[8.x] [Serverless][8.16] Notes docs (backport #6006) (#6074)
* [Serverless][8.16] Notes docs (#6006)

* First draft

* First draft

* Updates titles

* Fixes toc and introduces images

* Fixes serverless toc

* Adds missing image

* Typo

* Adds more images and content

* Removes kib ref

* Removed extra kib ref

* Adjusted image name

* Completed ref link

* Adds ref to adv setting

* Removed unnecessary ref

* Missing s

* More minor adjustments

* first draft of flyout changes

* Fix image size

* Moves image over even more

* Update docs/events/add-manage-notes.asciidoc

* Incorporates dev input - ESS

* Serverless changes

* removed extra space

* fixes serverless doc bugs

* One more small fix

* Missing s

* Adds missing image

* Update docs/events/add-manage-notes.asciidoc

* Revision round two

* Added image ext

* Adds nav instructions

* Fixes styling

* Removed extra s

* Removed tab

* Removing asset criticality adv setting again

* Removes comment for now

* Update docs/events/add-manage-notes.asciidoc

Co-authored-by: natasha-moore-elastic <[email protected]>

* Update docs/events/add-manage-notes.asciidoc

* Adds icon names to Serverless docs

* update serverless asciidoc file instead of mdx file

* trigger checks

---------

Co-authored-by: natasha-moore-elastic <[email protected]>
Co-authored-by: Colleen McGinnis <[email protected]>
(cherry picked from commit 264ac5e)

# Conflicts:
#	docs/serverless/alerts/alerts-ui-manage.asciidoc
#	docs/serverless/alerts/view-alert-details.asciidoc
#	docs/serverless/index.asciidoc
#	docs/serverless/investigate/timelines-ui.asciidoc
#	docs/serverless/settings/advanced-settings.asciidoc

* Delete docs/serverless directory and its contents

---------

Co-authored-by: Nastasha Solomon <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
3 people authored Nov 8, 2024
1 parent 8e921a3 commit 2523bd2
Showing 16 changed files with 67 additions and 4 deletions.
1 change: 1 addition & 0 deletions docs/detections/alerts-ui-manage.asciidoc
Expand Up @@ -150,6 +150,7 @@ From the Alerts table or the alert details flyout, you can:
* <<alerts-run-osquery, Run Osquery against an alert>>
* <<signals-to-timelines>>
* <<visual-event-analyzer,Visually analyze an alert's process relationships>>
* <<notes-alerts-events,Add notes to alerts>>

[float]
[[detection-alert-status]]
14 changes: 12 additions & 2 deletions docs/detections/alerts-view-details.asciidoc
Expand Up @@ -41,10 +41,10 @@ IMPORTANT: If you've enabled grouping on the Alerts page, the alert details flyo
* Find basic details about the alert, such as the:

** Associated rule
** Alert status
** Date and time the alert was created
** Alert status and when the alert was created
** Alert severity and risk score (these are inherited from rule that generated the alert)
** Users assigned to the alert (click the **Assign alert** image:images/assign-alert.png[Assign alert,15,15] icon to assign more users)
** Notes attached to the alert (click the **Add note** image:images/add-note-icon.png[Add note,15,15] icon to create a new note)

* Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs.

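Review bot: the unchanged bullet `** Alert severity and risk score (these are inherited from rule that generated the alert)` is missing "the" before "rule"; since this list is being reworked anyway, fix it in the same pass. The new bullet `** Notes attached to the alert (click the **Add note** image:images/add-note-icon.png[...] icon ...)` also shows the same action that docs/events/add-manage-notes.asciidoc in this commit renders with `images/create-note-icon.png`; pick one icon file for the **Add note** action and use it in both topics.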
Expand Down Expand Up @@ -312,3 +312,13 @@ The **Response** section is located on the **Overview** tab in the right panel.
image::images/response-action-rp.png[Response section of the Overview tab, 50%]


[discrete]
[[expanded-notes-view]]
== Notes

The **Notes** tab (located in the left panel) shows all notes attached to the alert, in addition to the user who created them and when they were created. When you add a new note, the alert's summary also updates and shows how many notes are attached to the alert.

TIP: Go to the **Notes** <<manage-notes,page>> to find notes that were added to other alerts.

[role="screenshot"]
image::images/notes-tab-lp.png[Notes tab in the left panel, 70%]
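Review bot: the TIP's cross-reference `<<manage-notes,page>>` leaves the bare word "page" as the link text; extend the anchor over the whole phrase, e.g. `TIP: Go to the <<manage-notes,**Notes** page>> to find notes that were added to other alerts.` The hunk also inserts two consecutive blank lines after the `image::images/response-action-rp.png[...]` line; one is enough before `[discrete]`.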
Binary file added docs/detections/images/add-note-icon.png
Binary file added docs/detections/images/notes-tab-lp.png
Binary file added docs/detections/notes-page-timeline-details.png
46 changes: 46 additions & 0 deletions docs/events/add-manage-notes.asciidoc
@@ -0,0 +1,46 @@
[[add-manage-notes]]
= Notes

Incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. You can attach notes to alerts, events, and Timelines and manage them from the **Notes** page.

NOTE: Configure the `securitySolution:maxUnassociatedNotes` <<max-notes-alerts-events,advanced setting>> to specify the maximum number of notes that you can attach to alerts and events.

[discrete]
[[notes-alerts-events]]
== View and add notes to alerts and events

Open the alert or event details flyout to access the **Notes** tab, where you can view existing notes and add new ones. To quickly open the tab, click the **Add note** action (image:images/create-note-icon.png[Add note action,15,15]) in the Alerts or Events table. Then, enter a note into the text box, and click **Add note** to create it.

After notes are created, the **Add note** icon displays a notification dot. In the details flyout for alerts, the alert summary in the right panel also shows how many notes are attached to the alert.

[role="screenshot"]
image::images/new-note-alert-event.png[New note added to an alert]

[discrete]
[[notes-timelines]]
== View and add notes to Timelines

IMPORTANT: You can only add notes to saved Timelines.

Open the **Notes** Timeline tab, where you can view existing notes for the Timeline and add new ones. Alternatively, use the details flyout for alerts and events that you're investigating from Timeline. Be aware that notes added this way are automatically attached to the alert or event and the Timeline unless you deselect the **Attach to current Timeline** option.

After notes are created, the **Notes** Timeline tab displays the total number of notes attached to the Timeline.

[role="screenshot"]
image::images/new-note-timeline-tab.png[New note added to a Timeline]

[discrete]
[[manage-notes]]
== Manage all notes

Use the **Notes** page to view and interact with all existing notes. To access the page, navigate to *Investigations* in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **Notes**. From the **Notes** page, you can:

* Search for specific notes
* Filter notes by the user who created them or by the object they're attached to (notes can be attached to alerts, events, or Timelines)
* Examine the contents of a note (click the text in the **Note content** column)
* Delete one or more notes
* Examine the alert or event that a note is attached to (click the **Expand alert/event details** image:images/notes-page-document-details.png[Preview alert or event action,15,15] icon)
* Open the Timeline that the note is attached to (click the **Open saved timeline** image:images/notes-page-timeline-details.png[Open Timeline action,15,15] icon)

[role="screenshot"]
image::images/notes-management-page.png[Notes management page]
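Review bot: the last bullet references `image:images/notes-page-timeline-details.png[Open Timeline action,15,15]`, but the only file by that name in this commit's file list is docs/detections/notes-page-timeline-details.png, which sits outside an images/ directory and is referenced by nothing under docs/detections; confirm that docs/events/images/notes-page-timeline-details.png is actually part of the commit, otherwise the icon will not render. Two smaller points in the "Manage all notes" paragraph: "navigate to *Investigations* in the main navigation menu or by using the ... global search field" mixes two constructions (read "navigate to *Investigations* in the main navigation menu or find it using the global search field"), and `*Investigations*` uses single-asterisk emphasis while every other UI label in this file uses `**...**`. Finally, docs/events/images/add-note-icon.png is added but nothing in this topic references it; drop it or use it for the **Add note** action in place of create-note-icon.png.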
Binary file added docs/events/images/add-note-icon.png
Binary file added docs/events/images/create-note-icon.png
Binary file added docs/events/images/new-note-alert-event.png
Binary file added docs/events/images/new-note-timeline-tab.png
Binary file added docs/events/images/notes-management-page.png
Binary file added docs/events/images/notes-page-document-details.png
1 change: 1 addition & 0 deletions docs/events/investigations-index.asciidoc
Expand Up @@ -9,3 +9,4 @@ include::timeline-templates.asciidoc[leveloffset=+2]
include::../detections/visual-event-analyzer.asciidoc[leveloffset=+1]
include::../cloud-native-security/session-view.asciidoc[leveloffset=+1]
include::../osquery/osquery-index.asciidoc[leveloffset=+1]
include::add-manage-notes.asciidoc[leveloffset=+1]
3 changes: 1 addition & 2 deletions docs/events/timeline-ui-overview.asciidoc
Expand Up @@ -72,8 +72,7 @@ You can also modify a Timeline's display in other ways:
* Copy a column name or values to a clipboard
* Change how the name, value, and description of a field are displayed in Timeline
* View the Timeline in full screen mode
* Add or delete notes on individual events
* Add or delete investigation notes on the entire Timeline
* Add or delete <<add-manage-notes,notes>> attached to alerts, events, or Timeline
* Pin interesting events to the Timeline

[discrete]
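Review bot: the replacement bullet `* Add or delete <<add-manage-notes,notes>> attached to alerts, events, or Timeline` is not parallel; "Timeline" needs an article or the plural to match "alerts, events" (for example "alerts, events, or the Timeline", in line with "the entire Timeline" in the bullet it replaces).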
6 changes: 6 additions & 0 deletions docs/getting-started/advanced-setting.asciidoc
Expand Up @@ -179,6 +179,12 @@ By default, Elastic prebuilt rules in the *Rules* and *Rule Monitoring* tables i

The `securitySolution:alertTags` field determines which options display in the alert tag menu. The default alert tag options are `Duplicate`, `False Positive`, and `Further investigation required`. You can update the alert tag menu by editing these options or adding more. To learn more about using alert tags, refer to <<apply-alert-tags>>.

[discrete]
[[max-notes-alerts-events]]
== Set the maximum notes limit for alerts and events

The `securitySolution:maxUnassociatedNotes` field determines the maximum number of <<add-manage-notes,notes>> that you can attach to alerts and events. The maximum limit and default value is 1000.

[discrete]
[[exclude-cold-frozen-data-rule-executions]]
== Exclude cold and frozen data from rule executions
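Review bot: `The maximum limit and default value is 1000.` has a plural subject; read "The default value is 1000, which is also the maximum." Separately, the setting name `securitySolution:maxUnassociatedNotes` suggests a cap on notes that are not associated with a Timeline, whereas the description here (and the NOTE in add-manage-notes.asciidoc) presents it as the maximum number of notes you can attach to alerts and events; confirm with the developers whether the limit is a total across all unassociated notes or applies per alert/event, and say so explicitly.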
