From 7b91b320a108d05d01a3c677ffaf9907c1b8642b Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 9 Sep 2025 20:35:55 -0400 Subject: [PATCH 1/7] First draft --- docs/en/observability/create-alerts.asciidoc | 12 +++++++ .../view-observability-alerts.asciidoc | 36 +++++++++++++++---- 2 files changed, 42 insertions(+), 6 deletions(-) diff --git a/docs/en/observability/create-alerts.asciidoc b/docs/en/observability/create-alerts.asciidoc index c34efd6f5c..b16fe7cf6e 100644 --- a/docs/en/observability/create-alerts.asciidoc +++ b/docs/en/observability/create-alerts.asciidoc 
@@ -106,6 +106,18 @@ image::images/create-alerts-rules-details.png[Elastic {observability} detail pag NOTE: You can also view rule details by clicking on individual rules in the {kibana-ref}/create-and-manage-rules.html[{kib} Management UI]. +[discrete] +[[investigation-resources-observability-alerts]] +== Provide additional incident management and response resources + +Incident management resources can help you respond to alerts more efficiently and consistently. You can add these resources to a rule that you are creating or managing. When an alert is generated from that rule, the resources that you added can be accessed from the <>. Here are some resources you can add to a rule: + +* *Investigation guide*: An investigation guide provides step-by-step instructions and links to external resources for investigating and responding to alerts. On the alert's details page, you can access the guide from the **Investigation guide** tab. +* *Related and suggested dashboards*: (Only available for custom threshold rules) Dashboards can provide additional context and information about the alert. You can access them from the **Dashboards** tab on the alert's details page. Related dashboards are linked to the rule that generated the alert. Suggested dashboards are comprised of other dashboards that use lens visualizations that: ++ +** Query the same data view +** Use some of the same fields that are specified in the rule's configuration or are present in alert's genereated by the rule. + [discrete] [[create-alerts-alert]] == View and manage alerts diff --git a/docs/en/observability/view-observability-alerts.asciidoc b/docs/en/observability/view-observability-alerts.asciidoc index 51bcb9a196..cd0e4c0b71 100644 --- a/docs/en/observability/view-observability-alerts.asciidoc +++ b/docs/en/observability/view-observability-alerts.asciidoc 
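Review bot: The anchor `[[investigation-resources-observability-alerts]]` added in this create-alerts.asciidoc hunk is also added to view-observability-alerts.asciidoc later in this same patch, and two definitions of one ID in the same book collide at build time; keep the section in one file and link to it from the other with an xref. In the same block, `alert's genereated by the rule` should read `alerts generated by the rule`, `comprised of` should be `consist of`, and the leading parenthetical `(Only available for custom threshold rules)` reads as restricting both related and suggested dashboards; state which of the two it actually applies to.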
@@ -58,6 +58,14 @@ To view the alert in the app that triggered it: * From the alert detail flyout, click *View in app*. * From the Alerts table, click the image:images/icons/eye.svg[View in app] icon. +[discrete] +[[find-related-alerts]] +== Find related alerts + +Related alerts can help you to identify patterns and recurring events that might warrant investigation. When examining an alert's details, you can find related alerts by selecting the **Related alerts** tab. + +Relevance to the current alert is based on how closely other alerts match it. Certain attributes are evaluated for matching, such as groups, tags, associated rules, and the time of which an alert was created. Alerts with more matching attributes are determined as more relevant and placed higher on the list of related alerts. To find related alerts that were created around the same time, apply the **Triggered around the same time** filter. + [discrete] [[understand-alert-statuses]] == Understand alert statuses 
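Review bot: The **Triggered around the same time** filter is introduced without saying what time window it applies, and `Relevance to the current alert is based on how closely other alerts match it` does not say which alerts are candidates at all (same space only? any time range?); an analyst deciding whether to trust this list needs both facts. Also `the time of which an alert was created` should be `the time at which an alert was created`, and `are determined as more relevant` reads better as `are ranked as more relevant`.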
@@ -119,12 +127,13 @@ NOTE: Each case can have a maximum of 1,000 alerts. To add an alert to a new case: -. Select **Add to new case**. +. From the **More actions** menu (image:images/icons/boxesHorizontal.svg[More actions]) in the Alerts table or the alert detail flyout, click *Alert details*, then select **Add to new case**. . Enter a case name, add relevant tags, and include a case description. . Under *External incident management system*, select a connector. If you’ve previously added one, that connector displays as the default selection. Otherwise, the default setting is No connector selected. -. After you’ve completed all of the required fields, click *Create case*. A notification message confirms you successfully -created the case. To view the case details, click the notification link or go to the <> page. +. After you’ve completed all of the required fields, click *Create case*. + +After creating the case, a confirmation message with an option to view the newly-created case displays. Click the notification link or go to the <> page to view the case details. [discrete] [[existing-case-observability-alerts]] 
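Review bot: The rewritten first step is ambiguous about where **Add to new case** lives: it says `click *Alert details*` (which opens the details page) `then select **Add to new case**`, but not whether that option is in the same **More actions** menu or a control on the details page; name the control the reader clicks. Minor: the step mixes `*Alert details*` and `**Add to new case**` bold markup in one sentence, and `newly-created case` should be `newly created case`.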
@@ -132,9 +141,24 @@ created the case. To view the case details, click the notification link or go to To add an alert to an existing case: -. Select **Add to existing case**. -. From the Select case pane, select the case for which to attach an alert. A confirmation message displays -with an option to view the updated case. To view the case details, click the notification link or go to the <> page. +. From the **More actions** menu (image:images/icons/boxesHorizontal.svg[More actions]) in the Alerts table or the alert detail flyout, click *Alert details*, select **Add to existing case**. +. Select the case for which to attach an alert. + +After choosing a case, a confirmation message with an option to view the updated case displays. Click the notification link or go to the <> page to view the case details. + +[discrete] +[[investigation-resources-observability-alerts]] +== Access additional incident management and response resources + +Incident management resources can help you respond to alerts more efficiently and consistently. You can add these resources to a rule that you are <>. When an alert is generated from that rule, you can access the resources from the alert's details page. Below are the types of resources you can add to a rule and access from an alert's details page. + +* *Investigation guide*: An investigation guide provides step-by-step instructions and links to external resources for investigating and responding to alerts. On the alert's details page, you can access the guide from the **Investigation guide** tab. +* *Related and suggested dashboards*: (Only available for custom threshold rules) Dashboards can provide additional context and information about the alert. You can access them from the **Dashboards** tab on the alert's details page. Related dashboards are linked to the rule that generated the alert. 
Suggested dashboards are comprised of other dashboards that use lens visualizations that: ++ +** Query the same data view +** Use some of the same fields that are specified in the rule's configuration or are present in alert's genereated by the rule. + + [discrete] [[clean-up-alerts-obs]] From b10063930b427cffc8db79a3e640df955fb46f56 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 9 Sep 2025 20:43:31 -0400 Subject: [PATCH 2/7] Re-arrange --- docs/en/observability/create-alerts.asciidoc | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/en/observability/create-alerts.asciidoc b/docs/en/observability/create-alerts.asciidoc index b16fe7cf6e..50d779461f 100644 --- a/docs/en/observability/create-alerts.asciidoc +++ b/docs/en/observability/create-alerts.asciidoc 
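Review bot: The hunk ends with two added blank lines before `[discrete]`, which the surrounding file does not use; drop them. In the first step, `click *Alert details*, select **Add to existing case**` is missing `then`, and `Select the case for which to attach an alert` should be `Select the case to attach the alert to`. The `== Access additional incident management and response resources` block is a near-verbatim copy of the section this patch adds to create-alerts.asciidoc, under the same anchor ID, so one copy has to go; an xref from here to the create-alerts section is enough.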
@@ -93,6 +93,18 @@ a| * <> |=== +[discrete] +[[investigation-resources-observability-alerts]] +=== Provide additional incident management and response resources + +Incident management resources can help you respond to alerts more efficiently and consistently. You can add these resources to a rule that you are creating or managing. When an alert is generated from that rule, the resources that you added can be accessed from the <>. Here are some resources you can add to a rule: + +* *Investigation guide*: An investigation guide provides step-by-step instructions and links to external resources for investigating and responding to alerts. On the alert's details page, you can access the guide from the **Investigation guide** tab. +* *Related and suggested dashboards*: (Only available for custom threshold rules) Dashboards can provide additional context and information about the alert. You can access them from the **Dashboards** tab on the alert's details page. Related dashboards are linked to the rule that generated the alert. Suggested dashboards are comprised of other dashboards that use lens visualizations that: ++ +** Query the same data view +** Use some of the same fields that are specified in the rule's configuration or are present in alert's genereated by the rule. + [discrete] [[create-alerts-rules-details]] == View rule details 
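Review bot: Moving the block and demoting its heading to `===` keeps the `[[investigation-resources-observability-alerts]]` ID that view-observability-alerts.asciidoc still defines after this patch, so the re-arrangement does not resolve the duplicate ID; dedupe in the same PR. The typo `alert's genereated` and the phrase `comprised of` travel with the block as well; since these lines are being touched, fix them here.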
@@ -106,18 +118,6 @@ image::images/create-alerts-rules-details.png[Elastic {observability} detail pag NOTE: You can also view rule details by clicking on individual rules in the {kibana-ref}/create-and-manage-rules.html[{kib} Management UI]. -[discrete] -[[investigation-resources-observability-alerts]] -== Provide additional incident management and response resources - -Incident management resources can help you respond to alerts more efficiently and consistently. You can add these resources to a rule that you are creating or managing. When an alert is generated from that rule, the resources that you added can be accessed from the <>. Here are some resources you can add to a rule: - -* *Investigation guide*: An investigation guide provides step-by-step instructions and links to external resources for investigating and responding to alerts. On the alert's details page, you can access the guide from the **Investigation guide** tab. -* *Related and suggested dashboards*: (Only available for custom threshold rules) Dashboards can provide additional context and information about the alert. You can access them from the **Dashboards** tab on the alert's details page. Related dashboards are linked to the rule that generated the alert. Suggested dashboards are comprised of other dashboards that use lens visualizations that: -+ -** Query the same data view -** Use some of the same fields that are specified in the rule's configuration or are present in alert's genereated by the rule. - [discrete] [[create-alerts-alert]] == View and manage alerts From 16bf3d49c27fe26cfbe8c5f020cda878e64aeffa Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Wed, 10 Sep 2025 10:28:12 -0400 Subject: [PATCH 3/7] revisions --- docs/en/observability/create-alerts.asciidoc | 16 ++++++++++-- .../view-observability-alerts.asciidoc | 26 ++++++------------- 2 files changed, 22 insertions(+), 20 deletions(-) 
diff --git a/docs/en/observability/create-alerts.asciidoc b/docs/en/observability/create-alerts.asciidoc index 50d779461f..7328aab296 100644 --- a/docs/en/observability/create-alerts.asciidoc +++ b/docs/en/observability/create-alerts.asciidoc @@ -94,8 +94,8 @@ a| * <> |=== [discrete] -[[investigation-resources-observability-alerts]] -=== Provide additional incident management and response resources +[[incident-management-resources-observability-alerts]] +=== Add incident management and response resources to rules Incident management resources can help you respond to alerts more efficiently and consistently. You can add these resources to a rule that you are creating or managing. When an alert is generated from that rule, the resources that you added can be accessed from the <>. Here are some resources you can add to a rule: 
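Review bot: Renaming the ID to `incident-management-resources-observability-alerts` breaks any `<<investigation-resources-observability-alerts>>` xref written against the earlier patches in this series (the `<>` links in these sections show xrefs are in use), so grep both files for the old ID before merging; the copy in view-observability-alerts.asciidoc still carries the old anchor until the removal hunk further down this patch.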
@@ -105,6 +105,18 @@ Incident management resources can help you respond to alerts more efficiently an ** Query the same data view ** Use some of the same fields that are specified in the rule's configuration or are present in alert's genereated by the rule. +[discrete] +[[add-investigation-resources-to-rules]] +=== Add resources for investigating alerts + +When creating or editing a rule, add the following resources to help you get started with investigating alerts: + +* **Investigation guide**: Investigation guides can help you respond to alerts more efficiently and consistently. When creating them, you can include instructions for responding to alerts, links to external supporting materials, and more. When the rule generates an alert, the investigation guide can be accessed from the **Investigation guide** tab on the <> ++ +TIP: Use Markdown to format and structure text in your investigation guide. ++ +* **Related and suggested dashboards**: (Only available for custom threshold rules) Link to dashboards that provide useful insights about your environment, active events, and any other information that might be relevant during your investigations. When the rule generates an alert, linked dashboards can be accessed from the **Related dashboards** tab on the alert's details page. From the tab, you can also review and add suggested dashboards. + [discrete] [[create-alerts-rules-details]] == View rule details diff --git a/docs/en/observability/view-observability-alerts.asciidoc b/docs/en/observability/view-observability-alerts.asciidoc index cd0e4c0b71..ba4c03c0ef 100644 --- a/docs/en/observability/view-observability-alerts.asciidoc +++ b/docs/en/observability/view-observability-alerts.asciidoc 
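Review bot: This new `=== Add resources for investigating alerts` section documents the same two resources (investigation guide, related and suggested dashboards) as the `=== Add incident management and response resources to rules` section directly above it, so the file now explains them twice and with different tab names (`**Dashboards**` above, `**Related dashboards**` here); keep one section and one tab name. The `+` line after the `TIP:` admonition is a list continuation, so the following `* **Related and suggested dashboards**` item attaches to the investigation guide item as a nested list instead of a sibling; delete that `+`. The investigation guide sentence also ends at the xref with no terminating period.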
@@ -59,12 +59,16 @@ To view the alert in the app that triggered it: * From the Alerts table, click the image:images/icons/eye.svg[View in app] icon. [discrete] -[[find-related-alerts]] -== Find related alerts +[[view-related-alerts]] +== Review related alerts -Related alerts can help you to identify patterns and recurring events that might warrant investigation. When examining an alert's details, you can find related alerts by selecting the **Related alerts** tab. +Check related alerts for patterns and recurring events that might need further investigation. From an alert's details page, go to the **Related alerts** tab to view related alerts. Within the table, alerts are ordered from most to least relevant. To only view alerts that were created around the same time as the current alert (+/- 30 minutes), apply the **Triggered around the same time** filter. -Relevance to the current alert is based on how closely other alerts match it. Certain attributes are evaluated for matching, such as groups, tags, associated rules, and the time of which an alert was created. Alerts with more matching attributes are determined as more relevant and placed higher on the list of related alerts. To find related alerts that were created around the same time, apply the **Triggered around the same time** filter. +The relevancy of other alerts is determined by how closely they match the current alert and other similiarites that they might share. The relevancy scoring proccess is briefly outlined below: + +. Alerts in the space are filtered down to only include alerts that were created about one day before or after the current alert. +. Data from the new subset of alerts is compared against the current alert to identify matching values and similarities. Data such as the time of which alerts were generated or recovered, tags added to the alerts, alert IDs, and more are evaluated. +. Alerts are scored based on how closely they match the current alert. 
Alerts with a score above a certain threshold are considered relevant and are included in the list of related alerts. [discrete] [[understand-alert-statuses]] @@ -146,20 +150,6 @@ To add an alert to an existing case: After choosing a case, a confirmation message with an option to view the updated case displays. Click the notification link or go to the <> page to view the case details. -[discrete] -[[investigation-resources-observability-alerts]] -== Access additional incident management and response resources - -Incident management resources can help you respond to alerts more efficiently and consistently. You can add these resources to a rule that you are <>. When an alert is generated from that rule, you can access the resources from the alert's details page. Below are the types of resources you can add to a rule and access from an alert's details page. - -* *Investigation guide*: An investigation guide provides step-by-step instructions and links to external resources for investigating and responding to alerts. On the alert's details page, you can access the guide from the **Investigation guide** tab. -* *Related and suggested dashboards*: (Only available for custom threshold rules) Dashboards can provide additional context and information about the alert. You can access them from the **Dashboards** tab on the alert's details page. Related dashboards are linked to the rule that generated the alert. Suggested dashboards are comprised of other dashboards that use lens visualizations that: -+ -** Query the same data view -** Use some of the same fields that are specified in the rule's configuration or are present in alert's genereated by the rule. - - - [discrete] [[clean-up-alerts-obs]] === Clean up alerts From 900eb0cde81cd47896bbcf5de365e8480ae08f9d Mon Sep 17 00:00:00 2001 
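Review bot: In step 2 of the related-alerts hunk, `alert IDs` cannot be a similarity signal, since each alert's ID is unique to that alert; if the intent is matching on the generating rule or on group values, name that instead. Step 1 is the first place the doc says candidates are limited to `Alerts in the space` and to roughly one day either side of the current alert; say explicitly that related alerts never cross spaces, because an analyst may otherwise expect correlation across them. Typos: `similiarites` should be `similarities`, `proccess` should be `process`, and `the time of which alerts were generated` should be `the time at which`.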
From: Nastasha Solomon Date: Wed, 10 Sep 2025 10:36:55 -0400 Subject: [PATCH 4/7] Removed duplicate section --- docs/en/observability/create-alerts.asciidoc | 36 +++++++------------- 1 file changed, 12 insertions(+), 24 deletions(-) diff --git a/docs/en/observability/create-alerts.asciidoc b/docs/en/observability/create-alerts.asciidoc index 7328aab296..1f45cc5296 100644 --- a/docs/en/observability/create-alerts.asciidoc +++ b/docs/en/observability/create-alerts.asciidoc 
@@ -93,30 +93,6 @@ a| * <> |=== -[discrete] -[[incident-management-resources-observability-alerts]] -=== Add incident management and response resources to rules - -Incident management resources can help you respond to alerts more efficiently and consistently. You can add these resources to a rule that you are creating or managing. When an alert is generated from that rule, the resources that you added can be accessed from the <>. Here are some resources you can add to a rule: - -* *Investigation guide*: An investigation guide provides step-by-step instructions and links to external resources for investigating and responding to alerts. On the alert's details page, you can access the guide from the **Investigation guide** tab. -* *Related and suggested dashboards*: (Only available for custom threshold rules) Dashboards can provide additional context and information about the alert. You can access them from the **Dashboards** tab on the alert's details page. Related dashboards are linked to the rule that generated the alert. Suggested dashboards are comprised of other dashboards that use lens visualizations that: -+ -** Query the same data view -** Use some of the same fields that are specified in the rule's configuration or are present in alert's genereated by the rule. - -[discrete] -[[add-investigation-resources-to-rules]] -=== Add resources for investigating alerts - -When creating or editing a rule, add the following resources to help you get started with investigating alerts: - -* **Investigation guide**: Investigation guides can help you respond to alerts more efficiently and consistently. When creating them, you can include instructions for responding to alerts, links to external supporting materials, and more. When the rule generates an alert, the investigation guide can be accessed from the **Investigation guide** tab on the <> -+ -TIP: Use Markdown to format and structure text in your investigation guide. 
-+ -* **Related and suggested dashboards**: (Only available for custom threshold rules) Link to dashboards that provide useful insights about your environment, active events, and any other information that might be relevant during your investigations. When the rule generates an alert, linked dashboards can be accessed from the **Related dashboards** tab on the alert's details page. From the tab, you can also review and add suggested dashboards. - [discrete] [[create-alerts-rules-details]] == View rule details @@ -148,6 +124,18 @@ list an alert on the {observability} Alerts page. Only alerts generated by rules relating to Applications, Logs, Infrastructure, Synthetics, and Uptime can be viewed on the Alerts page. +[discrete] +[[add-investigation-resources-to-rules]] +=== Add resources for investigating alerts + +When creating or editing a rule, add the following resources to help you get started with investigating alerts: + +* **Investigation guide**: Investigation guides can help you respond to alerts more efficiently and consistently. When creating them, you can include instructions for responding to alerts, links to external supporting materials, and more. When the rule generates an alert, the investigation guide can be accessed from the **Investigation guide** tab on the <> ++ +TIP: Use Markdown to format and structure text in your investigation guide. ++ +* **Related and suggested dashboards**: (Only available for custom threshold rules) Link to dashboards that provide useful insights about your environment, active events, and any other information that might be relevant during your investigations. When the rule generates an alert, linked dashboards can be accessed from the **Related dashboards** tab on the alert's details page. From the tab, you can also review and add suggested dashboards. + [discrete] [[create-alerts-configure]] == Configure alerts From d9cf91d86fe465cdd4f31398983ebe0f50fab8c7 Mon Sep 17 00:00:00 2001 
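Review bot: The re-added `=== Add resources for investigating alerts` section opens with `When creating or editing a rule`, but its new position is after the note about which rules appear on the Alerts page, inside the `== View and manage alerts` section rather than under rule creation; either move it under the rule-creation heading or retitle it to match its new parent. The `+` after the `TIP:` admonition still nests the dashboards bullet under the investigation guide bullet, and the investigation guide sentence still lacks a period after the xref. Removing the `[[incident-management-resources-observability-alerts]]` anchor is fine only if nothing links to it.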
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 10 Sep 2025 11:15:38 -0400 Subject: [PATCH 5/7] Update docs/en/observability/create-alerts.asciidoc --- docs/en/observability/create-alerts.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/observability/create-alerts.asciidoc b/docs/en/observability/create-alerts.asciidoc index 1f45cc5296..12c1ba1b71 100644 --- a/docs/en/observability/create-alerts.asciidoc +++ b/docs/en/observability/create-alerts.asciidoc @@ -130,7 +130,7 @@ can be viewed on the Alerts page. When creating or editing a rule, add the following resources to help you get started with investigating alerts: -* **Investigation guide**: Investigation guides can help you respond to alerts more efficiently and consistently. When creating them, you can include instructions for responding to alerts, links to external supporting materials, and more. When the rule generates an alert, the investigation guide can be accessed from the **Investigation guide** tab on the <> +* **Investigation guide**: Investigation guides can help you respond to alerts more efficiently and consistently. When creating them, you can include instructions for responding to alerts, links to external supporting materials, and more. When the rule generates an alert, the investigation guide can be accessed from the **Investigation guide** tab on the <> + TIP: Use Markdown to format and structure text in your investigation guide. + From 0a3bd7d9affd74855337dfb4abac209d00e3ea8b Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 23 Sep 2025 14:23:47 -0400 Subject: [PATCH 6/7] Technical and editorial feedback --- docs/en/observability/create-alerts.asciidoc | 4 ++-- docs/en/observability/view-observability-alerts.asciidoc | 8 +++++--- 2 files changed, 7 insertions(+), 5 deletions(-) 
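Review bot: The `-` and `+` lines of this hunk read identically here, so the xref retarget cannot be reviewed from the text; confirm the new target resolves in a local build. While touching the line, add the missing period after the xref.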
diff --git a/docs/en/observability/create-alerts.asciidoc b/docs/en/observability/create-alerts.asciidoc index 12c1ba1b71..260424966d 100644 --- a/docs/en/observability/create-alerts.asciidoc +++ b/docs/en/observability/create-alerts.asciidoc 
@@ -130,11 +130,11 @@ can be viewed on the Alerts page. When creating or editing a rule, add the following resources to help you get started with investigating alerts: -* **Investigation guide**: Investigation guides can help you respond to alerts more efficiently and consistently. When creating them, you can include instructions for responding to alerts, links to external supporting materials, and more. When the rule generates an alert, the investigation guide can be accessed from the **Investigation guide** tab on the <> +* **Investigation guide**: Investigation guides can help you respond to alerts more efficiently and consistently. When creating them, you can include instructions for responding to alerts, links to external supporting materials, and more. When the rule generates an alert, the investigation guide can be accessed from the **Investigation guide** tab on the alert details page. + TIP: Use Markdown to format and structure text in your investigation guide. + -* **Related and suggested dashboards**: (Only available for custom threshold rules) Link to dashboards that provide useful insights about your environment, active events, and any other information that might be relevant during your investigations. When the rule generates an alert, linked dashboards can be accessed from the **Related dashboards** tab on the alert's details page. From the tab, you can also review and add suggested dashboards. +* **Related and suggested dashboards**: Link to dashboards that provide useful insights about your environment, active events, and any other information that might be relevant during your investigations. When the rule generates an alert, linked dashboards can be accessed from the **Related dashboards** tab on the alert's details page. From the tab, you can also review and add suggested dashboards (available for custom threshold rules only). [discrete] [[create-alerts-configure]] 
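Review bot: Replacing the xref with the plain phrase `alert details page` introduces a second name for the same page: the next bullet and view-observability-alerts.asciidoc say `alert's details page`; pick one, and keep a link if the page has an anchor, since the sentence is telling the reader where to find the guide. Moving `(available for custom threshold rules only)` onto the suggested dashboards sentence is the right fix; the earlier placement read as restricting related dashboards too. The `+` continuation after `TIP:` is unchanged and still nests the second bullet.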
diff --git a/docs/en/observability/view-observability-alerts.asciidoc b/docs/en/observability/view-observability-alerts.asciidoc index ba4c03c0ef..d8d19038a5 100644 --- a/docs/en/observability/view-observability-alerts.asciidoc +++ b/docs/en/observability/view-observability-alerts.asciidoc 
@@ -62,12 +62,14 @@ To view the alert in the app that triggered it: [[view-related-alerts]] == Review related alerts -Check related alerts for patterns and recurring events that might need further investigation. From an alert's details page, go to the **Related alerts** tab to view related alerts. Within the table, alerts are ordered from most to least relevant. To only view alerts that were created around the same time as the current alert (+/- 30 minutes), apply the **Triggered around the same time** filter. +Check related alerts to find other alerts that might be related to the same incident. You can add these alerts to a case and investigate them as a group instead of analyzing them individually. -The relevancy of other alerts is determined by how closely they match the current alert and other similiarites that they might share. The relevancy scoring proccess is briefly outlined below: +From an alert's details page, go to the **Related alerts** tab to view related alerts. Within the table, alerts are ordered from most to least relevant. To only view alerts that were created around the same time as the current alert (+/- 30 minutes), apply the **Triggered around the same time** filter. + +The relevancy of alerts is determined by how closely they match the current alert and other similiarites that they might share. . Alerts in the space are filtered down to only include alerts that were created about one day before or after the current alert. -. Data from the new subset of alerts is compared against the current alert to identify matching values and similarities. Data such as the time of which alerts were generated or recovered, tags added to the alerts, alert IDs, and more are evaluated. +. Data from the new subset of alerts is compared against the current alert to identify matching values and similarities. Data such as the time at which alerts were generated or recovered, tags added to the alerts, group values, and more are evaluated. . 
Alerts are scored based on how closely they match the current alert. Alerts with a score above a certain threshold are considered relevant and are included in the list of related alerts. [discrete] From c6cf4b6f94970e3372e5a2c74d0d184c32edb3fe Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 26 Sep 2025 10:59:12 -0400 Subject: [PATCH 7/7] Update docs/en/observability/view-observability-alerts.asciidoc --- docs/en/observability/view-observability-alerts.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/observability/view-observability-alerts.asciidoc b/docs/en/observability/view-observability-alerts.asciidoc index d8d19038a5..c689a81c1b 100644 --- a/docs/en/observability/view-observability-alerts.asciidoc +++ b/docs/en/observability/view-observability-alerts.asciidoc @@ -66,7 +66,7 @@ Check related alerts to find other alerts that might be related to the same inci From an alert's details page, go to the **Related alerts** tab to view related alerts. Within the table, alerts are ordered from most to least relevant. To only view alerts that were created around the same time as the current alert (+/- 30 minutes), apply the **Triggered around the same time** filter. -The relevancy of alerts is determined by how closely they match the current alert and other similiarites that they might share. +The relevancy of alerts is determined by how closely they match the current alert and other similiarites that they might share: . Alerts in the space are filtered down to only include alerts that were created about one day before or after the current alert. . Data from the new subset of alerts is compared against the current alert to identify matching values and similarities. Data such as the time at which alerts were generated or recovered, tags added to the alerts, group values, and more are evaluated.
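Review bot: The patch 6 hunk drops the colon from `other similiarites that they might share.` and follows that sentence directly with the ordered list, so the list no longer reads as an enumeration of the sentence; keep the colon. Replacing `alert IDs` with `group values` fixes the step 2 logic (an alert ID is unique to one alert and cannot match another). The new lead paragraph should still state that the candidate set is limited to the current space, which step 1 implies but an analyst reading only the intro will miss.

Review bot: The patch 7 hunk restores the colon but leaves `similiarites` in the final text; change it to `similarities` in the same one-line fix.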