elastic · nastasha-solomon · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025
@@ -88,25 +88,6 @@ For self-managed {{kib}}:
 
 When you subsequently add assignees to cases, they receive an email.
 
-## Add files [add-case-files]
-
-After you create a case, you can upload and manage files on the **Files** tab. To find the tab:
-
-- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab.
-- {applies_to}`stack: ga 9.0`: Go to the case's details page.  
-
-To download or delete the file or copy the file hash to your clipboard, open the action menu {icon}`boxes_horizontal`. The available hash functions are MD5, SHA-1, and SHA-256.
-
-When you upload a file, a comment is added to the case activity log. To view an image, click its name in the activity or file list.
-
-::::{note}
-Uploaded files are also accessible from the **Files** management page, which you can find using the navigation menu or entering `Files` into the [global search field](../../../explore-analyze/find-and-organize/find-apps-and-objects.md).
-::::
-
-::::{important}
-When you export cases as [saved objects](/explore-analyze/find-and-organize/saved-objects.md), the attached case files are not exported.
-::::
-
 ## Add visualizations [add-case-visualization]
 
 You can also optionally add visualizations. For example, you can portray event and alert data through charts and graphs.
@@ -144,10 +125,45 @@ To view a case, click on its name. You can then:
 * Add a connector (if you did not select one while creating the case).
 * Send updates to external systems (if external connections are configured).
 * Refresh the case to retrieve the latest updates.
-* Add and manage the following items:
-   * Alerts
-   * Files
-   * Observables
+
+## Add context and supporting materials [add-case-context]
+
+Provide additional context and resources by adding the following to the case:
+* [Alerts](#add-case-alerts) 
+* [Files](#add-case-files)
+* [Observables](#add-case-observables)
+
+::::{tip}
+:applies_to: {stack: ga 9.3}
+From the **Attachments** tab, you can search for specific observable values, alert IDs, and file names.
+::::
+
+### Add alerts [add-case-alerts]
+
+:::{include} /solutions/_snippets/add-case-alerts.md
+:::
+
+::::{note}
+Refer to [](../../../solutions/observability/incident-management/view-alerts.md#observability-view-alerts-add-alerts-to-cases) to learn how to add alerts to cases.
+::::
+
+### Add files [add-case-files]
+
+:::{include} ../../../solutions/_snippets/add-case-files.md
+:::
+
+::::{important}
+When you export cases as [saved objects](/explore-analyze/find-and-organize/saved-objects.md), the attached case files are not exported.
+::::
+
+::::{note}
+Uploaded files are also accessible from the **Files** management page, which you can find using the navigation menu or entering `Files` into the [global search field](../../../explore-analyze/find-and-organize/find-apps-and-objects.md).
+::::
+
+### Add observables [add-case-observables]
+
+:::{include} ../../../solutions/_snippets/add-case-observables.md
+:::
 
 ## Search cases [search-stack-management-cases]
 

@@ -0,0 +1,10 @@
+Escalate alerts and track them in a single place by attaching them to cases. To examine the alerts, click the **Alerts** tab in the case. In the table, alerts are organized from oldest to newest. To view alert details, click the **View details** button.
+
+You can find the **Alerts** tab in the following places:
+
+- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab.
+- {applies_to}`stack: ga 9.0`: Go to the case's details page.  
+
+::::{important}
+Each case can have a maximum of 1,000 alerts.
+::::
@@ -0,0 +1,27 @@
+An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated events and better understand the severity and scope of a case. 
+
+View and manage observables from the **Observables** tab. You can find the tab in the following places:
+
+- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab.
+- {applies_to}`stack: ga 9.0`: Go to the case's details page.  
+
+::::{important}
+Each case can have a maximum of 50 observables.
+::::
+
+To create an observable:
+
+1. Click **Add observable** from the **Observables** tab.
+2. Provide the necessary details:
+
+    * **Type**: Select a type for the observable. You can choose a preset type or a [custom one](/solutions/security/investigate/configure-case-settings.md#cases-observable-types).
+    * **Value**: Enter a value for the observable. The value must align with the type you select.
+    * **Description** (Optional): Provide additional information about the observable.
+
+3. Click **Add observable**.
+
+After adding an observable to a case, you can remove or edit it by using the **Actions** menu (**…**). 
+
+::::{tip}
+Go to the **Similar cases** tab to access other cases with the same observables.
+::::
@@ -74,13 +74,6 @@ You can also create a case from an alert or add an alert to an existing case. Fr
 
