diff --git a/docs/detections/alerts-add-to-cases.asciidoc b/docs/detections/alerts-add-to-cases.asciidoc new file mode 100644 index 0000000000..cb3365bdc3 --- /dev/null +++ b/docs/detections/alerts-add-to-cases.asciidoc @@ -0,0 +1,50 @@ +[[signals-to-cases]] +== Add detection alerts to cases +:frontmatter-description: Add alerts to new or existing cases in {elastic-sec}. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [how-to] +:frontmatter-tags-user-goals: [analyze] + +From the Alerts table, you can attach one or more alerts to a <> or <>. Alerts from any rule type can be added to a case. + +NOTE: After you add an alert to a case, you can remove it from the case activity under the alert summary or by using the <>. + +[role="screenshot"] +image::images/add-alert-to-case.gif[width=50%][height=50%][Animation of adding an alert to a case] + +[float] +[[signals-to-new-cases]] +=== Add alerts to a new case +To add alerts to a new case: + +. Do one of the following: +** To add a single alert to a case, select the *More actions* menu (*...*) in the Alerts table or **Take action** in the alert details flyout, then select *Add to a new case*. +** To add multiple alerts, select the alerts, then select *Add to a new case* from the *Bulk actions* menu. +. Give the case a name, assign a severity level, and provide a description. You can use +https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax[Markdown] syntax in the case description. ++ +NOTE: If you do not assign your case a severity level, it will be assigned *Low* by default. + +. Optionally, add a category, assignees and relevant tags. You can add users only if they +meet the necessary <>. +. Specify whether you want to sync the status of associated alerts. It is enabled by default; however, you can toggle this setting on or off at any time. If it remains enabled, the alert's status updates whenever the case's status is modified. +. Select a connector. If you've previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`. +. Click *Create case* after you've completed all of the required fields. A confirmation message is displayed with an option to view the new case. Click the link in the notification or go to the Cases page to view the case. + +[role="screenshot"] +image::images/add-alert-to-new-case.png[width=60%][height=60%][Create case flyout with sample data filled in] + +[float] +[[signals-to-existing-cases]] +=== Add alerts to an existing case +To add alerts to an existing case: + +. Do one of the following: +** To add a single alert to a case, select the *More actions* menu (*...*) in the Alerts table or **Take action** in the alert details flyout, then select **Add to existing case**. +** To add multiple alerts, select the alerts, then select *Add to an existing case* from the *Bulk actions* menu. +. From the **Select case** dialog box, select the case to which you want to attach the alert. A confirmation message is displayed with an option to view the updated case. Click the link in the notification or go to the Cases page to view the case's details. ++ +NOTE: If you attach the alert to a case that has been configured to sync its status with associated alerts, the alert's status updates any time the case's status is modified. + +[role="screenshot"] +image::images/add-alert-to-existing-case.png[Select case dialog listing existing cases]