diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index 824f8c4d06..907df47311 100644 --- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc @@ -111,7 +111,11 @@ The *Highlighted Fields* section displays the most relevant fields for the alert NOTE: The *Session ID* field provides a unique ID for tracking a given Linux session and is stored in the `process.entry_leader.entity_id` field in the alert's document. To collect the session ID and other session data, you must enable the *Include session data* setting on your {endpoint-cloud-sec} integration policy. Refer to <> for more information. -The *Alert prevalence* column shows the total number of alerts within the selected time frame that have identical values. For example, an alert with an alert prevalence of 3 for the `host.name` field means three alerts with the same `host.name` value exist within the given time frame. Alert prevalence data can help you investigate relationships with other alerts and gain more context about the event producing the alert. +The *Alert prevalence* column shows the total number of alerts within the selected timeframe that have identical values. For example, an alert prevalence of 3 for `host.name` means three alerts with the same `host.name` value exist within the timeframe. + +Alert prevalence data can help you investigate relationships with other alerts and gain context about the events producing alerts. You can also click the alert prevalence count to explore the alerts in Timeline. + +IMPORTANT: Before investigating alert prevalence data in Timeline, save any Timelines you're working on to ensure you can access them later. The *Enriched data* section displays available threat indicator matches and threat intelligence data. Click the info icon to learn more about what data is collected.
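Review bot: The new IMPORTANT admonition tells readers to save their Timelines first but never says why, so the instruction reads as arbitrary; state the consequence it guards against (for example, that opening the prevalence results in Timeline replaces whatever is currently loaded there, if that is the behaviour) so the reader knows what is at risk. Two smaller points in the same hunk: the rewrite changes "time frame" to "timeframe" in the added lines only, while the surrounding page may still use the two-word form, so check the spelling is applied consistently across the file; and the unchanged NOTE line above still reads "Refer to <> for more information", which looks like an empty cross-reference and is worth confirming it resolves to a real anchor while this section is being touched.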