elastic · nastasha-solomon · Oct 23, 2025 · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025
@@ -27,3 +27,9 @@ If you create cases in the {{observability}} or {{security-app}}, they are not v
 * [Configure access to cases](cases/setup-cases.md)
 * [Open and manage cases](cases/manage-cases.md)
 * [Configure case settings](cases/manage-cases-settings.md)
+* {applies_to}`stack: preview 9.2`[Use cases as data](cases/cases-as-data.md)
+
+## Limitations [kibana-case-limitations]
+
+* If you create cases in {{stack-manage-app}}, they are not visible from {{observability}} or the {{security-app}}. Likewise, the cases you create in {{observability}}, they are not visible in {{stack-manage-app}} or {{elastic-sec}}. 
+* You cannot attach alerts from {{observability}} or {{elastic-sec}} to cases in {{stack-manage-app}}.
@@ -0,0 +1,123 @@
+---
+applies_to:
+  deployment:
+    ess: preview 9.2
+    ece: preview 9.2
+---
+
+# Use cases as data [use-cases-as-data]
+
+The cases as data feature lets you visualize data about cases in your [space](/deploy-manage/manage-spaces.md). After turning it on, you can query case data from dedicated case analytics indices and build dashboards and visualizations to track case trends and operational metrics. This information is particularly useful when reporting on key performance indicators (KPIs) such as Mean Time To Respond (MTTR), case severity trends, and analyst workload.
+
+## Turn on cases as data [turn-on-cases-as-data]
+
+To turn on cases as data, add `xpack.cases.incrementalId.enabled: true` to your [`kibana.yml`](/deploy-manage/stack-settings.md) file.
+
+::::{warning} 
+3 tasks will be created that each execute in 5 minute interval. If you have lots of spaces with cases (for example, dozens), we do not reccomend enabling this feature as it will clog up task manager.
+::::
+
+## Create and manage indices for case data [create-manage-case-analytics-indices]
+
+After turning on cases as data, you do not need to manually create the analytics indices. {{es}} automatically creates the indices in any space with cases and for each solution ({{stack-manage-app}}, {{observability}}, and Security cases). To form the analytics indices, it indexes general data about cases and data related to case comments, attachments, and activity.
+
+You also do not need to manually manage the analytics indices' index lifecycle management (ILM) policies. The indices are updated by a background task that runs every five minutes and applies a snapshot of the most current cases data. Note that historical case data is not retained; it gets overwritten whenever the indices are refreshed.
+
+::::{note} 
+After you create cases, {{es}} may take up to 10 minutes to index the new case data. If you create a new space, it can take up to an hour for new case analytics indices to form.  
+::::
+
+## Explore case data [explore-case-data]
+
+::::{admonition} Requirements
+
+* Your role has at least `read` and `view_index_metadata` access to the appropriate [case anlaytics indices](/explore-analyze/alerts-cases.md/cases/cases-as-data.md#case-analytics-indices).
+* You must have the appropriate subscription. Refer to the subscription page for [Elastic Cloud](https://www.elastic.co/subscriptions/cloud) and [Elastic Stack/self-managed](https://www.elastic.co/subscriptions) for the breakdown of available features and their associated subscription tiers.
+
+::::
+
+To explore case data:
+
+1. Create a [data view](../../../explore-analyze/find-and-organize/data-views.md) that uses any of the case analytics indices.
+2. Search and filter the case data in [Discover](../../discover.md) or build visualizations for dashboards in [Lens](../../visualize/lens.md). 
+
+To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover.
+
+* Find the total number of open cases in the default {{kib}} space:
+
+  ```console
+  FROM .internal.cases.default-observability | STATS count = COUNT(*) BY status | WHERE status  == "open"
+  ```
+
+* Find the total number of in progress Stack Management cases in the default {{kib}} space:
+
+  ```console
+  FROM .internal.cases.default-cases | STATS count = COUNT(*) BY status | WHERE status  == "in-progress"
+  ```
+
+* Find the total number of closed {{observability}} cases in the default {{kib}} space:
+
+  ```console
+  FROM .internal.cases.default-observability | STATS count = COUNT(*) BY status | WHERE status  == "closed"
+  ```
+
+* Find Security cases that are open in the default {{kib}} space, and sort them by time, with the most recent at the top:
+
+  ```console
+  FROM .internal.cases.default-securitysolution | WHERE status  == "open" | SORT created_at DESC
+  ```
+
+* Find the average time that it takes to close Security cases in the default {{kib}} space:
+
+  ```console
+  FROM .internal.cases.default-securitysolution | STATS average_time_to_close = AVG(time_to_resolve)
+  ```
+
+## Case analytics indices names and aliases [case-analytics-indices-names]
+
+This section provides the names and aliases of the case analytics indices that {{es}} creates per space and solution. Note that `<space-name>` is a placeholder for the name of a space.  