 ::::
 
-
-
-## Add files [observability-create-a-new-case-add-files]
-
-:::{include} /solutions/_snippets/add-case-files.md
-:::
-
 ## Send cases to external incident management systems [observability-create-a-new-case-send-cases-to-external-incident-management-systems]
 
 To send a case to an external system, click the ![push](/solutions/images/serverless-importAction.svg "") button in the **External incident management system** section of the individual case page. This information is not sent automatically. If you make further changes to the shared case fields, you should push the case again.
@@ -100,11 +93,33 @@ To view a case, click on its name. You can then:
 * Add a connector (if you did not select one while creating the case).
 * Send updates to external systems (if external connections are configured).
 * Refresh the case to retrieve the latest updates.
-* Add and manage the following items:
-   * Alerts
-   * Files
 
-## Search cases [search-observability-cases]
+## Add context and supporting materials [observability-create-a-new-case-add-context]
+
+Provide additional context and resources by adding the following to the case:
+* [Alerts](#observability-create-a-new-case-examine-alerts) 
+* [Files](#observability-create-a-new-case-add-files)
+
+::::{tip}
+:applies_to: {stack: ga 9.3}
+From the **Attachments** tab, you can search for specific alert IDs and file names.
+::::
+
+### Add alerts [observability-create-a-new-case-examine-alerts]
+
+:::{include} /solutions/_snippets/add-case-alerts.md
+:::
+
+::::{note}
+[Add alerts](../../observability/incident-management/view-alerts.md#observability-view-alerts-add-alerts-to-cases) to new and existing cases from the **Alerts** page.
+::::
+
+### Add files [observability-create-a-new-case-add-files]
+
+:::{include} /solutions/_snippets/add-case-files.md
+:::
+
+## Search cases [search-stack-management-cases]
 
 :::{include} /solutions/_snippets/search-cases.md
 :::
@@ -99,12 +99,6 @@ To explore a case, click on its name. You can then:
     Comments can contain Markdown. For syntax help, click the Markdown icon (![Click markdown icon](/solutions/images/security-markdown-icon.png "title =20x20")) in the bottom right of the comment.
     ::::
 
-* Add and manage the following items:
-    * [Alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts)
-    * [Indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case)
-    * {applies_to}`stack: ga 9.2.0` [Events](/solutions/security/investigate/open-manage-cases.md#cases-examine-events) 
-    * [Files](/solutions/security/investigate/open-manage-cases.md#cases-add-files)
-    * [Observables](/solutions/security/investigate/open-manage-cases.md#cases-add-observables)
 * [Manage connectors](/solutions/security/investigate/configure-case-settings.md#cases-ui-integrations) and send updates to external systems (if you’ve added a connector to the case)
 * [Copy the case UUID](/solutions/security/investigate/open-manage-cases.md#cases-copy-case-uuid)
 * Refresh the case to retrieve the latest updates
@@ -132,21 +126,30 @@ To edit, delete, or quote a comment, select the appropriate option from the **Mo
 :screenshot:
 :::
 
+## Add context and supporting materials [cases-add-context]
 
-### Examine alerts attached to a case [cases-examine-alerts]
+Provide additional context and resources by adding the following to the case:
+* [Alerts](#cases-examine-alerts)
+* [Indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case)
+* {applies_to}`stack: ga 9.2.0` [Events](#cases-examine-events) 
+* [Files](#cases-add-files)
+* [Observables](#cases-add-observables)
 
-To explore the alerts attached to a case, click the **Alerts** tab. In the table, alerts are organized from oldest to newest. To [view alert details](/solutions/security/detect-and-alert/view-detection-alert-details.md), click the **View details** button.
+::::{tip}
+:applies_to: {stack: ga 9.3}
+From the **Attachments** tab, you can search for specific observable values, alert and event IDs, and file names.
+::::
 
-You can find the **Alerts** tab in the following places:
+### Add alerts [cases-examine-alerts]
 
-- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab.
-- {applies_to}`stack: ga 9.0`: Go to the case's details page.  
+:::{include} /solutions/_snippets/add-case-alerts.md
+:::
 
-::::{important}
-Each case can have a maximum of 1,000 alerts.
+::::{note}
+Add alerts to new and existing cases from [Timeline](/solutions/security/investigate/timeline.md) or the [**Alerts** page](/solutions/security/detect-and-alert/add-detection-alerts-to-cases.md).
 ::::
 
-### Examine events attached to a case [cases-examine-events]
+### Add events [cases-examine-events]
 ```{applies_to}
 stack: ga 9.2
 ```
@@ -158,14 +161,31 @@ After adding events to a case, go to the **Events** tab to examine them. Within
 You can find the **Events** tab in the following places:
 
 - {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab.
-- {applies_to}`stack: ga 9.2`: Go to the case's details page.  
+- {applies_to}`stack: ga 9.2`: Go to the case's details page.
 
 ### Add files [cases-add-files]
 
 :::{include} /solutions/_snippets/add-case-files.md
 :::
 
-### Add a Lens visualization [cases-lens-visualization]
+### Add observables [cases-add-observables]
+
+:::{include} /solutions/_snippets/add-case-observables.md
+:::
+
+{applies_to}`stack: ga 9.2` With the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project feature tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md), you can use **Auto-extract observables** to instantly extract observables from alerts that you're adding to the case. After creating a new case, you have the option to turn it off by toggling **Auto-extract observables** on the case's **Observables** tab.
+
+## Copy the case UUID [cases-copy-case-uuid]
+
+Each case has a universally unique identifier (UUID) that you can copy and share. To copy a case’s UUID to a clipboard, go to the **Cases** page and select **Actions** → **Copy Case ID** for the case you want to share. Alternatively, go to a case’s details page, then from the **More actions** menu (…), select **Copy Case ID**.
+
+:::{image} /solutions/images/security-cases-copy-case-id.png
+:alt: Copy Case ID option in More actions menu
+:width: 250px
+:screenshot:
+:::
+
+## Add a Lens visualization [cases-lens-visualization]
 
 ::::{warning}
 This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
@@ -206,53 +226,6 @@ After a visualization has been added to a case, you can modify or interact with
 :screenshot:
 :::
 
-
-### Add observables [cases-add-observables]
-
-::::{admonition} Requirements
-Ensure you have the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project feature tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
-
-::::
-
-An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated events and better understand the severity and scope of a case. 
-
-To view and manage observables, go to the **Observables** tab. You can find the tab in the following places:
-
-- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab.
-- {applies_to}`stack: ga 9.0`: Go to the case's details page.  
-
-::::{important}
-Each case can have a maximum of 50 observables.
-::::
-
-To create an observable:
-
-1. Click **Add observable** from the **Observables** tab.
-2. Provide the necessary details:
-
-    * **Type**: Select a type for the observable. You can choose a preset type or a [custom one](/solutions/security/investigate/configure-case-settings.md#cases-observable-types).
-    * **Value**: Enter a value for the observable. The value must align with the type you select.
-    * **Description** (Optional): Provide additional information about the observable.
-
-3. Click **Add observable**.
-
-After adding an observable to a case, you can remove or edit it by using the **Actions** menu (**…**).
-
-::::{tip}
-Go to the **Similar cases** tab to access other cases with the same observables.
-::::
-
-### Copy the case UUID [cases-copy-case-uuid]
-
-Each case has a universally unique identifier (UUID) that you can copy and share. To copy a case’s UUID to a clipboard, go to the Cases page and select **Actions** → **Copy Case ID** for the case you want to share. Alternatively, go to a case’s details page, then from the **More actions** menu (…), select **Copy Case ID**.
-
-:::{image} /solutions/images/security-cases-copy-case-id.png
-:alt: Copy Case ID option in More actions menu
-:width: 250px
-:screenshot:
-:::
-
-
 ## Export and import cases [cases-export-import]
 
 Cases can be [exported](/solutions/security/investigate/open-manage-cases.md#cases-export) and [imported](/solutions/security/investigate/open-manage-cases.md#cases-import) as saved objects using the {{kib}} [Saved Objects](/explore-analyze/find-and-organize/saved-objects.md) UI.