update serverless asciidoc file instead of mdx file

elastic · Nov 5, 2024 · d4d797e · d4d797e
1 parent 3caa173
commit d4d797e
Show file tree

Hide file tree

Showing 8 changed files with 79 additions and 57 deletions.
diff --git a/docs/serverless/alerts/alerts-ui-manage.asciidoc b/docs/serverless/alerts/alerts-ui-manage.asciidoc
@@ -144,6 +144,7 @@ From the Alerts table or the alert details flyout, you can:
 * <<security-alerts-run-osquery,Run Osquery against an alert>>
 * <<signals-to-timelines,View alerts in Timeline>>
 * <<security-visual-event-analyzer,Visually analyze an alert's process relationships>>
+* <<notes-alerts-events,Add notes to alerts>>
 
 [discrete]
 [[detection-alert-status]]

diff --git a/docs/serverless/alerts/view-alert-details.asciidoc b/docs/serverless/alerts/view-alert-details.asciidoc
@@ -50,10 +50,11 @@ If you've enabled grouping on the Alerts page, the alert details flyout won't op
 * Find basic details about the alert, such as the:
 +
 ** Associated rule
-** Alert status
+** Alert status and when the alert was created
 ** Date and time the alert was created
 ** Alert severity and risk score (these are inherited from rule that generated the alert)
 ** Users assigned to the alert (click the image:images/icons/plusInCircle.svg[Assign alert] icon to assign more users)
+** Notes attached to the alert (click the image:images/icons/plusInCircle.svg[Add note] icon to create a new note)
 * Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs.
 
 [discrete]
@@ -312,3 +313,16 @@ The **Response** section is located on the **Overview** tab in the right panel.
 
 [role="screenshot"]
 image::images/view-alert-details/-detections-response-action-rp.png[Response section of the Overview tab]
+
+[discrete]
+[[expanded-notes-view]]
+== Notes
+
+The **Notes** tab (located in the left panel) shows all notes attached to the alert, in addition to the user who created them and when they were created. When you add a new note, the alert's summary also updates and shows how many notes are attached to the alert.
+
+[TIP]
+====
+Go to the **Notes** <<manage-notes,page>> to find notes that were added to other alerts.
+====
+
+image::images/view-alert-details/-detections-notes-tab-lp.png[Notes tab in the left panel]
diff --git a/docs/serverless/images/icons/timelineWithArrow.svg b/docs/serverless/images/icons/timelineWithArrow.svg
diff --git a/docs/serverless/index.asciidoc b/docs/serverless/index.asciidoc
@@ -183,6 +183,7 @@ include::./investigate/cases-overview.asciidoc[leveloffset=+3]
 include::./investigate/case-permissions.asciidoc[leveloffset=+4]
 include::./investigate/cases-open-manage.asciidoc[leveloffset=+4]
 include::./investigate/cases-settings.asciidoc[leveloffset=+4]
+include::./investigate/add-manage-notes.asciidoc[leveloffset=+4]
 
 include::./assets/asset-management.asciidoc[leveloffset=+2]
 

diff --git a/docs/serverless/investigate/add-manage-notes.asciidoc b/docs/serverless/investigate/add-manage-notes.asciidoc
@@ -0,0 +1,54 @@
+[[security-add-manage-notes]]
+= Notes
+
+// :description: Create and manage notes for alerts, events, and Timeline.
+// :keywords: serverless, security, how-to, manage
+
+preview:[]
+
+Incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. You can attach notes to alerts, events, and Timelines and manage them from the **Notes** page.
+
+[NOTE]
+====
+Configure the `securitySolution:maxUnassociatedNotes` <<max-notes-alerts-events,advanced settings>> to specify the maximum number of notes that you can attach to alerts and events.
+====
+
+[discrete]
+[[notes-alerts-events]]
+== View and add notes to alerts and events
+
+Open the alert or event details flyout to access the **Notes** tab, where you can view existing notes and add new ones. To quickly open the tab, click the **Add note** action (image:images/icons/editorComment.svg[The action that lets you to add a new note]) in the Alerts or Events table. Then, enter a note into the text box, and click **Add note** to create it.
+
+After notes are created, the **Add note** icon displays a notification dot. In the details flyout for alerts, the alert summary in the right panel also shows how many notes are attached to the alert.
+
+image::images/notes/-notes-new-note-alert-event.png[New note added to an alert]
+
+[discrete]
+[[notes-timelines]]
+== View and add notes to Timelines
+
+[IMPORTANT]
+====
+You can only add notes to saved Timelines.
+====
+
+Open the **Notes** Timeline tab, where you can view existing notes for the Timeline and add new ones. Alternatively, use the details flyout for alerts and events that you're investigating from Timeline. Be aware that notes added this way are automatically attached to the alert or event and the Timeline unless you deselect the **Attach to current Timeline** option.
+
+After notes are created, the **Notes** Timeline tab displays the total number of notes attached to the Timeline.
+
+image::images/notes/-notes-new-note-timeline-tab.png[New note added to a Timeline]
+
+[discrete]
+[[manage-notes]]
+== Manage notes
+
+Use the **Notes** page to view and interact with all existing notes. To access the page, navigate to **Investigations** in the main navigation menu or by using the global search field, then go to **Notes**. From the **Notes** page, you can:
+
+* Search for specific notes
+* Filter notes by the user who created them or by the object they're attached to (notes can be attached to alerts, events, or Timelines)
+* Examine the contents of a note (select the text in the **Note content** column)
+* Delete one or more notes
+* Examine the alert or event that a note is attached to (click the **Expand alert/event details** image:images/icons/expand.svg[Preview alert or event details action] icon)
+* Open the Timeline that the note is attached to (click the **Open saved timeline** image:images/icons/timelineWithArrow.svg[Preview alert or event details action] icon)
+
+image::images/notes/-notes-management-page.png[Notes management page]
diff --git a/docs/serverless/investigate/add-manage-notes.mdx b/docs/serverless/investigate/add-manage-notes.mdx
diff --git a/docs/serverless/investigate/timelines-ui.asciidoc b/docs/serverless/investigate/timelines-ui.asciidoc
@@ -80,8 +80,7 @@ You can also modify a Timeline's display in other ways:
 * Copy a column name or values to a clipboard
 * Change how the name, value, or description of a field are displayed in Timeline
 * View the Timeline in full screen mode
-* Add or delete notes on individual events
-* Add or delete investigation notes on the entire Timeline
+* Add or delete <<security-add-manage-notes,notes>> attached to alerts, events, or Timeline
 * Pin interesting events to the Timeline
 
 [discrete]

diff --git a/docs/serverless/settings/advanced-settings.asciidoc b/docs/serverless/settings/advanced-settings.asciidoc
@@ -134,6 +134,12 @@ Security **Overview** page.
 * `securitySolution:newsFeedUrl`: The URL from which the security news feed content is
 retrieved.
 
+[discrete]
+[[max-notes-alerts-events]]
+== Set the maximum notes limit for alerts and events
+
+The `securitySolution:maxUnassociatedNotes` field determines the maximum number of <<security-add-manage-notes,notes>> that you can attach to alerts and events. The maximum limit and default value is 1000.
+
 [discrete]
 [[security-advanced-settings-exclude-cold-and-frozen-tier-data-from-analyzer-queries]]
 == Exclude cold and frozen tier data from analyzer queries