[Cases][9.2] Cases as data feature docs (elastic#2220)

nastasha-solomon · mdbirnstiehl · web-flow · commit eaa3c5d3064f · 2025-10-23T17:59:39.000-04:00
Contributes to elastic#1716 by documenting how to visualize case data using the new case analytics indices. Preview: - [Cases as data](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2220/explore-analyze/alerts-cases/cases/cases-as-data): New page for the cases as data feature. - [Stack cases](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2220/explore-analyze/alerts-cases/cases): Added link to docs for the cases as data feature. Also added a limitations section to better highlight feature limits that users need to be aware of. - [Observability cases](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2220/solutions/observability/incident-management/cases) : Added note letting users know about the cases as data feature. Also added a limitations section to better highlight feature limits that users need to be aware of. - [Security cases](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2220/solutions/security/investigate/cases): Same changes as above. **Related PR:** elastic/kibana#229036 --------- Co-authored-by: Mike Birnstiehl <114418652+mdbirnstiehl@users.noreply.github.com>
diff --git a/explore-analyze/alerts-cases/cases.md b/explore-analyze/alerts-cases/cases.md
@@ -27,3 +27,9 @@ If you create cases in the {{observability}} or {{security-app}}, they are not v
 * [Configure access to cases](cases/setup-cases.md)
 * [Open and manage cases](cases/manage-cases.md)
 * [Configure case settings](cases/manage-cases-settings.md)
+* {applies_to}`stack: preview 9.2` {applies_to}`serverless: unavailable`[Use cases as data](cases/cases-as-data.md)
+
+## Limitations [kibana-case-limitations]
+
+* If you create cases in {{stack-manage-app}}, they are not visible from {{observability}} or the {{security-app}}. Likewise, the cases you create in {{observability}} are not visible in {{stack-manage-app}} or {{elastic-sec}}. 
+* You cannot attach alerts from {{observability}} or {{elastic-sec}} to cases in {{stack-manage-app}}.
diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md
@@ -0,0 +1,126 @@
+---
+applies_to:
+  stack: preview 9.2
+  serverless: unavailable
+---
+
+# Use cases as data [use-cases-as-data]
+
+The cases as data feature lets you visualize data about cases in your [space](/deploy-manage/manage-spaces.md). After turning it on, you can query case data from dedicated case analytics indices and build dashboards and visualizations to track case trends and operational metrics. This information is particularly useful when reporting on key performance indicators (KPIs) such as Mean Time To Respond (MTTR), case severity trends, and analyst workload.
+
+::::{admonition} Requirements
+To use cases as data, you must have the appropriate subscription. Refer to the subscription page for [Elastic Cloud](https://www.elastic.co/subscriptions/cloud) and [Elastic Stack/self-managed](https://www.elastic.co/subscriptions) for the breakdown of available features and their associated subscription tiers.
+::::
+
+## Turn on cases as data [turn-on-cases-as-data]
+
+To turn on cases as data, add `xpack.cases.analytics.index.enabled: true` to your [`kibana.yml`](/deploy-manage/stack-settings.md) file.
+
+::::{warning} 
+We only recommend turning this feature on if your deployment has 10 or fewer spaces with cases. The background tasks that refresh the case analytics indices in each space are run every five minutes and may overload Task Manager.  
+::::
+
+## Create and manage indices for case data [create-manage-case-analytics-indices]
+
+After turning on cases as data, you do not need to manually create the analytics indices. {{es}} will automatically create them for you in any space with cases and for each solution ({{stack-manage-app}}, {{observability}}, and Security). The indices are populated with general case data as well as data related to case comments, attachments, and activity.
+
+You also do not need to manually manage the lifecycle policies of the analytics indices. Every five minutes, a background task runs to refresh the indices with a snapshot of the most current cases data. During the refresh, historical case data is overwritten. 
+
+::::{note} 
+- After making new cases, it may take up to 10 minutes to index the new case data. 
+- After making a new space, it can take up to an hour for the case analytics indices for that space to form.  
+::::
+
+## Grant access to case analytics indices [case-analytics-indices-privs]
+
+Ensure your role has at least `read` and `view_index_metadata` access to the appropriate [case analytics indices](../../../explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names).
+
+## Explore case data with Discover and Lens [explore-case-data]
+
+Use [Discover](../../discover.md) and [Lens](../../visualize/lens.md) to search and filter your case data and display your findings in visualizations. 
+
+To get started, create a [{{data-source}}](../../find-and-organize/data-views.md) that points to one or more [case analytics indices or their aliases](../../../explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices-names). To point to all case analytics indices in your space, use the `.internal.cases*` index pattern.
+
+::::{note} 
+Case data is stored in hidden indices. You can display hidden indices by selecting **Show advanced settings**, then turning on **Allow hidden and system indices**. 
+::::
+
+You can also interact with your case data using [{{esql}} in Discover](../../../explore-analyze/discover/try-esql.md). Here are some sample queries to get you started: 
+
+* Find the total number of open {{observability}} cases in the default space:
+
+  ```console
+  FROM .internal.cases.observability-default | STATS count = COUNT(*) BY status | WHERE status  == "open"
