/manage-cases.md | 2 +- .../observability/incident-management/create-manage-cases.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/explore-analyze/alerts-cases/cases/manage-cases.md b/explore-analyze/alerts-cases/cases/manage-cases.md index 9d54e98978..83b4723fea 100644 --- a/explore-analyze/alerts-cases/cases/manage-cases.md +++ b/explore-analyze/alerts-cases/cases/manage-cases.md @@ -135,7 +135,7 @@ Provide additional context and resources by adding the following to the case: ::::{tip} :applies_to: {stack: ga 9.3} -From the **Attachments** tab, you can search for specific observable values, alert and event IDs, and file names. +From the **Attachments** tab, you can search for specific observable values, alert IDs, and file names. :::: ### Add alerts [add-case-alerts] diff --git a/solutions/observability/incident-management/create-manage-cases.md b/solutions/observability/incident-management/create-manage-cases.md index 82b29fa9d3..abb8cb812b 100644 --- a/solutions/observability/incident-management/create-manage-cases.md +++ b/solutions/observability/incident-management/create-manage-cases.md 
@@ -102,7 +102,7 @@ Provide additional context and resources by adding the following to the case: ::::{tip} :applies_to: {stack: ga 9.3} -From the **Attachments** tab, you can search for specific observable values, alert and event IDs, and file names. +From the **Attachments** tab, you can search for specific alert IDs and file names. :::: ### Add alerts [observability-create-a-new-case-examine-alerts] From 69e79ef8ec2b107ce45706071a403fb23972e749 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 16 Dec 2025 17:15:52 -0500 Subject: [PATCH 4/6] Update solutions/security/investigate/open-manage-cases.md Co-authored-by: Mike Birnstiehl <114418652+mdbirnstiehl@users.noreply.github.com> --- solutions/security/investigate/open-manage-cases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index 0ea005b793..edfbe906f0 100644 --- a/solutions/security/investigate/open-manage-cases.md +++ b/solutions/security/investigate/open-manage-cases.md 
@@ -177,7 +177,7 @@ You can find the **Events** tab in the following places: ## Copy the case UUID [cases-copy-case-uuid] -Each case has a universally unique identifier (UUID) that you can copy and share. To copy a case’s UUID to a clipboard, go to the Cases page and select **Actions** → **Copy Case ID** for the case you want to share. Alternatively, go to a case’s details page, then from the **More actions** menu (…), select **Copy Case ID**. +Each case has a universally unique identifier (UUID) that you can copy and share. To copy a case’s UUID to a clipboard, go to the **Cases** page and select **Actions** → **Copy Case ID** for the case you want to share. Alternatively, go to a case’s details page, then from the **More actions** menu (…), select **Copy Case ID**. :::{image} /solutions/images/security-cases-copy-case-id.png :alt: Copy Case ID option in More actions menu From aa65ad785ad3f8d805d120f6b9ab7216ef59da4c Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 16 Dec 2025 17:16:11 -0500 Subject: [PATCH 5/6] Update solutions/_snippets/add-case-observables.md Co-authored-by: Mike Birnstiehl <114418652+mdbirnstiehl@users.noreply.github.com> --- solutions/_snippets/add-case-observables.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/_snippets/add-case-observables.md b/solutions/_snippets/add-case-observables.md index f76eebe88e..9fe0ccb8ca 100644 --- a/solutions/_snippets/add-case-observables.md +++ b/solutions/_snippets/add-case-observables.md 
@@ -1,6 +1,6 @@ An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated events and better understand the severity and scope of a case. -To view and manage observables, go to the **Observables** tab. You can find the tab in the following places: +View and manage observables from the **Observables** tab. You can find the tab in the following places: - {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab. - {applies_to}`stack: ga 9.0`: Go to the case's details page. From 7df8a0b14d4f7d46f20a9d4cd28563ed6ae18d73 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 16 Dec 2025 18:15:31 -0500 Subject: [PATCH 6/6] Update solutions/security/investigate/open-manage-cases.md --- solutions/security/investigate/open-manage-cases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md index 1819f3a886..96b6531c16 100644 --- a/solutions/security/investigate/open-manage-cases.md +++ b/solutions/security/investigate/open-manage-cases.md 
@@ -173,7 +173,7 @@ You can find the **Events** tab in the following places: :::{include} /solutions/_snippets/add-case-observables.md ::: -{applies_to}`stack: ga 9.2` With the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project feature tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md), you can choose to automatically extract observables from alerts that you're adding to the case. After creating a new case, you can turn it off by toggling **Auto-extract observables** on the case's **Observables** tab. +{applies_to}`stack: ga 9.2` With the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project feature tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md), you can use **Auto-extract observables** to instantly extract observables from alerts that you're adding to the case. After creating a new case, you have the option to turn it off by toggling **Auto-extract observables** on the case's **Observables** tab. ## Copy the case UUID [cases-copy-case-uuid]
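Review bot: in PATCH 1/6, hunk @@ -144,7 +125,52 @@ of explore-analyze/alerts-cases/cases/manage-cases.md commits two author comments ("% Need to review this and add appropriate applies to tags" and "% Add applies to tag and snippet") and an empty "### Add observables" heading; PATCH 2/6 fills them, but as a standalone commit the page renders with an empty section, so squash or fill before merging. The tip in the same hunk says readers can search "alert and event IDs" on the Attachments tab, yet this page documents no events attachment (events exist only on the Security page, tagged 9.2); PATCH 3/6 trims it to "alert IDs", which confirms the point.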
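Review bot: in PATCH 1/6, hunk @@ -100,6 +93,30 @@ of solutions/observability/incident-management/create-manage-cases.md links "view alert details" to /solutions/security/detect-and-alert/view-detection-alert-details.md, a Security-solution topic about detection alerts, from an Observability page; either drop the link (as the manage-cases.md copy of the same sentence does) or point it at the Observability alert-details topic. The tip in the same hunk promises searching "observable values" and "event IDs", but this page lists only Alerts and Files as attachments; PATCH 3/6 corrects the tip, so the two should travel together.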
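Review bot: the Lens visualization section re-added in hunk @@ -252,6 +219,46 @@ of solutions/security/investigate/open-manage-cases.md is moved out from under the new "Add context and supporting evidence" grouping and placed after "Copy the case UUID", yet a visualization is attached to a case the same way alerts, files and observables are; either add "Visualizations" to the grouping's bulleted list with a link to #cases-lens-visualization, or say in the section why it sits apart (the beta warning could justify its own heading, but the list should still point to it). The removed and re-added text are identical, so no content review of the moved lines is needed.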
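Review bot: the three includes in PATCH 2/6, hunk @@ -142,35 +140,27 @@ of explore-analyze/alerts-cases/cases/manage-cases.md, use two path styles for the same directory: "/solutions/_snippets/add-case-alerts.md" is repo-absolute while "../../../solutions/_snippets/add-case-files.md" and "../../../solutions/_snippets/add-case-observables.md" are relative; use one form so a later move of this page cannot break one include and not the others. The note "Refer to [](../../../solutions/observability/incident-management/view-alerts.md#observability-view-alerts-add-alerts-to-cases)" relies on auto-generated link text and sends readers of the generic Kibana cases page only to the Observability procedure; give it explicit text and, since the same patch links a Security add-alerts topic (/solutions/security/detect-and-alert/add-detection-alerts-to-cases.md) from the Security page, link both here.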
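Review bot: the new file solutions/_snippets/add-case-alerts.md carries the admonition "Each case can have a maximum of 1,000 alerts.", which before this series appeared only on the Security page, so it now renders on the Observability and generic Kibana cases pages too; confirm the 1,000-alert cap is a Cases platform limit rather than a Security-specific one before shipping it there. The snippet's "To view alert details, click the **View details** button." is unlinked, which is correct for shared text, but each including page should then supply its own alert-details link in a page-specific note.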
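Review bot: the new file solutions/_snippets/add-case-observables.md tags the Observables tab location as "stack: ga 9.0: Go to the case's details page.", but the Security text it replaces, removed in the same patch from open-manage-cases.md, said "stack: ga 9.2" for that line; unless observables genuinely shipped in 9.0 this is a regression in the version badge and the line should read ga 9.2 (the auto-extract sentence added to the Security page is also tagged 9.2). The snippet also links custom types to /solutions/security/investigate/configure-case-settings.md#cases-observable-types and mentions the **Similar cases** tab; both are fine on the Security page but are now included into the generic Kibana page, so check those targets apply there or move them into page-specific notes.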
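Review bot: PATCH 2/6, hunk @@ -176,38 +170,10 @@ of solutions/security/investigate/open-manage-cases.md, deletes the "::::{admonition} Requirements" block ("Ensure you have the appropriate {{stack}} subscription or {{serverless-short}} project feature tier.") from the observables section, and the replacement snippet has no equivalent, so the only licensing statement left is the one attached to auto-extract; a reader will infer that manually added observables need no subscription. If that inference is wrong, restore the admonition above the include on this page or add it to the snippet; if it is right, say so explicitly, because the old text made the requirement apply to observables as a whole.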
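Review bot: the reworded sentence in hunk @@ -173,7 +173,7 @@ of PATCH 6/6 still does not say whether **Auto-extract observables** is on by default; "you have the option to turn it off" implies it is, so state it ("It is enabled by default for new cases; to disable it, toggle **Auto-extract observables** on the **Observables** tab"), and drop "instantly", which promises a latency the page cannot back up. "Extract observables from alerts that you're adding to the case" also leaves open whether alerts attached before the toggle is turned on are processed; one clause on that would pre-empt the question.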