elastic · nastasha-solomon · Sep 26, 2025 · Sep 10, 2025 · Sep 10, 2025 · Sep 10, 2025
@@ -124,6 +124,18 @@ list an alert on the {observability} Alerts page.
 Only alerts generated by rules relating to Applications, Logs, Infrastructure, Synthetics, and Uptime
 can be viewed on the Alerts page.
 
+[discrete]
+[[add-investigation-resources-to-rules]]
+=== Add resources for investigating alerts
+
+When creating or editing a rule, add the following resources to help you get started with investigating alerts:
+
+* **Investigation guide**: Investigation guides can help you respond to alerts more efficiently and consistently. When creating them, you can include instructions for responding to alerts, links to external supporting materials, and more. When the rule generates an alert, the investigation guide can be accessed from the **Investigation guide** tab on the <<view--alert-detail, alert details page>>
++
+TIP: Use Markdown to format and structure text in your investigation guide.
++
+* **Related and suggested dashboards**: (Only available for custom threshold rules) Link to dashboards that provide useful insights about your environment, active events, and any other information that might be relevant during your investigations. When the rule generates an alert, linked dashboards can be accessed from the **Related dashboards** tab on the alert's details page. From the tab, you can also review and add suggested dashboards.
+
 [discrete]
 [[create-alerts-configure]]
 == Configure alerts

@@ -58,6 +58,18 @@ To view the alert in the app that triggered it:
 * From the alert detail flyout, click *View in app*.
 * From the Alerts table, click the image:images/icons/eye.svg[View in app] icon.
 
+[discrete]
+[[view-related-alerts]]
+== Review related alerts 
+
+Check related alerts for patterns and recurring events that might need further investigation. From an alert's details page, go to the **Related alerts** tab to view related alerts. Within the table, alerts are ordered from most to least relevant. To only view alerts that were created around the same time as the current alert (+/- 30 minutes), apply the **Triggered around the same time** filter.
+
+The relevancy of other alerts is determined by how closely they match the current alert and other similiarites that they might share. The relevancy scoring proccess is briefly outlined below:
+
+. Alerts in the space are filtered down to only include alerts that were created about one day before or after the current alert. 
+. Data from the new subset of alerts is compared against the current alert to identify matching values and similarities. Data such as the time of which alerts were generated or recovered, tags added to the alerts, alert IDs, and more are evaluated.
+. Alerts are scored based on how closely they match the current alert. Alerts with a score above a certain threshold are considered relevant and are included in the list of related alerts.
+
 [discrete]
 [[understand-alert-statuses]]
 == Understand alert statuses
@@ -119,22 +131,24 @@ NOTE: Each case can have a maximum of 1,000 alerts.
 
 To add an alert to a new case:
 
-. Select **Add to new case**.
+. From the **More actions** menu (image:images/icons/boxesHorizontal.svg[More actions]) in the Alerts table or the alert detail flyout, click *Alert details*, then select **Add to new case**.
 . Enter a case name, add relevant tags, and include a case description.
 . Under *External incident management system*, select a connector. If you’ve previously added one, that connector
 displays as the default selection. Otherwise, the default setting is No connector selected.
-. After you’ve completed all of the required fields, click *Create case*. A notification message confirms you successfully
-created the case. To view the case details, click the notification link or go to the <<create-cases,Cases>> page.
+. After you’ve completed all of the required fields, click *Create case*. 
+
+After creating the case, a confirmation message with an option to view the newly-created case displays. Click the notification link or go to the <<create-cases,Cases>> page to view the case details.
 
 [discrete]
 [[existing-case-observability-alerts]]
 === Add an alert to an existing case
 
 To add an alert to an existing case:
 
-. Select **Add to existing case**.
-. From the Select case pane, select the case for which to attach an alert. A confirmation message displays
-with an option to view the updated case. To view the case details, click the notification link or go to the <<create-cases,Cases>> page.
+. From the **More actions** menu (image:images/icons/boxesHorizontal.svg[More actions]) in the Alerts table or the alert detail flyout, click *Alert details*, select **Add to existing case**.
+. Select the case for which to attach an alert. 
+
+After choosing a case, a confirmation message with an option to view the updated case displays. Click the notification link or go to the <<create-cases,Cases>> page to view the case details.
 
 [discrete]
 [[clean-up-alerts-obs]]