adds some content from toi

nastasha-solomon · nastasha-solomon · commit 17656145db1b · 2025-10-11T23:11:09.000-04:00
diff --git a/explore-analyze/alerts-cases/cases.md b/explore-analyze/alerts-cases/cases.md
@@ -27,11 +27,7 @@ If you create cases in the {{observability}} or {{security-app}}, they are not v
 * [Configure access to cases](cases/setup-cases.md)
 * [Open and manage cases](cases/manage-cases.md)
 * [Configure case settings](cases/manage-cases-settings.md)
-
-
-::::{note} 
-{applies_to}`stack: ga 9.2` With the appropriate index access, you can [build visualizations and metrics](../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space.
-::::
+* {applies_to}`stack: preview 9.2`[Use cases as data](cases/cases-as-data.md)
 
 ## Limitations [kibana-case-limitations]
 
diff --git a/explore-analyze/alerts-cases/cases/cases-as-data.md b/explore-analyze/alerts-cases/cases/cases-as-data.md
@@ -1,80 +1,47 @@
 ---
 applies_to:
-  stack: ga 9.2
-  serverless: ga
-products:
-  - id: kibana
+  deployment:
+    ess: preview 9.2
+    ece: preview 9.2
 ---
 
-# Visualize case data [visualize-case-data]
+# Use cases as data [use-cases-as-data]
 
-Case data, such as details about comments, activities, and attachments, is collected in case analytics indices. You can query these indices to build dashboards and metrics that improve your visibility into case patterns and trends. 
+The cases as data feature lets you visualize data about cases in your [space](/deploy-manage/manage-spaces.md). After turning it on, you can query case data from dedicated case analytics indices and build dashboards and visualizations to track case trends and operational metrics. This information is particularly useful when reporting on key performance indicators (KPIs) such as Mean Time To Respond (MTTR), case severity trends, and analyst workload.
 
-::::{admonition} Requirements
-
-To visualize case data, you must do the following:
+## Turn on cases as data [turn-on-cases-as-data]
 
-* {applies_to}`stack: ga` Turn on the case analytics indices feature by adding `xpack.cases.incrementalId.enabled: true` to your [`kibana.yml`](/deploy-manage/stack-settings.md) file.
-* Ensure your role has at least `read` and `view_index_metadata` access to the appropriate case anlaytics indices.
-* (Optional) If you don't have cases, create a new one in a {{kib}} space to automatically generate the case analytics indices. 
+To turn on cases as data, add `xpack.cases.incrementalId.enabled: true` to your [`kibana.yml`](/deploy-manage/stack-settings.md) file.
 
+::::{warning} 
+3 tasks will be created that each execute in 5 minute interval. If you have lots of spaces with cases (for example, dozens), we do not reccomend enabling this feature as it will clog up task manager.
 ::::
 
-## About case analytics indices [about-case-analytics-indices]
+## Create and manage indices for case data [create-manage-case-analytics-indices]
 
-After turning on the case analytics indices feature, your {{kib}} spaces are checked for case data. {{es}} automatically creates case analytics indices for Stack Management, {{observability}}, and Security in each {{kib}} space that has cases. {{es}} automatically creates aliases for the case analytics indices as well.
+After turning on cases as data, you do not need to manually create the analytics indices. {{es}} automatically creates the indices in any space with cases and for each solution ({{stack-manage-app}}, {{observability}}, and Security cases). To form the analytics indices, it indexes general data about cases and data related to case comments, attachments, and activity.
 
-The case analytics indices are updated very five minutes with a snapshot of most current cases data in your spaces. Historical data for cases is not stored; it gets overwritten whenever the indices are refreshed.
+You also do not need to manually manage the analytics indices' index lifecycle management (ILM) policies. The indices are updated by a background task that runs every five minutes and applies a snapshot of the most current cases data. Note that historical case data is not retained; it gets overwritten whenever the indices are refreshed.
 
 ::::{note} 
-It may take up to an hour for case analytics indices to form in a new {{kib}} space. 
+After you create cases, {{es}} may take up to 10 minutes to index the new case data. If you create a new space, it can take up to an hour for new case analytics indices to form.  
 ::::
 
-### General case data
-
-These indices store general data related to cases created in Stack Management, {{observability}}, and Security.
-
-| Index    | Alias | Created for | 
-| ---------------------------- | ---------------------- |----------------------------------------- | 
-| `.internal.cases.<space-name>-cases` |  `.cases.<space-name>-cases` | Stack Management cases  | 
-| `.internal.cases.<space-name>-observability` |  `.cases.<space-name>-observability` | {{observability}} cases   | 
-| `.internal.cases.<space-name>-securitysolution` |  `.cases.<space-name>-securitysolution` | Security cases  | 
-
-### Case comments
-
-These indices store data related to comments in Stack Management, {{observability}}, and Security cases.
-
-| Index    | Alias | Created for | 
-| ---------------------------- | ---------------------- |----------------------------------------- | 
-| `.internal.cases-comments.<space-name>-cases` |  `.cases-comments.<space-name>-cases` | Stack Management cases    | 
-| `.internal.cases-comments.<space-name>-observability` |  `.cases-comments.<space-name>-observability` | {{observability}} cases    | 
-| `.internal.cases-comments.<space-name>-securitysolution` |  `.cases-comments.<space-name>-securitysolution` | Security cases   | 
-
+## Explore case data [understand-case-analytics-indices]
 