+  ```
+
+* Find the total number of in progress Stack Management cases in the default space:
+
+  ```console
+  FROM .internal.cases.cases-default | STATS count = COUNT(*) BY status | WHERE status  == "in-progress"
+  ```
+
+* Find the total number of closed {{observability}} cases in the default space:
+
+  ```console
+  FROM .internal.cases.observability-default | STATS count = COUNT(*) BY status | WHERE status  == "closed"
+  ```
+
+* Find Security cases that are open in the default space, and sort them by time, with the most recent at the top:
+
+  ```console
+  FROM .internal.cases.securitysolution-default | WHERE status  == "open" | SORT created_at DESC
+  ```
+
+* Find the average time that it takes to close Security cases in the default space:
+
+  ```console
+  FROM .internal.cases.securitysolution-default | STATS average_time_to_close = AVG(time_to_resolve)
+  ```
+
+## Case analytics indices names and aliases [case-analytics-indices-names]
+
+{{es}} automatically creates the following case analytics indices and their aliases in spaces with case data. 
+
+% ::::{note} 
+% Go to [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) for schema details. 
+% ::::
+
+### General case data 
+
+These indices store general data about cases. 
+
+| Index    | Alias | Created for | 
+| ---------------------------- | ---------------------- |----------------------------------------- | 
+| `.internal.cases.cases-<space-name>` |  `.cases.cases-<space-name>` | Stack Management cases  | 
+| `.internal.cases.observability-<space-name>` |  `.cases.observability-<space-name>` | {{observability}} cases   | 
+| `.internal.cases.securitysolution-<space-name>` |  `.cases.securitysolution-<space-name>` | Security cases  | 
+
+### Case comments
+
+These indices store data related to comments.
+
+| Index    | Alias | Created for | 
+| ---------------------------- | ---------------------- |----------------------------------------- | 
+| `.internal.cases-comments.cases-<space-name>` |  `.cases-comments.cases-<space-name>` | Stack Management cases    | 
+| `.internal.cases-comments.observability-<space-name>` |  `.cases-comments.observability-<space-name>` | {{observability}} cases    | 
+| `.internal.cases-comments.securitysolution-<space-name>` |  `.cases-comments.securitysolution-<space-name>` | Security cases   | 
+
+### Case attachments 
+
+These indices store data related to attachments.
+
+| Index    | Alias | Created for | 
+| ---------------------------- | ---------------------- |----------------------------------------- | 
+| `.internal.cases-attachments.cases-<space-name>` |  `.cases-attachments.cases-<space-name>` | Stack Management cases    | 
+| `.internal.cases-attachments.observability-<space-name>` |  `.cases-attachments.observability-<space-name>` | {{observability}} cases    | 
+| `.internal.cases-attachments.securitysolution-<space-name>` |  `.cases-attachments.securitysolution-<space-name>` | Security cases    | 
+
+### Case activity 
+
+These indices store data related to activity.
+
+| Index    | Alias | Created for | 
+| ---------------------------- | ---------------------- |----------------------------------------- | 
+| `.internal.cases-activity.cases-<space-name>` |  `.cases-activity.cases-<space-name>` | Stack Management cases    | 
+| `.internal.cases-activity.observability-<space-name>` |  `.cases-activity.observability-<space-name>` | {{observability}} cases    | 
+| `.internal.cases-activity.securitysolution-<space-name>` |  `.cases-activity.securitysolution-<space-name>` | Security cases    | 
diff --git a/explore-analyze/toc.yml b/explore-analyze/toc.yml
@@ -329,4 +329,5 @@ toc:
           - file: alerts-cases/cases/setup-cases.md
           - file: alerts-cases/cases/manage-cases.md
           - file: alerts-cases/cases/manage-cases-settings.md
+          - file: alerts-cases/cases/cases-as-data.md   
   - file: numeral-formatting.md
diff --git a/solutions/observability/incident-management/cases.md b/solutions/observability/incident-management/cases.md
@@ -15,4 +15,14 @@ Collect and share information about observability issues by creating a case. Cas
 :::{image} /solutions/images/observability-cases.png
 :alt: Cases page
 :screenshot:
-:::
+:::
+
+::::{tip}
+:applies_to: {stack: preview 9.2, serverless: unavailable}
+After creating cases, use case data to build dashboards and visualizations that provide insights into case trends and operational metrics. Refer to [Use cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more.
+::::
+
+## Limitations [observability-case-limitations]
+
+* If you create cases in {{observability}}, they are not visible from the {{security-app}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in the {{observability}} or {{elastic-sec}}. 
+* You cannot attach alerts from {{elastic-sec}} or {{stack-manage-app}} to cases in {{observability}}.
diff --git a/solutions/security/investigate/cases.md b/solutions/security/investigate/cases.md
@@ -30,11 +30,19 @@ You can also send cases to these external systems by [configuring external conne
 :screenshot:
 :::
 
-::::{note}
-From {{elastic-sec}} in the {{stack}}, you cannot access cases created in {{observability}} or Stack Management.
+::::{tip}
+:applies_to: {stack: preview 9.2, serverless: unavailable}
+After creating cases, use case data to build dashboards and visualizations that provide insights into case trends and operational metrics. Refer to [Cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more.
 ::::
 
 
+## Limitations [security-case-limitations]
+
+* If you create cases in the {{security-app}}, they are not visible from {{observability}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in {{elastic-sec}} or {{observability}}.
+* You cannot attach alerts from the {{observability}} or {{stack-manage-app}} to cases in {{elastic-sec}}.
+
+
+
 
 
 
