diff --git a/deploy-manage/autoscaling/autoscaling-in-ece-and-ech.md b/deploy-manage/autoscaling/autoscaling-in-ece-and-ech.md
index 48a4d23747..663862babb 100644
--- a/deploy-manage/autoscaling/autoscaling-in-ece-and-ech.md
+++ b/deploy-manage/autoscaling/autoscaling-in-ece-and-ech.md
@@ -78,7 +78,7 @@ On a highly available deployment, autoscaling events are always applied to insta
## Notifications[ec-autoscaling-notifications]
In the event that a data tier or machine learning node scales up to its maximum possible size, you’ll receive an email, and a notice also appears on the deployment overview page prompting you to adjust your autoscaling settings to ensure optimal performance.
-In {{ece}} deployments, a warning is also issued in the ECE `service-constructor` logs with the field `labels.autoscaling_notification_type` and a value of `data-tier-at-limit` (for a fully scaled data tier) or `ml-tier-at-limit` (for a fully scaled machine learning node). The warning is indexed in the `logging-and-metrics` deployment, so you can use that event to [configure an email notification](../../explore-analyze/alerts-cases/watcher.md).
+In {{ece}} deployments, a warning is also issued in the ECE `service-constructor` logs with the field `labels.autoscaling_notification_type` and a value of `data-tier-at-limit` (for a fully scaled data tier) or `ml-tier-at-limit` (for a fully scaled machine learning node). The warning is indexed in the `logging-and-metrics` deployment, so you can use that event to [configure an email notification](../../explore-analyze/alerting/watcher.md).
## Restrictions and limitations[ec-autoscaling-restrictions]
diff --git a/deploy-manage/deploy/cloud-enterprise/edit-stack-settings-elasticsearch.md b/deploy-manage/deploy/cloud-enterprise/edit-stack-settings-elasticsearch.md
index 029c596167..2de7d85c23 100644
--- a/deploy-manage/deploy/cloud-enterprise/edit-stack-settings-elasticsearch.md
+++ b/deploy-manage/deploy/cloud-enterprise/edit-stack-settings-elasticsearch.md
@@ -43,7 +43,7 @@ To add or edit {{es}} user settings:
$$$ece-change-user-settings-examples$$$
## Example: enable email notifications [ece_enable_email_notifications_from_gmail]
-To enable email notifications in your {{es}} cluster, you need to configure an email account and related settings. For complete instructions, refer to [Configuring email accounts](/explore-analyze/alerts-cases/watcher/actions-email.md#configuring-email).
+To enable email notifications in your {{es}} cluster, you need to configure an email account and related settings. For complete instructions, refer to [Configuring email accounts](/explore-analyze/alerting/watcher/actions-email.md#configuring-email).
```yaml
xpack.notification.email.account:
diff --git a/deploy-manage/deploy/cloud-on-k8s/k8s-service-mesh-istio.md b/deploy-manage/deploy/cloud-on-k8s/k8s-service-mesh-istio.md
index a84cd1040a..11bf6b42b5 100644
--- a/deploy-manage/deploy/cloud-on-k8s/k8s-service-mesh-istio.md
+++ b/deploy-manage/deploy/cloud-on-k8s/k8s-service-mesh-istio.md
@@ -15,7 +15,7 @@ The instructions in this section describe how to connect the operator and manage
These instructions have been tested with Istio 1.24.3. Older or newer versions of Istio might require additional configuration steps not documented here.
::::{warning}
-Some {{stack}} features such as [{{kib}} alerting and actions](/explore-analyze/alerts-cases.md) rely on the {{es}} API keys feature which requires TLS to be enabled at the application level. If you want to use these features, you should not disable the self-signed certificate on the {{es}} resource and enable `PERMISSIVE` mode for the {{es}} service through a `DestinationRule` or `PeerAuthentication` resource. Strict mTLS mode is currently not compatible with {{stack}} features requiring TLS to be enabled for the {{es}} HTTP layer.
+Some {{stack}} features such as [{{kib}} alerting and actions](/explore-analyze/alerting.md) rely on the {{es}} API keys feature which requires TLS to be enabled at the application level. If you want to use these features, you should not disable the self-signed certificate on the {{es}} resource and enable `PERMISSIVE` mode for the {{es}} service through a `DestinationRule` or `PeerAuthentication` resource. Strict mTLS mode is currently not compatible with {{stack}} features requiring TLS to be enabled for the {{es}} HTTP layer.
::::
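Review bot: The sentence on the changed line that reads "you should not disable the self-signed certificate on the {{es}} resource and enable `PERMISSIVE` mode" is ambiguous: a reader can take "should not" as negating both actions. Since this line is already being touched, consider splitting it so the intent is unmistakable, for example "keep the self-signed certificate enabled on the {{es}} resource, and enable `PERMISSIVE` mode for the {{es}} service". The stakes are a deployment where API-key-based features fail or TLS is dropped at the application layer.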
diff --git a/deploy-manage/deploy/deployment-comparison.md b/deploy-manage/deploy/deployment-comparison.md
index ddc7fee19c..433bbecb31 100644
--- a/deploy-manage/deploy/deployment-comparison.md
+++ b/deploy-manage/deploy/deployment-comparison.md
@@ -41,7 +41,7 @@ For more details about feature availability in {{serverless-short}}, refer to []
| Feature/capability | Fully self-managed, ECE, ECK | ECH | {{serverless-short}} |
|-------------------|-------------------------------|---------|----------------------|
| [Deployment health monitoring](/deploy-manage/monitor.md) | AutoOps or monitoring cluster | AutoOps or monitoring cluster | Managed by Elastic |
-| [Alerting](/explore-analyze/alerts-cases.md) | Watcher or {{kib}} alerts | Watcher or {{kib}} alerts | Alerts ([why?](/explore-analyze/alerts-cases.md#watcher)) |
+| [Alerting](/explore-analyze/alerting.md) | Watcher or {{kib}} alerts | Watcher or {{kib}} alerts | Alerts ([why?](/explore-analyze/alerting.md#watcher)) |
## Data lifecycle
diff --git a/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md b/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md
index 017545c1ed..3948b38dd6 100644
--- a/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md
+++ b/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md
@@ -101,7 +101,7 @@ This table compares Elasticsearch capabilities between {{ech}} deployments and S
| [**Search applications**](/solutions/elasticsearch-solution-project/search-applications.md) | - UI and APIs
- Maintenance mode (beta) | - API-only
- Maintenance mode (beta) | UI not available in Serverless |
| **Shard management** | User-configurable | Managed by Elastic | No manual shard allocation in Serverless |
| [**Synonyms**](/solutions/search/full-text/search-with-synonyms.md) | - Index time synonyms
- File-based synonyms
- Synonyms API | Synonyms API only (does not support index-time or file-based synonyms) | |
-| [**Watcher**](/explore-analyze/alerts-cases/watcher.md) | ✅ | ❌ | Use **Kibana Alerts** instead, which provides rich integrations across use cases |
+| [**Watcher**](/explore-analyze/alerting/watcher.md) | ✅ | ❌ | Use **Kibana Alerts** instead, which provides rich integrations across use cases |
| **Web crawler** | ❌ (Managed Elastic Crawler discontinued with Enterprise Search in 9.0) | Self-managed only | Use [**self-managed crawler**](https://github.com/elastic/crawler) |
^1^ $$$footnote-1$$$ In {{serverless-short}}, Elastic ensures data durability by storing indexed data in an [object store](https://www.elastic.co/blog/elastic-serverless-architecture) rather than local replicas. Writes are batched over a 200ms window to ensure durability while optimizing performance and cost, which means that single-document indexing can appear slower than in {{ech}}. However, this design makes {{serverless-short}} more scalable and resilient to high indexing loads without relying on in-cluster replication for fault tolerance. Because of a higher baseline write latency, {{serverless-short}} indexing can be scaled by increasing concurrent indexing clients.
diff --git a/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md b/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md
index 0718341a04..9e0a461fd0 100644
--- a/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md
+++ b/deploy-manage/deploy/elastic-cloud/restrictions-known-problems.md
@@ -91,7 +91,7 @@ Changing the default throttle period is not possible. You can specify a throttle
Watcher comes preconfigured with a directly usable email account provided by Elastic. However, this account can’t be reconfigured and is subject to some limitations. For more information on the limits of the Elastic mail server, check the [cloud email service limits](/deploy-manage/deploy/elastic-cloud/tools-apis.md#email-service-limits).
-Alternatively, a custom mail server can be configured as described in [Configuring a custom mail server](../../../explore-analyze/alerts-cases/watcher/enable-watcher.md#watcher-custom-mail-server)
+Alternatively, a custom mail server can be configured as described in [Configuring a custom mail server](../../../explore-analyze/alerting/watcher/enable-watcher.md#watcher-custom-mail-server)
## Private connectivity and SSO to {{kib}} URLs [ec-restrictions-network-security-kibana-sso]
@@ -108,7 +108,7 @@ Currently you can’t use SSO to login directly from {{ecloud}} into {{kib}} end
## {{kib}} [ec-restrictions-kibana]
* The maximum size of a single {{kib}} instance is 8GB. This means, {{kib}} instances can be scaled up to 8GB before they are scaled out. For example, when creating a deployment with a {{kib}} instance of size 16GB, then 2x8GB instances are created. If you face performance issues with {{kib}} PNG or PDF reports, the recommendations are to create multiple, smaller dashboards to export the data, or to use a third party browser extension for exporting the dashboard in the format you need.
-* Running an external {{kib}} in parallel to {{ecloud}}’s {{kib}} instances may cause errors, for example [`Unable to decrypt attribute`](../../../explore-analyze/alerts-cases/alerts/alerting-common-issues.md#rule-cannot-decrypt-api-key), due to a mismatched [`xpack.encryptedSavedObjects.encryptionKey`](kibana://reference/configuration-reference/security-settings.md#security-encrypted-saved-objects-settings) as {{ecloud}} does not [allow users to set](edit-stack-settings.md) nor expose this value. While workarounds are possible, this is not officially supported nor generally recommended.
+* Running an external {{kib}} in parallel to {{ecloud}}’s {{kib}} instances may cause errors, for example [`Unable to decrypt attribute`](../../../explore-analyze/alerting/alerts/alerting-common-issues.md#rule-cannot-decrypt-api-key), due to a mismatched [`xpack.encryptedSavedObjects.encryptionKey`](kibana://reference/configuration-reference/security-settings.md#security-encrypted-saved-objects-settings) as {{ecloud}} does not [allow users to set](edit-stack-settings.md) nor expose this value. While workarounds are possible, this is not officially supported nor generally recommended.
* Workflows using the `elasticsearch.bulk` step might mishandle bulk operations in Elastic Cloud Hosted. Bulk action metadata (such as `index`, `create`, `update`, or `delete`) can be interpreted as document data, which might cause unexpected behavior for bulk operations beyond basic indexing. The workaround is to use a generic Elasticsearch request action in the workflow to call the Bulk API directly instead of using the `elasticsearch.bulk` step. For more information, refer to [Generic request actions](https://www.elastic.co/docs/explore-analyze/workflows/steps/elasticsearch#generic-request-actions). This issue is fixed in Serverless deployments.
diff --git a/deploy-manage/deploy/elastic-cloud/tools-apis.md b/deploy-manage/deploy/elastic-cloud/tools-apis.md
index aa3e6c17a6..780afda136 100644
--- a/deploy-manage/deploy/elastic-cloud/tools-apis.md
+++ b/deploy-manage/deploy/elastic-cloud/tools-apis.md
@@ -101,7 +101,7 @@ serverless: unavailable
## Elastic Cloud email service
-{{ecloud}} provides a built-in email service used by the preconfigured [email connector](kibana://reference/connectors-kibana/email-action-type.md), available in both {{ech}} deployments and {{serverless-full}} projects. This service can be used to send [alert](/explore-analyze/alerts-cases/alerts.md) notifications and is also supported in {{ech}} by [Watcher](/explore-analyze/alerts-cases/watcher/enable-watcher.md).
+{{ecloud}} provides a built-in email service used by the preconfigured [email connector](kibana://reference/connectors-kibana/email-action-type.md), available in both {{ech}} deployments and {{serverless-full}} projects. This service can be used to send [alert](/explore-analyze/alerting/alerts.md) notifications and is also supported in {{ech}} by [Watcher](/explore-analyze/alerting/watcher/enable-watcher.md).
### Email service limits
diff --git a/deploy-manage/deploy/self-managed/bootstrap-checks.md b/deploy-manage/deploy/self-managed/bootstrap-checks.md
index 51cf06420d..c3e6623a8d 100644
--- a/deploy-manage/deploy/self-managed/bootstrap-checks.md
+++ b/deploy-manage/deploy/self-managed/bootstrap-checks.md
@@ -187,7 +187,7 @@ $$$bootstrap-checks-xpack-encrypt-sensitive-data$$$
If you use {{watcher}} and have chosen to encrypt sensitive data (by setting `xpack.watcher.encrypt_sensitive_data` to `true`), you must also place a key in the secure settings store.
-To pass this bootstrap check, you must set the `xpack.watcher.encryption_key` on each node in the cluster. For more information, see [Encrypting sensitive data in Watcher](../../../explore-analyze/alerts-cases/watcher/encrypting-data.md).
+To pass this bootstrap check, you must set the `xpack.watcher.encryption_key` on each node in the cluster. For more information, see [Encrypting sensitive data in Watcher](../../../explore-analyze/alerting/watcher/encrypting-data.md).
:::
:::{dropdown} PKI realm check
diff --git a/deploy-manage/manage-connectors.md b/deploy-manage/manage-connectors.md
index 270668b82e..0edf8497d6 100644
--- a/deploy-manage/manage-connectors.md
+++ b/deploy-manage/manage-connectors.md
@@ -23,7 +23,7 @@ This page is about {{kib}} connectors that integrate with services like generati
## Required permissions [_required_permissions_2]
-Access to connectors is granted based on your privileges to alerting-enabled features. For more information, go to [Security](../explore-analyze/alerts-cases/alerts/alerting-setup.md#alerting-security).
+Access to connectors is granted based on your privileges to alerting-enabled features. For more information, go to [Security](../explore-analyze/alerting/alerts/alerting-setup.md#alerting-security).
## Connector networking configuration [_connector_networking_configuration]
@@ -91,6 +91,6 @@ If a connector is missing sensitive information after the import, a **Fix** butt
## Monitoring connectors [monitoring-connectors]
-You can query the [Event log index](/explore-analyze/alerts-cases/alerts/event-log-index.md) to gather information on connector successes and failures.
+You can query the [Event log index](/explore-analyze/alerting/alerts/event-log-index.md) to gather information on connector successes and failures.
If you're using {{stack}}, then you can also use the [Task Manager health API](/deploy-manage/monitor/kibana-task-manager-health-monitoring.md) to monitor connector performance. However, if connectors fail to run, they will report as successful to Task Manager. The failure stats will not accurately depict connector failures.
diff --git a/deploy-manage/monitor/kibana-task-manager-health-monitoring.md b/deploy-manage/monitor/kibana-task-manager-health-monitoring.md
index 17eea50055..99d04755f4 100644
--- a/deploy-manage/monitor/kibana-task-manager-health-monitoring.md
+++ b/deploy-manage/monitor/kibana-task-manager-health-monitoring.md
@@ -114,7 +114,7 @@ The Runtime `status` indicates whether task executions have exceeded any of the
::::{important}
Some tasks (such as [connectors](../manage-connectors.md)) will incorrectly report their status as successful even if the task failed. The runtime and workload block will return data about success and failures and will not take this into consideration.
-To get a better sense of action failures, refer to the [Event log index](../../explore-analyze/alerts-cases/alerts/event-log-index.md) for more accurate context into failures and successes.
+To get a better sense of action failures, refer to the [Event log index](../../explore-analyze/alerting/alerts/event-log-index.md) for more accurate context into failures and successes.
::::
diff --git a/deploy-manage/monitor/monitoring-data/configure-stack-monitoring-alerts.md b/deploy-manage/monitor/monitoring-data/configure-stack-monitoring-alerts.md
index 1cecdff528..9e71ff431b 100644
--- a/deploy-manage/monitor/monitoring-data/configure-stack-monitoring-alerts.md
+++ b/deploy-manage/monitor/monitoring-data/configure-stack-monitoring-alerts.md
@@ -15,7 +15,7 @@ products:
# Stack monitoring alerts [kibana-alerts]
-The {{stack}} {{monitor-features}} provide [Alerting rules](../../../explore-analyze/alerts-cases/alerts.md) out-of-the box to notify you of potential issues in the {{stack}}. These rules are preconfigured based on the best practices recommended by Elastic. However, you can tailor them to meet your specific needs.
+The {{stack}} {{monitor-features}} provide [Alerting rules](../../../explore-analyze/alerting/alerts.md) out-of-the box to notify you of potential issues in the {{stack}}. These rules are preconfigured based on the best practices recommended by Elastic. However, you can tailor them to meet your specific needs.
:::{image} /deploy-manage/images/kibana-monitoring-kibana-alerting-notification.png
:alt: {{kib}} alerting notifications in {{stack-monitor-app}}
diff --git a/deploy-manage/monitor/monitoring-data/elasticsearch-metrics.md b/deploy-manage/monitor/monitoring-data/elasticsearch-metrics.md
index 92c4754652..61c67e26b4 100644
--- a/deploy-manage/monitor/monitoring-data/elasticsearch-metrics.md
+++ b/deploy-manage/monitor/monitoring-data/elasticsearch-metrics.md
@@ -31,7 +31,7 @@ For more information, refer to [Monitor a cluster](../../monitor.md).
To view the key metrics that indicate the overall health of an {{es}} cluster, click **Overview** in the {{es}} section. Anything that needs your attention is highlighted in yellow or red.
::::{tip}
-Conditions that require your attention are listed at the top of the Clusters page. You can also set up watches to alert you when the status of your cluster changes. To learn how, see [Watching the status of an {{es}} cluster](../../../explore-analyze/alerts-cases/watcher/watch-cluster-status.md).
+Conditions that require your attention are listed at the top of the Clusters page. You can also set up watches to alert you when the status of your cluster changes. To learn how, see [Watching the status of an {{es}} cluster](../../../explore-analyze/alerting/watcher/watch-cluster-status.md).
::::
diff --git a/deploy-manage/monitor/monitoring-data/integrations-server-page.md b/deploy-manage/monitor/monitoring-data/integrations-server-page.md
index 19e66ff978..d6fc0b2c28 100644
--- a/deploy-manage/monitor/monitoring-data/integrations-server-page.md
+++ b/deploy-manage/monitor/monitoring-data/integrations-server-page.md
@@ -29,7 +29,7 @@ products:
2. Adjust the time period for the visualizations as needed.
-3. From this page you can also [create alerts](/explore-analyze/alerts-cases/alerts/create-manage-rules.md) to be triggered when the {{integrations-server}} metrics meet a defined set of conditions.
+3. From this page you can also [create alerts](/explore-analyze/alerting/alerts/create-manage-rules.md) to be triggered when the {{integrations-server}} metrics meet a defined set of conditions.
**To view metrics for a specific {{integrations-server}} instance:**
@@ -41,4 +41,4 @@ products:
1. Adjust the time period for the visualizations as needed.
-1. As with the **APM server overview** page, you can also [create alerts](/explore-analyze/alerts-cases/alerts/create-manage-rules.md) to be triggered when the instance metrics meet a defined set of conditions.
+1. As with the **APM server overview** page, you can also [create alerts](/explore-analyze/alerting/alerts/create-manage-rules.md) to be triggered when the instance metrics meet a defined set of conditions.
diff --git a/deploy-manage/production-guidance/kibana-alerting-production-considerations.md b/deploy-manage/production-guidance/kibana-alerting-production-considerations.md
index 6a3b3d01b7..23da104fc0 100644
--- a/deploy-manage/production-guidance/kibana-alerting-production-considerations.md
+++ b/deploy-manage/production-guidance/kibana-alerting-production-considerations.md
@@ -33,7 +33,7 @@ Rule and action tasks can run late or at an inconsistent schedule. This is typic
You can address such issues by tweaking the [Task Manager settings](kibana://reference/configuration-reference/task-manager-settings.md) or scaling the deployment to better suit your use case.
-For detailed guidance, see [Alerting Troubleshooting](../../explore-analyze/alerts-cases/alerts/alerting-troubleshooting.md).
+For detailed guidance, see [Alerting Troubleshooting](../../explore-analyze/alerting/alerts/alerting-troubleshooting.md).
::::
diff --git a/deploy-manage/production-guidance/kibana-in-production-environments.md b/deploy-manage/production-guidance/kibana-in-production-environments.md
index dc40b66371..3d38e28ff5 100644
--- a/deploy-manage/production-guidance/kibana-in-production-environments.md
+++ b/deploy-manage/production-guidance/kibana-in-production-environments.md
@@ -19,7 +19,7 @@ How you deploy {{kib}} largely depends on your use case. If you are the only use
## Scalability
-With the introduction of new capabilities such as [{{kib}} Alerting](/explore-analyze/alerts-cases.md) and the [Detection Rules](/solutions/security/detect-and-alert.md) engine, critical components for [Observability](/solutions/observability.md) and [Security](/solutions/security.md) solutions, the scalability factors have evolved significantly.
+With the introduction of new capabilities such as [{{kib}} Alerting](/explore-analyze/alerting.md) and the [Detection Rules](/solutions/security/detect-and-alert.md) engine, critical components for [Observability](/solutions/observability.md) and [Security](/solutions/security.md) solutions, the scalability factors have evolved significantly.
Now, Kibana’s resource requirements extend beyond user activity. The system must also handle workloads generated by automated processes, such as scheduled alerts, background detection rules, and other periodic tasks. These operations are managed by [{{kib}} Task Manager](./kibana-task-manager-scaling-considerations.md), which is responsible for scheduling, executing, and coordinating all background tasks.
diff --git a/deploy-manage/production-guidance/kibana-task-manager-scaling-considerations.md b/deploy-manage/production-guidance/kibana-task-manager-scaling-considerations.md
index 7fa326367f..79c097d696 100644
--- a/deploy-manage/production-guidance/kibana-task-manager-scaling-considerations.md
+++ b/deploy-manage/production-guidance/kibana-task-manager-scaling-considerations.md
@@ -14,7 +14,7 @@ products:
# {{kib}} task manager: performance and scaling guide [task-manager-production-considerations]
-{{kib}} Task Manager is leveraged by features such as [alerting](/explore-analyze/alerts-cases/alerts.md), [actions](/explore-analyze/alerts-cases/alerts.md#rules-actions), and [reporting](/explore-analyze/report-and-share.md) to run mission critical work as persistent background tasks. These background tasks distribute work across multiple {{kib}} instances. This has three major benefits:
+{{kib}} Task Manager is leveraged by features such as [alerting](/explore-analyze/alerting/alerts.md), [actions](/explore-analyze/alerting/alerts.md#rules-actions), and [reporting](/explore-analyze/report-and-share.md) to run mission critical work as persistent background tasks. These background tasks distribute work across multiple {{kib}} instances. This has three major benefits:
- **Persistence**: All task state and scheduling is stored in {{es}}, so if you restart {{kib}}, tasks will pick up where they left off.
- **Scaling**: Multiple {{kib}} instances can read from and update the same task queue in {{es}}, allowing the work load to be distributed across instances. If a {{kib}} instance no longer has capacity to run tasks, you can increase capacity by adding additional {{kib}} instances.
diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml
index 4bc3412276..33d02d41ff 100644
--- a/deploy-manage/toc.yml
+++ b/deploy-manage/toc.yml
@@ -555,9 +555,6 @@ toc:
- file: users-roles/cloud-enterprise-orchestrator/saml.md
- file: users-roles/cloud-enterprise-orchestrator/configure-sso-for-deployments.md
- file: users-roles/serverless-custom-roles.md
- children:
- - title: "Control access at the document and field level"
- crosslink: docs-content://deploy-manage/users-roles/cluster-or-deployment-auth/controlling-access-at-document-field-level.md
- file: users-roles/cluster-or-deployment-auth.md
children:
- file: users-roles/cluster-or-deployment-auth/quickstart.md
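Review bot: The removal of the `children:` block under `users-roles/serverless-custom-roles.md` (the "Control access at the document and field level" crosslink) is unrelated to the `alerts-cases` to `alerting` path rename that the rest of this patch performs. Move it to its own change or explain it in the commit message. It drops a navigation entry to document-level and field-level access control from the Serverless custom roles section, and that is easy to miss in a bulk link update.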
diff --git a/deploy-manage/tools/snapshot-and-restore/create-snapshots.md b/deploy-manage/tools/snapshot-and-restore/create-snapshots.md
index 728c20eb58..a9c6f4cd66 100644
--- a/deploy-manage/tools/snapshot-and-restore/create-snapshots.md
+++ b/deploy-manage/tools/snapshot-and-restore/create-snapshots.md
@@ -141,7 +141,7 @@ PUT _slm/policy/nightly-snapshots
}
```
-1. When to take snapshots, written in [Cron syntax](/explore-analyze/alerts-cases/watcher/schedule-types.md#schedule-cron).
+1. When to take snapshots, written in [Cron syntax](/explore-analyze/alerting/watcher/schedule-types.md#schedule-cron).
2. Snapshot name. Supports [date math](elasticsearch://reference/elasticsearch/rest-apis/api-conventions.md#api-date-math-index-names). To prevent naming conflicts, the policy also appends a UUID to each snapshot name.
3. [Registered snapshot repository](self-managed.md) used to store the policy’s snapshots.
4. Data streams and indices to include in the policy’s snapshots.
diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/quickstart.md b/deploy-manage/users-roles/cluster-or-deployment-auth/quickstart.md
index b105d66e9d..131c05a7da 100644
--- a/deploy-manage/users-roles/cluster-or-deployment-auth/quickstart.md
+++ b/deploy-manage/users-roles/cluster-or-deployment-auth/quickstart.md
@@ -20,7 +20,7 @@ This guide introduces you to three basic user and access management features: [s
Do you have multiple teams using {{kib}}? Do you want a “playground” to experiment with new visualizations or rules? If so, then [{{kib}} Spaces](../../manage-spaces.md) can help.
-Think of a space as another instance of {{kib}}. A space allows you to organize your [dashboards](../../../explore-analyze/dashboards.md), [rules](../../../explore-analyze/alerts-cases/alerts.md), [machine learning jobs](../../../explore-analyze/machine-learning/machine-learning-in-kibana.md), and much more into their own categories. For example, you might have a **Marketing** space for your marketers to track the results of their campaigns, and an **Engineering** space for your developers to [monitor application performance](/solutions/observability/apm/index.md).
+Think of a space as another instance of {{kib}}. A space allows you to organize your [dashboards](../../../explore-analyze/dashboards.md), [rules](../../../explore-analyze/alerting/alerts.md), [machine learning jobs](../../../explore-analyze/machine-learning/machine-learning-in-kibana.md), and much more into their own categories. For example, you might have a **Marketing** space for your marketers to track the results of their campaigns, and an **Engineering** space for your developers to [monitor application performance](/solutions/observability/apm/index.md).
The assets you create in one space are isolated from other spaces, so when you enter a space, you only see the assets that belong to that space.
diff --git a/explore-analyze/ai-features/agent-builder/tools/builtin-tools-reference.md b/explore-analyze/ai-features/agent-builder/tools/builtin-tools-reference.md
index 1798ba18e1..bc8722d7c2 100644
--- a/explore-analyze/ai-features/agent-builder/tools/builtin-tools-reference.md
+++ b/explore-analyze/ai-features/agent-builder/tools/builtin-tools-reference.md
@@ -78,7 +78,7 @@ $$$agent-builder-product-documentation-tool$$$ `platform.core.product_documentat
: Creates a [Lens](/explore-analyze/visualize/lens.md) visualization based on specifications. -->
`platform.core.cases` {applies_to}`stack: ga 9.3+`
-: Searches and retrieves [cases](/explore-analyze/alerts-cases/cases.md) for tracking and managing issues.
+: Searches and retrieves [cases](/explore-analyze/cases.md) for tracking and managing issues.
`platform.core.get_workflow_execution_status` {applies_to}`stack: ga 9.3+`
: Retrieves the execution status of a workflow.
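Review bot: The new target for the `platform.core.cases` entry is `/explore-analyze/cases.md`, which sits outside the `alerting/` folder that every other link in this patch moves to. No rename of `alerts-cases/cases.md` is visible in this part of the diff, so confirm that the file is moved to `explore-analyze/cases.md` in the same change. If it is not, this link breaks.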
diff --git a/explore-analyze/alerting.md b/explore-analyze/alerting.md
new file mode 100644
index 0000000000..d32e445ab1
--- /dev/null
+++ b/explore-analyze/alerting.md
@@ -0,0 +1,34 @@
+---
+mapped_pages:
+ - https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html#alerting-concepts-differences
+ - https://www.elastic.co/guide/en/serverless/current/project-settings-alerts.html
+applies_to:
+ stack: ga
+ serverless: ga
+products:
+ - id: kibana
+ - id: cloud-serverless
+---
+
+# Alerting
+
+Alerting tools in Elasticsearch and Kibana provide functionality to monitor data and notify you about significant changes or events in real time. This page provides an overview of how the key components work.
+
+## Alerts
+
+Alerts are notifications generated when specific conditions are met. These notifications are sent to you through channels that you previously set such as email, Slack, webhooks, PagerDuty, and so on.
+
+Alerts are created based on rules, which define the criteria for triggering them. Rules monitor the data indexed in Elasticsearch and evaluate conditions on a defined schedule to identify matches. For example, a threshold rule can generate an alert when a value crosses a specific threshold, while a machine learning rule activates an alert when an anomaly detection job identifies an anomaly.
+
+## Watcher
+```{applies_to}
+serverless: unavailable
+```
+
+You can use Watcher for alerting and monitoring specific conditions in your data. It enables you to define rules and take automated actions when certain criteria are met. Watcher is a powerful alerting tool for custom use cases and more complex alerting logic. It allows advanced scripting using Painless to define complex conditions and transformations.
+
+:::{tip}
+For most use cases, you should use Kibana Alerts instead of Watcher. Kibana Alerts allows rich integrations across use cases like APM, metrics, security, and uptime. Prepackaged rule types simplify setup and hide the details of complex, domain-specific detections, while providing a consistent interface across Kibana.
+
+Watcher is not available in {{serverless-full}}.
+:::
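Review bot: The `## Watcher` heading in the new `alerting.md` has no explicit anchor, while the `deployment-comparison.md` table in this patch links to `/explore-analyze/alerting.md#watcher`. Other headings in these docs carry explicit anchors (for example `[kibana-alerts]`), so add one here, such as `## Watcher [watcher]`, so the link does not depend on the auto-generated slug. Two smaller points in the same file: the body uses literal "Elasticsearch" and "Kibana" where the surrounding docs use the `{{es}}` and `{{kib}}` substitutions, and the tip repeats "Watcher is not available in {{serverless-full}}" although the `applies_to` block directly under the heading already states `serverless: unavailable`.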
diff --git a/explore-analyze/alerts-cases/alerts.md b/explore-analyze/alerting/alerts.md
similarity index 98%
rename from explore-analyze/alerts-cases/alerts.md
rename to explore-analyze/alerting/alerts.md
index 711c95b8c5..ccd9c103f0 100644
--- a/explore-analyze/alerts-cases/alerts.md
+++ b/explore-analyze/alerting/alerts.md
@@ -102,7 +102,7 @@ You can pass rule values to an action at the time a condition is detected. To vi
:screenshot:
:::
-For more information about common action variables, refer to [Rule actions variables](../../explore-analyze/alerts-cases/alerts/rule-action-variables.md)
+For more information about common action variables, refer to [Rule actions variables](alerts/rule-action-variables.md)
### Alerts [rules-alerts]
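Review bot: The rewritten link `alerts/rule-action-variables.md` introduces a third link style into a patch that otherwise uses either root-absolute (`/explore-analyze/alerting/...`) or `../`-relative paths. It resolves correctly from `explore-analyze/alerting/alerts.md`, but it will break silently if this page moves again. Consider the root-absolute form `/explore-analyze/alerting/alerts/rule-action-variables.md` for consistency. The sentence is also missing its terminal period, which could be fixed while the line is being changed.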
diff --git a/explore-analyze/alerts-cases/alerts/alerting-common-issues.md b/explore-analyze/alerting/alerts/alerting-common-issues.md
similarity index 100%
rename from explore-analyze/alerts-cases/alerts/alerting-common-issues.md
rename to explore-analyze/alerting/alerts/alerting-common-issues.md
diff --git a/explore-analyze/alerts-cases/alerts/alerting-getting-started.md b/explore-analyze/alerting/alerts/alerting-getting-started.md
similarity index 84%
rename from explore-analyze/alerts-cases/alerts/alerting-getting-started.md
rename to explore-analyze/alerting/alerts/alerting-getting-started.md
index ec2fd6c4b7..ba1b7394e7 100644
--- a/explore-analyze/alerts-cases/alerts/alerting-getting-started.md
+++ b/explore-analyze/alerting/alerts/alerting-getting-started.md
@@ -16,14 +16,14 @@ products:
# Getting started with alerting [alerting-getting-started]
-Alerting enables you to define *rules*, which detect complex conditions within different {{kib}} apps and trigger actions when those conditions are met. Alerting is integrated with [**{{observability}}**](../../../solutions/observability/incident-management/alerting.md), [**Security**](detection-rules://index.md), [**Maps**](../../../explore-analyze/alerts-cases/alerts/geo-alerting.md) and [**{{ml-app}}**](../../../explore-analyze/machine-learning/anomaly-detection/ml-configuring-alerts.md). It can be centrally managed from **{{stack-manage-app}}** and provides a set of built-in [connectors](../../../deploy-manage/manage-connectors.md) and [rules](../../../explore-analyze/alerts-cases/alerts/rule-types.md#stack-rules) for you to use.
+Alerting enables you to define *rules*, which detect complex conditions within different {{kib}} apps and trigger actions when those conditions are met. Alerting is integrated with [**{{observability}}**](../../../solutions/observability/incident-management/alerting.md), [**Security**](detection-rules://index.md), [**Maps**](geo-alerting.md) and [**{{ml-app}}**](../../../explore-analyze/machine-learning/anomaly-detection/ml-configuring-alerts.md). It can be centrally managed from **{{stack-manage-app}}** and provides a set of built-in [connectors](../../../deploy-manage/manage-connectors.md) and [rules](rule-types.md#stack-rules) for you to use.
:::{image} /explore-analyze/images/kibana-alerting-overview.png
:alt: {{rules-ui}} UI
:::
::::{important}
-To make sure you can access alerting and actions, see the [setup and prerequisites](../../../explore-analyze/alerts-cases/alerts/alerting-setup.md#alerting-prerequisites) section.
+To make sure you can access alerting and actions, see the [setup and prerequisites](alerting-setup.md#alerting-prerequisites) section.
::::
@@ -31,7 +31,7 @@ Alerting works by running checks on a schedule to detect conditions defined by a
## Rules [_rules]
-A rule specifies a background task that runs on the {{kib}} server to check for specific conditions. {{kib}} provides two types of rules: stack rules that are built into {{kib}} and the rules that are registered by {{kib}} apps. For more information, refer to [*Rule types*](../../../explore-analyze/alerts-cases/alerts/rule-types.md).
+A rule specifies a background task that runs on the {{kib}} server to check for specific conditions. {{kib}} provides two types of rules: stack rules that are built into {{kib}} and the rules that are registered by {{kib}} apps. For more information, refer to [*Rule types*](rule-types.md).
A rule consists of three main parts:
@@ -57,9 +57,9 @@ Under the hood, {{kib}} rules detect conditions by running a JavaScript function
These conditions are packaged and exposed as *rule types*. A rule type hides the underlying details of the condition, and exposes a set of parameters to control the details of the conditions to detect.
-For example, an [index threshold rule type](../../../explore-analyze/alerts-cases/alerts/rule-type-index-threshold.md) lets you specify the index to query, an aggregation field, and a time window, but the details of the underlying {{es}} query are hidden.
+For example, an [index threshold rule type](rule-type-index-threshold.md) lets you specify the index to query, an aggregation field, and a time window, but the details of the underlying {{es}} query are hidden.
-See [*Rule types*](../../../explore-analyze/alerts-cases/alerts/rule-types.md) for the rules provided by {{kib}} and how they express their conditions.
+See [*Rule types*](rule-types.md) for the rules provided by {{kib}} and how they express their conditions.
### Schedule [alerting-concepts-scheduling]
@@ -117,14 +117,14 @@ A rule consists of conditions, actions, and a schedule. When conditions are met,
## Differences from {{watcher}} [alerting-concepts-differences]
-[{{watcher}}](../../../explore-analyze/alerts-cases/watcher.md) and the {{kib}} {{alert-features}} are both used to detect conditions and can trigger actions in response, but they are completely independent alerting systems.
+[{{watcher}}](../watcher.md) and the {{kib}} {{alert-features}} are both used to detect conditions and can trigger actions in response, but they are completely independent alerting systems.
This section will clarify some of the important differences in the function and intent of the two systems.
Functionally, the {{alert-features}} differ in that:
* Scheduled checks are run on {{kib}} instead of {{es}}
-* {{kib}} [rules hide the details of detecting conditions](../../../explore-analyze/alerts-cases/alerts/alerting-getting-started.md#alerting-concepts-conditions) through rule types, whereas watches provide low-level control over inputs, conditions, and transformations.
+* {{kib}} [rules hide the details of detecting conditions](#alerting-concepts-conditions) through rule types, whereas watches provide low-level control over inputs, conditions, and transformations.
* {{kib}} rules track and persist the state of each detected condition through alerts. This makes it possible to mute and throttle individual alerts, and detect changes in state such as resolution.
* Actions are linked to alerts. Actions are fired for each occurrence of a detected condition, rather than for the entire rule.
diff --git a/explore-analyze/alerts-cases/alerts/alerting-setup.md b/explore-analyze/alerting/alerts/alerting-setup.md
similarity index 100%
rename from explore-analyze/alerts-cases/alerts/alerting-setup.md
rename to explore-analyze/alerting/alerts/alerting-setup.md
diff --git a/explore-analyze/alerts-cases/alerts/alerting-troubleshooting.md b/explore-analyze/alerting/alerts/alerting-troubleshooting.md
similarity index 100%
rename from explore-analyze/alerts-cases/alerts/alerting-troubleshooting.md
rename to explore-analyze/alerting/alerts/alerting-troubleshooting.md
diff --git a/explore-analyze/alerts-cases/alerts/create-manage-rules.md b/explore-analyze/alerting/alerts/create-manage-rules.md
similarity index 100%
rename from explore-analyze/alerts-cases/alerts/create-manage-rules.md
rename to explore-analyze/alerting/alerts/create-manage-rules.md
diff --git a/explore-analyze/alerts-cases/alerts/event-log-index.md b/explore-analyze/alerting/alerts/event-log-index.md
similarity index 100%
rename from explore-analyze/alerts-cases/alerts/event-log-index.md
rename to explore-analyze/alerting/alerts/event-log-index.md
diff --git a/explore-analyze/alerts-cases/alerts/geo-alerting.md b/explore-analyze/alerting/alerts/geo-alerting.md
similarity index 100%
rename from explore-analyze/alerts-cases/alerts/geo-alerting.md
rename to explore-analyze/alerting/alerts/geo-alerting.md
diff --git a/explore-analyze/alerts-cases/alerts/maintenance-windows.md b/explore-analyze/alerting/alerts/maintenance-windows.md
similarity index 90%
rename from explore-analyze/alerts-cases/alerts/maintenance-windows.md
rename to explore-analyze/alerting/alerts/maintenance-windows.md
index 4ec1cd1462..f30dd360f2 100644
--- a/explore-analyze/alerts-cases/alerts/maintenance-windows.md
+++ b/explore-analyze/alerting/alerts/maintenance-windows.md
@@ -67,7 +67,7 @@ If you turn on **Filter alerts**, you can use KQL to filter the alerts affected
::::{note}
* {applies_to}`stack: removed 9.2` {applies_to}`serverless: removed` You can select only a single category when you turn on filters.
-* Some rules are not affected by maintenance window filters because their alerts do not contain requisite data. In particular, [{{stack-monitor-app}}](../../../deploy-manage/monitor/monitoring-data/configure-stack-monitoring-alerts.md), [tracking containment](../../../explore-analyze/alerts-cases/alerts/geo-alerting.md), [{{anomaly-jobs}} health](../../../explore-analyze/machine-learning/anomaly-detection/ml-configuring-alerts.md), and [transform health](../../../explore-analyze/transforms/transform-alerts.md) rules are not affected by the filters.
+* Some rules are not affected by maintenance window filters because their alerts do not contain requisite data. In particular, [{{stack-monitor-app}}](../../../deploy-manage/monitor/monitoring-data/configure-stack-monitoring-alerts.md), [tracking containment](geo-alerting.md), [{{anomaly-jobs}} health](../../../explore-analyze/machine-learning/anomaly-detection/ml-configuring-alerts.md), and [transform health](../../../explore-analyze/transforms/transform-alerts.md) rules are not affected by the filters.
::::
@@ -78,4 +78,4 @@ A maintenance window can have any one of the following statuses:
* `Finished`: It ended and does not have a repeat schedule.
* `Archived`: It is archived. In a future release, archived maintenance windows will be queued for deletion.
-When you [view alert details](../../../explore-analyze/alerts-cases/alerts/create-manage-rules.md#rule-details) in {{kib}}, each alert shows unique identifiers for maintenance windows that affected it.
+When you [view alert details](create-manage-rules.md#rule-details) in {{kib}}, each alert shows unique identifiers for maintenance windows that affected it.
diff --git a/explore-analyze/alerts-cases/alerts/notifications-domain-allowlist.md b/explore-analyze/alerting/alerts/notifications-domain-allowlist.md
similarity index 100%
rename from explore-analyze/alerts-cases/alerts/notifications-domain-allowlist.md
rename to explore-analyze/alerting/alerts/notifications-domain-allowlist.md
diff --git a/explore-analyze/alerts-cases/alerts/rule-action-variables.md b/explore-analyze/alerting/alerts/rule-action-variables.md
similarity index 100%
rename from explore-analyze/alerts-cases/alerts/rule-action-variables.md
rename to explore-analyze/alerting/alerts/rule-action-variables.md
diff --git a/explore-analyze/alerts-cases/alerts/rule-type-es-query.md b/explore-analyze/alerting/alerts/rule-type-es-query.md
similarity index 100%
rename from explore-analyze/alerts-cases/alerts/rule-type-es-query.md
rename to explore-analyze/alerting/alerts/rule-type-es-query.md
diff --git a/explore-analyze/alerts-cases/alerts/rule-type-index-threshold.md b/explore-analyze/alerting/alerts/rule-type-index-threshold.md
similarity index 100%
rename from explore-analyze/alerts-cases/alerts/rule-type-index-threshold.md
rename to explore-analyze/alerting/alerts/rule-type-index-threshold.md
diff --git a/explore-analyze/alerts-cases/alerts/rule-types.md b/explore-analyze/alerting/alerts/rule-types.md
similarity index 100%
rename from explore-analyze/alerts-cases/alerts/rule-types.md
rename to explore-analyze/alerting/alerts/rule-types.md
diff --git a/explore-analyze/alerts-cases/alerts/testing-connectors.md b/explore-analyze/alerting/alerts/testing-connectors.md
similarity index 100%
rename from explore-analyze/alerts-cases/alerts/testing-connectors.md
rename to explore-analyze/alerting/alerts/testing-connectors.md
diff --git a/explore-analyze/alerts-cases/alerts/view-alerts.md b/explore-analyze/alerting/alerts/view-alerts.md
similarity index 98%
rename from explore-analyze/alerts-cases/alerts/view-alerts.md
rename to explore-analyze/alerting/alerts/view-alerts.md
index e2204e140b..de11507f47 100644
--- a/explore-analyze/alerts-cases/alerts/view-alerts.md
+++ b/explore-analyze/alerting/alerts/view-alerts.md
@@ -62,7 +62,7 @@ There are four common alert statuses:
`flapping`
-: The alert switched repeatedly between active and recovered states. If actions are configured to run when its status changes, they are suppressed. Refer to [Alert flapping](/explore-analyze/alerts-cases/alerts/create-manage-rules.md#defining-rules-flapping-details) to learn more about configuring alert flapping for rules.
+: The alert switched repeatedly between active and recovered states. If actions are configured to run when its status changes, they are suppressed. Refer to [Alert flapping](create-manage-rules.md#defining-rules-flapping-details) to learn more about configuring alert flapping for rules.
`recovered`
: The conditions for the rule are no longer met. If the rule has [recovery actions](create-manage-rules.md#defining-rules-actions-details), {{kib}} generates notifications based on the actions' notification settings. Recovery actions only run if the rule's conditions aren't met during the current rule execution, but were in the previous one.
diff --git a/explore-analyze/alerts-cases/watcher.md b/explore-analyze/alerting/watcher.md
similarity index 97%
rename from explore-analyze/alerts-cases/watcher.md
rename to explore-analyze/alerting/watcher.md
index e6e27429d4..a90e3a4787 100644
--- a/explore-analyze/alerts-cases/watcher.md
+++ b/explore-analyze/alerting/watcher.md
@@ -17,7 +17,7 @@ products:
# {{watcher}}
::::{tip}
-{{kib}} Alerting provides a set of built-in actions and alerts that are integrated with applications such as APM, Metrics, Security, and Uptime. You can use {{kib}} Alerting to detect complex conditions within different {{kib}} apps and trigger actions when those conditions are met. For more information, refer to [Alerts and Cases](../alerts-cases.md).
+{{kib}} Alerting provides a set of built-in actions and alerts that are integrated with applications such as APM, Metrics, Security, and Uptime. You can use {{kib}} Alerting to detect complex conditions within different {{kib}} apps and trigger actions when those conditions are met. For more information, refer to [Alerting](../alerting.md).
::::
You can use {{watcher}} to watch for changes or anomalies in your data and perform the necessary actions in response. For example, you might want to:
@@ -64,6 +64,6 @@ To restore your defined watches, restore the `watcher` feature state from a snap
### Exporting watches using the {{watcher}} API
-As an alternative, you can export watch definitions using the `/_watcher/_query/watches` API, as described in [Listing watches](/explore-analyze/alerts-cases/watcher/managing-watches.md#listing-watches).
+As an alternative, you can export watch definitions using the `/_watcher/_query/watches` API, as described in [Listing watches](/explore-analyze/alerting/watcher/managing-watches.md#listing-watches).
This approach allows you to retrieve watch definitions in JSON format and is useful for inspection, migration between clusters, or storing watches in version control systems. Using the API, you can also filter and export only specific watches instead of all defined watches.
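Review bot: The updated link in the "Exporting watches" paragraph keeps a root-absolute path (`/explore-analyze/alerting/watcher/managing-watches.md#listing-watches`), whereas the rest of this change converts same-tree links to short relative ones. From `explore-analyze/alerting/watcher.md` the equivalent would be `watcher/managing-watches.md#listing-watches`. Suggest using the relative form here so the file does not have to be edited again on the next directory move.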
diff --git a/explore-analyze/alerts-cases/watcher/action-conditions.md b/explore-analyze/alerting/watcher/action-conditions.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/action-conditions.md
rename to explore-analyze/alerting/watcher/action-conditions.md
diff --git a/explore-analyze/alerts-cases/watcher/action-foreach.md b/explore-analyze/alerting/watcher/action-foreach.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/action-foreach.md
rename to explore-analyze/alerting/watcher/action-foreach.md
diff --git a/explore-analyze/alerts-cases/watcher/actions-email.md b/explore-analyze/alerting/watcher/actions-email.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/actions-email.md
rename to explore-analyze/alerting/watcher/actions-email.md
diff --git a/explore-analyze/alerts-cases/watcher/actions-index.md b/explore-analyze/alerting/watcher/actions-index.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/actions-index.md
rename to explore-analyze/alerting/watcher/actions-index.md
diff --git a/explore-analyze/alerts-cases/watcher/actions-jira.md b/explore-analyze/alerting/watcher/actions-jira.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/actions-jira.md
rename to explore-analyze/alerting/watcher/actions-jira.md
diff --git a/explore-analyze/alerts-cases/watcher/actions-logging.md b/explore-analyze/alerting/watcher/actions-logging.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/actions-logging.md
rename to explore-analyze/alerting/watcher/actions-logging.md
diff --git a/explore-analyze/alerts-cases/watcher/actions-pagerduty.md b/explore-analyze/alerting/watcher/actions-pagerduty.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/actions-pagerduty.md
rename to explore-analyze/alerting/watcher/actions-pagerduty.md
diff --git a/explore-analyze/alerts-cases/watcher/actions-slack.md b/explore-analyze/alerting/watcher/actions-slack.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/actions-slack.md
rename to explore-analyze/alerting/watcher/actions-slack.md
diff --git a/explore-analyze/alerts-cases/watcher/actions-webhook.md b/explore-analyze/alerting/watcher/actions-webhook.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/actions-webhook.md
rename to explore-analyze/alerting/watcher/actions-webhook.md
diff --git a/explore-analyze/alerts-cases/watcher/actions.md b/explore-analyze/alerting/watcher/actions.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/actions.md
rename to explore-analyze/alerting/watcher/actions.md
diff --git a/explore-analyze/alerts-cases/watcher/condition-always.md b/explore-analyze/alerting/watcher/condition-always.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/condition-always.md
rename to explore-analyze/alerting/watcher/condition-always.md
diff --git a/explore-analyze/alerts-cases/watcher/condition-array-compare.md b/explore-analyze/alerting/watcher/condition-array-compare.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/condition-array-compare.md
rename to explore-analyze/alerting/watcher/condition-array-compare.md
diff --git a/explore-analyze/alerts-cases/watcher/condition-compare.md b/explore-analyze/alerting/watcher/condition-compare.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/condition-compare.md
rename to explore-analyze/alerting/watcher/condition-compare.md
diff --git a/explore-analyze/alerts-cases/watcher/condition-never.md b/explore-analyze/alerting/watcher/condition-never.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/condition-never.md
rename to explore-analyze/alerting/watcher/condition-never.md
diff --git a/explore-analyze/alerts-cases/watcher/condition-script.md b/explore-analyze/alerting/watcher/condition-script.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/condition-script.md
rename to explore-analyze/alerting/watcher/condition-script.md
diff --git a/explore-analyze/alerts-cases/watcher/condition.md b/explore-analyze/alerting/watcher/condition.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/condition.md
rename to explore-analyze/alerting/watcher/condition.md
diff --git a/explore-analyze/alerts-cases/watcher/enable-watcher.md b/explore-analyze/alerting/watcher/enable-watcher.md
similarity index 90%
rename from explore-analyze/alerts-cases/watcher/enable-watcher.md
rename to explore-analyze/alerting/watcher/enable-watcher.md
index 2d7694556f..e4ca04d971 100644
--- a/explore-analyze/alerts-cases/watcher/enable-watcher.md
+++ b/explore-analyze/alerting/watcher/enable-watcher.md
@@ -10,7 +10,7 @@ products:
# Enable Watcher [enable-watcher]
::::{note}
-If you are looking for Kibana alerting, check [Alerts and Cases](../../../explore-analyze/alerts-cases.md).
+If you are looking for Kibana alerting, check [Alerting](../../../explore-analyze/alerting.md).
::::
Watcher can be enabled when configuring your cluster. You can run Alerting on a separate cluster from the cluster whose data you are actually watching.
@@ -23,7 +23,7 @@ To enable Watcher on a cluster, you may first need to perform one or several of
* To receive default Elasticsearch Watcher alerts (cluster status, nodes changed, version mismatch), you need to have monitoring enabled to send to the Admin email address specified in Kibana. To enable this, go to **Advanced Settings > Admin email**.
-To learn more about Kibana alerting and how to use it, check [Alerting and Actions](../../../explore-analyze/alerts-cases.md).
+To learn more about Kibana alerting and how to use it, check [Alerting and Actions](../../../explore-analyze/alerting.md).
## Send alerts by email [watcher-allowlist]
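Review bot: The link text "Alerting and Actions" on the changed line now points to the same `alerting.md` page that the note at the top of this file calls "Alerting", so one target has two names within a single page. Suggest using "Alerting" in both places. The path `../../../explore-analyze/alerting.md` also climbs out of `explore-analyze/` and back in; `../../alerting.md` resolves to the same file from `explore-analyze/alerting/watcher/` and matches the shorter relative style used for `actions-email.md` elsewhere in this file.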
@@ -31,9 +31,9 @@ You can configure notifications similar to the [operational emails](../../../dep
Watcher in Elastic Cloud is preconfigured with an email service and can be used without any additional configuration. Alternatively, a custom mail server can be configured as described in [Configuring a custom mail server](#watcher-custom-mail-server)
-You can optionally add [HTML sanitization](../../../explore-analyze/alerts-cases/watcher/actions-email.md#email-html-sanitization) settings under [Elasticsearch User settings](../../../deploy-manage/deploy/elastic-cloud/edit-stack-settings.md) in the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body) so that HTML elements are sanitized in the email notification.
+You can optionally add [HTML sanitization](actions-email.md#email-html-sanitization) settings under [Elasticsearch User settings](../../../deploy-manage/deploy/elastic-cloud/edit-stack-settings.md) in the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body) so that HTML elements are sanitized in the email notification.
-For more information on sending alerts by email, check [Email action](../../../explore-analyze/alerts-cases/watcher/actions-email.md).
+For more information on sending alerts by email, check [Email action](actions-email.md).
## Cloud email service limits [cloud-email-service-limits]
@@ -132,7 +132,7 @@ PUT _watcher/watch/test-alarm
## Configuring a custom mail server [watcher-custom-mail-server]
-It is possible to use a custom mail service instead of the one configured by default. It can be configured by following the [Elasticsearch documentation for configuring email accounts](/explore-analyze/alerts-cases/watcher/actions-email.md).
+It is possible to use a custom mail service instead of the one configured by default. It can be configured by following the [Elasticsearch documentation for configuring email accounts](/explore-analyze/alerting/watcher/actions-email.md).
An example on how to configure a new account from the Elastic cloud console:
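Review bot: The custom mail server link uses the root-absolute path `/explore-analyze/alerting/watcher/actions-email.md`, while the earlier hunk in this same file links to the same page as plain `actions-email.md`. Suggest the relative form for consistency. The link text promises documentation "for configuring email accounts" but targets the top of the page; if the account configuration section is the intent, the `#configuring-email` anchor that `watcher-ui.md` uses in this change would take the reader straight there.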
diff --git a/explore-analyze/alerts-cases/watcher/encrypting-data.md b/explore-analyze/alerting/watcher/encrypting-data.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/encrypting-data.md
rename to explore-analyze/alerting/watcher/encrypting-data.md
diff --git a/explore-analyze/alerts-cases/watcher/example-watches.md b/explore-analyze/alerting/watcher/example-watches.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/example-watches.md
rename to explore-analyze/alerting/watcher/example-watches.md
diff --git a/explore-analyze/alerts-cases/watcher/execute-watch.md b/explore-analyze/alerting/watcher/execute-watch.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/execute-watch.md
rename to explore-analyze/alerting/watcher/execute-watch.md
diff --git a/explore-analyze/alerts-cases/watcher/how-watcher-works.md b/explore-analyze/alerting/watcher/how-watcher-works.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/how-watcher-works.md
rename to explore-analyze/alerting/watcher/how-watcher-works.md
diff --git a/explore-analyze/alerts-cases/watcher/input-chain.md b/explore-analyze/alerting/watcher/input-chain.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/input-chain.md
rename to explore-analyze/alerting/watcher/input-chain.md
diff --git a/explore-analyze/alerts-cases/watcher/input-http.md b/explore-analyze/alerting/watcher/input-http.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/input-http.md
rename to explore-analyze/alerting/watcher/input-http.md
diff --git a/explore-analyze/alerts-cases/watcher/input-search.md b/explore-analyze/alerting/watcher/input-search.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/input-search.md
rename to explore-analyze/alerting/watcher/input-search.md
diff --git a/explore-analyze/alerts-cases/watcher/input-simple.md b/explore-analyze/alerting/watcher/input-simple.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/input-simple.md
rename to explore-analyze/alerting/watcher/input-simple.md
diff --git a/explore-analyze/alerts-cases/watcher/input.md b/explore-analyze/alerting/watcher/input.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/input.md
rename to explore-analyze/alerting/watcher/input.md
diff --git a/explore-analyze/alerts-cases/watcher/managing-watches.md b/explore-analyze/alerting/watcher/managing-watches.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/managing-watches.md
rename to explore-analyze/alerting/watcher/managing-watches.md
diff --git a/explore-analyze/alerts-cases/watcher/schedule-types.md b/explore-analyze/alerting/watcher/schedule-types.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/schedule-types.md
rename to explore-analyze/alerting/watcher/schedule-types.md
diff --git a/explore-analyze/alerts-cases/watcher/throttling.md b/explore-analyze/alerting/watcher/throttling.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/throttling.md
rename to explore-analyze/alerting/watcher/throttling.md
diff --git a/explore-analyze/alerts-cases/watcher/transform-chain.md b/explore-analyze/alerting/watcher/transform-chain.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/transform-chain.md
rename to explore-analyze/alerting/watcher/transform-chain.md
diff --git a/explore-analyze/alerts-cases/watcher/transform-script.md b/explore-analyze/alerting/watcher/transform-script.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/transform-script.md
rename to explore-analyze/alerting/watcher/transform-script.md
diff --git a/explore-analyze/alerts-cases/watcher/transform-search.md b/explore-analyze/alerting/watcher/transform-search.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/transform-search.md
rename to explore-analyze/alerting/watcher/transform-search.md
diff --git a/explore-analyze/alerts-cases/watcher/transform.md b/explore-analyze/alerting/watcher/transform.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/transform.md
rename to explore-analyze/alerting/watcher/transform.md
diff --git a/explore-analyze/alerts-cases/watcher/trigger-schedule.md b/explore-analyze/alerting/watcher/trigger-schedule.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/trigger-schedule.md
rename to explore-analyze/alerting/watcher/trigger-schedule.md
diff --git a/explore-analyze/alerts-cases/watcher/trigger.md b/explore-analyze/alerting/watcher/trigger.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/trigger.md
rename to explore-analyze/alerting/watcher/trigger.md
diff --git a/explore-analyze/alerts-cases/watcher/watch-cluster-status.md b/explore-analyze/alerting/watcher/watch-cluster-status.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/watch-cluster-status.md
rename to explore-analyze/alerting/watcher/watch-cluster-status.md
diff --git a/explore-analyze/alerts-cases/watcher/watcher-getting-started.md b/explore-analyze/alerting/watcher/watcher-getting-started.md
similarity index 96%
rename from explore-analyze/alerts-cases/watcher/watcher-getting-started.md
rename to explore-analyze/alerting/watcher/watcher-getting-started.md
index e62aaf2b46..6357e3e8d8 100644
--- a/explore-analyze/alerts-cases/watcher/watcher-getting-started.md
+++ b/explore-analyze/alerting/watcher/watcher-getting-started.md
@@ -19,7 +19,7 @@ To set up a watch to start sending alerts:
A watch [schedule](trigger-schedule.md) controls how often a watch is triggered. The watch [input](input.md) gets the data that you want to evaluate.
-To periodically search log data and load the results into the watch, you could use an [interval](/explore-analyze/alerts-cases/watcher/schedule-types.md#schedule-interval) schedule and a [search](input-search.md) input. For example, the following Watch searches the `logs` index for errors every 10 seconds:
+To periodically search log data and load the results into the watch, you could use an [interval](schedule-types.md#schedule-interval) schedule and a [search](input-search.md) input. For example, the following Watch searches the `logs` index for errors every 10 seconds:
```console
PUT _watcher/watch/log_error_watch
diff --git a/explore-analyze/alerts-cases/watcher/watcher-limitations.md b/explore-analyze/alerting/watcher/watcher-limitations.md
similarity index 100%
rename from explore-analyze/alerts-cases/watcher/watcher-limitations.md
rename to explore-analyze/alerting/watcher/watcher-limitations.md
diff --git a/explore-analyze/alerts-cases/watcher/watcher-ui.md b/explore-analyze/alerting/watcher/watcher-ui.md
similarity index 90%
rename from explore-analyze/alerts-cases/watcher/watcher-ui.md
rename to explore-analyze/alerting/watcher/watcher-ui.md
index f93d26566e..2f01624d59 100644
--- a/explore-analyze/alerts-cases/watcher/watcher-ui.md
+++ b/explore-analyze/alerting/watcher/watcher-ui.md
@@ -21,7 +21,7 @@ Go to the **Watcher** page using the navigation menu or the [global search field

-[Alerting on cluster and index events](../../../explore-analyze/alerts-cases/watcher.md) is a good source for detailed information on how watches work. If you are using the UI to create a threshold watch, take a look at the different watcher actions. If you are creating an advanced watch, you should be familiar with the parts of a watch—input, schedule, condition, and actions.
+[Alerting on cluster and index events](../watcher.md) is a good source for detailed information on how watches work. If you are using the UI to create a threshold watch, take a look at the different watcher actions. If you are creating an advanced watch, you should be familiar with the parts of a watch—input, schedule, condition, and actions.
::::{note}
There are limitations in **Watcher** that affect {{kib}}. For information, refer to [Limitations](watcher-limitations.md).
@@ -75,9 +75,9 @@ You should now see a panel with default conditions and a visualization of the da
### Add an action [_add_an_action]
-Now that the condition is set, you must add an action. The action triggers when the watch condition is met. For a complete list of actions and how to configure them, see [Adding conditions to actions](../../../explore-analyze/alerts-cases/watcher/action-conditions.md).
+Now that the condition is set, you must add an action. The action triggers when the watch condition is met. For a complete list of actions and how to configure them, see [Adding conditions to actions](action-conditions.md).
-In this example, you’ll configure an email action. You must have an [email account configured](../../../explore-analyze/alerts-cases/watcher/actions-email.md#configuring-email) in {{es}} for this example to work.
+In this example, you’ll configure an email action. You must have an [email account configured](actions-email.md#configuring-email) in {{es}} for this example to work.
1. Click **Add action** and select **Email**.
2. In the **To email address** field, enter one or more email addresses to whom you want to send the message when the condition is met.
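Review bot: In the "Add an action" paragraph, the sentence offers "a complete list of actions and how to configure them" but links to `action-conditions.md` with the text "Adding conditions to actions", which does not match what the sentence promises. The path update preserves the old target faithfully, but since the line is being edited, consider pointing it at `actions.md` (renamed in this same change and already linked from the "Acknowledge action status" paragraph) or rewording the sentence to match the conditions page.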
@@ -116,7 +116,7 @@ The **Execution history** tab shows each time the watch is triggered and the res
### Acknowledge action status [_acknowledge_action_status]
-The **Action statuses** tab lists all actions associated with the watch and the state of each action. Some actions can be acknowledged, which will prevent too many executions of that action for the relevant watch. See [Acknowledgement and throttling](../../../explore-analyze/alerts-cases/watcher/actions.md#actions-ack-throttle) for details.
+The **Action statuses** tab lists all actions associated with the watch and the state of each action. Some actions can be acknowledged, which will prevent too many executions of that action for the relevant watch. See [Acknowledgement and throttling](actions.md#actions-ack-throttle) for details.

@@ -133,7 +133,7 @@ Advanced watches are for users who are more familiar with {{es}} query syntax an
### Create the watch [_create_the_watch]
-On the Watch overview page, click **Create** and choose **Create advanced watch**. An advanced watch requires a name and ID. Name is a user-friendly way to identify the watch, and ID refers to the identifier used by {{es}}. Refer to [Watch definition](../../../explore-analyze/alerts-cases/watcher/how-watcher-works.md#watch-definition) for how to input the watch JSON.
+On the Watch overview page, click **Create** and choose **Create advanced watch**. An advanced watch requires a name and ID. Name is a user-friendly way to identify the watch, and ID refers to the identifier used by {{es}}. Refer to [Watch definition](how-watcher-works.md#watch-definition) for how to input the watch JSON.

diff --git a/explore-analyze/alerts-cases.md b/explore-analyze/alerts-cases.md
deleted file mode 100644
index 7f05b9208e..0000000000
--- a/explore-analyze/alerts-cases.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html#alerting-concepts-differences
- - https://www.elastic.co/guide/en/serverless/current/project-settings-alerts.html
-applies_to:
- stack: ga
- serverless: ga
-products:
- - id: kibana
- - id: cloud-serverless
----
-
-# Alerts and cases
-
-Alerting tools in Elasticsearch and Kibana provide functionality to monitor data and notify you about significant changes or events in real time. This page provides an overview of how the key components work.
-
-## Alerts
-
-Alerts are notifications generated when specific conditions are met. These notifications are sent to you through channels that you previously set such as email, Slack, webhooks, PagerDuty, and so on. Alerts are created based on rules, which define the criteria for triggering them. Rules monitor the data indexed in Elasticsearch and evaluate conditions on a defined schedule to identify matches. For example, a threshold rule can generate an alert when a value crosses a specific threshold, while a machine learning rule activates an alert when an anomaly detection job identifies an anomaly.
-
-## Cases
-
-Cases are a collaboration and tracking tool, which is particularly useful for incidents or issues that arise from alerts. You can group related alerts into a case for easier management, add notes and comments to provide context, track investigation progress, and assign cases to team members or link them to external systems. Cases ensure that teams have a central place to track and resolve alerts efficiently.
-
-## Maintenance windows
-
-If you have a planned outage, maintenance windows prevent rules from generating notifications in that period. Alerts still occur but their notifications are suppressed.
-
-### Workflow Example
-
-1. **Rule Creation**: You set up a rule to monitor server logs for failed login attempts exceeding 5 within a 10-minute window.
-1. **Alert Generation**: When the rule's condition is met, an alert is created.
-1. **Notification**: The alert runs an action, such as sending a Slack message or an email, unless a maintenance window is active.
-1. **Case Management**: If the alert is part of an ongoing investigation, it's added to a case for further analysis and resolution.
-
-By combining these tools, Elasticsearch and Kibana enable incident response workflows, helping teams to detect, investigate, and resolve issues efficiently.
-
-## Watcher
-```{applies_to}
-serverless: unavailable
-```
-
-You can use Watcher for alerting and monitoring specific conditions in your data. It enables you to define rules and take automated actions when certain criteria are met. Watcher is a powerful alerting tool for custom use cases and more complex alerting logic. It allows advanced scripting using Painless to define complex conditions and transformations.
-
-:::{tip}
-For most use cases, you should use Kibana Alerts instead of Watcher. Kibana Alerts allows rich integrations across use cases like APM, metrics, security, and uptime. Prepackaged rule types simplify setup and hide the details of complex, domain-specific detections, while providing a consistent interface across Kibana.
-
-Watcher is not available in {{serverless-full}}.
-:::
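Review bot: The front matter of this deleted page maps two legacy URLs (alerting-getting-started.html#alerting-concepts-differences and project-settings-alerts.html), and neither appears in the `mapped_pages` of the new explore-analyze/cases.md added later in this patch. Make sure another page claims them. Also confirm that the tip under "## Watcher" survives on the Watcher or alerting overview page. It recommends Kibana Alerts for most use cases and states that Watcher is not available in serverless, and this page was where readers were told which tool to pick.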
diff --git a/explore-analyze/alerts-cases/cases.md b/explore-analyze/alerts-cases/cases.md
deleted file mode 100644
index 20a5a71f15..0000000000
--- a/explore-analyze/alerts-cases/cases.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-navigation_title: Cases
-mapped_pages:
- - https://www.elastic.co/guide/en/kibana/current/cases.html
-applies_to:
- stack: ga
- serverless: ga
-products:
- - id: kibana
----
-
-# Cases in {{kib}} [cases]
-
-Cases are used to open and track issues directly in {{kib}}. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can create cases automatically when alerts occur or send cases to external incident management systems by configuring connectors.
-
-You can also optionally add custom fields and case templates.
-
-{applies_to}`stack: ga 9.2` Cases are automatically assigned human-readable numeric IDs, which you can use for easier referencing. Each time you create a new case in your [space](docs-content://deploy-manage/manage-spaces.md), the case ID increments by one. IDs are assigned to cases by a background task that runs every 10 minutes, which can cause a delay in ID assignment, especially in spaces with many cases. You can find the case ID after the case's name and can use it while searching the Cases table.
-
-:::{image} /explore-analyze/images/kibana-cases-list.png
-:alt: Cases page
-:screenshot:
-:::
-
-::::{note}
-If you create cases in the {{observability}} or {{security-app}}, they are not visible in **{{stack-manage-app}}**. Likewise, the cases you create in **{{stack-manage-app}}** are not visible in the {{observability}} or {{security-app}}. You also cannot attach alerts from the {{observability}} or {{security-app}} to cases in **{{stack-manage-app}}**.
-::::
-
-* [Configure access to cases](cases/setup-cases.md)
-* [Open and manage cases](cases/manage-cases.md)
-* [Configure case settings](cases/manage-cases-settings.md)
-* {applies_to}`stack: preview 9.2` {applies_to}`serverless: unavailable`[Use cases as data](cases/cases-as-data.md)
-
-## Limitations [kibana-case-limitations]
-
-* If you create cases in {{stack-manage-app}}, they are not visible from {{observability}} or the {{security-app}}. Likewise, the cases you create in {{observability}} are not visible in {{stack-manage-app}} or {{elastic-sec}}.
-* You cannot attach alerts from {{observability}} or {{elastic-sec}} to cases in {{stack-manage-app}}.
diff --git a/explore-analyze/alerts-cases/cases/manage-cases-settings.md b/explore-analyze/alerts-cases/cases/manage-cases-settings.md
deleted file mode 100644
index 7659bd2f6d..0000000000
--- a/explore-analyze/alerts-cases/cases/manage-cases-settings.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-navigation_title: Manage case settings
-mapped_pages:
- - https://www.elastic.co/guide/en/kibana/current/manage-cases-settings.html
-applies_to:
- stack: ga
- serverless: ga
-products:
- - id: kibana
----
-
-# Manage case settings in {{kib}} [manage-cases-settings]
-
-To change case closure options and add custom fields, templates, and connectors for external incident management systems, go to **{{stack-manage-app}} > Cases** and click **Settings**.
-
-To perform these tasks, you must have [full access](setup-cases.md) to the appropriate case and connector features in {{kib}}.
-
-:::{image} /explore-analyze/images/kibana-cases-settings.png
-:alt: View case settings
-:screenshot:
-:::
-
-## Case closures [case-closures]
-
-If you close cases in your external incident management system, they will remain open in **Cases** until you close them manually.
-
-To change whether cases are automatically closed after they are sent to an external system, update the case closure options.
-
-## External incident management systems [case-connectors]
-
-You can add connectors to cases to push information to these external incident management systems:
-
-* {{ibm-r}}
-* {{jira}}
-* {{sn-itsm}}
-* {{sn-sir}}
-* {{swimlane}}
-* {{hive}}
-* {{webhook-cm}}
-
-::::{note}
-To create connectors and send cases to external systems, you must have the appropriate {{kib}} feature privileges. Refer to [Configure access to cases](setup-cases.md).
-::::
-
-You can create connectors in **{{stack-manage-app}} > {{connectors-ui}}**, as described in [*Connectors*](../../../deploy-manage/manage-connectors.md). Alternatively, you can create them in **{{stack-manage-app}} > Cases > Settings**:
-
-1. From the **Incident management system** list, select **Add new connector**.
-2. Select an external incident management system.
-3. Enter your required settings. Refer to [{{ibm-r}}](kibana://reference/connectors-kibana/resilient-action-type.md), [Jira](kibana://reference/connectors-kibana/jira-action-type.md), [{{sn-itsm}}](kibana://reference/connectors-kibana/servicenow-action-type.md), [{{sn-sir}}](kibana://reference/connectors-kibana/servicenow-sir-action-type.md), [Swimlane](kibana://reference/connectors-kibana/swimlane-action-type.md), [{{hive}}](kibana://reference/connectors-kibana/thehive-action-type.md), or [{{webhook-cm}}](kibana://reference/connectors-kibana/cases-webhook-action-type.md) for connector configuration details.
-
-You can subsequently choose the connector when you create cases and use it in case templates. To change the default connector for new cases, select the connector from the **Incident management system** list.
-
-To update a connector, click **Update ** and edit the connector fields as required.
-
-## Custom fields [case-custom-fields]
-
-:::{admonition} Added in 8.15.0
-This functionality was added in 8.15.0.
-:::
-
-You can add optional and required fields for customized case collaboration.
-
-To create a custom field:
-
-1. In the **Custom fields** section, click **Add field**.
- :::{image} /explore-analyze/images/kibana-cases-custom-fields-add.png
- :alt: Add a custom field in case settings
- :screenshot:
- :::
-
-2. You must provide a field label and type (text or toggle). You can optionally designate it as a required field and provide a default value.
-
-When you create a custom field, it’s added to all new and existing cases. Existing cases have null values for new text fields until you set them in each case.
-
-You can subsequently remove or edit custom fields on the **Settings** page.
-
-## Templates [case-templates]
-
-You can make the case creation process faster and more consistent by adding templates. A template defines values for one or all of the case fields (such as severity, tags, description, and title) as well as any custom fields.
-
-To create a template:
-
-1. In the **Templates** section, click **Add template**.
- :::{image} /explore-analyze/images/kibana-cases-templates-add.png
- :alt: Add a template in case settings
- :screenshot:
- :::
-
-2. You must provide a template name and case severity. You can optionally add template tags and a description, values for each case field, and a case connector.
-
-When users create cases, they can optionally select a template and use its values or override them.
-
-::::{note}
-If you update or delete templates, existing cases are unaffected.
-::::
diff --git a/explore-analyze/alerts-cases/cases/manage-cases.md b/explore-analyze/alerts-cases/cases/manage-cases.md
deleted file mode 100644
index c8d6999795..0000000000
--- a/explore-analyze/alerts-cases/cases/manage-cases.md
+++ /dev/null
@@ -1,174 +0,0 @@
----
-navigation_title: Open and manage cases
-mapped_pages:
- - https://www.elastic.co/guide/en/kibana/current/manage-cases.html
-applies_to:
- stack: ga
- serverless: ga
-products:
- - id: kibana
----
-
-# Open and manage cases in {{kib}} [manage-cases]
-
-Open a new case to keep track of issues and share their details with colleagues. You can create and manage cases using the cases UI.
-
-:::{note}
-**Requirements**
-
-To access and send cases to external systems, you need the appropriate [subscription or feature tier](https://www.elastic.co/pricing), and your role must have the required {{kib}} feature privileges. Refer to [](../../../explore-analyze/alerts-cases/cases/setup-cases.md) for more information.
-:::
-
-## Open a new case [open-case]
-
-To open a case:
-
-1. Go to **Management > {{stack-manage-app}} > Cases**, then click **Create case**.
- :::{image} /explore-analyze/images/kibana-cases-create.png
- :alt: Create a case in {{stack-manage-app}}
- :screenshot:
- :::
-
-2. If you defined [templates](manage-cases-settings.md#case-templates), you can optionally select one to use its default field values.
-3. Give the case a name, severity, and description.
- ::::{tip}
- In the `Description` area, you can use [Markdown](https://www.markdownguide.org/cheat-sheet) syntax to create formatted text.
- ::::
-
-4. Optionally, add a category, assignees, and tags. You can add users only if they meet the necessary [prerequisites](setup-cases.md).
-5. If you defined any [custom fields](manage-cases-settings.md#case-custom-fields), they appear in the **Additional fields** section.
-6. (Optional) Under **External Connector Fields**, you can select a connector to send cases to an external system. If you’ve created any connectors previously, they will be listed here. If there are no connectors listed, you can create one. For more information, refer to [External incident management systems](manage-cases-settings.md#case-connectors).
-
- ::::{note}
- :applies_to:{stack: ga 9.3}
- When specifying **Additional fields** for an {{ibm-r}} connector, fields that are set when an incident is created or changed (for example, an incident is closed) won't display as an option.
- ::::
-
-
-7. After you’ve completed all of the required fields, click **Create case**.
-
-{applies_to}`stack: preview` {applies_to}`serverless: preview` Alternatively, you can configure your rules to automatically create cases by using [case actions](kibana://reference/connectors-kibana/cases-action-type.md). By default, the rule adds all of the alerts within a specified time window to a single case. You can optionally choose a field to group the alerts and create separate cases for each group. You can also choose whether you want the rule to reopen cases or open new ones when the time window elapses.
-
-## Add email notifications [add-case-notifications]
-
-You can configure email notifications that occur when users are assigned to cases.
-
-For {{kib}} on {{ecloud}}:
-
-1. Add the email domains to the [notifications domain allowlist](../alerts.md).
-
- You do not need to take any more steps to configure an email connector or update {{kib}} user settings, since the preconfigured Elastic-Cloud-SMTP connector is used by default.
-
-For self-managed {{kib}}:
-
-1. Create a preconfigured email connector.
- ::::{note}
- At this time, email notifications support only preconfigured connectors, which are defined in the [`kibana.yml`](/deploy-manage/stack-settings.md) file. For examples, refer to [Email connectors](kibana://reference/connectors-kibana/pre-configured-connectors.md#preconfigured-email-configuration) and [Configure email accounts for well-known services](kibana://reference/connectors-kibana/email-action-type.md#configuring-email).
- ::::
-
-2. Set the `notifications.connectors.default.email` {{kib}} setting in kibana.yml to the name of your email connector.
-
- ```js
- notifications.connectors.default.email: ‘mail-dev’
-
- xpack.actions.preconfigured:
- mail-dev:
- name: preconfigured-email-notification-maildev
- actionTypeId: .email
- config:
- service: other
- from: from address
- host: host name
- port: port number
- secure: true/false
- hasAuth: true/false
- ```
-
-3. If you want the email notifications to contain links back to the case, you must configure the [server.publicBaseUrl](kibana://reference/configuration-reference/general-settings.md#server-publicbaseurl) setting.
-
-When you subsequently add assignees to cases, they receive an email.
-
-## Add visualizations [add-case-visualization]
-
-You can also optionally add visualizations. For example, you can portray event and alert data through charts and graphs.
-
-:::{image} /explore-analyze/images/kibana-cases-visualization.png
-:alt: Adding a visualization as a comment within a case
-:screenshot:
-:::
-
-To add a visualization to a comment within your case:
-
-1. Click the **Visualization** button. The **Add visualization** dialog appears.
-2. Select an existing visualization from your Visualize Library or create a new visualization.
- ::::{important}
- Set an absolute time range for your visualization. This ensures your visualization doesn’t change over time after you save it to your case and provides important context for viewers.
- ::::
-
-3. After you’ve finished creating your visualization, click **Save and return** to go back to your case.
-4. Click **Preview** to see how the visualization will appear in the case comment.
-5. Click **Add Comment** to add the visualization to your case.
-
-Alternatively, while viewing a [dashboard](../../dashboards.md) you can open a panel’s menu then click **More > Add to existing case** or **More > Add to new case**.
-
-After a visualization has been added to a case, you can modify or interact with it by clicking the **Open Visualization** option in the case’s comment menu.
-
-## Manage cases [manage-case]
-
-In **Management > {{stack-manage-app}} > Cases**, you can search cases and filter them by attributes such as assignees, categories, severity, status, and tags. You can also select multiple cases and use bulk actions to delete cases or change their attributes.
-
-{applies_to}`stack: ga 9.3.0` To find cases that were created during a specific time range, use the date time picker above the Cases table. The default time selection is the last 30 days. Clicking **Show all cases** displays every {{stack-manage-app}} case in your space. The action also adjusts the starting time range to the date of when the first case was created.
-
-To view a case, click on its name. You can then:
-
-* Add and edit the case's description, comments, assignees, tags, status, severity, and category.
-
- {applies_to}`stack: ga 9.2+` Copy and paste images into case comments using `Ctrl/Cmd` + `C` and `Ctrl/Cmd` + `V` shortcuts. Pasted images are preformatted in Markdown.
-
-* Add a connector (if you did not select one while creating the case).
-* Send updates to external systems (if external connections are configured).
-* Refresh the case to retrieve the latest updates.
-
-## Add context and supporting materials [add-case-context]
-
-Provide additional context and resources by adding the following to the case:
-* [Alerts](#add-case-alerts)
-* [Files](#add-case-files)
-* [Observables](#add-case-observables)
-
-::::{tip}
-:applies_to: {stack: ga 9.3}
-From the **Attachments** tab, you can search for specific observable values, alert IDs, and file names.
-::::
-
-### Add alerts [add-case-alerts]
-
-:::{include} /solutions/_snippets/add-case-alerts.md
-:::
-
-::::{note}
-Refer to [](../../../solutions/observability/incident-management/view-alerts.md#observability-view-alerts-add-alerts-to-cases) to learn how to add alerts to cases.
-::::
-
-### Add files [add-case-files]
-
-:::{include} ../../../solutions/_snippets/add-case-files.md
-:::
-
-::::{important}
-When you export cases as [saved objects](/explore-analyze/find-and-organize/saved-objects.md), the attached case files are not exported.
-::::
-
-::::{note}
-Uploaded files are also accessible from the **Files** management page, which you can find using the navigation menu or entering `Files` into the [global search field](../../../explore-analyze/find-and-organize/find-apps-and-objects.md).
-::::
-
-### Add observables [add-case-observables]
-
-:::{include} ../../../solutions/_snippets/add-case-observables.md
-:::
-
-## Search cases [search-stack-management-cases]
-
-:::{include} /solutions/_snippets/search-cases.md
-:::
\ No newline at end of file
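Review bot: The "Add email notifications" section removed here documents `notifications.connectors.default.email`, the preconfigured-connector requirement for self-managed Kibana and the `server.publicBaseUrl` step. Neither of the replacement pages visible in this patch (cases.md, attach-objects-to-cases.md) contains it, so confirm it lands in create-cases.md or configure-case-settings.md. If the sample is moved rather than dropped, fix it on the way: the fence is tagged `js` although the content is kibana.yml, and `‘mail-dev’` uses typographic quotes, which YAML treats as part of the value rather than as string delimiters.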
diff --git a/explore-analyze/alerts-cases/cases/setup-cases.md b/explore-analyze/alerts-cases/cases/setup-cases.md
deleted file mode 100644
index dead430097..0000000000
--- a/explore-analyze/alerts-cases/cases/setup-cases.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-navigation_title: Configure access to cases
-mapped_pages:
- - https://www.elastic.co/guide/en/kibana/current/setup-cases.html
-applies_to:
- stack: ga
- serverless: ga
-products:
- - id: kibana
----
-
-# Configure access to cases in {{kib}} [setup-cases]
-
-To access cases in **{{stack-manage-app}}**, you must have the appropriate {{kib}} privileges:
-
-## Give full access to manage cases and settings [_give_full_access_to_manage_cases_and_settings]
-
-**{{kib}} privileges**
-
-* `All` for the **Cases** feature under **Management**.
-* `All` for the **{{connectors-feature}}** feature under **Management**.
-
-::::{note}
-The **{{connectors-feature}}** feature privilege is required to create, add, delete, and modify case connectors and to send updates to external systems.
-
-By default, `All` for the **Cases** feature allows you to have full control over cases, including deleting them, editing case settings, and more. You can customize the sub-feature privileges to limit feature access.
-
-::::
-
-## Give assignee access to cases [_give_assignee_access_to_cases]
-
-**{{kib}} privileges**
-
-* `All` for the **Cases** feature under **Management**.
-
-::::{note}
-Before a user can be assigned to a case, they must log into {{kib}} at least once, which creates a user profile.
-
-This privilege is also required to add [case actions](kibana://reference/connectors-kibana/cases-action-type.md) to rules.
-
-::::
-
-## Give view-only access to cases [_give_view_only_access_to_cases]
-
-**{{kib}} privileges**
-
-* `Read` for the **Cases** feature under **Management**.
-
-::::{note}
-You can customize sub-feature privileges for deleting cases and comments, editing case settings, adding case comments and attachments, and re-opening cases.
-::::
-
-## Revoke all access to cases [_revoke_all_access_to_cases]
-
-**{{kib}} privileges**
-
-`None` for the **Cases** feature under **Management**.
-
-## More details [_more_details_2]
-
-For more details, refer to [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md).
-
-::::{note}
-If you are using an on-premises {{kib}} deployment and you want the email notifications and the external incident management systems to contain links back to {{kib}}, you must configure the [`server.publicBaseUrl`](kibana://reference/configuration-reference/general-settings.md#server-publicbaseurl) setting.
-::::
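Review bot: The "Get started" paragraph of the new explore-analyze/cases.md does not link to any access or privileges page, whereas the deleted overview listed "Configure access to cases" first. The page deleted here is the reference for who can do what with cases: `All` on Cases plus the connectors feature for full management, `Read` for view-only, `None` to revoke. Add a link from the new overview to wherever this content now lives, and keep the note that a user must log in once before they can be assigned to a case.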
diff --git a/explore-analyze/cases.md b/explore-analyze/cases.md
new file mode 100644
index 0000000000..c6dcdd89a1
--- /dev/null
+++ b/explore-analyze/cases.md
@@ -0,0 +1,32 @@
+---
+navigation_title: Cases
+mapped_pages:
+ - https://www.elastic.co/guide/en/kibana/current/cases.html
+ - https://www.elastic.co/guide/en/security/current/cases-overview.html
+ - https://www.elastic.co/guide/en/observability/current/create-cases.html
+ - https://www.elastic.co/guide/en/serverless/current/security-cases-overview.html
+ - https://www.elastic.co/guide/en/serverless/current/observability-cases.html
+applies_to:
+ stack: ga
+ serverless: ga
+products:
+ - id: kibana
+ - id: security
+ - id: observability
+ - id: cloud-serverless
+description: Track incidents, document findings, and coordinate response efforts with cases in Elastic Security, Observability, or Stack Management.
+---
+
+# Cases [cases]
+
+Cases provide a central place to track incidents, document findings, and coordinate response efforts. Whether you're a security analyst triaging threats, a site reliability engineer responding to outages, or a platform engineer monitoring your Elastic Stack, cases bring together alerts, evidence, and team communication in one place.
+
+You can create cases in {{elastic-sec}}, {{observability}}, or {{stack-manage-app}} depending on your workflow. Attach alerts and files, add comments and context, assign team members, and push updates to external systems like Jira or ServiceNow.
+
+## Get started [cases-get-started]
+
+Start by [creating your first case](cases/create-cases.md), then [configure case settings](cases/configure-case-settings.md) to add external connectors, custom fields, and templates. Once you have cases, you can [attach alerts, files, and visualizations](cases/attach-objects-to-cases.md) to document your investigation, [manage case details](cases/manage-cases.md), and [share cases](cases/search-share-cases.md) with external systems.
+
+:::{note}
+If you're using {{elastic-sec}}, explore [Security case features](/solutions/security/investigate/security-cases.md#security-cases-features) for additional capabilities like adding events and Timelines to cases.
+:::
\ No newline at end of file
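Review bot: The opening paragraphs say cases can be created in Security, Observability or Stack Management, but the note and "Limitations" section from the deleted explore-analyze/alerts-cases/cases.md are not carried over. They stated that cases created in one of these apps are not visible in the others, and that alerts from Observability or Security cannot be attached to Stack Management cases. If that still applies, restate it here or link to the page that does, because "bring together alerts, evidence, and team communication in one place" reads as if cases were shared across the three. The file also ends without a trailing newline.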
diff --git a/explore-analyze/cases/attach-objects-to-cases.md b/explore-analyze/cases/attach-objects-to-cases.md
new file mode 100644
index 0000000000..13daa8458e
--- /dev/null
+++ b/explore-analyze/cases/attach-objects-to-cases.md
@@ -0,0 +1,104 @@
+---
+navigation_title: Attach objects
+mapped_pages:
+ - https://www.elastic.co/guide/en/kibana/current/manage-cases.html
+ - https://www.elastic.co/guide/en/security/current/cases-open-manage.html
+ - https://www.elastic.co/guide/en/observability/current/manage-cases.html
+ - https://www.elastic.co/guide/en/serverless/current/security-cases-open-manage.html
+ - https://www.elastic.co/guide/en/serverless/current/observability-create-a-new-case.html
+applies_to:
+ stack: ga
+ serverless: ga
+products:
+ - id: kibana
+ - id: security
+ - id: observability
+ - id: cloud-serverless
+description: Attach alerts, files, observables, and Lens visualizations to cases to provide context and supporting materials.
+---
+
+# Attach objects to cases [attach-objects-to-cases]
+
+After [creating a case](create-cases.md), you can attach supporting materials to build a complete picture of an incident. Add [alerts](#add-case-alerts) to escalate and track detections, [files](#add-case-files) like screenshots or logs as evidence, [observables](#add-case-observables) such as IP addresses or file hashes to identify patterns, and [Lens visualizations](#cases-lens-visualization) to illustrate trends with charts and graphs.
+
+In {{elastic-sec}}, you can also attach [events](/solutions/security/investigate/security-cases.md#cases-add-events) and [threat intelligence indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case) to connect cases to known threats.
+
+## Supported object types [supported-object-types]
+
+| Object | Description | Stack solutions | Serverless projects |
+| --- | --- | --- | --- |
+| [Alerts](#add-case-alerts) | Attach alerts to escalate and track detections. | Security, Observability | Security, Observability |
+| [Files](#add-case-files) | Upload screenshots, logs, or other supporting files. | Security, Observability, Stack Management | Security, Observability |
+| [Observables](#add-case-observables) | Add IP addresses, file hashes, domains, or URLs to identify patterns. | Security, Stack Management | Security |
+| [Lens visualizations](#cases-lens-visualization) | Embed charts and graphs to illustrate event and alert data. | Security, Observability, Stack Management | Security, Observability |
+| [Events](/solutions/security/investigate/security-cases.md#cases-add-events) | Attach host, network, or user events from Timeline. | Security | Security |
+| [Indicators](/solutions/security/investigate/indicators-of-compromise.md#attach-indicator-to-case) | Link threat intelligence indicators to document evidence of compromise. | Security | Security |
+| [Timelines](/solutions/security/investigate/security-cases.md#cases-timeline) | Preserve investigation context by linking Timeline queries and filters. | Security | Security |
+
+## Add alerts [add-case-alerts]
+
+Escalate alerts and track them in a single place by attaching them to cases.
+
+To add alerts, select **More actions (…)** on a single alert or use the **Bulk actions** menu for multiple alerts, then choose **Add to a new case** or **Add to existing case**. You can add up to 1,000 alerts to a case.
+
+After adding alerts, you can review them from the **Alerts** tab in the case. Alerts are organized from oldest to newest, and you can select **View details** to inspect individual alerts. To find the **Alerts** tab:
+
+- {applies_to}`stack: ga 9.3+`: Go to the case's details page, then select the **Attachments** tab.
+- {applies_to}`stack: ga 9.0-9.2`: Go to the case's details page.
+
+## Add files [add-case-files]
+
+After you create a case, you can upload and manage files on the **Files** tab. To find the tab:
+
+- {applies_to}`stack: ga 9.3+`: Go to the case's details page, then select the **Attachments** tab.
+- {applies_to}`stack: ga 9.0-9.2`: Go to the case's details page.
+
+To download or delete the file or copy the file hash to your clipboard, open the action menu {icon}`boxes_horizontal`. The available hash functions are MD5, SHA-1, and SHA-256.
+
+When you upload a file, a comment is added to the case activity log. To view an image, select its name in the activity or file list. Uploaded files are also accessible from the **Files** management page.
+
+## Add observables [add-case-observables]
+
+Observables are discrete pieces of data relevant to an investigation, such as IP addresses, file hashes, domain names, or URLs. By attaching observables to cases, you can spot patterns across incidents or events. For example, if the same malicious IP appears in multiple cases, you may be dealing with a coordinated attack or shared threat infrastructure. This correlation helps you assess the true scope of an incident and prioritize your response.
+
+From the **Observables** tab, you can view and manage case observables:
+
+- {applies_to}`stack: ga 9.3+`: Go to the case's details page, then select the **Attachments** tab.
+- {applies_to}`stack: ga 9.0-9.2`: Go to the case's details page.
+
+You can manually add observables to cases or with the appropriate subscription, auto-extract them from alerts. Each case supports up to 50 observables.
+
+:::{note}
+Auto-extracting observables is only available in {{sec-serverless}} and {{elastic-sec}} 9.2+.
+:::
+
+To manually add an observable:
+
+1. Select **Add observable** from the **Observables** tab.
+2. Provide the necessary details:
+
+ * **Type**: Select a type for the observable. You can choose a preset type or a [custom one](/explore-analyze/cases/configure-case-settings.md#cases-observable-types).
+ * **Value**: Enter a value for the observable. The value must align with the type you select.
+ * **Description** (Optional): Provide additional information about the observable.
+
+3. Select **Add observable**.
+
+After adding an observable to a case, you can remove or edit it using the action menu {icon}`boxes_horizontal`. To find related investigations, check the **Similar cases** tab for other cases that share the same observables.
+
+## Add Lens visualizations [cases-lens-visualization]
+
+::::{warning}
+This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
+::::
+
+Add Lens visualizations to case descriptions or comments to portray event and alert data through charts and graphs. You can add them from dashboard panels or create visualizations directly in a case. To add a visualization from a dashboard, open a panel's menu, select the action menu {icon}`boxes_horizontal`, then **Add to existing case** or **Add to new case**.
+
+To create a visualization in a case:
+
+1. Click **Visualization** to open the visualization dialog.
+2. Select an existing visualization from your Visualize Library or create a new one. Use an absolute time range so the visualization remains consistent over time.
+3. (Optional) Click **Save to library** to save the visualization for reuse. Enter a title and description, then save.
+4. Click **Save and return** to go back to your case.
+5. Click **Preview** to see how the visualization will appear, then click **Add Comment** to attach it.
+
+To modify a visualization after adding it, click **Open Visualization** in the case comment menu.
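Review bot: In "Add observables", the lead-in "From the **Observables** tab, you can view and manage case observables:" is followed by two bullets that only say how to reach the case details page (plus the **Attachments** tab for 9.3+), so neither version tells the reader where the **Observables** tab actually is. Reword the lead-in as navigation steps and end each bullet with the tab selection. In the next paragraph, "manually add observables to cases or with the appropriate subscription, auto-extract them" needs a comma after "or" so the subscription clause attaches only to auto-extraction. In the beta warning, "The design and code is" should be "are".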
diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/cases/cases-as-data.md
similarity index 89%
rename from explore-analyze/alerts-cases/cases/cases-as-data.md
rename to explore-analyze/cases/cases-as-data.md
index 207cc033f1..129c9d846b 100644
--- a/explore-analyze/alerts-cases/cases/cases-as-data.md
+++ b/explore-analyze/cases/cases-as-data.md
@@ -1,4 +1,5 @@
---
+navigation_title: Cases as data
applies_to:
stack: preview 9.2
serverless: unavailable
@@ -8,6 +9,7 @@ products:
- id: cloud-enterprise
- id: cloud-kubernetes
- id: elastic-stack
+description: Query case data from dedicated indices to build dashboards and track operational metrics like MTTR and analyst workload.
---
# Use cases as data [use-cases-as-data]
@@ -39,19 +41,19 @@ You also do not need to manually manage the lifecycle policies of the analytics
## Grant access to case analytics indices [case-analytics-indices-privs]
-Ensure your role has at least `read` and `view_index_metadata` access to the appropriate [case analytics indices](../../../explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names).
+Ensure your role has at least `read` and `view_index_metadata` access to the appropriate [case analytics indices](#case-analytics-indices-names).
## Explore case data with Discover and Lens [explore-case-data]
-Use [Discover](../../discover.md) and [Lens](../../visualize/lens.md) to search and filter your case data and display your findings in visualizations.
+Use [Discover](../discover.md) and [Lens](../visualize/lens.md) to search and filter your case data and display your findings in visualizations.
-To get started, create a [{{data-source}}](../../find-and-organize/data-views.md) that points to one or more [case analytics indices or their aliases](../../../explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names). To point to all case analytics indices in your space, use the `.internal.cases*` index pattern.
+To get started, create a [{{data-source}}](../find-and-organize/data-views.md) that points to one or more [case analytics indices or their aliases](#case-analytics-indices-names). To point to all case analytics indices in your space, use the `.internal.cases*` index pattern.
::::{note}
Case data is stored in hidden indices. You can display hidden indices by selecting **Show advanced settings**, then turning on **Allow hidden and system indices**.
::::
-You can also interact with your case data using [{{esql}} in Discover](../../../explore-analyze/discover/try-esql.md). Here are some sample queries to get you started:
+You can also interact with your case data using [{{esql}} in Discover](../discover/try-esql.md). Here are some sample queries to get you started:
* Find the total number of open {{observability}} cases in the default space:
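Review bot: The rewritten links in this hunk stay relative (`../discover.md`, `../visualize/lens.md`, `../discover/try-esql.md`), while the new files this patch adds under `explore-analyze/cases/` use root-relative paths such as `/explore-analyze/find-and-organize/find-apps-and-objects.md`. This file was just moved and every relative link had to be recalculated, so switching these to the root-relative form would keep them from breaking on the next move. Replacing the long self-referencing paths with `#case-analytics-indices-names` is a good simplification.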
diff --git a/explore-analyze/cases/configure-case-settings.md b/explore-analyze/cases/configure-case-settings.md
new file mode 100644
index 0000000000..1568696f4a
--- /dev/null
+++ b/explore-analyze/cases/configure-case-settings.md
@@ -0,0 +1,124 @@
+---
+navigation_title: Configure settings
+mapped_pages:
+ - https://www.elastic.co/guide/en/kibana/current/manage-cases-settings.html
+ - https://www.elastic.co/guide/en/security/current/cases-manage-settings.html
+ - https://www.elastic.co/guide/en/observability/current/manage-cases-settings.html
+ - https://www.elastic.co/guide/en/serverless/current/security-cases-settings.html
+ - https://www.elastic.co/guide/en/serverless/current/observability-case-settings.html
+applies_to:
+ stack: ga
+ serverless: ga
+products:
+ - id: kibana
+ - id: security
+ - id: observability
+ - id: cloud-serverless
+description: Configure case closure options, custom fields, templates, and connectors for external incident management systems.
+---
+
+# Configure case settings [configure-case-settings]
+
+Customize how your team works with cases by setting up templates for faster case creation, adding custom fields to capture data specific to your workflow, and connecting to external systems like Jira or ServiceNow to keep incidents in sync.
+
+To perform these tasks, you must have [full access](control-case-access.md) to the appropriate case and connector features.
+
+::::{applies-switch}
+
+:::{applies-item} stack: ga
+To access case settings:
+* **{{stack-manage-app}}**: Go to **{{stack-manage-app}}** > **Cases**, then click **Settings**.
+* **{{elastic-sec}}**: Find **Cases** in the navigation menu or search for `Security/Cases` using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then click **Settings**.
+* **{{observability}}**: Find **Cases** in the navigation menu or search for `Observability/Cases` using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then click **Settings**.
+:::
+
+:::{applies-item} serverless: ga
+To access case settings:
+* **{{elastic-sec}}**: Find **Cases** in the navigation menu or search for `Cases` using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then click **Settings**.
+* **{{observability}}**: Find **Cases** in the navigation menu or search for `Cases` using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then click **Settings**.
+
+:::
+
+::::
+
+
+## Close cases automatically [case-closures]
+
+If you close cases in your external incident management system, the cases will remain open in {{kib}} until you close them manually.
+
+To close cases when they are sent to an external system, select the option to automatically close cases when pushing a new incident to an external system.
+
+## Configure external connectors [case-connectors]
+
+Connectors let you send cases to external incident management systems. To create and manage connectors, you need the appropriate {{kib}} feature privileges and subscription or project feature tier. Refer to [Control access to cases](control-case-access.md).
+
+### Create a connector [create-connector]
+
+You can create connectors in **{{stack-manage-app}} > {{connectors-ui}}** (see [Connectors](/deploy-manage/manage-connectors.md)) or from the case **Settings** page:
+
+1. From the **Incident management system** list, select **Add new connector**.
+2. Select the system to send cases to:
+
+ * [{{ibm-r}} connector](kibana://reference/connectors-kibana/resilient-action-type.md)
+ * [{{jira}} connector](kibana://reference/connectors-kibana/jira-action-type.md)
+ * [{{sn-itsm}} connector](kibana://reference/connectors-kibana/servicenow-action-type.md)
+ * [{{sn-sir}} connector](kibana://reference/connectors-kibana/servicenow-sir-action-type.md)
+ * [{{swimlane}} connector](kibana://reference/connectors-kibana/swimlane-action-type.md)
+ * [{{hive}} connector](kibana://reference/connectors-kibana/thehive-action-type.md)
+ * [{{webhook-cm}} connector](kibana://reference/connectors-kibana/cases-webhook-action-type.md)
+
+3. Enter your required settings, then click **Save**.
+
+### Edit a connector [edit-connector]
+
+1. Select the required connector from the incident management system list.
+2. Click **Update **.
+3. Modify the connector fields as needed, then click **Save & close**.
+
+### Set the default connector [default-connector]
+
+Select a connector from the **Incident management system** list to set it as the default for new cases. You can also choose a connector when creating individual cases or in case templates.
+
+### About field mappings [mapped-case-fields]
+
+When you push a case to an external system, case fields are automatically mapped to corresponding fields in that system. For example, the case title maps to the short description in {{sn}} and the summary in {{jira}}. Case tags map to labels in {{jira}}, and comments map to work notes in {{sn}}.
+
+With a {{webhook-cm}} connector, you can map case fields to custom or existing fields.
+
+When you push updates, mapped fields are either overwritten or appended, depending on the field and connector. Retrieving data from external systems is not supported.
+
+## Add custom fields [case-custom-fields]
+
+You can add optional and required fields for customized case collaboration.
+
+To create a custom field:
+
+1. In the **Custom fields** section, click **Add field**.
+2. You must provide a field label and type (text or toggle). You can optionally designate it as a required field and provide a default value.
+
+When you create a custom field, it's added to all new and existing cases. In existing cases, new custom text fields initially have null values.
+
+You can subsequently remove or edit custom fields on the **Settings** page.
+
+## Create templates [case-templates]
+
+Templates let you pre-fill case fields like severity, tags, title, description, and custom fields—speeding up case creation and ensuring consistency across your team. When creating a case, you can select a template and use its values or override them. Updating or deleting templates does not affect existing cases.
+
+To create a template:
+
+1. In the **Templates** section, click **Add template**.
+2. Provide a template name and case severity.
+3. (Optional) Add template tags and a description, values for each case field, and a case connector.
+
+## Add observable types [cases-observable-types]
+
+::::{admonition} Requirements
+Ensure you have the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project feature tier](/deploy-manage/deploy/elastic-cloud/project-settings.md).
+::::
+
+In addition to the preset observable types (such as IP addresses and file hashes), you can create up to 10 custom types to match your investigation needs. Custom observable types appear as options when you [add observables to cases](attach-objects-to-cases.md#add-case-observables).
+
+1. In the **Observable types** section, click **Add observable type**.
+2. Enter a descriptive label for the observable type, then click **Save**.
+
+You can edit or remove custom observable types from the **Settings** page. Be aware that deleting a custom observable type also deletes all instances of it from your cases.
\ No newline at end of file
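Review bot: In "Edit a connector", step 2 reads `Click **Update **.` with a trailing space inside the bold markers, so it will not render as bold, and it looks as if a connector-name placeholder was dropped after "Update". Restore the placeholder or change it to `**Update**`. The last sentence of "Add observable types" says that deleting a custom type also deletes every instance of it from cases; because that is destructive, it would be better in a `warning` admonition than in running text. The file also ends without a trailing newline.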
diff --git a/explore-analyze/cases/control-case-access.md b/explore-analyze/cases/control-case-access.md
new file mode 100644
index 0000000000..baf352f7c3
--- /dev/null
+++ b/explore-analyze/cases/control-case-access.md
@@ -0,0 +1,143 @@
+---
+navigation_title: Control access
+mapped_pages:
+ - https://www.elastic.co/guide/en/kibana/current/setup-cases.html
+ - https://www.elastic.co/guide/en/security/current/case-permissions.html
+ - https://www.elastic.co/guide/en/observability/current/grant-cases-access.html
+ - https://www.elastic.co/guide/en/serverless/current/security-cases-requirements.html
+applies_to:
+ stack: ga
+ serverless: ga
+products:
+ - id: kibana
+ - id: security
+ - id: observability
+ - id: cloud-serverless
+description: Create custom roles and configure Kibana feature privileges to control access to cases.
+---
+
+# Control access to cases [setup-cases]
+
+To manage cases, users need the appropriate {{kib}} feature privileges. You can grant different levels of access depending on what users need to do, from full control over cases to view-only access.
+
+## Create custom roles for cases [create-custom-roles]
+
+To grant users the appropriate case privileges, create a custom role with the required {{kib}} feature privileges.
+
+::::{applies-switch}
+
+:::{applies-item} stack: ga
+1. Go to the **Roles** management page in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
+2. Click **Create role**.
+3. Enter a role name and (optional) description.
+4. Under **{{kib}} privileges**, click **Add {{kib}} privilege**.
+5. Select the appropriate spaces or **All Spaces** and expand the feature privileges for **Cases** under your solution (**Management**, **Security**, or **{{observability}}**).
+6. Set the privilege level (`All`, `Read`, or `None`) and customize sub-feature privileges as needed.
+7. Click **Create role**.
+:::
+
+:::{applies-item} serverless: ga
+1. Go to the **Custom Roles** management page in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
+2. Click **Create role**.
+3. Enter a role name and (optional) description.
+4. Select the appropriate spaces or **All Spaces** and expand the feature privileges for **Cases** under your solution (**Security** or **{{observability}}**).
+5. Set the privilege level (`All`, `Read`, or `None`) and customize sub-feature privileges as needed.
+6. Click **Create role**.
+:::
+
+::::
+
+## Give full access to manage cases and settings [give-full-access]
+
+::::{applies-switch}
+
+:::{applies-item} stack: ga
+
+* `All` for the **Cases** feature under the appropriate solution (**Management**, **Security**, or **{{observability}}**). This grants full control over cases, including creating, deleting, and editing case settings. You can customize sub-feature privileges to limit access.
+* `All` for the **{{connectors-feature}}** feature under **Management**. This is required to create, add, delete, and modify connectors that push cases to external systems.
+
+:::
+
+:::{applies-item} serverless: ga
+
+* `All` for the **Cases** feature under the appropriate solution (**Security** or **{{observability}}**).
+* `All` for the **{{connectors-feature}}** feature under **Management**. This is required to create, add, delete, and modify case connectors and send updates to external systems.
+:::
+
+::::
+
+## Give assignee access to cases [give-assignee-access]
+
+::::{applies-switch}
+
+:::{applies-item} stack: ga
+
+`All` for the **Cases** feature under the appropriate solution (**Management**, **Security**, or **{{observability}}**).
+
+Users must log in to their deployment at least once before they can be assigned to cases. Logging in creates the required user profile.
+
+:::
+
+:::{applies-item} serverless: ga
+
+`All` for the **Cases** feature under the appropriate solution (**Security** or **{{observability}}**).
+
+Users must log in to their deployment at least once before they can be assigned to cases. Logging in creates the required user profile.
+:::
+
+::::
+
+## Give view-only access to cases [give-view-access]
+
+
+::::{applies-switch}
+
+:::{applies-item} stack: ga
+
+`Read` for the **Cases** feature under the appropriate solution (**Management**, **Security**, or **{{observability}}**).
+
+:::
+
+:::{applies-item} serverless: ga
+`Read` for the **Cases** feature under the appropriate solution (**Security** or **{{observability}}**).
+:::
+
+::::
+
+## Give access to add alerts to cases [give-alerts-access]
+
+::::{applies-switch}
+
+:::{applies-item} stack: ga
+
+* `All` for the **Cases** feature under the appropriate solution (**Security** or **{{observability}}**).
+* `Read` for a solution that has alerts (for example, **{{observability}}** or **Security**).
+
+:::
+
+:::{applies-item} serverless: ga
+
+* `All` for the **Cases** feature under the appropriate solution (**Security** or **{{observability}}**).
+* `Read` for a solution that has alerts (for example, **{{observability}}** or **Security**).
+
+:::
+
+::::
+
+
+## Revoke all access to cases [revoke-access]
+
+::::{applies-switch}
+
+:::{applies-item} stack: ga
+
+`None` for the **Cases** feature under the appropriate solution (**Management**, **Security**, or **{{observability}}**).
+
+:::
+
+:::{applies-item} serverless: ga
+`None` for the **Cases** feature under the appropriate solution (**Security** or **{{observability}}**).
+
+:::
+
+::::
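Review bot: In "Give access to add alerts to cases", the `stack: ga` item lists only **Security** or **{{observability}}** for the **Cases** feature, whereas every other `stack: ga` item in this file also lists **Management**. If cases under **Management** cannot take alerts, say so explicitly; otherwise add it. Separately, "Give assignee access" asks for `All`, the same level that "Give full access" describes as including deleting cases and editing case settings, so it would help to state which sub-feature privileges can be turned off for users who only need to be assignable. The login sentence is repeated verbatim in both items of that switch and could appear once below it.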
diff --git a/explore-analyze/cases/create-cases.md b/explore-analyze/cases/create-cases.md
new file mode 100644
index 0000000000..b9d4d644a1
--- /dev/null
+++ b/explore-analyze/cases/create-cases.md
@@ -0,0 +1,120 @@
+---
+navigation_title: Create cases
+mapped_pages:
+ - https://www.elastic.co/guide/en/kibana/current/manage-cases.html
+ - https://www.elastic.co/guide/en/security/current/cases-open-manage.html
+ - https://www.elastic.co/guide/en/observability/current/manage-cases.html
+ - https://www.elastic.co/guide/en/serverless/current/security-cases-open-manage.html
+ - https://www.elastic.co/guide/en/serverless/current/observability-create-a-new-case.html
+applies_to:
+ stack: ga
+ serverless: ga
+products:
+ - id: kibana
+ - id: security
+ - id: observability
+ - id: cloud-serverless
+description: Create cases to track incidents, attach alerts and files, assign team members, and push updates to external systems.
+---
+
+# Create cases [create-cases]
+
+To create a new case:
+
+1. Go to the **Cases** page, then select **Create case**.
+
+ ::::{applies-switch}
+
+ :::{applies-item} stack: ga
+ To access the **Cases** page:
+ * **{{stack-manage-app}}**: Go to **{{stack-manage-app}}** > **Cases**.
+ * **{{elastic-sec}}**: Find **Cases** in the navigation menu or search for `Security/Cases` using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
+ * **{{observability}}**: Find **Cases** in the navigation menu or search for `Observability/Cases` using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
+ :::
+
+ :::{applies-item} serverless: ga
+ To access the **Cases** page:
+ * **{{elastic-sec}}**: Find **Cases** in the navigation menu or search for `Cases` using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
+ * **{{observability}}**: Find **Cases** in the navigation menu or search for `Cases` using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
+
+ :::
+
+ ::::
+
+2. (Optional) Select a [template](configure-case-settings.md#case-templates) to pre-fill field values.
+
+3. Enter a name, severity, and description. If you do not assign your case a severity level, it will be assigned **Low** by default. The description supports [Markdown](https://www.markdownguide.org/cheat-sheet).
+
+4. (Optional) Add a category, [assignees](control-case-access.md), and tags.
+
+5. (Optional) Fill in any [custom fields](configure-case-settings.md#case-custom-fields) in the **Additional fields** section.
+
+6. Configure sync and extraction options:
+ * **Sync alert status** syncs alert statuses with the case status (on by default).
+ * **Auto-extract observables** extracts observables from attached alerts (on by default, requires appropriate subscription).
+
+ :::{note}
+ Auto-extracting observables is only available in {{sec-serverless}} and {{elastic-sec}} 9.2+.
+ :::
+
+7. (Optional) Select a [connector](configure-case-settings.md#case-connectors) to send the case to an external system.
+
+8. Select **Create case**. If you've selected a connector for the case, the case is automatically pushed to the third-party system it's connected to.
+
+After creating a case, you can [attach objects](attach-objects-to-cases.md) like alerts, files, observables, and visualizations to provide context and supporting evidence. You can also [set up email notifications](#add-case-notifications) so users are alerted when they're assigned to a case.
+
+## Set up email notifications [add-case-notifications]
+
+Set up email notifications to alert users when they're assigned to a case, so they can respond promptly.
+
+:::::{tab-set}
+
+:::{tab-item} {{ecloud}}
+
+Add the email domains to the [notifications domain allowlist](/explore-analyze/alerting/alerts.md).
+
+You do not need to configure an email connector or update {{kib}} user settings—the preconfigured Elastic-Cloud-SMTP connector is used by default.
+
+:::
+
+:::{tab-item} Self-managed
+
+1. Create a preconfigured email connector.
+
+ ::::{note}
+ Email notifications support only [preconfigured email connectors](kibana://reference/connectors-kibana/pre-configured-connectors.md), which are defined in the [`kibana.yml`](/deploy-manage/stack-settings.md) file. For examples, refer to [Email connectors](kibana://reference/connectors-kibana/pre-configured-connectors.md#preconfigured-email-configuration) and [Configure email accounts for well-known services](kibana://reference/connectors-kibana/email-action-type.md#configuring-email).
+ ::::
+
+2. Set the `notifications.connectors.default.email` {{kib}} setting to the name of your email connector.
+
+ ```yaml
+ notifications.connectors.default.email: 'mail-dev'
+
+ xpack.actions.preconfigured:
+ mail-dev:
+ name: preconfigured-email-notification-maildev
+ actionTypeId: .email
+ config:
+ service: other
+ from: from address
+ host: host name
+ port: port number
+ secure: true/false
+ hasAuth: true/false
+ ```
+
+3. If you want the email notifications to contain links back to the case, configure the [server.publicBaseUrl](kibana://reference/configuration-reference/general-settings.md#server-publicbaseurl) setting.
+
+:::
+
+:::::
+
+## Case visibility across solutions [cases-limitations]
+
+A case created in one solution is only visible within that solution:
+
+* **{{stack-manage-app}}** cases are not visible in {{observability}} or {{elastic-sec}}
+* **{{observability}}** cases are not visible in {{stack-manage-app}} or {{elastic-sec}}
+* **{{elastic-sec}}** cases are not visible in {{stack-manage-app}} or {{observability}}
+
+Alerts also can't cross solution boundaries. You can only attach alerts from the same solution to cases. For example, you can't attach {{observability}} alerts to an {{elastic-sec}} case.
\ No newline at end of file
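Review bot: Step 2 of the self-managed tab says to set `notifications.connectors.default.email` to the name of the email connector, but the example sets it to `'mail-dev'`, which is the key under `xpack.actions.preconfigured`, not the `name` value (`preconfigured-email-notification-maildev`). Say "ID" in the step or align the example with the wording. The values `from address`, `host name`, `port number` and `true/false` are not usable as written; mark them as placeholders, for example with angle brackets, and say where credentials are supplied when `hasAuth` is true. In step 4 of the main procedure, `[assignees](control-case-access.md)` could target `#give-assignee-access`, which this patch defines. The file ends without a trailing newline.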
diff --git a/explore-analyze/cases/manage-cases.md b/explore-analyze/cases/manage-cases.md
new file mode 100644
index 0000000000..76376efd93
--- /dev/null
+++ b/explore-analyze/cases/manage-cases.md
@@ -0,0 +1,60 @@
+---
+navigation_title: Manage cases
+mapped_pages:
+ - https://www.elastic.co/guide/en/kibana/current/manage-cases.html
+ - https://www.elastic.co/guide/en/security/current/cases-open-manage.html
+ - https://www.elastic.co/guide/en/observability/current/manage-cases.html
+ - https://www.elastic.co/guide/en/serverless/current/security-cases-open-manage.html
+ - https://www.elastic.co/guide/en/serverless/current/observability-create-a-new-case.html
+applies_to:
+ stack: ga
+ serverless: ga
+products:
+ - id: kibana
+ - id: security
+ - id: observability
+ - id: cloud-serverless
+description: Edit case details, perform bulk actions, and export or import cases between spaces or across stack upgrades.
+---
+
+# Manage cases [manage-cases]
+
+Edit case details, perform bulk actions like deleting or updating multiple cases at once, and export or import cases between spaces or when upgrading to a new stack version.
+
+## Edit case details [edit-case-details]
+
+To view a case, go to the **Cases** page and select its name. From the case details page you can:
+
+- Edit the description.
+- Add or edit comments.
+- {applies_to}`stack: ga 9.2+` Paste images directly into comments using {kbd}`cmd+v` (Mac) or {kbd}`ctrl+v` (Windows/Linux). Pasted images are preformatted in Markdown.
+- Update assignees, status, and severity.
+- Add or change connectors and push updates to external systems.
+
+To attach alerts, files, observables, or visualizations to a case, refer to [Attach objects to cases](attach-objects-to-cases.md).
+
+## Bulk-manage cases [bulk-manage-cases]
+
+From the **Cases** page, select one or more cases to perform bulk actions such as deleting cases or changing their status, severity, assignees, or tags.
+
+## Export and import cases [export-import-cases]
+
+Use export and import to move cases between {{kib}} spaces. Exports are saved as newline-delimited JSON (`.ndjson`) files and include user actions, text string comments, and Lens visualizations.
+
+Files and alerts attached to the case are **not** included; you must re-add them after importing. Before importing cases, also ensure that any referenced data (such as Lens visualizations, Timelines, or alerts) already exists in the destination space, otherwise those references won't work.
+
+### Export cases [cases-export]
+
+1. Find **Saved Objects** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
+2. Filter by type or search by case title to find the cases you want to export.
+3. Select one or more cases, then click **Export**.
+4. In the export dialog, keep **Include related objects** enabled to include connectors, then click **Export**.
+
+### Import cases [cases-import]
+
+1. Find **Saved Objects** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then click **Import**.
+2. Select the `.ndjson` file containing the exported cases.
+3. Configure the import options and click **Import**.
+4. Review the import log, then click **Done**.
+
+If the imported case had connectors attached, you'll be prompted to re-authenticate them. Click **Go to connectors** and complete the required steps.
\ No newline at end of file
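Review bot: The `description` and the opening paragraph say export and import also cover upgrading to a new stack version, but "Export and import cases" only says "move cases between {{kib}} spaces" and never describes the upgrade path. Either drop the upgrade claim or cover it in that section. Because the export is a plain `.ndjson` file holding user actions and comments, a sentence on treating that file as case data would fit next to the list of what is included. The `mapped_pages` list is identical to the ones in `create-cases.md` and `search-share-cases.md` in this patch; confirm that three pages are meant to claim the same five legacy URLs. The file ends without a trailing newline.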
diff --git a/explore-analyze/cases/search-share-cases.md b/explore-analyze/cases/search-share-cases.md
new file mode 100644
index 0000000000..d6fa52989a
--- /dev/null
+++ b/explore-analyze/cases/search-share-cases.md
@@ -0,0 +1,53 @@
+---
+navigation_title: Search and share
+mapped_pages:
+ - https://www.elastic.co/guide/en/kibana/current/manage-cases.html
+ - https://www.elastic.co/guide/en/security/current/cases-open-manage.html
+ - https://www.elastic.co/guide/en/observability/current/manage-cases.html
+ - https://www.elastic.co/guide/en/serverless/current/security-cases-open-manage.html
+ - https://www.elastic.co/guide/en/serverless/current/observability-create-a-new-case.html
+applies_to:
+ stack: ga
+ serverless: ga
+products:
+ - id: kibana
+ - id: security
+ - id: observability
+ - id: cloud-serverless
+description: Search, filter, and share cases with colleagues or external ticketing systems.
+---
+
+# Search and share cases [search-share-cases]
+
+Quickly locate relevant cases and share them with others or external ticketing systems to streamline collaboration and handoffs.
+
+## Search cases [search-cases]
+
+The **Cases** page has a search bar for quickly finding cases and case data. You can search for case titles, descriptions, and IDs using keywords and text.
+
+Note the following rules for search:
+
+* **Keywords**: Searches for keywords (like case and alert IDs) must be exact.
+* **Text**: Text searches (such as case titles and descriptions) are case-insensitive.
+* **Syntax**: No special syntax is required when entering your search criteria.
+
+{applies_to}`stack: ga 9.3+` You can also search for alert and event IDs, observable values, case comments, and custom fields (text type only). For example, you can search {{elastic-sec}} for a specific IP address that's been specified as an observable, a colleague's comment, or the ID of an alert that's attached to the case.
+
+## Filter cases [filter-cases]
+
+You can filter cases by attributes such as assignees, categories, severity, status, and tags.
+
+{applies_to}`stack: ga 9.3+` To find cases created during a specific time range, use the date time picker above the Cases table. The default selection is the last 30 days—click **Show all cases** to display every case in your space.
+
+## Send cases to external systems [send-cases-external]
+
+To send a case to an external system, select the push button in the **External incident management system** section of the individual case page. This information is not sent automatically. If you make further changes to the shared case fields, you should push the case again.
+
+For more information about configuring connections to external incident management systems, refer to [Configure case settings](configure-case-settings.md).
+
+## Use case identifiers [case-identifiers]
+
+Cases have two types of identifiers:
+
+* {applies_to}`stack: ga 9.2+` **Numeric ID**: A short, human-readable number that appears after the case name. Use it for quick reference in conversations or searches. Numeric IDs increment by one for each new case in your [space](docs-content://deploy-manage/manage-spaces.md) and are assigned by a background task that runs every 10 minutes.
+* **UUID**: A longer alphanumeric identifier for the [cases API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-cases). Copy it from **Actions** → **Copy Case ID** on the Cases page or from the action menu {icon}`boxes_horizontal` in a case.
\ No newline at end of file
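Review bot: "This information is not sent automatically" in "Send cases to external systems" conflicts with step 8 of `create-cases.md` in this patch, which says a case with a connector selected "is automatically pushed to the third-party system it's connected to". State which behavior applies at creation and which applies to later changes, and name what "This information" refers to. In "Use case identifiers", the space link uses `docs-content://deploy-manage/manage-spaces.md`, while the other links into `deploy-manage` in these new files are root-relative (`/deploy-manage/manage-connectors.md`); pick one form. The file ends without a trailing newline.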
diff --git a/explore-analyze/discover/discover-get-started.md b/explore-analyze/discover/discover-get-started.md
index 803fcd0cbe..d6ad57b4e3 100644
--- a/explore-analyze/discover/discover-get-started.md
+++ b/explore-analyze/discover/discover-get-started.md
@@ -395,10 +395,10 @@ From **Discover**, you can create a rule to periodically check when data goes ab
The **Create rule** form is pre-filled with the latest query sent to {{es}}.
-3. [Configure your query](../alerts-cases/alerts/rule-type-es-query.md) and [select a connector type](../../deploy-manage/manage-connectors.md).
+3. [Configure your query](../alerting/alerts/rule-type-es-query.md) and [select a connector type](../../deploy-manage/manage-connectors.md).
4. Click **Save**.
-For more about this and other rules provided in {{alert-features}}, go to [Alerting](../alerts-cases/alerts.md).
+For more about this and other rules provided in {{alert-features}}, go to [Alerting](../alerting/alerts.md).
## What’s next? [_whats_next_4]
diff --git a/explore-analyze/find-and-organize/files.md b/explore-analyze/find-and-organize/files.md
index a3abc1ac62..56a9a5507f 100644
--- a/explore-analyze/find-and-organize/files.md
+++ b/explore-analyze/find-and-organize/files.md
@@ -10,7 +10,7 @@ products:
# Files [files]
-Several features let you upload files. For example, you can add files to [cases](../../solutions/observability/incident-management/cases.md) or upload a logo to an [Image panel](../visualize/image-panels.md) in a dashboard.
+Several features let you upload files. For example, you can add files to [cases](../../solutions/observability/incident-management/observability-cases.md) or upload a logo to an [Image panel](../visualize/image-panels.md) in a dashboard.
You can access and manage all of the files currently stored in {{kib}} from the **Files** page.
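Review bot: The "cases" link in the changed line now points at the Observability-specific page `solutions/observability/incident-management/observability-cases.md`, although the sentence is about file uploads in general and this patch adds solution-neutral pages under `explore-analyze/cases/`, including `attach-objects-to-cases.md`, which the other new pages link to for attaching files. Consider linking there instead so Security and Stack Management readers land on a page that applies to them.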
diff --git a/explore-analyze/geospatial-analysis.md b/explore-analyze/geospatial-analysis.md
index 36ac20f341..3138d6e040 100644
--- a/explore-analyze/geospatial-analysis.md
+++ b/explore-analyze/geospatial-analysis.md
@@ -89,7 +89,7 @@ Put machine learning to work for you and find the data that should stand out wit
## Alerting [geospatial-alerting]
-Let your location data drive insights and action with [geographic alerts](alerts-cases/alerts/geo-alerting.md). Commonly referred to as geo-fencing, track moving objects as they enter or exit a boundary to receive notifications through common business systems (email, Slack, Teams, PagerDuty, and more).
+Let your location data drive insights and action with [geographic alerts](alerting/alerts/geo-alerting.md). Commonly referred to as geo-fencing, track moving objects as they enter or exit a boundary to receive notifications through common business systems (email, Slack, Teams, PagerDuty, and more).
Interested in learning more? Follow [step-by-step instructions](visualize/maps/asset-tracking-tutorial.md) for setting up tracking containment alerts to monitor moving vehicles.
diff --git a/explore-analyze/machine-learning/anomaly-detection/ml-configuring-alerts.md b/explore-analyze/machine-learning/anomaly-detection/ml-configuring-alerts.md
index c5b45be7b5..27ddac5d13 100644
--- a/explore-analyze/machine-learning/anomaly-detection/ml-configuring-alerts.md
+++ b/explore-analyze/machine-learning/anomaly-detection/ml-configuring-alerts.md
@@ -249,14 +249,14 @@ and the **Alerts** panel.
If necessary, you can snooze rules to prevent them from generating actions. For
more details, refer to
-[Snooze and disable rules](/explore-analyze/alerts-cases/alerts/create-manage-rules.md#controlling-rules).
+[Snooze and disable rules](/explore-analyze/alerting/alerts/create-manage-rules.md#controlling-rules).
## Action variables [action-variables]
The following variables are specific to the {{ml}} rule types. An asterisk (`*`)
marks the variables that you can use in actions related to recovered alerts.
-You can also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+You can also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
### {{anomaly-detect-cap}} alert action variables [anomaly-alert-action-variables]
diff --git a/explore-analyze/query-filter/languages/esql-kibana.md b/explore-analyze/query-filter/languages/esql-kibana.md
index ee489f1c7f..fdcd97c19d 100644
--- a/explore-analyze/query-filter/languages/esql-kibana.md
+++ b/explore-analyze/query-filter/languages/esql-kibana.md
@@ -19,7 +19,7 @@ The {{esql}} editor is available in the following areas of {{kib}}:
- [**Discover**](/explore-analyze/discover/try-esql.md): Explore and analyze your data using {{esql}} queries, visualize results, and save your findings to dashboards.
- [**Dashboards**](/explore-analyze/dashboards.md): Create {{esql}}-powered visualization panels and interactive controls.
-- [**Alerting**](/explore-analyze/alerts-cases/alerts/rule-type-es-query.md): Create alerting rules based on {{esql}} queries.
+- [**Alerting**](/explore-analyze/alerting/alerts/rule-type-es-query.md): Create alerting rules based on {{esql}} queries.
- [**{{elastic-sec}} solution**](/solutions/security/esql-for-security.md): Use {{esql}} for threat hunting, detection rules, and investigation workflows.
:::{tip}
diff --git a/explore-analyze/report-and-share/automating-report-generation.md b/explore-analyze/report-and-share/automating-report-generation.md
index 80e67ee3df..c6ce3a3d86 100644
--- a/explore-analyze/report-and-share/automating-report-generation.md
+++ b/explore-analyze/report-and-share/automating-report-generation.md
@@ -51,7 +51,7 @@ To create the POST URL for CSV reports:
## Use Watcher [use-watcher]
-To configure a watch to email reports, use the `reporting` attachment type in an `email` action. For more information, refer to [Configuring email accounts](../alerts-cases/watcher/actions-email.md#configuring-email).
+To configure a watch to email reports, use the `reporting` attachment type in an `email` action. For more information, refer to [Configuring email accounts](../alerting/watcher/actions-email.md#configuring-email).
For example, the following watch generates a PDF report and emails the report every hour:
@@ -89,7 +89,7 @@ PUT _watcher/watch/error_report
}
```
-1. Configure at least one email account to enable Watcher to send email. For more information, refer to [Configuring email accounts](../alerts-cases/watcher/actions-email.md#configuring-email).
+1. Configure at least one email account to enable Watcher to send email. For more information, refer to [Configuring email accounts](../alerting/watcher/actions-email.md#configuring-email).
2. An example POST URL. You can copy and paste the URL for any report.
3. Optional, default is `40`.
4. Optional, default is `15s`.
@@ -101,7 +101,7 @@ PUT _watcher/watch/error_report
The report generation URL might contain date-math expressions that cause the watch to fail with a `parse_exception`. To avoid a failed watch, remove curly braces `{` `}` from date-math expressions and URL-encode characters. For example, `...(range:(%27@timestamp%27:(gte:now-15m%2Fd,lte:now%2Fd))))...`
-For more information about configuring watches, refer to [How Watcher works](../alerts-cases/watcher/how-watcher-works.md).
+For more information about configuring watches, refer to [How Watcher works](../alerting/watcher/how-watcher-works.md).
::::
@@ -226,7 +226,7 @@ Save time by setting up a recurring task that automatically generates reports an
notifications.connectors.default.email: my-email
```
-* (Optional) To control who can receive email notifications from {{kib}}, add the [`xpack.actions.email.domain_allowlist` setting](kibana://reference/configuration-reference/alerting-settings.md) to your `kibana.yml` file. To learn more about configuring this setting, refer to [Notifications domain allowlist](../alerts-cases/alerts/notifications-domain-allowlist.md).
+* (Optional) To control who can receive email notifications from {{kib}}, add the [`xpack.actions.email.domain_allowlist` setting](kibana://reference/configuration-reference/alerting-settings.md) to your `kibana.yml` file. To learn more about configuring this setting, refer to [Notifications domain allowlist](../alerting/alerts/notifications-domain-allowlist.md).
### Create a schedule [create-scheduled-report]
@@ -253,7 +253,7 @@ Save time by setting up a recurring task that automatically generates reports an
* **Message**: Keep the default email message, or enter your own. To format and structure your message text, use Markdown.
::::{note}
- In the subject and message, you can also use the [Mustache](https://mustache.github.io/mustache.5.html) template syntax (`{{variable name}}`) to dynamically pass values from data sources when the email is generated. Enhancing the values passed by Mustache variables is also supported. Refer to [](../../explore-analyze/alerts-cases/alerts/rule-action-variables.md#enhance-mustache-variables) to learn more.
+ In the subject and message, you can also use the [Mustache](https://mustache.github.io/mustache.5.html) template syntax (`{{variable name}}`) to dynamically pass values from data sources when the email is generated. Enhancing the values passed by Mustache variables is also supported. Refer to [](../../explore-analyze/alerting/alerts/rule-action-variables.md#enhance-mustache-variables) to learn more.
::::
6. Click **Schedule exports** to save the schedule.
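Review bot: The Mustache note link on the changed line still uses the long `../../explore-analyze/alerting/alerts/rule-action-variables.md` form, while every other link updated in this file uses `../alerting/...`. Since the line is being touched anyway, shorten it to `../alerting/alerts/rule-action-variables.md#enhance-mustache-variables` so the file has one path style and the next move needs a single search pattern.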
diff --git a/explore-analyze/scripting/modules-scripting-painless.md b/explore-analyze/scripting/modules-scripting-painless.md
index 3304c62989..b2c13db5e8 100644
--- a/explore-analyze/scripting/modules-scripting-painless.md
+++ b/explore-analyze/scripting/modules-scripting-painless.md
@@ -79,7 +79,7 @@ You can use Painless in multiple contexts throughout {{es}}:
* [**Search queries**](/solutions/search.md)**:** for custom scoring and script fields
* [**Runtime fields**](/manage-data/data-store/mapping/runtime-fields.md)**:** for dynamic field creation
* [**Update API:**](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-update) for document modification
-* [**Watcher**](/explore-analyze/alerts-cases/watcher.md)**:** for alert conditions and actions
+* [**Watcher**](/explore-analyze/alerting/watcher.md)**:** for alert conditions and actions
## Start scripting
diff --git a/explore-analyze/scripting/painless-lab.md b/explore-analyze/scripting/painless-lab.md
index d0e392ccc5..95eec75454 100644
--- a/explore-analyze/scripting/painless-lab.md
+++ b/explore-analyze/scripting/painless-lab.md
@@ -16,7 +16,7 @@ products:
This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
::::
-The **Painless Lab** is an interactive code editor that lets you test and debug [Painless scripts](modules-scripting-painless.md) in real-time. You can use the Painless scripting language to create [{{kib}} runtime fields](../find-and-organize/data-views.md#runtime-fields), process [reindexed data](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex), define complex [Watcher conditions](../alerts-cases/watcher.md), and work with data in other contexts.
+The **Painless Lab** is an interactive code editor that lets you test and debug [Painless scripts](modules-scripting-painless.md) in real-time. You can use the Painless scripting language to create [{{kib}} runtime fields](../find-and-organize/data-views.md#runtime-fields), process [reindexed data](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex), define complex [Watcher conditions](../alerting/watcher.md), and work with data in other contexts.
Find **Painless Lab** by navigating to the **Developer tools** page using the navigation menu or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md).
diff --git a/explore-analyze/toc.yml b/explore-analyze/toc.yml
index 50638b1aa7..817b8e2ae5 100644
--- a/explore-analyze/toc.yml
+++ b/explore-analyze/toc.yml
@@ -354,80 +354,83 @@ toc:
children:
- file: report-and-share/reporting-troubleshooting-csv.md
- file: report-and-share/reporting-troubleshooting-pdf.md
- - file: alerts-cases.md
+ - file: alerting.md
children:
- - file: alerts-cases/alerts.md
+ - file: alerting/alerts.md
children:
- - file: alerts-cases/alerts/alerting-getting-started.md
- - file: alerts-cases/alerts/alerting-setup.md
- - file: alerts-cases/alerts/create-manage-rules.md
- - file: alerts-cases/alerts/view-alerts.md
- - file: alerts-cases/alerts/rule-types.md
- children:
- - file: alerts-cases/alerts/rule-type-index-threshold.md
- - file: alerts-cases/alerts/rule-type-es-query.md
- - file: alerts-cases/alerts/geo-alerting.md
- - file: alerts-cases/alerts/rule-action-variables.md
- - file: alerts-cases/alerts/notifications-domain-allowlist.md
- - file: alerts-cases/alerts/alerting-troubleshooting.md
- children:
- - file: alerts-cases/alerts/alerting-common-issues.md
- - file: alerts-cases/alerts/event-log-index.md
- - file: alerts-cases/alerts/testing-connectors.md
- - file: alerts-cases/alerts/maintenance-windows.md
- - file: alerts-cases/watcher.md
+ - file: alerting/alerts/alerting-getting-started.md
+ - file: alerting/alerts/alerting-setup.md
+ - file: alerting/alerts/create-manage-rules.md
+ - file: alerting/alerts/view-alerts.md
+ - file: alerting/alerts/rule-types.md
+ children:
+ - file: alerting/alerts/rule-type-index-threshold.md
+ - file: alerting/alerts/rule-type-es-query.md
+ - file: alerting/alerts/geo-alerting.md
+ - file: alerting/alerts/rule-action-variables.md
+ - file: alerting/alerts/notifications-domain-allowlist.md
+ - file: alerting/alerts/alerting-troubleshooting.md
+ children:
+ - file: alerting/alerts/alerting-common-issues.md
+ - file: alerting/alerts/event-log-index.md
+ - file: alerting/alerts/testing-connectors.md
+ - file: alerting/alerts/maintenance-windows.md
+ - file: alerting/watcher.md
children:
- - file: alerts-cases/watcher/watcher-getting-started.md
- - file: alerts-cases/watcher/how-watcher-works.md
- - file: alerts-cases/watcher/enable-watcher.md
- - file: alerts-cases/watcher/watcher-ui.md
- - file: alerts-cases/watcher/encrypting-data.md
- - file: alerts-cases/watcher/input.md
- children:
- - file: alerts-cases/watcher/input-simple.md
- - file: alerts-cases/watcher/input-search.md
- - file: alerts-cases/watcher/input-http.md
- - file: alerts-cases/watcher/input-chain.md
- - file: alerts-cases/watcher/trigger.md
- children:
- - file: alerts-cases/watcher/trigger-schedule.md
- - file: alerts-cases/watcher/throttling.md
- - file: alerts-cases/watcher/schedule-types.md
- - file: alerts-cases/watcher/condition.md
- children:
- - file: alerts-cases/watcher/condition-always.md
- - file: alerts-cases/watcher/condition-never.md
- - file: alerts-cases/watcher/condition-compare.md
- - file: alerts-cases/watcher/condition-array-compare.md
- - file: alerts-cases/watcher/condition-script.md
- - file: alerts-cases/watcher/actions.md
- children:
- - file: alerts-cases/watcher/action-foreach.md
- - file: alerts-cases/watcher/action-conditions.md
- - file: alerts-cases/watcher/actions-email.md
- - file: alerts-cases/watcher/actions-webhook.md
- - file: alerts-cases/watcher/actions-index.md
- - file: alerts-cases/watcher/actions-logging.md
- - file: alerts-cases/watcher/actions-slack.md
- - file: alerts-cases/watcher/actions-pagerduty.md
- - file: alerts-cases/watcher/actions-jira.md
- - file: alerts-cases/watcher/transform.md
- children:
- - file: alerts-cases/watcher/transform-search.md
- - file: alerts-cases/watcher/transform-script.md
- - file: alerts-cases/watcher/transform-chain.md
- - file: alerts-cases/watcher/managing-watches.md
- - file: alerts-cases/watcher/example-watches.md
- children:
- - file: alerts-cases/watcher/watch-cluster-status.md
- - file: alerts-cases/watcher/execute-watch.md
- - file: alerts-cases/watcher/watcher-limitations.md
- - file: alerts-cases/cases.md
- children:
- - file: alerts-cases/cases/setup-cases.md
- - file: alerts-cases/cases/manage-cases.md
- - file: alerts-cases/cases/manage-cases-settings.md
- - file: alerts-cases/cases/cases-as-data.md
+ - file: alerting/watcher/watcher-getting-started.md
+ - file: alerting/watcher/how-watcher-works.md
+ - file: alerting/watcher/enable-watcher.md
+ - file: alerting/watcher/watcher-ui.md
+ - file: alerting/watcher/encrypting-data.md
+ - file: alerting/watcher/input.md
+ children:
+ - file: alerting/watcher/input-simple.md
+ - file: alerting/watcher/input-search.md
+ - file: alerting/watcher/input-http.md
+ - file: alerting/watcher/input-chain.md
+ - file: alerting/watcher/trigger.md
+ children:
+ - file: alerting/watcher/trigger-schedule.md
+ - file: alerting/watcher/throttling.md
+ - file: alerting/watcher/schedule-types.md
+ - file: alerting/watcher/condition.md
+ children:
+ - file: alerting/watcher/condition-always.md
+ - file: alerting/watcher/condition-never.md
+ - file: alerting/watcher/condition-compare.md
+ - file: alerting/watcher/condition-array-compare.md
+ - file: alerting/watcher/condition-script.md
+ - file: alerting/watcher/actions.md
+ children:
+ - file: alerting/watcher/action-foreach.md
+ - file: alerting/watcher/action-conditions.md
+ - file: alerting/watcher/actions-email.md
+ - file: alerting/watcher/actions-webhook.md
+ - file: alerting/watcher/actions-index.md
+ - file: alerting/watcher/actions-logging.md
+ - file: alerting/watcher/actions-slack.md
+ - file: alerting/watcher/actions-pagerduty.md
+ - file: alerting/watcher/actions-jira.md
+ - file: alerting/watcher/transform.md
+ children:
+ - file: alerting/watcher/transform-search.md
+ - file: alerting/watcher/transform-script.md
+ - file: alerting/watcher/transform-chain.md
+ - file: alerting/watcher/managing-watches.md
+ - file: alerting/watcher/example-watches.md
+ children:
+ - file: alerting/watcher/watch-cluster-status.md
+ - file: alerting/watcher/execute-watch.md
+ - file: alerting/watcher/watcher-limitations.md
+ - file: cases.md
+ children:
+ - file: cases/control-case-access.md
+ - file: cases/create-cases.md
+ - file: cases/manage-cases.md
+ - file: cases/attach-objects-to-cases.md
+ - file: cases/search-share-cases.md
+ - file: cases/configure-case-settings.md
+ - file: cases/cases-as-data.md
- file: workflows.md
children:
- file: workflows/setup.md
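Review bot: The new `cases.md` children include three entries that have no counterpart in the removed list: `cases/create-cases.md`, `cases/attach-objects-to-cases.md` and `cases/search-share-cases.md`. Please confirm these files are added in this PR, since a toc entry without a file fails the build. It would also help to say in the PR description which parts of the old `alerts-cases/cases/manage-cases.md` moved into each of them, because the redirects map that page only to `cases/manage-cases.md`.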
diff --git a/explore-analyze/transforms/transform-alerts.md b/explore-analyze/transforms/transform-alerts.md
index 3b27450846..ced21c8f00 100644
--- a/explore-analyze/transforms/transform-alerts.md
+++ b/explore-analyze/transforms/transform-alerts.md
@@ -10,7 +10,7 @@ products:
# Generating alerts for transforms [transform-alerts]
-{{kib}} {{alert-features}} include support for transform health rules, which check the health of {{ctransforms}} with certain conditions. If the conditions of the rule are met, an alert is created and the associated actions run. For example, you can create a rule to check if a {{ctransform}} is started and to notify you in an email if it is not. To learn more about {{kib}} {{alert-features}}, refer to [Alerting](../alerts-cases/alerts/alerting-getting-started.md).
+{{kib}} {{alert-features}} include support for transform health rules, which check the health of {{ctransforms}} with certain conditions. If the conditions of the rule are met, an alert is created and the associated actions run. For example, you can create a rule to check if a {{ctransform}} is started and to notify you in an email if it is not. To learn more about {{kib}} {{alert-features}}, refer to [Alerting](../alerting/alerts/alerting-getting-started.md).
## Creating a rule [creating-transform-rules]
@@ -75,7 +75,7 @@ The name of an alert is always the same as the transform ID of the associated tr
## Action variables [transform-action-variables]
-The following variables are specific to the transform health rule type. You can also specify [variables common to all rules](../alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to the transform health rule type. You can also specify [variables common to all rules](../alerting/alerts/rule-action-variables.md).
`context.message`
: A preconstructed message for the rule. For example: `Transform test-1 is not started.`
@@ -104,4 +104,4 @@ The following variables are specific to the transform health rule type. You can
{{/context.results}}
```
-For more examples, refer to [Rule action variables](../alerts-cases/alerts/rule-action-variables.md).
+For more examples, refer to [Rule action variables](../alerting/alerts/rule-action-variables.md).
diff --git a/explore-analyze/visualize/_snippets/emoji-table-esql.md b/explore-analyze/visualize/_snippets/emoji-table-esql.md
index 9c9165181f..3222d27a1d 100644
--- a/explore-analyze/visualize/_snippets/emoji-table-esql.md
+++ b/explore-analyze/visualize/_snippets/emoji-table-esql.md
@@ -55,4 +55,4 @@ To create the visualization:
6. Optionally, once the panel is saved, select the panel title to give it a meaningful name like `Status per host`.
-Once you have your visualization working, you can add [controls](/explore-analyze/dashboards/add-controls.md#add-variable-control) to filter by host or time range, use [LOOKUP JOIN](elasticsearch://reference/query-languages/esql/esql-lookup-join.md) to enrich your data with metadata from other indices, or create [alerts](/explore-analyze/alerts-cases/alerts/rule-type-es-query.md) based on the same query to get notified when status changes.
\ No newline at end of file
+Once you have your visualization working, you can add [controls](/explore-analyze/dashboards/add-controls.md#add-variable-control) to filter by host or time range, use [LOOKUP JOIN](elasticsearch://reference/query-languages/esql/esql-lookup-join.md) to enrich your data with metadata from other indices, or create [alerts](/explore-analyze/alerting/alerts/rule-type-es-query.md) based on the same query to get notified when status changes.
\ No newline at end of file
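Review bot: The rewritten last line still ends with no newline (`\ No newline at end of file` appears on both sides). Since this line is being replaced anyway, add the trailing newline so later edits to this snippet do not show a spurious change on this line.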
diff --git a/explore-analyze/workflows/data.md b/explore-analyze/workflows/data.md
index 7f911aba5b..d0ee09ca53 100644
--- a/explore-analyze/workflows/data.md
+++ b/explore-analyze/workflows/data.md
@@ -64,7 +64,7 @@ steps:
In this example:
1. The `find_user_by_id` step searches an index for a document.
-2. The `create_case_for_user` step uses the output of the first step to enrich a new [{{elastic-sec}} case](../../solutions/security/investigate/cases.md).
+2. The `create_case_for_user` step uses the output of the first step to enrich a new [{{elastic-sec}} case](../../solutions/security/investigate/security-cases.md).
3. The `description` field accesses `steps.find_user_by_id.output.hits.hits[0]._source.user.fullName` to dynamically include the user's full name in the case description.
## Error handling [workflows-error-handling]
diff --git a/get-started/_snippets/observability-overview.md b/get-started/_snippets/observability-overview.md
index 935dce2630..1f6ee8d74d 100644
--- a/get-started/_snippets/observability-overview.md
+++ b/get-started/_snippets/observability-overview.md
@@ -43,6 +43,6 @@ At the heart of Elastic {{observability}} are several key components that enable
* [**OpenTelemetry:**](/solutions/observability/apm/opentelemetry/index.md) {{Observability}} offers first-class, production-grade support for OpenTelemetry. This allows organizations to use vendor-neutral instrumentation and stream native OTel data without proprietary agents, leveraging the {{edot}} (EDOT).
* [**AIOps and AI Assistant:**](/solutions/observability/ai/observability-ai-assistant.md) Leverages predictive analytics and an LLM-powered AI Assistant to reduce the time required to detect, investigate, and resolve incidents. This includes zero-config {{anomaly-detect}}, pattern analysis, and the ability to surface correlations and root causes.
* **[Alerting](/solutions/observability/incident-management/alerting.md)**: Allows you to create rules to detect complex conditions and perform actions.
-* **[Cases](/solutions/observability/incident-management/cases.md):** Cases allows teams to stay aware of potential issues and track investigation details, assign tasks, and collaborate on resolutions.
+* **[Cases](/solutions/observability/incident-management/observability-cases.md):** Cases allows teams to stay aware of potential issues and track investigation details, assign tasks, and collaborate on resolutions.
* [**Service Level Objectives (SLOs):**](/solutions/observability/incident-management/service-level-objectives-slos.md) A framework for defining and monitoring the reliability of a service. Elastic {{observability}} allows for creating and tracking SLOs to ensure you meet your performance targets.
:::
\ No newline at end of file
diff --git a/get-started/_snippets/security-overview.md b/get-started/_snippets/security-overview.md
index 8948a44208..76d4932e7b 100644
--- a/get-started/_snippets/security-overview.md
+++ b/get-started/_snippets/security-overview.md
@@ -41,7 +41,7 @@ Before diving into setup and configuration, familiarize yourself with the founda
* [**Alerts:**](/solutions/security/detect-and-alert/manage-detection-alerts.md) Notifications that are generated when rule conditions are met. Alerts include a wide range of information about potential threats, including host, user, network, and other contextual data to assist your investigation.
* [**Machine learning and anomaly detection:**](/solutions/security/advanced-entity-analytics/anomaly-detection.md) Anomaly detection jobs identify anomalous events or patterns in your data. Use these with machine learning detection rules to generate alerts when behavior deviates from normal activity.
* [**Entity analytics:**](/solutions/security/advanced-entity-analytics/overview.md) A threat detection feature that combines the power of Elastic’s detection engine and machine learning capabilities to identify unusual behavior for hosts, users, and services.
-* [**Cases:**](/solutions/security/investigate/cases.md) Allows you to collect and share information about security issues. Opening a case lets you track key investigation details and collect alerts in a central location. You can also send cases to external systems.
+* [**Cases:**](/solutions/security/investigate/security-cases.md) Allows you to collect and share information about security issues. Opening a case lets you track key investigation details and collect alerts in a central location. You can also send cases to external systems.
* [**Timeline:**](/solutions/security/investigate/timeline.md) Investigate security events so you can gather and analyze data related to alerts or suspicious activity. You can add events to Timeline from various sources, build custom queries, and import/export a Timeline to collaborate and share.
* [**Security posture management:**](/solutions/security/cloud.md) Includes native cloud security features, such as Cloud Security Posture Management (CSPM) and Cloud Native Vulnerability Management (CNVM), that help you evaluate your cloud infrastructure's configuration against security best practices and identify vulnerabilities. You can use Elastic's native tools or ingest third-party cloud security data and incorporate it into {{elastic-sec}}'s workflows.
* [**AI Assistant:**](/solutions/security/ai/ai-assistant.md) Helps with tasks like alert investigation, incident response, and query generation. It utilizes natural language processing and knowledge retrieval to provide context-aware assistance, summarize threats, suggest next steps, and automate workflows. Use AI Assistant to better understand and respond to security incidents.
diff --git a/get-started/evaluate-elastic.md b/get-started/evaluate-elastic.md
index 13c79b8969..06069646fe 100644
--- a/get-started/evaluate-elastic.md
+++ b/get-started/evaluate-elastic.md
@@ -307,7 +307,7 @@ For the second week, focus on the following activities:
- Add a few additional data sources relevant to your use case. Refer to [Fleet integrations](/reference/fleet/manage-integrations.md) for available integrations.
- Focus on metrics that demonstrate clear business value. Use [Lens visualizations](/explore-analyze/visualize/lens.md) to highlight KPIs.
-- Set up alerts for critical conditions or thresholds. Refer to [Alerting](/explore-analyze/alerts-cases.md) for configuration options.
+- Set up alerts for critical conditions or thresholds. Refer to [Alerting](/explore-analyze/alerting.md) for configuration options.
- Create dashboards that answer key stakeholder questions. Refer to [Create a dashboard](/explore-analyze/dashboards/create-dashboard.md) for guidance.
- Compare results against your success criteria.
- Quantify time savings, efficiency gains, or risk reduction.
diff --git a/get-started/the-stack.md b/get-started/the-stack.md
index 69b2ab4811..67fec86113 100644
--- a/get-started/the-stack.md
+++ b/get-started/the-stack.md
@@ -81,7 +81,7 @@ With {{kib}}, you can:
- Build custom [visualizations](/explore-analyze/visualize.md) like charts, graphs, and metrics with tools like **Lens**, which offers a drag-and-drop experience.
- Assemble your visualizations into interactive [dashboards](/explore-analyze/dashboards.md) to get a comprehensive overview of your information.
- Perform [geospatial analysis](/explore-analyze/geospatial-analysis.md) and add maps to your dashboards.
-- Configure notifications for significant data events and track incidents with [alerts and cases](/explore-analyze/alerts-cases.md).
+- Configure notifications for significant data events and track incidents with [alerts and cases](/explore-analyze/alerting.md).
- Manage resources such as processors, pipelines, data streams, trained models, and more.
Each solution or project type provides access to customized features in {{kib}} such as built-in dashboards and [AI assistants](/explore-analyze/ai-features/ai-chat-experiences/ai-assistant.md).
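Review bot: On the changed bullet, the link text is still `alerts and cases` but the target is now `/explore-analyze/alerting.md` only, while this patch moves cases to its own `explore-analyze/cases.md`. A reader following the link to learn about tracking incidents will not find cases there. Consider splitting it into two links, for example `[alerts](/explore-analyze/alerting.md) and [cases](/explore-analyze/cases.md)`.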
diff --git a/manage-data/data-store/data-streams/failure-store-recipes.md b/manage-data/data-store/data-streams/failure-store-recipes.md
index ceec58f016..ee56d86aaf 100644
--- a/manage-data/data-store/data-streams/failure-store-recipes.md
+++ b/manage-data/data-store/data-streams/failure-store-recipes.md
@@ -307,7 +307,7 @@ Without tags in place it would not be as clear where in the pipeline the indexin
## Alerting on failed ingestion [failure-store-examples-alerting]
-Since failure stores can be searched like a normal data stream, we can use them as inputs to [alerting rules](../../../explore-analyze/alerts-cases/alerts.md) in
+Since failure stores can be searched like a normal data stream, we can use them as inputs to [alerting rules](../../../explore-analyze/alerting/alerts.md) in
{{kib}}. Here is a simple alerting example that is triggered when more than ten indexing failures have occurred in the last five minutes for a data stream:
:::::{stepper}
diff --git a/redirects.yml b/redirects.yml
index 5c4add9fc1..6c33d97dfd 100644
--- a/redirects.yml
+++ b/redirects.yml
@@ -701,3 +701,81 @@ redirects:
# Related to https://github.com/elastic/docs-content/pull/5033
'solutions/observability/observability-ai-assistant.md': 'solutions/observability/ai/observability-ai-assistant.md'
'solutions/observability/llm-performance-matrix.md': 'solutions/observability/ai/llm-performance-matrix.md'
+
+# Related to cases and alerting documentation restructuring
+ # Main pages
+ 'explore-analyze/alerts-cases.md': 'explore-analyze/alerting.md'
+ 'explore-analyze/alerts-cases/cases.md': 'explore-analyze/cases.md'
+ 'explore-analyze/alerts-cases/alerts.md': 'explore-analyze/alerting/alerts.md'
+ 'explore-analyze/alerts-cases/watcher.md': 'explore-analyze/alerting/watcher.md'
+
+ # Cases redirects
+ 'explore-analyze/alerts-cases/cases/setup-cases.md': 'explore-analyze/cases/control-case-access.md'
+ 'explore-analyze/alerts-cases/cases/manage-cases.md': 'explore-analyze/cases/manage-cases.md'
+ 'explore-analyze/alerts-cases/cases/manage-cases-settings.md': 'explore-analyze/cases/configure-case-settings.md'
+ 'explore-analyze/cases/manage-cases-settings.md': 'explore-analyze/cases/configure-case-settings.md'
+ 'explore-analyze/alerts-cases/cases/cases-as-data.md': 'explore-analyze/cases/cases-as-data.md'
+ 'explore-analyze/cases/setup-cases.md': 'explore-analyze/cases/control-case-access.md'
+ 'explore-analyze/cases/configure-case-access.md': 'explore-analyze/cases/control-case-access.md'
+ 'explore-analyze/cases/find-share-cases.md': 'explore-analyze/cases/search-share-cases.md'
+
+ # Alerts redirects
+ 'explore-analyze/alerts-cases/alerts/alerting-getting-started.md': 'explore-analyze/alerting/alerts/alerting-getting-started.md'
+ 'explore-analyze/alerts-cases/alerts/alerting-setup.md': 'explore-analyze/alerting/alerts/alerting-setup.md'
+ 'explore-analyze/alerts-cases/alerts/create-manage-rules.md': 'explore-analyze/alerting/alerts/create-manage-rules.md'
+ 'explore-analyze/alerts-cases/alerts/view-alerts.md': 'explore-analyze/alerting/alerts/view-alerts.md'
+ 'explore-analyze/alerts-cases/alerts/rule-types.md': 'explore-analyze/alerting/alerts/rule-types.md'
+ 'explore-analyze/alerts-cases/alerts/rule-type-index-threshold.md': 'explore-analyze/alerting/alerts/rule-type-index-threshold.md'
+ 'explore-analyze/alerts-cases/alerts/rule-type-es-query.md': 'explore-analyze/alerting/alerts/rule-type-es-query.md'
+ 'explore-analyze/alerts-cases/alerts/geo-alerting.md': 'explore-analyze/alerting/alerts/geo-alerting.md'
+ 'explore-analyze/alerts-cases/alerts/rule-action-variables.md': 'explore-analyze/alerting/alerts/rule-action-variables.md'
+ 'explore-analyze/alerts-cases/alerts/notifications-domain-allowlist.md': 'explore-analyze/alerting/alerts/notifications-domain-allowlist.md'
+ 'explore-analyze/alerts-cases/alerts/alerting-troubleshooting.md': 'explore-analyze/alerting/alerts/alerting-troubleshooting.md'
+ 'explore-analyze/alerts-cases/alerts/alerting-common-issues.md': 'explore-analyze/alerting/alerts/alerting-common-issues.md'
+ 'explore-analyze/alerts-cases/alerts/event-log-index.md': 'explore-analyze/alerting/alerts/event-log-index.md'
+ 'explore-analyze/alerts-cases/alerts/testing-connectors.md': 'explore-analyze/alerting/alerts/testing-connectors.md'
+ 'explore-analyze/alerts-cases/alerts/maintenance-windows.md': 'explore-analyze/alerting/alerts/maintenance-windows.md'
+
+ # Watcher redirects
+ 'explore-analyze/alerts-cases/watcher/watcher-getting-started.md': 'explore-analyze/alerting/watcher/watcher-getting-started.md'
+ 'explore-analyze/alerts-cases/watcher/how-watcher-works.md': 'explore-analyze/alerting/watcher/how-watcher-works.md'
+ 'explore-analyze/alerts-cases/watcher/enable-watcher.md': 'explore-analyze/alerting/watcher/enable-watcher.md'
+ 'explore-analyze/alerts-cases/watcher/encrypting-data.md': 'explore-analyze/alerting/watcher/encrypting-data.md'
+ 'explore-analyze/alerts-cases/watcher/managing-watches.md': 'explore-analyze/alerting/watcher/managing-watches.md'
+ 'explore-analyze/alerts-cases/watcher/watcher-ui.md': 'explore-analyze/alerting/watcher/watcher-ui.md'
+ 'explore-analyze/alerts-cases/watcher/example-watches.md': 'explore-analyze/alerting/watcher/example-watches.md'
+ 'explore-analyze/alerts-cases/watcher/watch-cluster-status.md': 'explore-analyze/alerting/watcher/watch-cluster-status.md'
+ 'explore-analyze/alerts-cases/watcher/watcher-limitations.md': 'explore-analyze/alerting/watcher/watcher-limitations.md'
+ 'explore-analyze/alerts-cases/watcher/schedule-types.md': 'explore-analyze/alerting/watcher/schedule-types.md'
+ 'explore-analyze/alerts-cases/watcher/trigger.md': 'explore-analyze/alerting/watcher/trigger.md'
+ 'explore-analyze/alerts-cases/watcher/trigger-schedule.md': 'explore-analyze/alerting/watcher/trigger-schedule.md'
+ 'explore-analyze/alerts-cases/watcher/input.md': 'explore-analyze/alerting/watcher/input.md'
+ 'explore-analyze/alerts-cases/watcher/input-simple.md': 'explore-analyze/alerting/watcher/input-simple.md'
+ 'explore-analyze/alerts-cases/watcher/input-search.md': 'explore-analyze/alerting/watcher/input-search.md'
+ 'explore-analyze/alerts-cases/watcher/input-http.md': 'explore-analyze/alerting/watcher/input-http.md'
+ 'explore-analyze/alerts-cases/watcher/input-chain.md': 'explore-analyze/alerting/watcher/input-chain.md'
+ 'explore-analyze/alerts-cases/watcher/condition.md': 'explore-analyze/alerting/watcher/condition.md'
+ 'explore-analyze/alerts-cases/watcher/condition-always.md': 'explore-analyze/alerting/watcher/condition-always.md'
+ 'explore-analyze/alerts-cases/watcher/condition-never.md': 'explore-analyze/alerting/watcher/condition-never.md'
+ 'explore-analyze/alerts-cases/watcher/condition-compare.md': 'explore-analyze/alerting/watcher/condition-compare.md'
+ 'explore-analyze/alerts-cases/watcher/condition-array-compare.md': 'explore-analyze/alerting/watcher/condition-array-compare.md'
+ 'explore-analyze/alerts-cases/watcher/condition-script.md': 'explore-analyze/alerting/watcher/condition-script.md'
+ 'explore-analyze/alerts-cases/watcher/actions.md': 'explore-analyze/alerting/watcher/actions.md'
+ 'explore-analyze/alerts-cases/watcher/action-conditions.md': 'explore-analyze/alerting/watcher/action-conditions.md'
+ 'explore-analyze/alerts-cases/watcher/action-foreach.md': 'explore-analyze/alerting/watcher/action-foreach.md'
+ 'explore-analyze/alerts-cases/watcher/actions-email.md': 'explore-analyze/alerting/watcher/actions-email.md'
+ 'explore-analyze/alerts-cases/watcher/actions-webhook.md': 'explore-analyze/alerting/watcher/actions-webhook.md'
+ 'explore-analyze/alerts-cases/watcher/actions-index.md': 'explore-analyze/alerting/watcher/actions-index.md'
+ 'explore-analyze/alerts-cases/watcher/actions-logging.md': 'explore-analyze/alerting/watcher/actions-logging.md'
+ 'explore-analyze/alerts-cases/watcher/actions-slack.md': 'explore-analyze/alerting/watcher/actions-slack.md'
+ 'explore-analyze/alerts-cases/watcher/actions-pagerduty.md': 'explore-analyze/alerting/watcher/actions-pagerduty.md'
+ 'explore-analyze/alerts-cases/watcher/actions-jira.md': 'explore-analyze/alerting/watcher/actions-jira.md'
+ 'explore-analyze/alerts-cases/watcher/transform.md': 'explore-analyze/alerting/watcher/transform.md'
+ 'explore-analyze/alerts-cases/watcher/transform-search.md': 'explore-analyze/alerting/watcher/transform-search.md'
+ 'explore-analyze/alerts-cases/watcher/transform-script.md': 'explore-analyze/alerting/watcher/transform-script.md'
+ 'explore-analyze/alerts-cases/watcher/transform-chain.md': 'explore-analyze/alerting/watcher/transform-chain.md'
+ 'explore-analyze/alerts-cases/watcher/throttling.md': 'explore-analyze/alerting/watcher/throttling.md'
+ 'explore-analyze/alerts-cases/watcher/execute-watch.md': 'explore-analyze/alerting/watcher/execute-watch.md'
+ 'solutions/security/investigate/security-cases-features.md': 'solutions/security/investigate/security-cases.md'
+ 'solutions/security/investigate/cases.md': 'solutions/security/investigate/security-cases.md'
+ 'solutions/observability/incident-management/cases.md': 'solutions/observability/incident-management/observability-cases.md'
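Review bot: The three `solutions/...` entries that close this hunk sit directly under the `# Watcher redirects` comment with no blank line or comment of their own, so they read as Watcher redirects; give them a separate comment line, as the Alerts and Watcher blocks have. The Watcher block also lists only child pages: nothing in the visible part of this hunk maps `explore-analyze/alerts-cases/watcher.md` or `explore-analyze/alerts-cases.md`, although other hunks in this patch relink those to `explore-analyze/alerting/watcher.md` and `explore-analyze/alerting.md`. If they are not covered earlier in the file, add them so the old URLs keep resolving.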
diff --git a/reference/fleet/alerting-rule-templates.md b/reference/fleet/alerting-rule-templates.md
index 236fff66d7..f9a492a510 100644
--- a/reference/fleet/alerting-rule-templates.md
+++ b/reference/fleet/alerting-rule-templates.md
@@ -64,6 +64,6 @@ The preconfigured defaults include:
- **Alert delay (alert suppression)**
: The number of consecutive runs for which conditions must be met before an alert is created.
-For details about fields in the Create rule form and how the rule evaluates data, refer to the [{{es}} query rule type](/explore-analyze/alerts-cases/alerts/rule-type-es-query.md).
+For details about fields in the Create rule form and how the rule evaluates data, refer to the [{{es}} query rule type](/explore-analyze/alerting/alerts/rule-type-es-query.md).
diff --git a/reference/fleet/monitor-elastic-agent.md b/reference/fleet/monitor-elastic-agent.md
index a5c726178b..a4c1ebd7a6 100644
--- a/reference/fleet/monitor-elastic-agent.md
+++ b/reference/fleet/monitor-elastic-agent.md
@@ -241,7 +241,7 @@ To do so, follow the steps in [Remote {{es}} output](/reference/fleet/remote-ela
## Enable alerts and ML jobs based on {{fleet}} and {{agent}} status [fleet-alerting]
-You can access the health status of {{fleet}}-managed {{agents}} and other {{fleet}} settings through internal {{fleet}} indices. This enables you to leverage various applications within the {{stack}} that can be triggered by the provided information. For instance, you can now create alerts and machine learning (ML) jobs based on these specific fields. Refer to the [Alerting documentation](/explore-analyze/alerts-cases.md) or see the [example](#fleet-alerting-example) on this page to learn how to define rules that can trigger actions when certain conditions are met.
+You can access the health status of {{fleet}}-managed {{agents}} and other {{fleet}} settings through internal {{fleet}} indices. This enables you to leverage various applications within the {{stack}} that can be triggered by the provided information. For instance, you can now create alerts and machine learning (ML) jobs based on these specific fields. Refer to the [Alerting documentation](/explore-analyze/alerting.md) or see the [example](#fleet-alerting-example) on this page to learn how to define rules that can trigger actions when certain conditions are met.
This functionality allows you to effectively track an agent’s status, and identify scenarios where it has gone offline, is experiencing health issues, or is facing challenges related to input or output.
diff --git a/reference/glossary/index.md b/reference/glossary/index.md
index 438e54ac3e..481aef5c2e 100644
--- a/reference/glossary/index.md
+++ b/reference/glossary/index.md
@@ -658,7 +658,7 @@ $$$glossary-rule$$$ rule
: A set of [conditions](/reference/glossary/index.md#glossary-condition), schedules, and [actions](/reference/glossary/index.md#glossary-action) that enable notifications. See [{{rules-ui}}](/reference/glossary/index.md#glossary-rules).
$$$glossary-rules$$$ Rules
-: A comprehensive view of all your alerting rules. Enables you to access and manage rules for all {{kib}} apps from one place. See [{{rules-ui}}](/explore-analyze/alerts-cases.md).
+: A comprehensive view of all your alerting rules. Enables you to access and manage rules for all {{kib}} apps from one place. See [{{rules-ui}}](/explore-analyze/alerting.md).
$$$glossary-runner$$$ runner
: A local control agent that runs on all hosts, used to deploy local containers based on role definitions. Ensures that containers assigned to it exist and are able to run, and creates or recreates the containers if necessary.
@@ -733,7 +733,7 @@ $$$glossary-split$$$ split
: Adds more [primary shards](/reference/glossary/index.md#glossary-primary-shard) to an [index](/reference/glossary/index.md#glossary-index).
$$$glossary-stack-alert$$$ stack rule
-: The general purpose rule types {{kib}} provides out of the box. Refer to [Stack rules](/explore-analyze/alerts-cases/alerts/rule-types.md#stack-rules).
+: The general purpose rule types {{kib}} provides out of the box. Refer to [Stack rules](/explore-analyze/alerting/alerts/rule-types.md#stack-rules).
$$$glossary-standalone$$$ standalone
: This mode allows manual configuration and management of {{agent}}s locally on the systems where they are installed. See [Install standalone {{agent}}s](/reference/fleet/install-standalone-elastic-agent.md).
@@ -826,7 +826,7 @@ $$$glossary-warm-tier$$$ warm tier
: [Data tier](/reference/glossary/index.md#glossary-data-tier) that contains [nodes](/reference/glossary/index.md#glossary-node) that hold time series data that is accessed less frequently and rarely needs to be updated. See [Data tiers](/manage-data/lifecycle/data-tiers.md).
$$$glossary-watcher$$$ Watcher
-: The original suite of alerting features. See [Watcher](/explore-analyze/alerts-cases/watcher.md).
+: The original suite of alerting features. See [Watcher](/explore-analyze/alerting/watcher.md).
$$$glossary-wms$$$ Web Map Service (WMS)
: A layer type in the **Maps** application. Add a WMS source to provide authoritative geographic context to your map. See the [OpenGIS Web Map Service](https://www.ogc.org/standards/wms).
diff --git a/solutions/_snippets/add-case-alerts.md b/solutions/_snippets/add-case-alerts.md
deleted file mode 100644
index 06dfbcde28..0000000000
--- a/solutions/_snippets/add-case-alerts.md
+++ /dev/null
@@ -1,10 +0,0 @@
-Escalate alerts and track them in a single place by attaching them to cases. To examine the alerts, click the **Alerts** tab in the case. In the table, alerts are organized from oldest to newest. To view alert details, click the **View details** button.
-
-You can find the **Alerts** tab in the following places:
-
-- {applies_to}`serverless:` {applies_to}`stack: ga 9.3+`: Go to the case's details page, then select the **Attachments** tab.
-- {applies_to}`stack: ga 9.0-9.2`: Go to the case's details page.
-
-::::{important}
-Each case can have a maximum of 1,000 alerts.
-::::
\ No newline at end of file
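Review bot: The `important` block removed here is the only statement in the visible part of this patch of the limit `Each case can have a maximum of 1,000 alerts.`; confirm the page that replaces this snippet keeps it. Also check that no remaining page still includes `_snippets/add-case-alerts.md`, since the patch shows the deletion but not the callers.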
diff --git a/solutions/_snippets/add-case-files.md b/solutions/_snippets/add-case-files.md
deleted file mode 100644
index e16c5cecb6..0000000000
--- a/solutions/_snippets/add-case-files.md
+++ /dev/null
@@ -1,8 +0,0 @@
-After you create a case, you can upload and manage files on the **Files** tab. To find the tab:
-
-- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab.
-- {applies_to}`stack: ga 9.0`: Go to the case's details page.
-
-To download or delete the file or copy the file hash to your clipboard, open the action menu {icon}`boxes_horizontal`. The available hash functions are MD5, SHA-1, and SHA-256.
-
-When you upload a file, a comment is added to the case activity log. To view an image, click its name in the activity or file list.
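Review bot: The `applies_to` labels in the removed bullets read `stack: ga 9.3` and `stack: ga 9.0`, while the sibling snippet `add-case-alerts.md` uses `stack: ga 9.3+` and `stack: ga 9.0-9.2` for the same two locations. If this text was moved rather than dropped, use the range form in its new home so the two locations do not appear to apply to single versions only; the same applies to the bullets removed from `add-case-observables.md`.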
diff --git a/solutions/_snippets/add-case-observables.md b/solutions/_snippets/add-case-observables.md
deleted file mode 100644
index 9fe0ccb8ca..0000000000
--- a/solutions/_snippets/add-case-observables.md
+++ /dev/null
@@ -1,27 +0,0 @@
-An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated events and better understand the severity and scope of a case.
-
-View and manage observables from the **Observables** tab. You can find the tab in the following places:
-
-- {applies_to}`stack: ga 9.3`: Go to the case's details page, then select the **Attachments** tab.
-- {applies_to}`stack: ga 9.0`: Go to the case's details page.
-
-::::{important}
-Each case can have a maximum of 50 observables.
-::::
-
-To create an observable:
-
-1. Click **Add observable** from the **Observables** tab.
-2. Provide the necessary details:
-
- * **Type**: Select a type for the observable. You can choose a preset type or a [custom one](/solutions/security/investigate/configure-case-settings.md#cases-observable-types).
- * **Value**: Enter a value for the observable. The value must align with the type you select.
- * **Description** (Optional): Provide additional information about the observable.
-
-3. Click **Add observable**.
-
-After adding an observable to a case, you can remove or edit it by using the **Actions** menu (**…**).
-
-::::{tip}
-Go to the **Similar cases** tab to access other cases with the same observables.
-::::
\ No newline at end of file
diff --git a/solutions/_snippets/search-cases.md b/solutions/_snippets/search-cases.md
deleted file mode 100644
index 50877ff82d..0000000000
--- a/solutions/_snippets/search-cases.md
+++ /dev/null
@@ -1,8 +0,0 @@
-
-The **Cases** page has a search bar for quickly finding cases and case data. You can search for case titles, descriptions, and IDs using keywords and text. Note the following rules for search:
-
-* **Keywords**: Searches for keywords (like case and alert IDs) must be exact.
-* **Text**: Text searches (such as case titles and descriptions) are case-insensitive.
-* **Syntax**: No special syntax is required when entering your search criteria.
-
-{applies_to}`stack: ga 9.3` You can also search for alert and event IDs, observable values, case comments, and custom fields (text type only). For example, you can search for a specific IP address that's been specified as an observable, a colleague's comment, or the ID of an alert that's attached to the case.
\ No newline at end of file
diff --git a/solutions/observability/apm/create-apm-rules-alerts.md b/solutions/observability/apm/create-apm-rules-alerts.md
index d11c38dece..72f371a1b4 100644
--- a/solutions/observability/apm/create-apm-rules-alerts.md
+++ b/solutions/observability/apm/create-apm-rules-alerts.md
@@ -28,7 +28,7 @@ The following APM rules are supported:
| **Latency threshold** | Alert when the latency or failed transaction rate is abnormal.Threshold rules can be as broad or as granular as you’d like, enabling you to define exactly when you want to be alerted—whether that’s at the environment level, service name level, transaction type level, and/or transaction name level. Read more in [Latency threshold rule →](/solutions/observability/incident-management/create-latency-threshold-rule.md) |
::::{tip}
-For a complete walkthrough of the **Create rule** flyout panel, including detailed information on each configurable property, see Kibana’s [Create and manage rules](/explore-analyze/alerts-cases/alerts/create-manage-rules.md).
+For a complete walkthrough of the **Create rule** flyout panel, including detailed information on each configurable property, see Kibana’s [Create and manage rules](/explore-analyze/alerting/alerts/create-manage-rules.md).
::::
@@ -67,8 +67,8 @@ From the Applications UI, select **Alerts and rules** → **Manage rules** to be
### More information [apm-alert-more-info]
-See [Alerting](/explore-analyze/alerts-cases.md) for more information.
+See [Alerting](/explore-analyze/alerting.md) for more information.
::::{note}
-If you are using an **on-premise** Elastic Stack deployment with security, communication between Elasticsearch and Kibana must have TLS configured. More information is in the alerting [prerequisites](/explore-analyze/alerts-cases/alerts/alerting-setup.md#alerting-prerequisites).
+If you are using an **on-premise** Elastic Stack deployment with security, communication between Elasticsearch and Kibana must have TLS configured. More information is in the alerting [prerequisites](/explore-analyze/alerting/alerts/alerting-setup.md#alerting-prerequisites).
::::
\ No newline at end of file
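Review bot: The note at the end of this hunk now links to the `#alerting-prerequisites` anchor in the moved `alerting-setup.md`, and the redirect entries shown in this patch are file-to-file, so verify that the heading ID survived the move. This link is the only pointer readers of this page get to the requirement that communication between Elasticsearch and Kibana has TLS configured. The file still ends without a trailing newline, which could be fixed while the last line is being touched.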
diff --git a/solutions/observability/incident-management.md b/solutions/observability/incident-management.md
index cf28ef3898..56b326d03b 100644
--- a/solutions/observability/incident-management.md
+++ b/solutions/observability/incident-management.md
@@ -17,5 +17,5 @@ Explore the topics in this section to learn how to respond to incidents detected
| | |
| --- | --- |
| [Alerting](/solutions/observability/incident-management/alerting.md) | Trigger alerts when incidents occur, and use built-in connectors to send the alerts to email, slack, or other third-party systems, such as your external incident management application. |
-| [Cases](/solutions/observability/incident-management/cases.md) | Collect and share information about {{observability}} issues by opening cases and optionally sending them to your external incident management application. |
+| [Cases](/solutions/observability/incident-management/observability-cases.md) | Collect and share information about {{observability}} issues by opening cases and optionally sending them to your external incident management application. |
| [Service-level objectives (SLOs)](/solutions/observability/incident-management/service-level-objectives-slos.md) | Set clear, measurable targets for your service performance, based on factors like availability, response times, error rates, and other key metrics. |
\ No newline at end of file
diff --git a/solutions/observability/incident-management/cases.md b/solutions/observability/incident-management/cases.md
deleted file mode 100644
index 4da5f62eb0..0000000000
--- a/solutions/observability/incident-management/cases.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/observability/current/create-cases.html
- - https://www.elastic.co/guide/en/serverless/current/observability-cases.html
-applies_to:
- stack: ga
- serverless: ga
-products:
- - id: observability
- - id: cloud-serverless
-navigation_title: Cases
----
-
-# Cases for Elastic {{observability}} [observability-cases]
-
-Collect and share information about observability issues by creating a case. Cases allow you to track key investigation details, add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to third-party systems by [configuring external connectors](/solutions/observability/incident-management/configure-case-settings.md).
-
-{applies_to}`stack: ga 9.2` Cases are automatically assigned human-readable numeric IDs, which you can use for easier referencing. Each time you create a new case in your [space](docs-content://deploy-manage/manage-spaces.md), the case ID increments by one. IDs are assigned to cases by a background task that runs every 10 minutes, which can cause a delay in ID assignment, especially in spaces with many cases. You can find the case ID after the case's name and can use it while searching the Cases table.
-
-:::{image} /solutions/images/observability-cases.png
-:alt: Cases page
-:screenshot:
-:::
-
-::::{tip}
-:applies_to: {stack: preview 9.2, serverless: unavailable}
-After creating cases, use case data to build dashboards and visualizations that provide insights into case trends and operational metrics. Refer to [Use cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more.
-::::
-
-## Limitations [observability-case-limitations]
-
-* If you create cases in {{observability}}, they are not visible from the {{security-app}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}.
-* You cannot attach alerts from {{elastic-sec}} or {{stack-manage-app}} to cases in {{observability}}.
\ No newline at end of file
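Review bot: The deleted front matter carries two `mapped_pages` URLs (`.../observability/current/create-cases.html` and `.../serverless/current/observability-cases.html`); the redirect added for this file points at `observability-cases.md`, so check that page lists the same `mapped_pages` entries. Also confirm the `Limitations` section is carried over: it states that cases created in {{observability}} are not visible from the {{security-app}} or {{stack-manage-app}} and that alerts from those apps cannot be attached, which is a visibility boundary users need documented.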
diff --git a/solutions/observability/incident-management/configure-access-to-cases.md b/solutions/observability/incident-management/configure-access-to-cases.md
deleted file mode 100644
index bcb85558e9..0000000000
--- a/solutions/observability/incident-management/configure-access-to-cases.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/observability/current/grant-cases-access.html
-products:
- - id: observability
-navigation_title: Configure access to cases
----
-
-# Configure access to cases in Elastic {{observability}} [grant-cases-access]
-
-To access and send cases to external systems, you need the [appropriate license](https://www.elastic.co/subscriptions), and your role must have the **Cases** {{kib}} privilege as a user for the **{{observability}}** feature.
-
-::::{note}
-If you are using an on-premises {{kib}} deployment and want your email notifications and external incident management systems to contain links back to {{kib}}, configure the [server.publicBaseUrl](kibana://reference/configuration-reference/general-settings.md#server-publicbaseurl) setting.
-::::
-
-
-For more details, refer to [feature access based on user privileges](/deploy-manage/manage-spaces.md#spaces-control-user-access).
-
-:::{image} /solutions/images/observability-cases-privileges.png
-:alt: cases privileges
-:screenshot:
-:::
-
-Below are the minimum required privileges for some common use cases.
-
-
-## Give full access to manage cases and settings [_give_full_access_to_manage_cases_and_settings]
-
-* `All` for the **Cases** feature under **{{observability}}**.
-* `All` for the **{{connectors-feature}}** feature under **Management**.
-
- ::::{note}
- Roles without `All` **{{connectors-feature}}** feature privileges cannot create, add, delete, or modify case connectors.
-
- By default, `All` for the **Cases** feature allows you to have full control over cases, including deleting them, editing case settings, and more. You can customize the sub-feature privileges to limit feature access.
-
- ::::
-
-
-
-## Give assignee access to cases [_give_assignee_access_to_cases]
-
-* `All` for the **Cases** feature under **{{observability}}**.
-
- ::::{note}
- Before a user can be assigned to a case, they must log into {{kib}} at least once, which creates a user profile.
- ::::
-
-
-
-## Give view-only access for cases [_give_view_only_access_for_cases]
-
-* `Read` for the **Cases** feature under **{{observability}}**.
-
- ::::{note}
- You can customize sub-feature privileges for deleting cases, deleting alerts and comments from cases, editing case settings, adding case comments and attachements, and re-opening cases.
- ::::
-
-
-
-## Give access to add alerts to cases [_give_access_to_add_alerts_to_cases]
-
-* `All` for the **Cases** feature under **{{observability}}**.
-* `Read` for an **{{observability}}** feature that has alerts.
-
-
-## Revoke all access to cases [_revoke_all_access_to_cases]
-
-* `None` for the **Cases** feature under **{{observability}}**.
-
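Review bot: No redirect for `solutions/observability/incident-management/configure-access-to-cases.md` appears among the `solutions/...` entries visible in the redirects hunk, which cover only `cases.md`; if it is not mapped elsewhere in that file, add one, for example to `explore-analyze/cases/control-case-access.md`, which is already a redirect target. This page is the privilege reference for cases (`All`, `Read` and `None` on the **Cases** feature, plus the note that roles without `All` on **{{connectors-feature}}** cannot create or modify case connectors), so confirm the replacement keeps each of those minimum-privilege sections. If the text is copied over, fix the spelling `attachements` in the view-only note.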
diff --git a/solutions/observability/incident-management/configure-case-settings.md b/solutions/observability/incident-management/configure-case-settings.md
deleted file mode 100644
index d3f12034b8..0000000000
--- a/solutions/observability/incident-management/configure-case-settings.md
+++ /dev/null
@@ -1,141 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/observability/current/manage-cases-settings.html
- - https://www.elastic.co/guide/en/serverless/current/observability-case-settings.html
-applies_to:
- stack: ga
- serverless: ga
-products:
- - id: observability
- - id: cloud-serverless
-navigation_title: Configure case settings
----
-
-# Configure case settings for Elastic {{observability}} [manage-cases-settings]
-
-% Serverless only for the following role, does stateful require a special role?
-
-::::{note}
-
-For Observability serverless projects, the **Editor** role or higher is required to create and edit connectors. To learn more, refer to [Assign user roles and privileges](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles).
-
-::::
-
-To change case closure options and add custom fields, templates, and connectors for external incident management systems, go to **Cases** → **Settings**.
-
-:::{image} /solutions/images/observability-cases-settings.png
-:alt: View case settings
-:screenshot:
-:::
-
-
-## Case closures [close-connector-observability]
-
-If you close cases in your external incident management system, the cases will remain open in Elastic Observability until you close them manually (the information is only sent in one direction).
-
-To close cases when they are sent to an external system, select **Automatically close cases when pushing new incident to external system**.
-
-
-## External incident management systems [cases-external-connectors]
-
-If you are using an external incident management system, you can integrate Elastic Observability cases with that system using *connectors*. These third-party systems are supported:
-
-* {{ibm-r}}
-* {{jira}} (including {{jira}} Service Desk)
-* {{sn-itsm}}
-* {{sn-sir}}
-* {{swimlane}}
-* TheHive
-* {{webhook-cm}}
-
-You need to create a connector to send cases, which stores the information required to interact with an external system. For each case, you can send the title, description, and comment when you choose to push the case — for the **Webhook - Case Management** connector, you can also send the status and severity fields.
-
-::::{important}
-To send cases to external systems, you need the appropriate license, and your role must have the **Cases** {{kib}} privilege as a user. For more details, refer to [Configure access to cases](/solutions/observability/incident-management/configure-access-to-cases.md).
-::::
-
-After creating a connector, you can set your cases to [automatically close](/solutions/observability/incident-management/configure-case-settings.md#close-connector-observability) when they are sent to an external system.
-
-
-### Create a connector [new-connector-observability]
-
-1. From the **Incident management system** list, select **Add new connector**.
-2. Select the system to send cases to: **{{sn}}**, **{{jira}}**, **{{ibm-r}}**, **{{swimlane}}**, **TheHive**, or **{{webhook-cm}}**.
-
- :::{image} /solutions/images/serverless-observability-cases-add-connector.png
- :alt: Add a connector to send cases to an external source
- :screenshot:
- :::
-
-3. Enter your required settings. For connector configuration details, refer to:
-
- * [{{ibm-r}} connector](kibana://reference/connectors-kibana/resilient-action-type.md)
- * [{{jira}} connector](kibana://reference/connectors-kibana/jira-action-type.md)
- * [{{sn-itsm}} connector](kibana://reference/connectors-kibana/servicenow-action-type.md)
- * [{{sn-sir}} connector](kibana://reference/connectors-kibana/servicenow-sir-action-type.md)
- * [{{swimlane}} connector](kibana://reference/connectors-kibana/swimlane-action-type.md)
- * [TheHive connector](kibana://reference/connectors-kibana/thehive-action-type.md)
- * [{{webhook-cm}} connector](kibana://reference/connectors-kibana/cases-webhook-action-type.md)
-
-4. Click **Save**.
-
-### Edit a connector [Edit-connector-observability]
-
-You can create additional connectors, update existing connectors, and change the connector used to send cases to external systems.
-
-::::{tip}
-You can also configure which connector is used for each case individually. Refer to [Create and manage cases](/solutions/observability/incident-management/create-manage-cases.md).
-
-::::
-
-To change the default connector used to send cases to external systems:
-
-1. Select the required connector from the **Incident management system** list.
-
-To update an existing connector:
-
-1. Click **Update **.
-2. Update the connector fields as required.
-
-
-## Custom fields [case-custom-fields]
-
-You can add optional and required fields for customized case collaboration.
-
-To create a custom field:
-
-1. In the **Custom fields** section, click **Add field**.
-
- :::{image} /solutions/images/observability-cases-add-custom-field.png
- :alt: Add a custom field in case settings
- :screenshot:
- :::
-
-2. You must provide a field label and type (text or toggle). You can optionally designate it as a required field and provide a default value.
-
-When you create a custom field, it’s added to all new and existing cases. In existing cases, new custom text fields initially have null values.
-
-You can subsequently remove or edit custom fields on the **Settings** page.
-
-
-## Templates [observability-case-templates]
-
-You can make the case creation process faster and more consistent by adding templates. A template defines values for one or all of the case fields (such as severity, tags, description, and title) as well as any custom fields.
-
-To create a template:
-
-1. In the **Templates** section, click **Add template**.
-
- :::{image} /solutions/images/serverless-observability-cases-templates.png
- :alt: Add a case template
- :screenshot:
- :::
-
-2. You must provide a template name and case severity. You can optionally add template tags and a description, values for each case field, and a case connector.
-
-When users create cases, they can optionally select a template and use its field values or override them.
-
-::::{note}
-If you update or delete templates, existing cases are unaffected.
-
-::::
\ No newline at end of file
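Review bot: The removed page still contains an unresolved author comment, `% Serverless only for the following role, does stateful require a special role?`, directly above the note about the **Editor** role; answer it in the replacement page instead of carrying the question forward, since it decides who may create and edit connectors. Two further items to check if the text is moved: the step `Click **Update **.` has lost the connector name it was meant to show, and no redirect for `configure-case-settings.md` under `solutions/observability/incident-management/` is visible in the redirects hunk.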
diff --git a/solutions/observability/incident-management/create-a-degraded-docs-rule.md b/solutions/observability/incident-management/create-a-degraded-docs-rule.md
index 136e9d3d73..6550b88530 100644
--- a/solutions/observability/incident-management/create-a-degraded-docs-rule.md
+++ b/solutions/observability/incident-management/create-a-degraded-docs-rule.md
@@ -125,7 +125,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.alertDetailsUrl`
: Link to the alert troubleshooting view for further context and details. This will be an empty string if the `server.publicBaseUrl` is not configured.
diff --git a/solutions/observability/incident-management/create-a-failed-docs-rule.md b/solutions/observability/incident-management/create-a-failed-docs-rule.md
index 3872c751c2..c097e655a1 100644
--- a/solutions/observability/incident-management/create-a-failed-docs-rule.md
+++ b/solutions/observability/incident-management/create-a-failed-docs-rule.md
@@ -133,7 +133,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.alertDetailsUrl`
: Link to the alert troubleshooting view for further context and details. This will be an empty string if the `server.publicBaseUrl` is not configured.
diff --git a/solutions/observability/incident-management/create-an-anomaly-detection-rule.md b/solutions/observability/incident-management/create-an-anomaly-detection-rule.md
index fa378e934c..57464ab832 100644
--- a/solutions/observability/incident-management/create-an-anomaly-detection-rule.md
+++ b/solutions/observability/incident-management/create-an-anomaly-detection-rule.md
@@ -149,7 +149,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.anomalyExplorerUrl`
: URL to open in the Anomaly Explorer.
diff --git a/solutions/observability/incident-management/create-an-apm-anomaly-rule.md b/solutions/observability/incident-management/create-an-apm-anomaly-rule.md
index 922be1f183..09be558ea7 100644
--- a/solutions/observability/incident-management/create-an-apm-anomaly-rule.md
+++ b/solutions/observability/incident-management/create-an-apm-anomaly-rule.md
@@ -116,7 +116,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.alertDetailsUrl`
: Link to the alert troubleshooting view for further context and details. This will be an empty string if the `server.publicBaseUrl` is not configured.
diff --git a/solutions/observability/incident-management/create-an-elasticsearch-query-rule.md b/solutions/observability/incident-management/create-an-elasticsearch-query-rule.md
index eadbe5364a..e206480658 100644
--- a/solutions/observability/incident-management/create-an-elasticsearch-query-rule.md
+++ b/solutions/observability/incident-management/create-an-elasticsearch-query-rule.md
@@ -187,7 +187,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.conditions`
: A string that describes the threshold condition. Example: `count greater than 4`.
diff --git a/solutions/observability/incident-management/create-an-error-count-threshold-rule.md b/solutions/observability/incident-management/create-an-error-count-threshold-rule.md
index 9ff4984778..510c90df6e 100644
--- a/solutions/observability/incident-management/create-an-error-count-threshold-rule.md
+++ b/solutions/observability/incident-management/create-an-error-count-threshold-rule.md
@@ -117,7 +117,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.alertDetailsUrl`
: Link to the alert troubleshooting view for further context and details. This will be an empty string if the `server.publicBaseUrl` is not configured.
diff --git a/solutions/observability/incident-management/create-an-inventory-rule.md b/solutions/observability/incident-management/create-an-inventory-rule.md
index 7ecad0d5dd..6eee6c3af6 100644
--- a/solutions/observability/incident-management/create-an-inventory-rule.md
+++ b/solutions/observability/incident-management/create-an-inventory-rule.md
@@ -135,7 +135,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.alertDetailsUrl`
: Link to the alert troubleshooting view for further context and details. This will be an empty string if the `server.publicBaseUrl` is not configured.
diff --git a/solutions/observability/incident-management/create-an-slo-burn-rate-rule.md b/solutions/observability/incident-management/create-an-slo-burn-rate-rule.md
index 556d2fe9e1..736baac24d 100644
--- a/solutions/observability/incident-management/create-an-slo-burn-rate-rule.md
+++ b/solutions/observability/incident-management/create-an-slo-burn-rate-rule.md
@@ -127,7 +127,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.alertDetailsUrl`
: Link to the alert troubleshooting view for further context and details. This will be an empty string if the `server.publicBaseUrl` is not configured.
diff --git a/solutions/observability/incident-management/create-custom-threshold-rule.md b/solutions/observability/incident-management/create-custom-threshold-rule.md
index 9130f66339..16b36df140 100644
--- a/solutions/observability/incident-management/create-custom-threshold-rule.md
+++ b/solutions/observability/incident-management/create-custom-threshold-rule.md
@@ -225,7 +225,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.alertDetailsUrl`
: Link to the alert troubleshooting view for further context and details. This will be an empty string if the `server.publicBaseUrl` is not configured.
diff --git a/solutions/observability/incident-management/create-failed-transaction-rate-threshold-rule.md b/solutions/observability/incident-management/create-failed-transaction-rate-threshold-rule.md
index aa88185bdd..7ed3389c28 100644
--- a/solutions/observability/incident-management/create-failed-transaction-rate-threshold-rule.md
+++ b/solutions/observability/incident-management/create-failed-transaction-rate-threshold-rule.md
@@ -117,7 +117,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.alertDetailsUrl`
: Link to the alert troubleshooting view for further context and details. This will be an empty string if the `server.publicBaseUrl` is not configured.
diff --git a/solutions/observability/incident-management/create-latency-threshold-rule.md b/solutions/observability/incident-management/create-latency-threshold-rule.md
index bc908ddec4..befe2f368e 100644
--- a/solutions/observability/incident-management/create-latency-threshold-rule.md
+++ b/solutions/observability/incident-management/create-latency-threshold-rule.md
@@ -121,7 +121,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You can also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.alertDetailsUrl`
: Link to the alert troubleshooting view for further context and details. This will be an empty string if the `server.publicBaseUrl` is not configured.
diff --git a/solutions/observability/incident-management/create-log-threshold-rule.md b/solutions/observability/incident-management/create-log-threshold-rule.md
index 078d560c96..c71792e17e 100644
--- a/solutions/observability/incident-management/create-log-threshold-rule.md
+++ b/solutions/observability/incident-management/create-log-threshold-rule.md
@@ -157,7 +157,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You an also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You an also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.alertDetailsUrl`
: Link to the alert troubleshooting view for further context and details. This will be an empty string if the `server.publicBaseUrl` is not configured.
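Review bot: the rewritten line in this hunk still reads "You an also specify"; since the line is already being touched for the link path, fix the typo to "You can also specify" so it matches the wording used in the other rule pages in this patch.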
diff --git a/solutions/observability/incident-management/create-manage-cases.md b/solutions/observability/incident-management/create-manage-cases.md
deleted file mode 100644
index 72a433541e..0000000000
--- a/solutions/observability/incident-management/create-manage-cases.md
+++ /dev/null
@@ -1,136 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/observability/current/manage-cases.html
- - https://www.elastic.co/guide/en/serverless/current/observability-create-a-new-case.html
-products:
- - id: observability
- - id: cloud-serverless
-applies_to:
- stack: all
- serverless:
- observability: all
----
-
-# Create and manage cases [observability-create-a-new-case]
-
-Open a new {{observability}} case to keep track of issues and share the details with colleagues. You can create and manage cases using the cases UI.
-
-::::{applies-switch}
-
-:::{applies-item} serverless:
-**Requirements**
-
-For {{observability}} projects, you need the appropriate [feature tier](https://www.elastic.co/pricing), and your role must have the **Editor** role or higher to create and manage cases. To learn more, refer to [Assign user roles and privileges](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles).
-:::
-
-:::{applies-item} stack:
-**Requirements**
-
-To access and send cases to external systems, you need the appropriate [subscription](https://www.elastic.co/pricing), and your role must have the required {{kib}} feature privileges. Refer to [](../incident-management/configure-access-to-cases.md) for more information.
-:::
-
-::::
-
-## Create a case [create-observability-case]
-
-To create a case:
-
-1. Find **Cases** in the main menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
-2. Click **Create case**.
-3. {applies_to}`stack: preview` {applies_to}`serverless: preview` (Optional) If you defined [templates](/solutions/observability/incident-management/configure-case-settings.md#observability-case-templates), select one to use its default field values.
-4. Give the case a name, severity, and description.
-
- ::::{tip}
- In the **Description**, you can use [Markdown](https://www.markdownguide.org/cheat-sheet) syntax to format text.
-
- ::::
-
-5. (Optional) Add a category, assignees, and tags.
-
- ::::{applies-switch}
-
- :::{applies-item} serverless:
- You can add users who are assigned the **Editor** user role (or a more permissive role) for the project.
- :::
-
- :::{applies-item} stack:
- You can add users only if they meet the necessary [prerequisites](/solutions/observability/incident-management/configure-access-to-cases.md).
- :::
-
- ::::
-
-6. If you defined [custom fields](/solutions/observability/incident-management/configure-case-settings.md#case-custom-fields), they appear in the **Additional fields** section.
-7. (Optional) Under **External Connector Fields**, you can select a connector to send cases to an external system. If you’ve created any connectors previously, they will be listed here. If there are no connectors listed, you can create one. For more information, refer to [External incident management systems](/solutions/observability/incident-management/configure-case-settings.md#cases-external-connectors).
-
- ::::{note}
- :applies_to:{stack: ga 9.3}
- When specifying **Additional fields** for an {{ibm-r}} connector, fields that are set when an incident is created or changed (for example, an incident is closed) won't display as an option.
- ::::
-
-8. After you’ve completed all of the required fields, click **Create case**.
-
-::::{tip}
-You can also create a case from an alert or add an alert to an existing case. From the **Alerts** page, click the **More options**  icon and choose either **Add to existing case** or **Create new case**, and select or complete the details as required.
-
-::::
-
-## Send cases to external incident management systems [observability-create-a-new-case-send-cases-to-external-incident-management-systems]
-
-To send a case to an external system, click the  button in the **External incident management system** section of the individual case page. This information is not sent automatically. If you make further changes to the shared case fields, you should push the case again.
-
-For more information about configuring connections to external incident management systems, refer to [](/solutions/observability/incident-management/configure-case-settings.md).
-
-
-## Manage existing cases [observability-create-a-new-case-manage-existing-cases]
-
-You can search existing cases and filter them by attributes such as assignees, categories, severity, status, and tags. You can also select multiple cases and use bulk actions to delete cases or change their attributes.
-
-{applies_to}`stack: ga 9.3` To find cases that were created during a specific time range, use the date time picker above the Cases table. The default time selection is the last 30 days. Clicking **Show all cases** displays every {{observability}} case in your space. The action also adjusts the starting time range to the date of when the first case was created.
-
-To view a case, click on its name. You can then:
-
-* Add and edit the case's description, comments, assignees, tags, status, severity, and category.
-
- {applies_to}`stack: ga 9.2+` Copy and paste images into case comments using `Ctrl/Cmd` + `C` and `Ctrl/Cmd` + `V` shortcuts. Pasted images are preformatted in Markdown.
-
-* Add a connector (if you did not select one while creating the case).
-* Send updates to external systems (if external connections are configured).
-* Refresh the case to retrieve the latest updates.
-
-## Add context and supporting materials [observability-create-a-new-case-add-context]
-
-Provide additional context and resources by adding the following to the case:
-* [Alerts](#observability-create-a-new-case-examine-alerts)
-* [Files](#observability-create-a-new-case-add-files)
-
-::::{tip}
-:applies_to: {stack: ga 9.3}
-From the **Attachments** tab, you can search for specific alert IDs and file names.
-::::
-
-### Add alerts [observability-create-a-new-case-examine-alerts]
-
-:::{include} /solutions/_snippets/add-case-alerts.md
-:::
-
-::::{note}
-[Add alerts](../../observability/incident-management/view-alerts.md#observability-view-alerts-add-alerts-to-cases) to new and existing cases from the **Alerts** page.
-::::
-
-### Add files [observability-create-a-new-case-add-files]
-
-:::{include} /solutions/_snippets/add-case-files.md
-:::
-
-::::{important}
-When you export cases as [saved objects](../../../explore-analyze/find-and-organize/saved-objects.md), the attached case files are not exported.
-::::
-
-::::{note}
-Uploaded files are also accessible from the **Files** management page, which you can find using the navigation menu or entering `Files` into the [global search field](../../../explore-analyze/find-and-organize/find-apps-and-objects.md).
-::::
-
-## Search cases [search-stack-management-cases]
-
-:::{include} /solutions/_snippets/search-cases.md
-:::
\ No newline at end of file
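Review bot: the front matter of this deleted page maps `manage-cases.html` and `observability-create-a-new-case.html`, but the replacement `observability-cases.md` added later in this patch maps `create-cases.html` and `observability-cases.html`, so the two old URLs lose their target unless another page picks them up. Please confirm where those `mapped_pages` entries and the removed heading anchors (for example `create-observability-case` and `observability-create-a-new-case-add-files`) now resolve. Also confirm that the destination page carries the two access requirements stated here (the **Editor** role on serverless, the {{kib}} feature privileges on stack) and the notice that attached case files are not exported with saved objects.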
diff --git a/solutions/observability/incident-management/create-manage-rules.md b/solutions/observability/incident-management/create-manage-rules.md
index 22e144856e..5a1871becf 100644
--- a/solutions/observability/incident-management/create-manage-rules.md
+++ b/solutions/observability/incident-management/create-manage-rules.md
@@ -96,7 +96,7 @@ When you snooze a rule, the rule checks continue to run on a schedule but the al
When a rule is in a snoozed state, you can cancel or change the duration of this state.
-To temporarily suppress notifications for *all* rules, create a [maintenance window](/explore-analyze/alerts-cases/alerts/maintenance-windows.md).
+To temporarily suppress notifications for *all* rules, create a [maintenance window](/explore-analyze/alerting/alerts/maintenance-windows.md).
## Import and export rules [observability-create-manage-rules-import-and-export-rules]
diff --git a/solutions/observability/incident-management/create-metric-threshold-rule.md b/solutions/observability/incident-management/create-metric-threshold-rule.md
index 96259e5d43..874837132d 100644
--- a/solutions/observability/incident-management/create-metric-threshold-rule.md
+++ b/solutions/observability/incident-management/create-metric-threshold-rule.md
@@ -154,7 +154,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You an also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You an also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.alertDetailsUrl`
: Link to the alert troubleshooting view for further context and details. This will be an empty string if the `server.publicBaseUrl` is not configured.
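Review bot: "You an also specify" survives on the added line of this hunk; correct it to "You can also specify" in the same change rather than carrying the typo forward under the new link path.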
diff --git a/solutions/observability/incident-management/create-monitor-status-rule.md b/solutions/observability/incident-management/create-monitor-status-rule.md
index 700d296f45..fe1aad59e1 100644
--- a/solutions/observability/incident-management/create-monitor-status-rule.md
+++ b/solutions/observability/incident-management/create-monitor-status-rule.md
@@ -113,7 +113,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You an also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You an also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.checkedAt`
: Timestamp of the monitor run.
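Review bot: the added line keeps the typo "You an also specify"; please change it to "You can also specify" while updating the link.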
diff --git a/solutions/observability/incident-management/create-tls-certificate-rule.md b/solutions/observability/incident-management/create-tls-certificate-rule.md
index 8ed1c3cf75..ddedbefb36 100644
--- a/solutions/observability/incident-management/create-tls-certificate-rule.md
+++ b/solutions/observability/incident-management/create-tls-certificate-rule.md
@@ -113,7 +113,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You an also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You an also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.checkedAt`
: Timestamp of the monitor run.
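Review bot: the added line here, and the added line in the second hunk of this file (at `@@ -265,7 +265,7 @@`), both still read "You an also specify"; fix both to "You can also specify" as part of this link update.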
@@ -265,7 +265,7 @@ Use the default notification message or customize it. You can add more context t
:screenshot:
:::
-The following variables are specific to this rule type. You an also specify [variables common to all rules](/explore-analyze/alerts-cases/alerts/rule-action-variables.md).
+The following variables are specific to this rule type. You an also specify [variables common to all rules](/explore-analyze/alerting/alerts/rule-action-variables.md).
`context.agingCommonNameAndDate`
: The common names and expiration date/time of the detected certs.
diff --git a/solutions/observability/incident-management/observability-cases.md b/solutions/observability/incident-management/observability-cases.md
new file mode 100644
index 0000000000..226ce9ec55
--- /dev/null
+++ b/solutions/observability/incident-management/observability-cases.md
@@ -0,0 +1,17 @@
+---
+navigation_title: Cases
+mapped_pages:
+ - https://www.elastic.co/guide/en/observability/current/create-cases.html
+ - https://www.elastic.co/guide/en/serverless/current/observability-cases.html
+applies_to:
+ stack: ga
+ serverless: ga
+products:
+ - id: observability
+ - id: cloud-serverless
+description: Track and manage operational incidents from detection to resolution with Elastic Observability cases.
+---
+
+# Cases for Elastic {{observability}} [observability-cases]
+
+Use cases to track and manage operational incidents from detection to resolution. You can attach related alerts, document root cause analysis, and collaborate with your team, all in one place. Cases also integrate with external incident management systems like Jira, ServiceNow, and PagerDuty, so you can coordinate response efforts across your organization. Refer to [](/explore-analyze/cases.md) for help creating, managing, and configuring cases.
\ No newline at end of file
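Review bot: the new landing page sends readers to `/explore-analyze/cases.md` for everything and gives no pointer to access prerequisites, whereas the deleted `create-manage-cases.md` linked `configure-access-to-cases.md` for the roles and privileges needed to create cases and push them to external systems. Since the body advertises the Jira, ServiceNow and PagerDuty integrations, consider adding one sentence that links the required privileges, assuming that page still exists after this restructuring. The file also ends without a trailing newline.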
diff --git a/solutions/observability/incident-management/triage-slo-burn-rate-breaches.md b/solutions/observability/incident-management/triage-slo-burn-rate-breaches.md
index 60fe1ad35d..13b4fdafb5 100644
--- a/solutions/observability/incident-management/triage-slo-burn-rate-breaches.md
+++ b/solutions/observability/incident-management/triage-slo-burn-rate-breaches.md
@@ -52,5 +52,5 @@ The contents of the alert details page may vary depending on the type of SLI tha
After investigating the alert, you may want to:
* Click **Snooze the rule** to snooze notifications for a specific time period or indefinitely.
-* Click the  icon and select **Add to case** to add the alert to a new or existing case. To learn more, refer to [Cases](/solutions/observability/incident-management/cases.md).
+* Click the  icon and select **Add to case** to add the alert to a new or existing case. To learn more, refer to [Cases](/solutions/observability/incident-management/observability-cases.md).
* Click the  icon and select **Mark as untracked**. When an alert is marked as untracked, actions are no longer generated. You can choose to move active alerts to this state when you disable or delete rules.
\ No newline at end of file
diff --git a/solutions/observability/incident-management/triage-threshold-breaches.md b/solutions/observability/incident-management/triage-threshold-breaches.md
index f8825813d3..a3d6727799 100644
--- a/solutions/observability/incident-management/triage-threshold-breaches.md
+++ b/solutions/observability/incident-management/triage-threshold-breaches.md
@@ -54,5 +54,5 @@ Analyze these charts to better understand when the breach started, it’s curren
After investigating the alert, you may want to:
* Click **Snooze the rule** to snooze notifications for a specific time period or indefinitely.
-* Click the  icon and select **Add to case** to add the alert to a new or existing case. To learn more, refer to [Cases](/solutions/observability/incident-management/cases.md).
+* Click the  icon and select **Add to case** to add the alert to a new or existing case. To learn more, refer to [Cases](/solutions/observability/incident-management/observability-cases.md).
* Click the  icon and select **Mark as untracked**. When an alert is marked as untracked, actions are no longer generated. You can choose to move active alerts to this state when you disable or delete rules.
\ No newline at end of file
diff --git a/solutions/observability/incident-management/view-alerts.md b/solutions/observability/incident-management/view-alerts.md
index 2862506570..a175249969 100644
--- a/solutions/observability/incident-management/view-alerts.md
+++ b/solutions/observability/incident-management/view-alerts.md
@@ -26,7 +26,7 @@ You can track and manage alerts for your applications and SLOs from the **Alerts
% Stateful only for the following note
::::{note}
-You can centrally manage rules from the [{{kib}} Management UI](/explore-analyze/alerts-cases/alerts/create-manage-rules.md) that provides a set of built-in [rule types](/explore-analyze/alerts-cases/alerts/rule-types.md) and [connectors](/deploy-manage/manage-connectors.md) for you to use. Click **Manage Rules**.
+You can centrally manage rules from the [{{kib}} Management UI](/explore-analyze/alerting/alerts/create-manage-rules.md) that provides a set of built-in [rule types](/explore-analyze/alerting/alerts/rule-types.md) and [connectors](/deploy-manage/manage-connectors.md) for you to use. Click **Manage Rules**.
::::
:::{image} /solutions/images/serverless-observability-alerts-view.png
@@ -86,14 +86,14 @@ The relevancy of alerts is determined by how closely they match the current aler
There are four common alert statuses:
`active`
-: The conditions for the rule are met. If the rule has [actions](../../../explore-analyze/alerts-cases/alerts/create-manage-rules.md#defining-rules-actions-details), {{kib}} generates notifications based on the actions' notification settings.
+: The conditions for the rule are met. If the rule has [actions](../../../explore-analyze/alerting/alerts/create-manage-rules.md#defining-rules-actions-details), {{kib}} generates notifications based on the actions' notification settings.
`flapping`
-: The alert switched repeatedly between active and recovered states. If actions are configured to run when its status changes, they are suppressed. Refer to [Configure alert flapping](/explore-analyze/alerts-cases/alerts/create-manage-rules.md#defining-rules-flapping-details) to learn more about configuring alert flapping for rules.
+: The alert switched repeatedly between active and recovered states. If actions are configured to run when its status changes, they are suppressed. Refer to [Configure alert flapping](/explore-analyze/alerting/alerts/create-manage-rules.md#defining-rules-flapping-details) to learn more about configuring alert flapping for rules.
`recovered`
-: The conditions for the rule are no longer met. If the rule has [recovery actions](../../../explore-analyze/alerts-cases/alerts/create-manage-rules.md#defining-rules-actions-details), {{kib}} generates notifications based on the actions' notification settings. Recovery actions only run if the rule's conditions aren't met during the current rule execution, but were in the previous one.
+: The conditions for the rule are no longer met. If the rule has [recovery actions](../../../explore-analyze/alerting/alerts/create-manage-rules.md#defining-rules-actions-details), {{kib}} generates notifications based on the actions' notification settings. Recovery actions only run if the rule's conditions aren't met during the current rule execution, but were in the previous one.
An active alert changes to recovered if the conditions for the rule that generated it are no longer met.
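Review bot: the added lines in this hunk mix two link styles for the same target, with `../../../explore-analyze/alerting/alerts/create-manage-rules.md` under `active` and `recovered` and `/explore-analyze/alerting/alerts/create-manage-rules.md` under `flapping`. Since every one of these paths is being rewritten anyway, normalize them to the absolute form so the next directory move is a single search and replace.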
@@ -169,37 +169,14 @@ Use the toolbar buttons in the upper-left of the alerts table to customize the c
* **x fields sorted**: Sort the table by one or more columns.
* **Fields**: Select the fields to display in the table.
-For example, click **Fields** and choose the `Maintenance Windows` field. If an alert was affected by a maintenance window, its identifier appears in the new column. For more information about their impact on alert notifications, refer to [{{maint-windows-cap}}](/explore-analyze/alerts-cases/alerts/maintenance-windows.md).
+For example, click **Fields** and choose the `Maintenance Windows` field. If an alert was affected by a maintenance window, its identifier appears in the new column. For more information about their impact on alert notifications, refer to [{{maint-windows-cap}}](/explore-analyze/alerting/alerts/maintenance-windows.md).
You can also use the toolbar buttons in the upper-right to customize the display options or view the table in full-screen mode.
## Add alerts to cases [observability-view-alerts-add-alerts-to-cases]
-From the Alerts table, you can add one or more alerts to a case. Click the {icon}`boxes_horizontal` icon to add the alert to a new or existing case. You can add an unlimited amount of alerts from any rule type.
-
-::::{note}
-Each case can have a maximum of 1,000 alerts.
-
-::::
-
-
-### Add an alert to a new case [observability-view-alerts-add-an-alert-to-a-new-case]
-
-To add an alert to a new case:
-
-1. Select **Add to new case**.
-2. Enter a case name, add relevant tags, and include a case description.
-3. Under **External incident management system**, select a connector. If you’ve previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`.
-4. After you’ve completed all of the required fields, click **Create case**. A notification message confirms you successfully created the case. To view the case details, click the notification link or go to the [Cases](/solutions/observability/incident-management/cases.md) page.
-
-
-### Add an alert to an existing case [observability-view-alerts-add-an-alert-to-an-existing-case]
-
-To add an alert to an existing case:
-
-1. Select **Add to existing case**.
-2. Select the case where you will attach the alert. A confirmation message displays.
+From the Alerts table, you can add one or more alerts to a case. For detailed instructions, refer to [Attach objects to cases](/explore-analyze/cases/attach-objects-to-cases.md#add-case-alerts).
## Clean up alerts [clean-up-alerts-obs]
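Review bot: the text removed under `## Add alerts to cases` included the note "Each case can have a maximum of 1,000 alerts." and two subsection anchors (`observability-view-alerts-add-an-alert-to-a-new-case` and `observability-view-alerts-add-an-alert-to-an-existing-case`), while the replacement sentence only links to `attach-objects-to-cases.md#add-case-alerts`. Please confirm that the destination states the 1,000-alert limit and that no remaining page links to the two removed anchors.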
@@ -208,4 +185,4 @@ stack: ga 9.4+, preview 9.1-9.3
serverless: ga
```
-Manage the size of alert indices in your space by clearing out alerts that are older or infrequently accessed. You can do this by [running an alert cleanup task](../../../explore-analyze/alerts-cases/alerts/view-alerts.md#clean-up-alerts), which deletes alerts according to the criteria that you define.
\ No newline at end of file
+Manage the size of alert indices in your space by clearing out alerts that are older or infrequently accessed. You can do this by [running an alert cleanup task](../../../explore-analyze/alerting/alerts/view-alerts.md#clean-up-alerts), which deletes alerts according to the criteria that you define.
\ No newline at end of file
diff --git a/solutions/observability/infra-and-hosts/discover-metrics.md b/solutions/observability/infra-and-hosts/discover-metrics.md
index 6439123843..9fdf8163c0 100644
--- a/solutions/observability/infra-and-hosts/discover-metrics.md
+++ b/solutions/observability/infra-and-hosts/discover-metrics.md
@@ -97,4 +97,4 @@ For each metric chart, you can perform the following actions:
* **Inspect** ({icon}`inspect`): Show details about the query request and response.
* **View details** ({icon}`eye`): Get additional information about the metric like metric type, dimensions, and ES|QL query.
* **Copy to dashboard** ({icon}`app_dashboard`): Save the metric chart to an existing or new [dashboard](/explore-analyze/dashboards.md).
-* **Add to case** ({icon}`app_cases`): Add the metric chart to a [case](/solutions/observability/incident-management/cases.md).
\ No newline at end of file
+* **Add to case** ({icon}`app_cases`): Add the metric chart to a [case](/solutions/observability/incident-management/observability-cases.md).
\ No newline at end of file
diff --git a/solutions/observability/synthetics/cli.md b/solutions/observability/synthetics/cli.md
index 4abc358010..a6a68757c3 100644
--- a/solutions/observability/synthetics/cli.md
+++ b/solutions/observability/synthetics/cli.md
@@ -181,7 +181,7 @@ If the journey contains external NPM packages other than the `@elastic/synthetic
This can also be set in the configuration file using [the `monitor.fields` option](/solutions/observability/synthetics/configure-projects.md#synthetics-configuration-monitor). The value defined via the CLI will take precedence.
`--maintenance-windows Array`
-: A list of maintenance window IDs used to associate every monitor with one or more [maintenance windows](/explore-analyze/alerts-cases/alerts/maintenance-windows.md). This argument accepts a variable number of values as shown in the example.
+: A list of maintenance window IDs used to associate every monitor with one or more [maintenance windows](/explore-analyze/alerting/alerts/maintenance-windows.md). This argument accepts a variable number of values as shown in the example.
Example: `--maintenance-windows "maintenance-window-ID-1" "maintenance-window-ID-2`
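Review bot: The `Example:` context line right after the changed definition is missing the closing double quote on its second value (`"maintenance-window-ID-2` inside the backticks). It is not part of the link rename, but it sits next to the edited line and would fail if copied as written; consider fixing it in this pass so the example reads `"maintenance-window-ID-1" "maintenance-window-ID-2"`.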
diff --git a/solutions/observability/synthetics/configure-lightweight-monitors.md b/solutions/observability/synthetics/configure-lightweight-monitors.md
index 42e2508b6e..3503fb4477 100644
--- a/solutions/observability/synthetics/configure-lightweight-monitors.md
+++ b/solutions/observability/synthetics/configure-lightweight-monitors.md
@@ -382,7 +382,7 @@ $$$monitor-maintenanceWindows$$$
**`maintenance_windows`**
: Type: [string](/solutions/observability/synthetics/configure-lightweight-monitors.md#synthetics-lightweight-data-string)
- A list of maintenance window IDs used to associate this monitor with one or more [maintenance windows](/explore-analyze/alerts-cases/alerts/maintenance-windows.md).
+ A list of maintenance window IDs used to associate this monitor with one or more [maintenance windows](/explore-analyze/alerting/alerts/maintenance-windows.md).
**Examples**:
diff --git a/solutions/observability/synthetics/configure-projects.md b/solutions/observability/synthetics/configure-projects.md
index 3bafc8417c..ccc05f8bc0 100644
--- a/solutions/observability/synthetics/configure-projects.md
+++ b/solutions/observability/synthetics/configure-projects.md
@@ -299,7 +299,7 @@ For information on configuring monitors individually, refer to:
* [Configure lightweight monitors](/solutions/observability/synthetics/configure-lightweight-monitors.md) for lightweight monitors
`maintenanceWindows` (`Array`)
-: A list of maintenance window IDs used to associate this monitor with one or more [maintenance windows](/explore-analyze/alerts-cases/alerts/maintenance-windows.md).
+: A list of maintenance window IDs used to associate this monitor with one or more [maintenance windows](/explore-analyze/alerting/alerts/maintenance-windows.md).
## `proxy` [synthetics-configuration-proxy]
diff --git a/solutions/security/ai/attack-discovery.md b/solutions/security/ai/attack-discovery.md
index bde524e0d9..0e86017fa7 100644
--- a/solutions/security/ai/attack-discovery.md
+++ b/solutions/security/ai/attack-discovery.md
@@ -147,7 +147,7 @@ There are several ways you can incorporate discoveries into your {{elastic-sec}}
* Click an entity’s name to open the entity details flyout and view more details that may be relevant to your investigation.
* Hover over an entity’s name to either add the entity to Timeline () or copy its field name and value to the clipboard ().
-* Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a [case](/solutions/security/investigate/cases.md). This makes it easy to share the information with your team and other stakeholders.
+* Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a [case](/solutions/security/investigate/security-cases.md). This makes it easy to share the information with your team and other stakeholders.
* Click **Investigate in timeline** to explore the discovery in [Timeline](/solutions/security/investigate/timeline.md).
* Click **View in AI Assistant** or **Add to chat** to attach the discovery to a conversation. You can then ask follow-up questions about the discovery or associated alerts.
diff --git a/solutions/security/ai/ease/ease-intro.md b/solutions/security/ai/ease/ease-intro.md
index f2f73852d9..5159a3ce9c 100644
--- a/solutions/security/ai/ease/ease-intro.md
+++ b/solutions/security/ai/ease/ease-intro.md
@@ -36,7 +36,7 @@ EASE provides a set of capabilities designed to help make the most of each secur
You can add custom information to AI Assistant's [Knowledge Base](/solutions/security/ai/ai-assistant-knowledge-base.md), either in the form of individual documents or entire indices containing numerous documents. This information informs the AI Assistant's responses and can include everything from threat intelligence, to information about your team's on-call rotation, to information about your infrastructure, and more.
-- **[Cases](/solutions/security/investigate/cases.md)**: Helps you track and share related information about security issues. Track key investigation details and collect alerts in a central location.
+- **[Cases](/solutions/security/investigate/security-cases.md)**: Helps you track and share related information about security issues. Track key investigation details and collect alerts in a central location.
:::{image} /solutions/images/security-ease-cases.png
:alt: The Cases page in an EASE project showing the default state
diff --git a/solutions/security/ai/identify-investigate-document-threats.md b/solutions/security/ai/identify-investigate-document-threats.md
index a478cf99d6..488e10b982 100644
--- a/solutions/security/ai/identify-investigate-document-threats.md
+++ b/solutions/security/ai/identify-investigate-document-threats.md
@@ -62,7 +62,7 @@ At any point in a conversation with AI Assistant, you can add data, narrative su
## Generate reports [use-case-incident-reporting-create-a-case-using-ai-assistant]
-From the AI Assistant dialog window, click **Add to case** () next to a message to add the information in that message to a [case](/solutions/security/investigate/cases.md). Cases help centralize relevant details in one place for easy sharing with stakeholders.
+From the AI Assistant dialog window, click **Add to case** () next to a message to add the information in that message to a [case](/solutions/security/investigate/security-cases.md). Cases help centralize relevant details in one place for easy sharing with stakeholders.
If you add a message that contains a discovery to a case, AI Assistant automatically adds the attack summary and all associated alerts to the case. You can also add AI Assistant messages that contain remediation steps and relevant data to the case.
diff --git a/solutions/security/dashboards/data-quality-dashboard.md b/solutions/security/dashboards/data-quality-dashboard.md
index 77149cc404..265bd48298 100644
--- a/solutions/security/dashboards/data-quality-dashboard.md
+++ b/solutions/security/dashboards/data-quality-dashboard.md
@@ -116,13 +116,13 @@ You can share data quality results to help track your team’s remediation effor
* Export results for all indices in the current data view:
1. At the top of the dashboard, under the **Check all** button, are two buttons that allow you to share results. Exported results include all the data which appears in the dashboard.
- 2. Click **Add to new case** to open a new [case](/solutions/security/investigate/cases.md).
+ 2. Click **Add to new case** to open a new [case](/solutions/security/investigate/security-cases.md).
3. Click **Copy to clipboard** to copy a Markdown report to your clipboard.
* Export results for one index:
1. View details for a checked index by clicking the **Check now** button under **Actions**.
- 2. From the **Incompatible fields** tab, select **Add to new case** to open a new [case](/solutions/security/investigate/cases.md).
+ 2. From the **Incompatible fields** tab, select **Add to new case** to open a new [case](/solutions/security/investigate/security-cases.md).
::::{note}
diff --git a/solutions/security/detect-and-alert.md b/solutions/security/detect-and-alert.md
index 45c3ef5363..30be467efa 100644
--- a/solutions/security/detect-and-alert.md
+++ b/solutions/security/detect-and-alert.md
@@ -27,7 +27,7 @@ There are several special prebuilt rules you need to know about:
* [**Endpoint protection rules**](/solutions/security/manage-elastic-defend/endpoint-protection-rules.md): Automatically create alerts based on {{elastic-defend}}'s threat monitoring and prevention.
* [**External Alerts**](detection-rules://rules/promotions/external_alerts.md): Automatically creates an alert for all incoming third-party system alerts (for example, Suricata alerts).
-If you want to receive notifications via external systems, such as Slack or email, when alerts are created, use the {{kib}} [Alerting and Actions](/explore-analyze/alerts-cases.md) framework.
+If you want to receive notifications via external systems, such as Slack or email, when alerts are created, use the {{kib}} [Alerting and Actions](/explore-analyze/alerting.md) framework.
::::{note}
To use {{kib}} Alerting for detection alert notifications in the {{stack}}, you need the [appropriate license](https://www.elastic.co/subscriptions).
diff --git a/solutions/security/detect-and-alert/add-detection-alerts-to-cases.md b/solutions/security/detect-and-alert/add-detection-alerts-to-cases.md
index 548196d18a..b852a94231 100644
--- a/solutions/security/detect-and-alert/add-detection-alerts-to-cases.md
+++ b/solutions/security/detect-and-alert/add-detection-alerts-to-cases.md
@@ -43,7 +43,7 @@ To add alerts to a new case:
If you do not assign your case a severity level, it will be assigned **Low** by default.
::::
-3. Optionally, add a category, assignees and relevant tags. You can add users only if they meet the necessary [prerequisites](/solutions/security/investigate/cases-requirements.md).
+3. Optionally, add a category, assignees and relevant tags. You can add users only if they meet the necessary [prerequisites](/explore-analyze/cases/control-case-access.md).
4. Specify whether you want to sync the status of associated alerts. It is enabled by default; however, you can toggle this setting on or off at any time. If it remains enabled, the alert’s status updates whenever the case’s status is modified.
5. Select a connector. If you’ve previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`.
6. Click **Create case** after you’ve completed all of the required fields. A confirmation message is displayed with an option to view the new case. Click the link in the notification or go to the Cases page to view the case.
diff --git a/solutions/security/detect-and-alert/create-detection-rule.md b/solutions/security/detect-and-alert/create-detection-rule.md
index 58da53009b..d44b96d83e 100644
--- a/solutions/security/detect-and-alert/create-detection-rule.md
+++ b/solutions/security/detect-and-alert/create-detection-rule.md
@@ -661,7 +661,7 @@ When configuring an {{esql}} rule’s **[Custom highlighted fields](/solutions/s
Use actions to set up notifications sent via other systems when alerts are generated.
::::{note}
-To use actions for alert notifications, you need the [appropriate license](https://www.elastic.co/subscriptions). For more information, see [Cases requirements](/solutions/security/investigate/cases-requirements.md).
+To use actions for alert notifications, you need the [appropriate license](https://www.elastic.co/subscriptions). For more information, see [Control access to cases](/explore-analyze/cases/control-case-access.md).
::::
::::{tip}
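Review bot: In the `::::{note}` at -661, the first sentence is about the license needed for actions, but "For more information" now points to `control-case-access.md`, a page whose title is about case access. The deleted `cases-requirements.md` carried the subscription note for sending cases to external systems; confirm the new target still has that content, otherwise link to a page that covers licensing for actions.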
@@ -724,7 +724,7 @@ You can use [mustache syntax](http://mustache.github.io/) to add variables to no
The following variables can be passed for all rules:
::::{note}
-Refer to [Action frequency: Summary of alerts](/explore-analyze/alerts-cases/alerts/rule-action-variables.md#alert-summary-action-variables) to learn about additional variables that can be passed if the rule’s action frequency is **Summary of alerts**.
+Refer to [Action frequency: Summary of alerts](/explore-analyze/alerting/alerts/rule-action-variables.md#alert-summary-action-variables) to learn about additional variables that can be passed if the rule’s action frequency is **Summary of alerts**.
::::
diff --git a/solutions/security/detect-and-alert/cross-cluster-search-detection-rules.md b/solutions/security/detect-and-alert/cross-cluster-search-detection-rules.md
index c2ad88396f..6cb85767ea 100644
--- a/solutions/security/detect-and-alert/cross-cluster-search-detection-rules.md
+++ b/solutions/security/detect-and-alert/cross-cluster-search-detection-rules.md
@@ -77,7 +77,7 @@ This section explains the general process for setting up cross-cluster search in
## Update a rule’s API key [update-api-key]
-Each detection rule has its own [API key](../../../explore-analyze/alerts-cases/alerts/alerting-setup.md#alerting-authorization), which determines the data and actions the rule is allowed to access. When a user creates a new rule or changes an existing rule, their current privileges are saved to the rule’s API key. If that user’s privileges change in the future, the rule **does not** automatically update with the user’s latest privileges — you must update the rule’s API key if you want to update its privileges.
+Each detection rule has its own [API key](../../../explore-analyze/alerting/alerts/alerting-setup.md#alerting-authorization), which determines the data and actions the rule is allowed to access. When a user creates a new rule or changes an existing rule, their current privileges are saved to the rule’s API key. If that user’s privileges change in the future, the rule **does not** automatically update with the user’s latest privileges — you must update the rule’s API key if you want to update its privileges.
::::{important}
A rule’s API key is different from the API key you might have created for [authentication between local and remote clusters](#set-up-ccs-rules).
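Review bot: The updated API key link keeps the relative form `../../../explore-analyze/alerting/alerts/alerting-setup.md#alerting-authorization`, while most links touched in this patch use the absolute `/explore-analyze/alerting/...` form. Consider switching to the absolute path here (and in the two `view-alerts.md#clean-up-alerts` links) so the next directory move does not require recounting `../` segments.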
diff --git a/solutions/security/detect-and-alert/manage-detection-alerts.md b/solutions/security/detect-and-alert/manage-detection-alerts.md
index 379009cc0c..e1b1fc02aa 100644
--- a/solutions/security/detect-and-alert/manage-detection-alerts.md
+++ b/solutions/security/detect-and-alert/manage-detection-alerts.md
@@ -323,4 +323,4 @@ stack: ga 9.4+, preview 9.1-9.3
serverless: ga
```
-Manage the size of alert indices in your space by clearing out alerts that are older or infrequently accessed. You can do this by [running an alert cleanup task](../../../explore-analyze/alerts-cases/alerts/view-alerts.md#clean-up-alerts), which deletes alerts according to the criteria that you define.
\ No newline at end of file
+Manage the size of alert indices in your space by clearing out alerts that are older or infrequently accessed. You can do this by [running an alert cleanup task](../../../explore-analyze/alerting/alerts/view-alerts.md#clean-up-alerts), which deletes alerts according to the criteria that you define.
\ No newline at end of file
diff --git a/solutions/security/detect-and-alert/manage-detection-rules.md b/solutions/security/detect-and-alert/manage-detection-rules.md
index 46c6d04fc1..ea6d6192d8 100644
--- a/solutions/security/detect-and-alert/manage-detection-rules.md
+++ b/solutions/security/detect-and-alert/manage-detection-rules.md
@@ -100,7 +100,7 @@ Use bulk editing to update settings on multiple rules simultaneously. Rules that
* **Index patterns**: Add or delete the index patterns used by all selected rules.
* **Tags**: Add or delete tags on all selected rules.
* **Custom highlighted fields**: Add custom highlighted fields on all selected rules. You can choose any fields that are available in the [default {{elastic-sec}} indices](/solutions/security/get-started/configure-advanced-settings.md#update-sec-indices), or enter field names from other indices. To overwrite a rule's current set of custom highlighted fields, select the **Overwrite all selected rules' custom highlighted fields** option, then click **Save**.
- * **Add rule actions**: Add [rule actions](/solutions/security/detect-and-alert/create-detection-rule.md#rule-notifications) on all selected rules. If you add multiple actions, you can specify an action frequency for each of them. To overwrite the frequency of existing actions, select the option to **Overwrite all selected rules actions**. Keep in mind that rule actions won't run during a [maintenance window](/explore-analyze/alerts-cases/alerts/maintenance-windows.md); they'll resume after the maintenance window ends.
+ * **Add rule actions**: Add [rule actions](/solutions/security/detect-and-alert/create-detection-rule.md#rule-notifications) on all selected rules. If you add multiple actions, you can specify an action frequency for each of them. To overwrite the frequency of existing actions, select the option to **Overwrite all selected rules actions**. Keep in mind that rule actions won't run during a [maintenance window](/explore-analyze/alerting/alerts/maintenance-windows.md); they'll resume after the maintenance window ends.
* **Update rule schedules**: Update the [schedules](/solutions/security/detect-and-alert/create-detection-rule.md#rule-schedule) and look-back times on all selected rules.
* **Apply Timeline template**: Apply a specified [Timeline template](/solutions/security/investigate/timeline-templates.md) to the selected rules. You can also choose **None** to remove Timeline templates from the selected rules.
diff --git a/solutions/security/detect-and-alert/reduce-notifications-alerts.md b/solutions/security/detect-and-alert/reduce-notifications-alerts.md
index bd1adcdb24..26f9954a3a 100644
--- a/solutions/security/detect-and-alert/reduce-notifications-alerts.md
+++ b/solutions/security/detect-and-alert/reduce-notifications-alerts.md
@@ -18,6 +18,6 @@ products:
| | |
| --- | --- |
| [Rule action snoozing](/solutions/security/detect-and-alert/manage-detection-rules.md#snooze-rule-actions) | **Stops a specific rule’s notification actions from running**.
Use to avoid unnecessary notifications from a specific rule. The rule continues to run and generate alerts during the snooze period, but its [notification actions](/solutions/security/detect-and-alert/create-detection-rule.md#rule-response-action) don’t run.
|
-| [Maintenance window](/explore-analyze/alerts-cases/alerts/maintenance-windows.md) | **Prevents all rules' notification actions from running**.
Use to avoid false alarms and unnecessary notifications during planned outages. All rules continue to run and generate alerts during the maintenance window, but their [notification actions](/solutions/security/detect-and-alert/create-detection-rule.md#rule-notifications) don’t run.
**Note**: Maintenance windows are a {{kib}} feature, configured outside of the {{security-app}} in **Stack Management**.
|
+| [Maintenance window](/explore-analyze/alerting/alerts/maintenance-windows.md) | **Prevents all rules' notification actions from running**.
Use to avoid false alarms and unnecessary notifications during planned outages. All rules continue to run and generate alerts during the maintenance window, but their [notification actions](/solutions/security/detect-and-alert/create-detection-rule.md#rule-notifications) don’t run.
**Note**: Maintenance windows are a {{kib}} feature, configured outside of the {{security-app}} in **Stack Management**.
|
| [Alert suppression](/solutions/security/detect-and-alert/suppress-detection-alerts.md) | **Reduces repeated or duplicate alerts**.
Use to reduce the number of alerts created when a rule meets its criteria repeatedly. Duplicate qualifying events are grouped, and only one alert is created for each group.
|
| [Rule exception](/solutions/security/detect-and-alert/rule-exceptions.md) | **Prevents a rule from creating alerts under specific conditions**.
Use to reduce false positive alerts by preventing trusted processes and network activity from generating unnecessary alerts. You can configure an exception to be used by a single rule or shared among multiple rules, but they typically don’t affect *all* rules.
|
diff --git a/solutions/security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md b/solutions/security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md
index c12b62f6ed..56d2729bf7 100644
--- a/solutions/security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md
+++ b/solutions/security/detect-and-alert/using-logsdb-index-mode-with-elastic-security.md
@@ -62,7 +62,7 @@ Alerts that are generated by threshold, {{ml}}, and event correlation sequence r
While we do not recommend using `_source` for actions, in cases where the action relies on the `_source`, the same limitations and changes apply.
-If you send alert notifications by enabling [actions](/explore-analyze/alerts-cases/alerts.md#rules-actions) to the external systems that have workflows or automations based on fields formatted from the original source, they may be affected. In particular, this can happen when the fields used are arrays of objects.
+If you send alert notifications by enabling [actions](/explore-analyze/alerting/alerts.md#rules-actions) to the external systems that have workflows or automations based on fields formatted from the original source, they may be affected. In particular, this can happen when the fields used are arrays of objects.
We recommend checking and adjusting the rule actions using `_source` before switching to logsdb index mode.
diff --git a/solutions/security/get-started/elastic-security-requirements.md b/solutions/security/get-started/elastic-security-requirements.md
index 009908658a..6ddff0862e 100644
--- a/solutions/security/get-started/elastic-security-requirements.md
+++ b/solutions/security/get-started/elastic-security-requirements.md
@@ -43,7 +43,7 @@ Changes might be required if your nodes have customized roles. When updating nod
To use {{elastic-sec}}, your role must have at least:
-* `Read` privilege for the `Security` feature in the [space](/deploy-manage/manage-spaces.md). This grants you `Read` access to all features in {{elastic-sec}} except cases. You need additional [minimum privileges](/solutions/security/investigate/cases-requirements.md) to use cases.
+* `Read` privilege for the `Security` feature in the [space](/deploy-manage/manage-spaces.md). This grants you `Read` access to all features in {{elastic-sec}} except cases. You need additional [minimum privileges](/explore-analyze/cases/control-case-access.md) to use cases.
* `Read` and `view_index_metadata` privileges for all {{elastic-sec}} indices, such as `filebeat-*`, `packetbeat-*`, `logs-*`, and `endgame-*` indices.
::::{note}
@@ -59,7 +59,7 @@ For more information about index privileges, refer to [{{es}} security privilege
There are some additional requirements for specific features:
* [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md)
-* [Cases requirements](/solutions/security/investigate/cases-requirements.md)
+* [Control access to cases](/explore-analyze/cases/control-case-access.md)
* [Entity risk scoring requirements](/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md)
* [Machine learning job and rule requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md)
* [{{elastic-defend}} requirements](/solutions/security/configure-elastic-defend/elastic-defend-requirements.md)
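Review bot: In the "additional requirements for specific features" list, the new label `Control access to cases` breaks the pattern of the neighbouring entries, which all read "… requirements". Either keep a label in that form pointing at the new path, or reword the lead-in so a page about access control fits the list.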
diff --git a/solutions/security/get-started/elastic-security-ui.md b/solutions/security/get-started/elastic-security-ui.md
index 6218164e88..9ca861d08a 100644
--- a/solutions/security/get-started/elastic-security-ui.md
+++ b/solutions/security/get-started/elastic-security-ui.md
@@ -155,7 +155,7 @@ The Assets section allows you to manage the following features:
### Cases [_cases]
-Open and track security issues. Refer to [Cases](/solutions/security/investigate/cases.md) to learn more.
+Open and track security issues. Refer to [Cases](/solutions/security/investigate/security-cases.md) to learn more.
### Entity analytics
diff --git a/solutions/security/get-started/get-started-detect-with-siem.md b/solutions/security/get-started/get-started-detect-with-siem.md
index b9722ee086..8677767768 100644
--- a/solutions/security/get-started/get-started-detect-with-siem.md
+++ b/solutions/security/get-started/get-started-detect-with-siem.md
@@ -179,7 +179,7 @@ Once you've had a chance to install detection rules and check out alerts, we rec
* View and analyze data with out-of-the-box [dashboards](/solutions/security/dashboards.md).
* Learn how to reduce your mean time to respond with [Attack Discovery](/solutions/security/ai/attack-discovery.md), an AI threat hunting feature that leverages large language models (LLMs) to analyze alerts in your environment, identify threats, and show how they correspond to the MITRE ATT&CK matrix.
-* Learn how to use [Cases](/solutions/security/investigate/cases.md) to track investigation details.
+* Learn how to use [Cases](/solutions/security/investigate/security-cases.md) to track investigation details.
* Download the "Guide to high-volume data sources for SIEM" [white paper](https://www.elastic.co/campaigns/guide-to-high-volume-data-sources-for-siem?elektra=organic&storm=CLP&rogue=siem-gic).
* Check out [Elastic Security Labs](https://www.elastic.co/security-labs) for the latest on threat research.
* Learn how to manage your [data lifecycle](/manage-data/lifecycle.md), including how long data is retained, and how to transition indices through data tiers according to your performance needs and retention policies.
\ No newline at end of file
diff --git a/solutions/security/investigate.md b/solutions/security/investigate.md
index cd268251ec..a61f6ade0e 100644
--- a/solutions/security/investigate.md
+++ b/solutions/security/investigate.md
@@ -15,7 +15,7 @@ products:
The following are tools for investigating security events and tracking security issues directly in the {{security-app}}.
-* [**Cases**](investigate/cases.md): Track investigation details about security issues.
+* [**Cases**](investigate/security-cases.md): Track investigation details about security issues.
* [**Timelines**](investigate/timeline.md): Workspace for investigations and threat hunting.
* [**Osquery**](investigate/osquery.md): Run live and scheduled queries on operating systems.
* [**Intelligence**](../../troubleshoot/security/indicators-of-compromise.md): Indicators of compromise used for threat intelligence.
diff --git a/solutions/security/investigate/cases-requirements.md b/solutions/security/investigate/cases-requirements.md
deleted file mode 100644
index 5986cffb3c..0000000000
--- a/solutions/security/investigate/cases-requirements.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/case-permissions.html
- - https://www.elastic.co/guide/en/serverless/current/security-cases-requirements.html
-applies_to:
- stack: all
- serverless:
- security: all
-products:
- - id: security
- - id: cloud-serverless
----
-
-# Cases requirements [security-cases-requirements]
-
-::::{note}
-- To send cases to external systems, ensure you have the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project feature tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
-
-- You need particular subscriptions and privileges to manage case attachments. For example in {{stack}}, to add alerts to cases, you must have privileges for [managing alerts](/solutions/security/detect-and-alert/detections-privileges.md). In {{serverless-short}}, you need the Security Analytics Complete [project feature tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
-
-- If you have an on-premises deployment and want email notifications and external incident management systems to contain links back to {{kib}}, you must configure the [server.publicBaseUrl](kibana://reference/configuration-reference/general-settings.md#server-publicbaseurl) setting.
-::::
-
-
-To grant access to cases in a custom role, set the privileges for the **Cases** and **{{connectors-feature}}** features as follows:
-
-% Management might be called Stack Management in Serverless.
-
-| Action | {{kib}} Privileges |
-| --- | --- |
-| Give full access to manage cases and settings | - **All** for the **Cases** feature under **Security**
- **All** for the **{{connectors-feature}}** feature under **Management**
**Note:** Roles without **All** privileges for the **{{connectors-feature}}** feature cannot create, add, delete, or modify case connectors.
By default, **All** for the **Cases** feature allows you to have full control over cases, including deleting them, editing case settings, and more.
|
-| Give assignee access to cases | **All** for the **Cases** feature under **Security**
**Note:** Before a user can be assigned to a case, they must log into {{kib}} at least once, which creates a user profile.
|
-| Give view-only access for cases | **Read** for the **Security** feature and **All** for the **Cases** feature
**Note:** You can customize the sub-feature privileges to allow access to deleting cases, deleting alerts and comments from cases, viewing or editing case settings, adding case comments and attachments, and re-opening cases.
|
-| Revoke all access to cases | **None** for the **Cases** feature under **Security** |
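Review bot: Deleting this file drops its two `mapped_pages` entries (`case-permissions.html` and `security-cases-requirements.html`) and the `::::{note}` about `server.publicBaseUrl` and attachment privileges. The rest of the patch repoints readers to `/explore-analyze/cases/control-case-access.md`, so confirm that page carries the `mapped_pages` entries if they are still needed, includes the privileges table and the note content, and that the removed path is redirected.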
diff --git a/solutions/security/investigate/cases.md b/solutions/security/investigate/cases.md
deleted file mode 100644
index fb00137593..0000000000
--- a/solutions/security/investigate/cases.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/cases-overview.html
- - https://www.elastic.co/guide/en/serverless/current/security-cases-overview.html
-applies_to:
- stack: all
- serverless:
- security: all
-products:
- - id: security
- - id: cloud-serverless
-navigation_title: Cases
----
-
-# Cases for {{elastic-sec}} [security-cases-overview]
-
-Collect and share information about security issues by opening a case in {{elastic-sec}}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {{elastic-sec}} UI provides several ways to create and manage cases. Alternatively, you can use the [cases API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-cases) to perform the same tasks.
-
-{applies_to}`stack: ga 9.2` Cases are automatically assigned human-readable numeric IDs, which you can use for easier referencing. Each time you create a new case in your [space](docs-content://deploy-manage/manage-spaces.md), the case ID increments by one. IDs are assigned to cases by a background task that runs every 10 minutes, which can cause a delay in ID assignment, especially in spaces with many cases. You can find the case ID after the case's name and can use it while searching the Cases table.
-
-You can also send cases to these external systems by [configuring external connectors](/solutions/security/investigate/configure-case-settings.md#cases-ui-integrations):
-
-* {{sn-itsm}}
-* {{sn-sir}}
-* {{jira}} (including Jira Service Desk)
-* {{ibm-r}}
-* {{swimlane}}
-* {{webhook-cm}}
-
-:::{image} /solutions/images/security-cases-home-page.png
-:alt: Case UI Home
-:screenshot:
-:::
-
-::::{tip}
-:applies_to: {stack: preview 9.2, serverless: unavailable}
-After creating cases, use case data to build dashboards and visualizations that provide insights into case trends and operational metrics. Refer to [Cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more.
-::::
-
-
-## Limitations [security-case-limitations]
-
-* If you create cases in the {{security-app}}, they are not visible from {{observability}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in {{elastic-sec}} or {{observability}}.
-* You cannot attach alerts from the {{observability}} or {{stack-manage-app}} to cases in {{elastic-sec}}.
-
-
-
-
-
-
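Review bot: The `## Limitations [security-case-limitations]` section removed here has no counterpart in the new `security-cases.md` added later in this patch. It states that cases created in the {{security-app}} are not visible from {{observability}} or {{stack-manage-app}}, and that alerts from those apps cannot be attached to {{elastic-sec}} cases. The `stack: ga 9.2` paragraph on numeric case IDs and the 10-minute background task is also absent from the new page. Please confirm both landed in `/explore-analyze/cases.md`, or carry them into the new Security page, since the cross-solution visibility limit is what analysts run into when a case appears to be missing.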
diff --git a/solutions/security/investigate/configure-case-settings.md b/solutions/security/investigate/configure-case-settings.md
deleted file mode 100644
index e156498f76..0000000000
--- a/solutions/security/investigate/configure-case-settings.md
+++ /dev/null
@@ -1,161 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/cases-manage-settings.html
- - https://www.elastic.co/guide/en/serverless/current/security-cases-settings.html
-applies_to:
- stack: all
- serverless:
- security: all
-products:
- - id: security
- - id: cloud-serverless
-navigation_title: Configure case settings
----
-
-# Configure case settings for {{elastic-sec}} [security-cases-settings]
-
-This page explains how to change case closure options, add custom fields, templates, and connectors for external incident management systems, and create custom observable types.
-First, find **Cases** in the navigation menu or search for `Security/Cases` by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then click **Settings**. In {{serverless-short}}, you can access case settings in an {{elastic-sec}} project, go to **Cases** → **Settings**.
-
-:::{image} /solutions/images/security-cases-settings.png
-:alt: Shows the case settings page
-:screenshot:
-:::
-
-::::{note}
-On {{stack}}, view and change case settings, you must have the appropriate {{kib}} feature privileges. Refer to [Cases requirements](/solutions/security/investigate/cases-requirements.md).
-::::
-
-
-
-## Case closures [close-sent-cases]
-
-If you close cases in your external incident management system, the cases will remain open in {{elastic-sec}} until you close them manually.
-
-To close cases when they are sent to an external system, select the option to automatically close cases when pushing new incident to external system.
-
-
-## External incident management systems [cases-ui-integrations]
-
-You can push {{elastic-sec}} cases to these third-party systems:
-
-* {{sn-itsm}}
-* {{sn-sir}}
-* {{jira}} (including Jira Service Desk)
-* {{ibm-r}}
-* {{swimlane}}
-* {{hive}}
-* {{webhook-cm}}
-
-To push cases, you need to create a connector, which stores the information required to interact with an external system. After you have created a connector, you can set {{elastic-sec}} cases to automatically close when they are sent to external systems.
-
-::::{important}
-To create connectors and send cases to external systems, ensure you have the appropriate role privileges and [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project feature tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). For more information, refer to [Cases requirements](/solutions/security/investigate/cases-requirements.md).
-::::
-
-
-To create a new connector:
-
-1. From the **Incident management system** list, select **Add new connector**.
-2. Select the system to send cases to: **{{sn}}**, **{{jira}}**, **{{ibm-r}}**, **{{swimlane}}**, **{{hive}}**, or **{{webhook-cm}}**.
-3. Enter your required settings. For connector configuration details, refer to:
-
- * [{{sn-itsm}} connector](kibana://reference/connectors-kibana/servicenow-action-type.md)
- * [{{sn-sir}} connector](kibana://reference/connectors-kibana/servicenow-sir-action-type.md)
- * [{{jira}} connector](kibana://reference/connectors-kibana/jira-action-type.md)
- * [{{ibm-r}} connector](kibana://reference/connectors-kibana/resilient-action-type.md)
- * [{{swimlane}} connector](kibana://reference/connectors-kibana/swimlane-action-type.md)
- * [{{hive}} connector](kibana://reference/connectors-kibana/thehive-action-type.md)
- * [{{webhook-cm}} connector](kibana://reference/connectors-kibana/cases-webhook-action-type.md)
-
-
-To change the settings of an existing connector:
-
-1. Select the required connector from the incident management system list.
-2. Click **Update **.
-3. In the **Edit connector** flyout, modify the connector fields as required, then click **Save & close** to save your changes.
-
-To change the default connector used to send cases to external systems, select the required connector from the incident management system list.
-
-
-### Mapped case fields [mapped-case-fields]
-
-When you export an {{elastic-sec}} case to an external system, case fields are mapped to existing fields in the external system. For example, the case title is mapped to the short description in {{sn}} and the summary in {{jira}} incidents. Case tags are mapped to labels in {{jira}}. Case comments are mapped to work notes in {{sn}}.
-
-When you use a {{webhook-cm}} connector, case fields can be mapped to custom or existing fields.
-
-When you push updates to external systems, mapped fields are either overwritten or appended, depending on the field and the connector.
-
-Retrieving data from external systems is not supported.
-
-
-## Custom fields [cases-ui-custom-fields]
-
-You can add optional and required fields for customized case collaboration.
-
-1. In the **Custom fields** section, click **Add field**.
-
- :::{image} /solutions/images/security-cases-add-custom-field.png
- :alt: Add a custom field in case settings
- :screenshot:
- :::
-
-2. You must provide a field label and type (text or toggle). You can optionally designate it as a required field and provide a default value.
-
-When you create a custom field, it’s added to all new and existing cases. In existing cases, new custom text fields initially have null values.
-
-You can subsequently remove or edit custom fields on the **Settings** page.
-
-
-## Templates [cases-templates]
-
-You can make the case creation process faster and more consistent by adding templates. A template defines values for one or all of the case fields (such as severity, tags, description, and title) as well as any custom fields.
-
-To create a template:
-
-1. In the **Templates** section, click **Add template**.
-
- :::{image} /solutions/images/security-cases-add-template.png
- :alt: Add a template in case settings
- :screenshot:
- :::
-
-2. You must provide a template name and case severity. You can optionally add template tags and a description, values for each case field, and a case connector.
-
-When users create cases, they can optionally select a template and use its values or override them.
-
-::::{note}
-If you update or delete templates, existing cases are unaffected.
-::::
-
-
-
-## Observable types [cases-observable-types]
-
-::::{admonition} Requirements
-Ensure you have the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project feature tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
-
-::::
-
-
-Create custom observable types for enhanced case collaboration.
-
-1. In the **Observable types** section, click **Add observable type**.
-2. Enter a descriptive label for the observable type, then click **Save**.
-
-After creating a new observable type, you can remove or edit it from the **Settings** page.
-
-::::{note}
-You can create up to 10 custom observable types.
-::::
-
-
-::::{important}
-Deleting a custom observable type deletes all instances of it.
-::::
-
-
-:::{image} /solutions/images/security-cases-observable-types.png
-:alt: Add an observable type in case settings
-:screenshot:
-:::
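Review bot: The `mapped_pages` entries at the top of this deleted file (`cases-manage-settings.html` and `security-cases-settings.html`) are not picked up by the new `security-cases.md`, whose `mapped_pages` list only the overview and open-manage URLs. Unless the replacement settings page under `/explore-analyze/` carries them, the legacy URL mapping for case settings is lost. Also confirm that the feature-privilege note under the page title and the `important` block stating that deleting a custom observable type deletes all instances of it both survive in the shared page.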
diff --git a/solutions/security/investigate/indicators-of-compromise.md b/solutions/security/investigate/indicators-of-compromise.md
index cb66f71878..6ffbd7ef07 100644
--- a/solutions/security/investigate/indicators-of-compromise.md
+++ b/solutions/security/investigate/indicators-of-compromise.md
@@ -125,7 +125,7 @@ To add indicators to cases:
2. Select one of the following:
* **Add to existing case**: From the **Select case** dialog box, select the case to which you want to attach the indicator.
- * **Add to new case**: Configure the case details. Refer to [Open a new case](/solutions/security/investigate/open-manage-cases.md#cases-ui-open) to learn more about opening a new case.
+ * **Add to new case**: Configure the case details. Refer to [Open a new case](/explore-analyze/cases/create-cases.md) to learn more about opening a new case.
The indicator is added to the case as a new comment.
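Review bot: The replacement link on the **Add to new case** line drops the section anchor. The old target was `open-manage-cases.md#cases-ui-open`; the new one is the top of `/explore-analyze/cases/create-cases.md`. If that page has a dedicated section for opening a case, link to its anchor so the "Open a new case" link text lands on the matching heading. Otherwise, adjust the link text to match the destination page.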
diff --git a/solutions/security/investigate/open-manage-cases.md b/solutions/security/investigate/open-manage-cases.md
deleted file mode 100644
index 87f9b2c627..0000000000
--- a/solutions/security/investigate/open-manage-cases.md
+++ /dev/null
@@ -1,313 +0,0 @@
----
-navigation_title: Open and manage cases
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/cases-open-manage.html
- - https://www.elastic.co/guide/en/serverless/current/security-cases-open-manage.html
-applies_to:
- stack: all
- serverless:
- security: all
-products:
- - id: security
- - id: cloud-serverless
----
-
-# Open and manage cases in Elastic Security [security-cases-open-manage]
-
-You can create and manage cases using the UI or the [cases API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-cases).
-
-:::{note}
-**Requirements**
-
-To access and send cases to external systems, you need the appropriate [subscription or feature tier](https://www.elastic.co/pricing), and your role must have the required {{kib}} feature privileges. Refer to [](/solutions/security/investigate/cases-requirements.md) for more information.
-:::
-
-## Open a new case [cases-ui-open]
-
-Open a new case to keep track of security issues and share their details with colleagues.
-
-1. Find **Cases** in the navigation menu or search for `Security/Cases` by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then click **Create case**. If no cases exist, the Cases table will be empty and you’ll be prompted to create one by clicking the **Create case** button inside the table.
-2. {applies_to}`stack: preview` {applies_to}`serverless: preview` If you defined [templates](/solutions/security/investigate/configure-case-settings.md#cases-templates), you can optionally select one to use its default field values.
-3. Give the case a name, assign a severity level, and provide a description. You can use [Markdown](https://www.markdownguide.org/cheat-sheet) syntax in the case description.
-
- ::::{note}
- If you do not assign your case a severity level, it will be assigned **Low** by default.
- ::::
-
-
- ::::{tip}
- You can insert a Timeline link in the case description by clicking the Timeline icon ().
- ::::
-
-4. Optionally, add a category, assignees and relevant tags. You can add users only if they meet the necessary [prerequisites](/solutions/security/investigate/cases-requirements.md).
-5. {applies_to}`stack: preview` {applies_to}`serverless: preview` If you defined [custom fields](/solutions/security/investigate/configure-case-settings.md#cases-ui-custom-fields), they appear in the **Additional fields** section.
-6. Choose if you want alert statuses to sync with the case’s status after they are added to the case. This option is turned on by default, but you can turn it off after creating the case.
-7. {applies_to}`stack: ga 9.2+` With the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project feature tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md), you can choose to automatically extract observables from alerts that you're adding to the case. This option is turned on by default. You can turn it off after creating the case by toggling **Auto-extract observables** on the case's **Observables** tab.
-8. (Optional) Under **External Connector Fields**, you can select a connector to send cases to an external system. If you’ve created any connectors previously, they will be listed here. If there are no connectors listed, you can create one. For more information, refer to [External incident management systems](/solutions/security/investigate/configure-case-settings.md#cases-ui-integrations)
-
- ::::{note}
- :applies_to: stack: ga 9.3+
- When specifying **Additional fields** for an {{ibm-r}} connector, fields that are set when an incident is created or changed (for example, an incident is closed) won't display as an option.
- ::::
-
-9. Click **Create case**.
-
- ::::{note}
- If you’ve selected a connector for the case, the case is automatically pushed to the third-party system it’s connected to.
- ::::
-
-% Check with Lisa if email notifications is an ESS-only feature. Not in Serverless docs: https://www.elastic.co/guide/en/serverless/current/security-cases-open-manage.html
-
-## Add email notifications [cases-ui-notifications]
-
-You can configure email notifications that occur when users are assigned to cases.
-
-For {{kib}} on {{ecloud}}:
-
-1. Add the email domains to the [notifications domain allowlist](/explore-analyze/alerts-cases/alerts.md).
-
- You do not need to take any more steps to configure an email connector or update {{kib}} user settings, since the preconfigured Elastic-Cloud-SMTP connector is used by default.
-
-
-For self-managed {{kib}}:
-
-1. Create a preconfigured email connector.
-
- ::::{note}
- At this time, email notifications support only [preconfigured email connectors](kibana://reference/connectors-kibana/pre-configured-connectors.md), which are defined in the [`kibana.yml`](/deploy-manage/stack-settings.md) file.
- ::::
-
-2. Set the `notifications.connectors.default.email` {{kib}} setting to the name of your email connector.
-3. If you want the email notifications to contain links back to the case, you must configure the [server.publicBaseUrl](kibana://reference/configuration-reference/general-settings.md#server-publicbaseurl) setting.
-
-When you subsequently add assignees to cases, they receive an email.
-
-
-## Manage existing cases [cases-ui-manage]
-
-From the Cases page, you can search existing cases and filter them by attributes such as assignees, categories, severity, status, and tags. You can also select multiple cases and use bulk actions to delete cases or change their attributes. General case metrics, including how long it takes to close cases, are provided above the table.
-
-{applies_to}`stack: ga 9.3+` To find cases that were created during a specific time range, use the date time picker above the Cases table. The default time selection is the last 30 days. Clicking **Show all cases** displays every {{elastic-sec}} case in your space. The action also adjusts the starting time range to the date of when the first case was created.
-
-To explore a case, click on its name. You can then:
-
-* [Review the case summary](/solutions/security/investigate/open-manage-cases.md#cases-summary).
-* Modify the case’s description, assignees, category, severity, status, and tags.
-* Add and manage [comments](/solutions/security/investigate/open-manage-cases.md#cases-manage-comments) and [lens visualization](/solutions/security/investigate/open-manage-cases.md#cases-lens-visualization).
-
- {applies_to}`stack: ga 9.2+` Copy and paste images into case comments using `Ctrl/Cmd` + `C` and `Ctrl/Cmd` + `V` shortcuts. Pasted images are preformatted in Markdown.
-
- ::::{tip}
- Comments can contain Markdown. For syntax help, click the Markdown icon () in the bottom right of the comment.
- ::::
-
-* Add and manage the following items:
- * [Alerts](/solutions/security/investigate/open-manage-cases.md#cases-examine-alerts)
- * [Indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case)
- * {applies_to}`stack: ga 9.2+` [Events](/solutions/security/investigate/open-manage-cases.md#cases-examine-events)
- * [Files](/solutions/security/investigate/open-manage-cases.md#cases-add-files)
- * [Observables](/solutions/security/investigate/open-manage-cases.md#cases-add-observables)
-* [Manage connectors](/solutions/security/investigate/configure-case-settings.md#cases-ui-integrations) and send updates to external systems (if you’ve added a connector to the case).
-* [Copy the case UUID](/solutions/security/investigate/open-manage-cases.md#cases-copy-case-uuid)
-* Refresh the case to retrieve the latest updates.
-
-
-### Review the case summary [cases-summary]
-
-Click on an existing case to access its summary. The case summary, located under the case title, contains metrics that summarize alert information and response times. These metrics update when you attach additional unique alerts to the case, add connectors, or modify the case’s status:
-
-* **Total alerts**: Total number of unique alerts attached to the case
-* **Associated users**: Total number of unique users that are represented in the attached alerts
-* **Associated hosts**: Total number of unique hosts that are represented in the attached alerts
-* **Total connectors**: Total number of connectors that have been added to the case
-* **Case created**: Date and time that the case was created
-* **Open duration**: Time elapsed since the case was created
-* **In progress duration**: How long the case has been in the `In progress` state
-* **Duration from creation to close**: Time elapsed from when the case was created to when it was closed
-
-### Manage case comments [cases-manage-comments]
-
-To edit, delete, or quote a comment, select the appropriate option from the **More actions** menu (**…**).
-
-:::{image} /solutions/images/security-cases-manage-comments.png
-:alt: Shows you a summary of the case
-:screenshot:
-:::
-
-## Add context and supporting materials [cases-add-context]
-
-Provide additional context and resources by adding the following to the case:
-* [Alerts](#cases-examine-alerts)
-* [Indicators](/solutions/security/investigate/indicators-of-compromise.md#review-indicator-in-case)
-* {applies_to}`stack: ga 9.2.0` [Events](#cases-examine-events)
-* [Files](#cases-add-files)
-* [Observables](#cases-add-observables)
-
-::::{tip}
-:applies_to: {stack: ga 9.3}
-From the **Attachments** tab, you can search for specific observable values, alert and event IDs, and file names.
-::::
-
-### Add alerts [cases-examine-alerts]
-
-:::{include} /solutions/_snippets/add-case-alerts.md
-:::
-
-::::{note}
-Add alerts to new and existing cases from [Timeline](/solutions/security/investigate/timeline.md) or the [**Alerts** page](/solutions/security/detect-and-alert/add-detection-alerts-to-cases.md).
-::::
-
-### Add events [cases-examine-events]
-```{applies_to}
-stack: ga 9.2
-```
-
-Escalate events and track them in a single place by attaching them to cases. You can add events from an investigation that you've opened in Timeline, or from the **Events** tab on the **Hosts**, **Network**, or **Users** pages.
-
-After adding events to a case, go to the **Events** tab to examine them. Within the tab, events are organized from newest to oldest. Click the **View details** button to find out more about the event.
-
-You can find the **Events** tab in the following places:
-
-- {applies_to}`serverless:` {applies_to}`stack: ga 9.3+`: Go to the case's details page, then select the **Attachments** tab.
-- {applies_to}`stack: ga =9.2`: Go to the case's details page.
-
-### Add files [cases-add-files]
-
-:::{include} /solutions/_snippets/add-case-files.md
-:::
-
-::::{important}
-When you export cases as [saved objects](../../../explore-analyze/find-and-organize/saved-objects.md), the attached case files are not exported.
-::::
-
-::::{note}
-Uploaded files are also accessible from the **Files** management page, which you can find using the navigation menu or entering `Files` into the [global search field](../../../explore-analyze/find-and-organize/find-apps-and-objects.md).
-::::
-
-### Add observables [cases-add-observables]
-
-:::{include} /solutions/_snippets/add-case-observables.md
-:::
-
-{applies_to}`stack: ga 9.2` With the appropriate [{{stack}} subscription](https://www.elastic.co/pricing) or [{{serverless-short}} project feature tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md), you can use **Auto-extract observables** to instantly extract observables from alerts that you're adding to the case. After creating a new case, you have the option to turn it off by toggling **Auto-extract observables** on the case's **Observables** tab.
-
-## Copy the case UUID [cases-copy-case-uuid]
-
-Each case has a universally unique identifier (UUID) that you can copy and share. To copy a case’s UUID to a clipboard, go to the **Cases** page and select **Actions** → **Copy Case ID** for the case you want to share. Alternatively, go to a case’s details page, then from the **More actions** menu (…), select **Copy Case ID**.
-
-:::{image} /solutions/images/security-cases-copy-case-id.png
-:alt: Copy Case ID option in More actions menu
-:width: 250px
-:screenshot:
-:::
-
-## Add a Lens visualization [cases-lens-visualization]
-
-::::{warning}
-This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
-::::
-
-
-Add a Lens visualization to your case to portray event and alert data through charts and graphs.
-
-:::{image} /solutions/images/security-add-vis-to-case.gif
-:alt: Shows how to add a visualization to a case
-:screenshot:
-:::
-
-To add a Lens visualization to a comment within your case:
-
-1. Click the **Visualization** button. The **Add visualization** dialog appears.
-2. Select an existing visualization from your Visualize Library or create a new visualization.
-
- ::::{important}
- Set an absolute time range for your visualization. This ensures your visualization doesn’t change over time after you save it to your case, and provides important context for others managing the case.
- ::::
-
-3. Save the visualization to your Visualize Library by clicking the **Save to library** button (optional).
-
- 1. Enter a title and description for the visualization.
- 2. Choose if you want to keep the **Update panel on Security** activated. This option is activated by default and automatically adds the visualization to your Visualize Library.
-
-4. After you’ve finished creating your visualization, click **Save and return** to go back to your case.
-5. Click **Preview** to show how the visualization will appear in the case comment.
-6. Click **Add Comment** to add the visualization to your case.
-
-Alternatively, while viewing a [dashboard](/solutions/security/dashboards.md) you can open a panel’s menu then click **More actions (…) → Add to existing case** or **More actions (…) → Add to new case**.
-
-After a visualization has been added to a case, you can modify or interact with it by clicking the **Open Visualization** option in the case’s comment menu.
-
-:::{image} /solutions/images/security-cases-open-vis.png
-:alt: Shows where the Open Visualization option is
-:screenshot:
-:::
-
-## Export and import cases [cases-export-import]
-
-Cases can be [exported](/solutions/security/investigate/open-manage-cases.md#cases-export) and [imported](/solutions/security/investigate/open-manage-cases.md#cases-import) as saved objects using the {{kib}} [Saved Objects](/explore-analyze/find-and-organize/saved-objects.md) UI.
-
-::::{important}
-Before importing Lens visualizations, Timelines, or alerts into a space, ensure their data is present. Without it, they won’t work after being imported.
-::::
-
-
-
-### Export a case [cases-export]
-
-Use the **Export** option to move cases between different {{elastic-sec}} instances. When you export a case, the following data is exported to a newline-delimited JSON (`.ndjson`) file:
-
-* Case details
-* User actions
-* Text string comments
-* Case alerts
-* Lens visualizations (exported as JSON blobs).
-
-::::{note}
-The following attachments are *not* exported:
-
-* **Case files**: Case files are not exported. However, they are accessible from **Files** (find **Files** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md)) to download and re-add.
-* **Alerts**: Alerts attached to cases are not exported. You must re-add them after importing cases.
-
-::::
-
-
-To export a case:
-
-1. Find **Saved Objects** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
-2. Search for the case by choosing a saved object type or entering the case title in the search bar.
-3. Select one or more cases, then click the **Export** button.
-4. Click **Export**. A confirmation message that your file is downloading displays.
-
- ::::{tip}
- Keep the **Include related objects** option enabled to ensure connectors are exported too.
- ::::
-
-
-:::{image} /solutions/images/security-cases-export-button.png
-:alt: Shows the export saved objects workflow
-:screenshot:
-:::
-
-
-### Import a case [cases-import]
-
-To import a case:
-
-1. Find **Saved Objects** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
-2. Click **Import**.
-3. Select the NDJSON file containing the exported case and configure the import options.
-4. Click **Import**.
-5. Review the import log and click **Done**.
-
- ::::{important}
- Be mindful of the following:
-
- * If the imported case had connectors attached to it, you’ll be prompted to re-authenticate the connectors. To do so, click **Go to connectors** on the **Import saved objects** flyout and complete the necessary steps. You can also access connectors from the **{{connectors-ui}}** page (find **{{connectors-ui}}** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md)).
- * If the imported case had attached alerts, verify that the alerts' source documents exist in the environment. Case features that interact with alerts (such as the Alert details flyout and rule details page) rely on the alerts' source documents to function.
-
- ::::
-
-## Search cases [search-security-cases]
-
-:::{include} /solutions/_snippets/search-cases.md
-:::
\ No newline at end of file
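Review bot: In the removed `### Export a case` section, the exported-data list includes "Case alerts" while the note directly below says "Alerts attached to cases are not exported." If this text was moved rather than rewritten, fix the contradiction in the destination page. Separately, this file's anchors (`#cases-ui-open`, `#cases-examine-alerts`, `#cases-add-files`, `#cases-add-observables`, `#cases-export`, `#cases-import`) disappear with it, and `cases-examine-events` becomes `cases-add-events` in `security-cases.md`. Any remaining inbound links to `open-manage-cases.md#...` need updating or a redirect. The `% Check with Lisa ...` comment above `## Add email notifications` points to an open question about serverless applicability; resolve it before that section is republished elsewhere.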
diff --git a/solutions/security/investigate/security-cases.md b/solutions/security/investigate/security-cases.md
new file mode 100644
index 0000000000..15aa0049b0
--- /dev/null
+++ b/solutions/security/investigate/security-cases.md
@@ -0,0 +1,66 @@
+---
+navigation_title: Cases
+mapped_pages:
+ - https://www.elastic.co/guide/en/security/current/cases-overview.html
+ - https://www.elastic.co/guide/en/serverless/current/security-cases-overview.html
+ - https://www.elastic.co/guide/en/security/current/cases-open-manage.html
+ - https://www.elastic.co/guide/en/serverless/current/security-cases-open-manage.html
+applies_to:
+ stack: all
+ serverless:
+ security: all
+products:
+ - id: security
+ - id: cloud-serverless
+description: Create and manage security cases to track incidents, attach alerts, and collaborate with your SOC team using Security-specific features.
+---
+
+# Cases for {{elastic-sec}} [security-cases-overview]
+
+Create cases to collect and share information about security incidents and investigations. You can attach alerts, document findings, and collaborate with your SOC team, all in one place. Cases also integrate with external ticketing systems like Jira, ServiceNow, and IBM Resilient, so you can escalate and track incidents across your security workflow.
+
+Refer to [](/explore-analyze/cases.md) for help creating, managing, and configuring cases.
+
+## Security-specific features [security-cases-features]
+
+Beyond the core case functionality, {{elastic-sec}} lets you view case metrics, attach events from Timeline, add threat intelligence indicators, and link Timelines to preserve investigation context.
+
+### View case metrics [cases-view-metrics]
+
+Select an existing case to access its summary. The case summary, located under the case title, contains metrics that summarize alert information and response times:
+
+* **Total alerts**: Total number of unique alerts attached to the case
+* **Associated users**: Total number of unique users represented in the attached alerts
+* **Associated hosts**: Total number of unique hosts represented in the attached alerts
+* **Total connectors**: Total number of connectors added to the case
+* **Case created**: Date and time the case was created
+* **Open duration**: Time elapsed since the case was created
+* **In progress duration**: How long the case has been in the `In progress` state
+* **Duration from creation to close**: Time elapsed from case creation to closure
+
+Use these metrics to assess incident scope, track response efficiency, and identify trends across cases for process improvements.
+
+### Add events [cases-add-events]
+
+```{applies_to}
+stack: ga 9.2
+```
+
+Attach events to cases to document suspicious activity and preserve evidence for your investigation. You can add events from Timeline or from the **Events** tab on the **Hosts**, **Network**, or **Users** pages. This helps you build a chronological record of what happened, share findings with your team, and support post-incident analysis.
+
+View attached events in the case's **Events** tab, where they're organized from newest to oldest. You can find the **Events** tab in the following places:
+
+- {applies_to}`stack: ga 9.3+`: Go to the case's details page, then select the **Attachments** tab.
+- {applies_to}`stack: ga 9.0-9.2`: Go to the case's details page.
+
+### Add indicators [cases-indicators]
+
+Attach [threat intelligence indicators](/solutions/security/investigate/indicators-of-compromise.md) to cases to document evidence of compromise and connect your investigation to known threats. This helps you correlate alerts with threat actor tactics, track IOCs across related incidents, and build a complete picture of an attack.
+
+### Add Timelines [cases-timeline]
+
+Attach [Timelines](/solutions/security/investigate/timeline.md) to cases to preserve your investigation context and share it with your team. When you link a Timeline, other analysts can see the exact queries, filters, and events you examined, making it easier to collaborate, hand off investigations, or document your evidence trail.
+
+::::{tip}
+To insert a Timeline link in the case description, click the Timeline icon ().
+::::
\ No newline at end of file
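Review bot: Under `### Add events`, the second bullet's `stack: ga 9.0-9.2` badge conflicts with the section-level `stack: ga 9.2` block just above it; the removed page used `stack: ga =9.2` for this bullet. The first bullet also lost the `serverless:` badge it had in the removed page, so serverless readers no longer see where the **Events** tab lives. Suggest restoring `=9.2` and the serverless badge. Minor: the intro hardcodes "Jira, ServiceNow, and IBM Resilient" where the removed pages used `{{jira}}`, `{{sn}}` and `{{ibm-r}}`, and the file ends without a trailing newline.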
diff --git a/solutions/security/investigate/timeline.md b/solutions/security/investigate/timeline.md
index 9da1ddfe45..10e72326a7 100644
--- a/solutions/security/investigate/timeline.md
+++ b/solutions/security/investigate/timeline.md
@@ -170,7 +170,7 @@ When you convert a [Timeline template](/solutions/security/investigate/timeline-
To attach a Timeline to a new or existing case, open it, click **Attach to case** in the upper right corner, then select either **Attach to new case** or **Attach to existing case**.
-To learn more about cases, refer to [Cases](/solutions/security/investigate/cases.md).
+To learn more about cases, refer to [Cases](/solutions/security/investigate/security-cases.md).
## Manage existing Timelines [manage-timelines-ui]
diff --git a/solutions/security/security-serverless-feature-tiers.md b/solutions/security/security-serverless-feature-tiers.md
index 35def8b04b..2039fba393 100644
--- a/solutions/security/security-serverless-feature-tiers.md
+++ b/solutions/security/security-serverless-feature-tiers.md
@@ -28,7 +28,7 @@ The following table compares features available in each feature tier:
| **Feature Name** | **Security Analytics Complete** | **Security Analytics Essentials** | **EASE** |
| :--- | :---: | :---: | :---: |
-| **[Cases](/solutions/security/investigate/cases.md) (collect and share information)** | ✅ | ✅ | ✅ |
+| **[Cases](/solutions/security/investigate/security-cases.md) (collect and share information)** | ✅ | ✅ | ✅ |
| **[Native integrations](https://www.elastic.co/docs/reference/integrations) with third-party SIEM and EDR platforms** | ✅ | ✅ | ✅ |
| **Out of the box [dashboards](/solutions/security/dashboards.md)** | ✅ | ✅ | ❌ |
| **Prebuilt and custom [detection rules](/solutions/security/detect-and-alert.md)** | ✅ | ✅ | ❌ |
diff --git a/solutions/toc.yml b/solutions/toc.yml
index 92d6ec159d..9e0cc8505f 100644
--- a/solutions/toc.yml
+++ b/solutions/toc.yml
@@ -504,11 +504,7 @@ toc:
children:
- file: observability/incident-management/triage-slo-burn-rate-breaches.md
- file: observability/incident-management/triage-threshold-breaches.md
- - file: observability/incident-management/cases.md
- children:
- - file: observability/incident-management/configure-access-to-cases.md
- - file: observability/incident-management/create-manage-cases.md
- - file: observability/incident-management/configure-case-settings.md
+ - file: observability/incident-management/observability-cases.md
- file: observability/incident-management/service-level-objectives-slos.md
children:
- file: observability/incident-management/configure-service-level-objective-slo-access.md
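Review bot: The three child entries removed under `observability/incident-management/cases.md` (`configure-access-to-cases.md`, `create-manage-cases.md`, `configure-case-settings.md`) get no replacement entries, only the single `observability-cases.md`. Please confirm that their content is reachable from the new page and that redirects cover all four removed paths, so existing inbound links and bookmarks do not break.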
@@ -721,11 +717,7 @@ toc:
- file: security/investigate/use-placeholder-fields-in-osquery-queries.md
- file: security/investigate/notes.md
- file: security/investigate/indicators-of-compromise.md
- - file: security/investigate/cases.md
- children:
- - file: security/investigate/cases-requirements.md
- - file: security/investigate/open-manage-cases.md
- - file: security/investigate/configure-case-settings.md
+ - file: security/investigate/security-cases.md
- file: security/dashboards.md
children:
- file: security/dashboards/overview-dashboard.md
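Review bot: `security/investigate/cases-requirements.md` leaves the toc here with nothing replacing it. Readers land on a requirements page when setting up access to cases, so check that `security-cases.md` contains or links to that material and, if the old heading anchors were linked from other pages, that the same anchors exist at the new location.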
diff --git a/troubleshoot/elasticsearch/mapping-explosion.md b/troubleshoot/elasticsearch/mapping-explosion.md
index 0eef15d11f..9dd0e2b2bc 100644
--- a/troubleshoot/elasticsearch/mapping-explosion.md
+++ b/troubleshoot/elasticsearch/mapping-explosion.md
@@ -32,7 +32,7 @@ Mapping explosion may surface as the following performance symptoms:
* [CAT pending tasks](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-cat-pending-tasks) reporting a task queue backlog with a lot of `put-mapping [MY_INDEX_NAME/MY_INDEX_UUID]` messages.
* Discover’s **Fields for wildcard** page-loading API command or [Dev Tools](../../explore-analyze/query-filter/tools/console.md) page-refreshing Autocomplete API commands are taking a long time (more than 10 seconds) or timing out in the browser’s Developer Tools Network tab. For more information, refer to our [walkthrough on troubleshooting Discover](https://www.elastic.co/blog/troubleshooting-guide-common-issues-kibana-discover-load).
* Discover’s **Available fields** taking a long time to compile Javascript in the browser’s Developer Tools Performance tab. This may potentially escalate to temporary browser page unresponsiveness.
-* Kibana’s [alerting](../../explore-analyze/alerts-cases/alerts.md) or [security rules](../../solutions/security/detect-and-alert.md) may error `The content length (X) is bigger than the maximum allowed string (Y)` where `X` is attempted payload and `Y` is {{kib}}'s [`server-maxPayload`](kibana://reference/configuration-reference/general-settings.md#server-maxpayload).
+* Kibana’s [alerting](../../explore-analyze/alerting/alerts.md) or [security rules](../../solutions/security/detect-and-alert.md) may error `The content length (X) is bigger than the maximum allowed string (Y)` where `X` is attempted payload and `Y` is {{kib}}'s [`server-maxPayload`](kibana://reference/configuration-reference/general-settings.md#server-maxpayload).
* Long {{es}} start-up durations.
* Kibana Javascript erring within browser while loading a Dashboard or Discover with message `Maximum call stack size exceeded`.
diff --git a/troubleshoot/elasticsearch/task-queue-backlog.md b/troubleshoot/elasticsearch/task-queue-backlog.md
index 265d10888d..5b66aa80e0 100644
--- a/troubleshoot/elasticsearch/task-queue-backlog.md
+++ b/troubleshoot/elasticsearch/task-queue-backlog.md
@@ -141,7 +141,7 @@ If an individual task is causing a [thread pool `queue`](#diagnose-task-queue-th
This problem can surface due to a number of possible causes:
-* Creating new tasks or modifying scheduled tasks which either run frequently or are broad in their effect, such as [{{ilm}}](/manage-data/lifecycle/index-lifecycle-management.md) policies or [rules](/explore-analyze/alerts-cases.md)
+* Creating new tasks or modifying scheduled tasks which either run frequently or are broad in their effect, such as [{{ilm}}](/manage-data/lifecycle/index-lifecycle-management.md) policies or [rules](/explore-analyze/alerting.md)
* Performing traffic load testing
* Doing extended look-backs, especially across [data tiers](/manage-data/lifecycle/data-tiers.md)
* [Searching](https://www.elastic.co/docs/api/doc/elasticsearch/group/endpoint-search) or performing [bulk updates](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-bulk) to a high number of indices in a single request
diff --git a/troubleshoot/kibana/alerts.md b/troubleshoot/kibana/alerts.md
index 8d5e8c7207..83ac222de9 100644
--- a/troubleshoot/kibana/alerts.md
+++ b/troubleshoot/kibana/alerts.md
@@ -29,13 +29,13 @@ Some of the resources, such as saved objects and API keys, may no longer be avai
The following debugging tools are available:
-* {{kib}} versions 7.10 and above have a [Test connector](../../explore-analyze/alerts-cases/alerts/testing-connectors.md) UI.
+* {{kib}} versions 7.10 and above have a [Test connector](../../explore-analyze/alerting/alerts/testing-connectors.md) UI.
* {{kib}} versions 7.11 and above include improved Webhook error messages, better overall debug logging for actions and connectors, and Task Manager [diagnostics endpoints](task-manager.md#task-manager-diagnosing-root-cause).
## Using rules and connectors list for the current state and finding issues [alerting-managment-detail]
-**{{rules-ui}}** in **{{stack-manage-app}}** lists the rules available in the space you’re currently in. When you click a rule name, you are navigated to the [details page](../../explore-analyze/alerts-cases/alerts/create-manage-rules.md#rule-details) for the rule, where you can see currently active alerts. The start date on this page indicates when a rule is triggered, and for what alerts. In addition, the duration of the condition indicates how long the instance is active.
+**{{rules-ui}}** in **{{stack-manage-app}}** lists the rules available in the space you’re currently in. When you click a rule name, you are navigated to the [details page](../../explore-analyze/alerting/alerts/create-manage-rules.md#rule-details) for the rule, where you can see currently active alerts. The start date on this page indicates when a rule is triggered, and for what alerts. In addition, the duration of the condition indicates how long the instance is active.
:::{image} /troubleshoot/images/kibana-rule-details-alerts-inactive.png
:alt: Alerting management details
@@ -182,9 +182,9 @@ Investigating the underlying task can help you gauge whether the problem you’r
In addition to the above methods, refer to the following approaches and common issues:
-* [Alerting common issues](../../explore-analyze/alerts-cases/alerts/alerting-common-issues.md)
-* [Querying event log index](../../explore-analyze/alerts-cases/alerts/event-log-index.md)
-* [Testing connectors using {{connectors-ui}} UI and the `kbn-action` tool](../../explore-analyze/alerts-cases/alerts/testing-connectors.md)
+* [Alerting common issues](../../explore-analyze/alerting/alerts/alerting-common-issues.md)
+* [Querying event log index](../../explore-analyze/alerting/alerts/event-log-index.md)
+* [Testing connectors using {{connectors-ui}} UI and the `kbn-action` tool](../../explore-analyze/alerting/alerts/testing-connectors.md)
### Temporarily throttle all tasks [alerting-kibana-throttle]
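Review bot: The three updated links in this list stay relative (`../../explore-analyze/alerting/alerts/...`), while `troubleshoot/elasticsearch/task-queue-backlog.md` in the same patch uses the root-absolute form (`/explore-analyze/alerting.md`). Since each of these lines is already being touched for a directory rename, consider switching them to root-absolute paths so a later move of this file or of the target directory does not depend on counting `../` levels.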
@@ -197,7 +197,7 @@ xpack.task_manager.poll_interval: 1h
```
::::{warning}
-This approach should be used only temporarily as a last resort to restore function to {{kib}} when it is unresponsive and attempts to identify and [snooze or disable](../../explore-analyze/alerts-cases/alerts/create-manage-rules.md#controlling-rules) slow-running rules have not fixed the situation. It severely throttles all background tasks, not just those relating to {{alert-features}}. The task manager will run only one task at a time and will look for more work each hour.
+This approach should be used only temporarily as a last resort to restore function to {{kib}} when it is unresponsive and attempts to identify and [snooze or disable](../../explore-analyze/alerting/alerts/create-manage-rules.md#controlling-rules) slow-running rules have not fixed the situation. It severely throttles all background tasks, not just those relating to {{alert-features}}. The task manager will run only one task at a time and will look for more work each hour.
::::