+
+::::{note} 
+Go to
+% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) for schema details. 
+::::
+
+### Indices for general case data 
+
+These indices store general data about cases. 
+
+| Index    | Alias | Created for | 
+| ---------------------------- | ---------------------- |----------------------------------------- | 
+| `.internal.cases.<space-name>-cases` |  `.cases.<space-name>-cases` | Stack Management cases  | 
+| `.internal.cases.<space-name>-observability` |  `.cases.<space-name>-observability` | {{observability}} cases   | 
+| `.internal.cases.<space-name>-securitysolution` |  `.cases.<space-name>-securitysolution` | Security cases  | 
+
+### Indices for case comments
+
+These indices store data related to comments in Stack Management, {{observability}}, and Security cases.
+
+| Index    | Alias | Created for | 
+| ---------------------------- | ---------------------- |----------------------------------------- | 
+| `.internal.cases-comments.<space-name>-cases` |  `.cases-comments.<space-name>-cases` | Stack Management cases    | 
+| `.internal.cases-comments.<space-name>-observability` |  `.cases-comments.<space-name>-observability` | {{observability}} cases    | 
+| `.internal.cases-comments.<space-name>-securitysolution` |  `.cases-comments.<space-name>-securitysolution` | Security cases   | 
+
+### Indices for case attachments 
+
+These indices store data related to attachments in Stack Management, {{observability}}, and Security cases.
+
+| Index    | Alias | Created for | 
+| ---------------------------- | ---------------------- |----------------------------------------- | 
+| `.internal.cases-attachments.<space-name>-cases` |  `.cases-attachments.<space-name>-cases` | Stack Management cases    | 
+| `.internal.cases-attachments.<space-name>-observability` |  `.cases-attachments.<space-name>-observability` | {{observability}} cases    | 
+| `.internal.cases-attachments.<space-name>-securitysolution` |  `.cases-attachments.<space-name>-securitysolution` | Security cases    | 
+
+### Indices for case activity 
+
+These indices store data related to activity in Stack Management, {{observability}}, and Security cases.
+
+| Index    | Alias | Created for | 
+| ---------------------------- | ---------------------- |----------------------------------------- | 
+| `.internal.cases-activity.<space-name>-cases` |  `.cases-activity.<space-name>-cases` | Stack Management cases    | 
+| `.internal.cases-activity.<space-name>-observability` |  `.cases-activity.<space-name>-observability` | {{observability}} cases    | 
+| `.internal.cases-activity.<space-name>-securitysolution` |  `.cases-activity.<space-name>-securitysolution` | Security cases    | 
@@ -365,4 +365,5 @@ toc:
           - file: alerts-cases/cases/setup-cases.md
           - file: alerts-cases/cases/manage-cases.md
           - file: alerts-cases/cases/manage-cases-settings.md
+          - file: alerts-cases/cases/cases-as-data.md   
   - file: numeral-formatting.md
@@ -15,4 +15,14 @@ Collect and share information about observability issues by creating a case. Cas
 :::{image} /solutions/images/observability-cases.png
 :alt: Cases page
 :screenshot:
-:::
+:::
+
+::::{tip}
+:applies_to: stack: preview 9.2
+After creating cases, use case data to build dashboards and visualizations that give you insights into case trends and operational metrics. Refer to [Use cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more.
+::::
+
+## Limitations [observability-case-limitations]
+
+* If you create cases in {{observability}}, they are not visible from the {{security-app}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. 
+* You cannot attach alerts from {{elastic-sec}} or {{stack-manage-app}} to cases in {{observability}}.
@@ -30,11 +30,19 @@ You can also send cases to these external systems by [configuring external conne
 :screenshot:
 :::
 
-::::{note}
-From {{elastic-sec}} in the {{stack}}, you cannot access cases created in {{observability}} or Stack Management.
+::::{tip}
+:applies_to: stack: preview 9.2
+After creating cases, use case data to build dashboards and visualizations that give you insights into case trends and operational metrics. Refer to [Cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more.
 ::::
 
 
+## Limitations [security-case-limitations]
+
+* If you create cases in the {{security-app}}, they are not visible from {{observability}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in {{elastic-sec}} or {{observability}}.
+* You cannot attach alerts from the {{observability}} or {{stack-manage-app}} to cases in {{elastic-sec}}.
+
+
+