elastic · nastasha-solomon · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025 · Jul 22, 2025
@@ -26,3 +26,13 @@ If you create cases in the {{observability}} or {{security-app}}, they are not v
 * [Configure access to cases](cases/setup-cases.md)
 * [Open and manage cases](cases/manage-cases.md)
 * [Configure case settings](cases/manage-cases-settings.md)
+
+
+::::{note} 
+{applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space.
+::::
+
+## Limitations [kibana-case-limitations]
+
+* If you create cases in {{stack-manage-app}}, they are not visible from {{observability}} or the {{security-app}}. Likewise, the cases you create in {{observability}}, they are not visible in {{stack-manage-app}} or {{elastic-sec}}. 
+* You cannot attach alerts from {{observability}} or {{elastic-sec}} to cases in {{stack-manage-app}}.
@@ -0,0 +1,58 @@
+---
+applies_to:
+  stack: ga
+  serverless: ga
+products:
+  - id: kibana
+---
+
+# Visualize case data [visualize-case-data]
+
+Case data is stored in case analytics indices, which include data from case comments, attachments, and activity. You can query this information to build dashboards and metrics that improve your visibility into case patterns and trends.
+
+## About case analytics indices [about-case-analytics-indices]
+
+Case analytics indices and their aliases are automatically generated when Kibana starts up. Every five minutes, the indices are updated with new data from cases in your space. Historical data about cases is not stored; it gets overwritten whenever new case data is written to the indices. 
+
+You can begin querying case analytics indices as soon as you have cases in your space. To learn more about fields in the indices, refer to 
+% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) 
+
+| Index    | Alias | Description | 
+| ---------------------------- | ---------------------- |----------------------------------------- | 
+| `.internal.cases`            | `.cases`               | Stores general data related to cases.    | 
+| `.internal.cases-comments`   | `.cases-comments`      | Stores data related to case comments.    | 
+| `.internal.cases-activity`   | `.cases-activity`      | Stores data related to case activity.    | 
+| `.internal.cases-attachments`| `.cases-attachments`   | Stores data related to case attachments (only alerts and files added to the case). | 
+
+## Explore case data [explore-case-analytics-indices]
+
+::::{admonition} Requirements
+To query the case analytics indices, your role must have at least `Read` and `view_index_metadata` access to the indices.
+::::
+
+Search and filter case data in [Discover](../../discover.md) and [Lens](../../visualize/lens.md), and build visualizations for [dashboards](../../dashboards.md). To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover.
+
+* Find the total number of cases that are currently open:
+  ```console
+  FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status  == "open"
+  ```
+
+* Find the total number of cases that are currently in progress:
+  ```console
+  FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status  == "in-progress"
+  ```
+
+* Find the total number of cases that are closed:
+  ```console
+  FROM .internal.cases | STATS count = COUNT(*) BY status | WHERE status  == "closed"
+  ```
+
+* Find cases that are open and sort them by time, with the most recent is at the top:
+  ```console
+  FROM .internal.cases | WHERE status  == "open" | SORT created_at DESC
+  ```
+
+* Find the average time that it takes to close a case:
+  ```console
+  FROM .internal.cases | STATS average_time_to_close = AVG(time_to_resolve)
+  ```
@@ -410,4 +410,5 @@ toc:
           - file: alerts-cases/cases/setup-cases.md
           - file: alerts-cases/cases/manage-cases.md
           - file: alerts-cases/cases/manage-cases-settings.md
+          - file: alerts-cases/cases/visualize-case-data.md   
   - file: numeral-formatting.md
@@ -14,4 +14,13 @@ Collect and share information about observability issues by creating a case. Cas
 :::{image} /solutions/images/observability-cases.png
 :alt: Cases page
 :screenshot:
-:::
+:::
+
+::::{note} 
+{applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space.
+::::
+
+## Limitations [observability-case-limitations]
+
+* If you create cases in {{observability}}, they are not visible from the {{security-app}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. 
+* You cannot attach alerts from {{elastic-sec}} or {{stack-manage-app}} to cases in {{observability}}.
@@ -29,10 +29,16 @@ You can also send cases to these external systems by [configuring external conne
 :screenshot:
 :::
 
-::::{note}
-From {{elastic-sec}} in the {{stack}}, you cannot access cases created in {{observability}} or Stack Management.
+::::{note} 
+{applies_to}`stack: ga 9.1` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space.
 ::::
 
+## Limitations [security-case-limitations]
+
+* If you create cases in the {{security-app}}, they are not visible from {{observability}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in {{elastic-sec}} or {{observability}}.
+* You cannot attach alerts from the {{observability}} or {{stack-manage-app}} to cases in {{elastic-sec}}.
+
+