From d4d797e3b3427f5ddba7738ac1a0f18c01496915 Mon Sep 17 00:00:00 2001 From: Colleen McGinnis Date: Tue, 5 Nov 2024 17:23:51 -0600 Subject: [PATCH] update serverless asciidoc file instead of mdx file --- .../alerts/alerts-ui-manage.asciidoc | 1 + .../alerts/view-alert-details.asciidoc | 16 +++++- .../images/icons/timelineWithArrow.svg | 1 + docs/serverless/index.asciidoc | 1 + .../investigate/add-manage-notes.asciidoc | 54 +++++++++++++++++++ .../investigate/add-manage-notes.mdx | 54 ------------------- .../investigate/timelines-ui.asciidoc | 3 +- .../settings/advanced-settings.asciidoc | 6 +++ 8 files changed, 79 insertions(+), 57 deletions(-) create mode 100644 docs/serverless/images/icons/timelineWithArrow.svg create mode 100644 docs/serverless/investigate/add-manage-notes.asciidoc delete mode 100644 docs/serverless/investigate/add-manage-notes.mdx diff --git a/docs/serverless/alerts/alerts-ui-manage.asciidoc b/docs/serverless/alerts/alerts-ui-manage.asciidoc index 4ae1c42ab5..b51443485c 100644 --- a/docs/serverless/alerts/alerts-ui-manage.asciidoc +++ b/docs/serverless/alerts/alerts-ui-manage.asciidoc @@ -144,6 +144,7 @@ From the Alerts table or the alert details flyout, you can: * <> * <> * <> +* <> [discrete] [[detection-alert-status]] diff --git a/docs/serverless/alerts/view-alert-details.asciidoc b/docs/serverless/alerts/view-alert-details.asciidoc index 8b1fd201bb..3e9050a415 100644 --- a/docs/serverless/alerts/view-alert-details.asciidoc +++ b/docs/serverless/alerts/view-alert-details.asciidoc 
@@ -50,10 +50,11 @@ If you've enabled grouping on the Alerts page, the alert details flyout won't op * Find basic details about the alert, such as the: + ** Associated rule -** Alert status +** Alert status and when the alert was created ** Date and time the alert was created ** Alert severity and risk score (these are inherited from rule that generated the alert) ** Users assigned to the alert (click the image:images/icons/plusInCircle.svg[Assign alert] icon to assign more users) +** Notes attached to the alert (click the image:images/icons/plusInCircle.svg[Add note] icon to create a new note) * Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs. [discrete] @@ -312,3 +313,16 @@ The **Response** section is located on the **Overview** tab in the right panel. [role="screenshot"] image::images/view-alert-details/-detections-response-action-rp.png[Response section of the Overview tab] + +[discrete] +[[expanded-notes-view]] +== Notes + +The **Notes** tab (located in the left panel) shows all notes attached to the alert, in addition to the user who created them and when they were created. When you add a new note, the alert's summary also updates and shows how many notes are attached to the alert. + +[TIP] +==== +Go to the **Notes** <> to find notes that were added to other alerts. +==== + +image::images/view-alert-details/-detections-notes-tab-lp.png[Notes tab in the left panel] diff --git a/docs/serverless/images/icons/timelineWithArrow.svg b/docs/serverless/images/icons/timelineWithArrow.svg new file mode 100644 index 0000000000..1ee4bea886 --- /dev/null +++ b/docs/serverless/images/icons/timelineWithArrow.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/docs/serverless/index.asciidoc b/docs/serverless/index.asciidoc index e088caa2f4..353d48a090 100644 --- a/docs/serverless/index.asciidoc +++ b/docs/serverless/index.asciidoc 
@@ -183,6 +183,7 @@ include::./investigate/cases-overview.asciidoc[leveloffset=+3] include::./investigate/case-permissions.asciidoc[leveloffset=+4] include::./investigate/cases-open-manage.asciidoc[leveloffset=+4] include::./investigate/cases-settings.asciidoc[leveloffset=+4] +include::./investigate/add-manage-notes.asciidoc[leveloffset=+4] include::./assets/asset-management.asciidoc[leveloffset=+2] diff --git a/docs/serverless/investigate/add-manage-notes.asciidoc b/docs/serverless/investigate/add-manage-notes.asciidoc new file mode 100644 index 0000000000..63540f13a4 --- /dev/null +++ b/docs/serverless/investigate/add-manage-notes.asciidoc 
@@ -0,0 +1,54 @@ +[[security-add-manage-notes]] += Notes + +// :description: Create and manage notes for alerts, events, and Timeline. +// :keywords: serverless, security, how-to, manage + +preview:[] + +Incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. You can attach notes to alerts, events, and Timelines and manage them from the **Notes** page. + +[NOTE] +==== +Configure the `securitySolution:maxUnassociatedNotes` <> to specify the maximum number of notes that you can attach to alerts and events. +==== + +[discrete] +[[notes-alerts-events]] +== View and add notes to alerts and events + +Open the alert or event details flyout to access the **Notes** tab, where you can view existing notes and add new ones. To quickly open the tab, click the **Add note** action (image:images/icons/editorComment.svg[The action that lets you to add a new note]) in the Alerts or Events table. Then, enter a note into the text box, and click **Add note** to create it. + +After notes are created, the **Add note** icon displays a notification dot. In the details flyout for alerts, the alert summary in the right panel also shows how many notes are attached to the alert. + +image::images/notes/-notes-new-note-alert-event.png[New note added to an alert] + +[discrete] +[[notes-timelines]] +== View and add notes to Timelines + +[IMPORTANT] +==== +You can only add notes to saved Timelines. +==== + +Open the **Notes** Timeline tab, where you can view existing notes for the Timeline and add new ones. Alternatively, use the details flyout for alerts and events that you're investigating from Timeline. Be aware that notes added this way are automatically attached to the alert or event and the Timeline unless you deselect the **Attach to current Timeline** option. + +After notes are created, the **Notes** Timeline tab displays the total number of notes attached to the Timeline. 
+ +image::images/notes/-notes-new-note-timeline-tab.png[New note added to a Timeline] + +[discrete] +[[manage-notes]] +== Manage notes + +Use the **Notes** page to view and interact with all existing notes. To access the page, navigate to **Investigations** in the main navigation menu or by using the global search field, then go to **Notes**. From the **Notes** page, you can: + +* Search for specific notes +* Filter notes by the user who created them or by the object they're attached to (notes can be attached to alerts, events, or Timelines) +* Examine the contents of a note (select the text in the **Note content** column) +* Delete one or more notes +* Examine the alert or event that a note is attached to (click the **Expand alert/event details** image:images/icons/expand.svg[Preview alert or event details action] icon) +* Open the Timeline that the note is attached to (click the **Open saved timeline** image:images/icons/timelineWithArrow.svg[Preview alert or event details action] icon) + +image::images/notes/-notes-management-page.png[Notes management page] \ No newline at end of file diff --git a/docs/serverless/investigate/add-manage-notes.mdx b/docs/serverless/investigate/add-manage-notes.mdx deleted file mode 100644 index 840c6db93d..0000000000 --- a/docs/serverless/investigate/add-manage-notes.mdx +++ /dev/null @@ -1,54 +0,0 @@ ---- -slug: /serverless/security/add-manage-notes -title: Notes -description: Create and manage notes for alerts, events, and Timeline. -tags: ["serverless","security","how-to","manage"] ---- - - -
- -Incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. You can attach notes to alerts, events, and Timelines and manage them from the **Notes** page. - - -Configure the `securitySolution:maxUnassociatedNotes` advanced settings to specify the maximum number of notes that you can attach to alerts and events. - - -
- -## View and add notes to alerts and events - -Open the alert or event details flyout to access the **Notes** tab, where you can view existing notes and add new ones. To quickly open the tab, click the **Add note** action () in the Alerts or Events table. Then, enter a note into the text box, and click **Add note** to create it. - -After notes are created, the **Add note** icon displays a notification dot. In the details flyout for alerts, the alert summary in the right panel also shows how many notes are attached to the alert. - - - -
- -## View and add notes to Timelines - - -You can only add notes to saved Timelines. - - -Open the **Notes** Timeline tab, where you can view existing notes for the Timeline and add new ones. Alternatively, use the details flyout for alerts and events that you're investigating from Timeline. Be aware that notes added this way are automatically attached to the alert or event and the Timeline unless you deselect the **Attach to current Timeline** option. - -After notes are created, the **Notes** Timeline tab displays the total number of notes attached to the Timeline. - - - -
- -## Manage notes - -Use the **Notes** page to view and interact with all existing notes. To access the page, navigate to **Investigations** in the main navigation menu or by using the global search field, then go to **Notes**. From the **Notes** page, you can: - -* Search for specific notes -* Filter notes by the user who created them or by the object they're attached to (notes can be attached to alerts, events, or Timelines) -* Examine the contents of a note (select the text in the **Note content** column) -* Delete one or more notes -* Examine the alert or event that a note is attached to (click the **Expand alert/event details** icon) -* Open the Timeline that the note is attached to (click the **Open saved timeline** icon) - - diff --git a/docs/serverless/investigate/timelines-ui.asciidoc b/docs/serverless/investigate/timelines-ui.asciidoc index 642dee0691..bd8ec2aaa7 100644 --- a/docs/serverless/investigate/timelines-ui.asciidoc +++ b/docs/serverless/investigate/timelines-ui.asciidoc @@ -80,8 +80,7 @@ You can also modify a Timeline's display in other ways: * Copy a column name or values to a clipboard * Change how the name, value, or description of a field are displayed in Timeline * View the Timeline in full screen mode -* Add or delete notes on individual events -* Add or delete investigation notes on the entire Timeline +* Add or delete <> attached to alerts, events, or Timeline * Pin interesting events to the Timeline [discrete] diff --git a/docs/serverless/settings/advanced-settings.asciidoc b/docs/serverless/settings/advanced-settings.asciidoc index 74892308d3..3f28e023cd 100644 --- a/docs/serverless/settings/advanced-settings.asciidoc +++ b/docs/serverless/settings/advanced-settings.asciidoc 
@@ -134,6 +134,12 @@ Security **Overview** page. * `securitySolution:newsFeedUrl`: The URL from which the security news feed content is retrieved. +[discrete] +[[max-notes-alerts-events]] +== Set the maximum notes limit for alerts and events + +The `securitySolution:maxUnassociatedNotes` field determines the maximum number of <> that you can attach to alerts and events. The maximum limit and default value is 1000. + [discrete] [[security-advanced-settings-exclude-cold-and-frozen-tier-data-from-analyzer-queries]] == Exclude cold and frozen tier data from analyzer queries
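Review bot: in the index.asciidoc hunk, `include::./investigate/add-manage-notes.asciidoc[leveloffset=+4]` lands in the block of `+4` includes (`case-permissions`, `cases-open-manage`, `cases-settings`) that are children of `cases-overview.asciidoc[leveloffset=+3]`, so the Notes page will render as a Cases subtopic. The page itself covers notes on alerts, events and Timelines, not cases; unless nesting it under Cases is deliberate, include it with `leveloffset=+3` so it sits alongside `cases-overview` in the Investigate section.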
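Review bot: in the first view-alert-details.asciidoc hunk (`@@ -50,10 +50,11 @@`), the rewritten bullet `** Alert status and when the alert was created` now says the same thing as the unchanged bullet directly below it, `** Date and time the alert was created`. Keep only one of the two: either leave the first as `** Alert status` or drop the second bullet.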
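Review bot: in the second view-alert-details.asciidoc hunk (`@@ -312,3 +313,16 @@`), the TIP in the new `[[expanded-notes-view]]` section reads `Go to the **Notes** <> to find notes that were added to other alerts.`; the cross-reference target is not visible in this rendering, so please confirm it resolves to the `manage-notes` anchor (the Notes management page) in add-manage-notes.asciidoc rather than the page-level `security-add-manage-notes` anchor, since the sentence is about finding notes on other alerts, which is what that page does.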
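Review bot: in the new add-manage-notes.asciidoc file, the alt text on the Timeline icon is wrong: `image:images/icons/timelineWithArrow.svg[Preview alert or event details action]` repeats the alt text of the `expand.svg` icon on the line above it; it should describe the action it decorates, for example `[Open saved Timeline action]`. Two smaller fixes in the same file: the alt text `[The action that lets you to add a new note]` should drop `to`, and the NOTE `Configure the securitySolution:maxUnassociatedNotes <> to specify the maximum number of notes that you can attach to alerts and events.` should say whether the limit applies per alert or event or to the total number of notes, since the setting name (`maxUnassociatedNotes`) does not obviously match that description. The file also ends with `\ No newline at end of file`; add the trailing newline to match the other asciidoc sources.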
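Review bot: in the timelines-ui.asciidoc hunk, the replacement bullet `* Add or delete <> attached to alerts, events, or Timeline` is inconsistent with the new Notes page, which lists the same three targets as `alerts, events, and Timelines`; use `or Timelines` here (or `or the Timeline` if the bullet means the Timeline currently open).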
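Review bot: in the advanced-settings.asciidoc hunk, `The maximum limit and default value is 1000.` is ambiguous about whether 1000 is the default, the ceiling, or both, and the section never says what the count is taken over. If 1000 is both, state it directly, for example `The default is 1000, which is also the highest value you can set.`, and add whether the limit is per alert or event or a total across all alerts and events, since the section title (`for alerts and events`) and the setting name (`maxUnassociatedNotes`) suggest different scopes.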