-### Case attachments
-
-These indices store data related to attachments in Stack Management, {{observability}}, and Security cases.
-
-| Index    | Alias | Created for | 
-| ---------------------------- | ---------------------- |----------------------------------------- | 
-| `.internal.cases-attachments.<space-name>-cases` |  `.cases-attachments.<space-name>-cases` | Stack Management cases    | 
-| `.internal.cases-attachments.<space-name>-observability` |  `.cases-attachments.<space-name>-observability` | {{observability}} cases    | 
-| `.internal.cases-attachments.<space-name>-securitysolution` |  `.cases-attachments.<space-name>-securitysolution` | Security cases    | 
-
-### Case activity
+::::{admonition} Requirements
 
-These indices store data related to activity in Stack Management, {{observability}}, and Security cases.
+* Your role has at least `read` and `view_index_metadata` access to the appropriate [case anlaytics indices](/explore-analyze/alerts-cases.md/cases/cases-as-data.md#case-analytics-indices).
+* You must have the appropriate subscription. Refer to the subscription page for [Elastic Cloud](https://www.elastic.co/subscriptions/cloud) and [Elastic Stack/self-managed](https://www.elastic.co/subscriptions) for the breakdown of available features and their associated subscription tiers.
 
-| Index    | Alias | Created for | 
-| ---------------------------- | ---------------------- |----------------------------------------- | 
-| `.internal.cases-activity.<space-name>-cases` |  `.cases-activity.<space-name>-cases` | Stack Management cases    | 
-| `.internal.cases-activity.<space-name>-observability` |  `.cases-activity.<space-name>-observability` | {{observability}} cases    | 
-| `.internal.cases-activity.<space-name>-securitysolution` |  `.cases-activity.<space-name>-securitysolution` | Security cases    | 
+::::
 
+To explore case data:
 
-## Explore case data [explore-case-analytics-indices]
+1. Create a [data view](/explore-analyze/find-and-organize/data-views.md) that uses any of the [case analytics indices](/explore-analyze/alerts-cases/cases/cases-as-data.md#case-analytics-indices).
+2. Search and filter the case data in [Discover](../../discover.md) or build visualizations for dashboards in [Lens](../../visualize/lens.md). 
 
-Search and filter case data in [Discover](../../discover.md) and [Lens](../../visualize/lens.md), and build visualizations for [dashboards](../../dashboards.md). To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover.
+To help you start visualizing your case data, here are some sample {{esql}} queries that you can run from the [{{esql}} editor](../../../explore-analyze/query-filter/languages/esql-kibana.md#esql-kibana-get-started) in Discover.
 
 * Find the total number of open cases in the default {{kib}} space:
 
@@ -106,7 +73,51 @@ Search and filter case data in [Discover](../../discover.md) and [Lens](../../vi
   FROM .internal.cases.default-securitysolution | STATS average_time_to_close = AVG(time_to_resolve)
   ```
 
-::::{tip} 
-To learn more about queryable fields in the indices, refer to 
-% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) 
-::::
+## Case analytics indices names and aliases
+
+This section provides the names and aliases of the case analytics indices that {{es}} creates per space and solution. Note that `<space-name>` is a placeholder for the name of a space.  
+
+::::{note} 
+Go to
+% [Case analytics indices schema](kibana://reference/case-analytics-indices-schema.md) for schema details. 
+::::
+
+### Indices for general case data 
+
+These indices store general data about cases. 
+
+| Index    | Alias | Created for | 
+| ---------------------------- | ---------------------- |----------------------------------------- | 
+| `.internal.cases.<space-name>-cases` |  `.cases.<space-name>-cases` | Stack Management cases  | 
+| `.internal.cases.<space-name>-observability` |  `.cases.<space-name>-observability` | {{observability}} cases   | 
+| `.internal.cases.<space-name>-securitysolution` |  `.cases.<space-name>-securitysolution` | Security cases  | 
+
+### Indices for case comments
+
+These indices store data related to comments in Stack Management, {{observability}}, and Security cases.
+
+| Index    | Alias | Created for | 
+| ---------------------------- | ---------------------- |----------------------------------------- | 
+| `.internal.cases-comments.<space-name>-cases` |  `.cases-comments.<space-name>-cases` | Stack Management cases    | 
+| `.internal.cases-comments.<space-name>-observability` |  `.cases-comments.<space-name>-observability` | {{observability}} cases    | 
+| `.internal.cases-comments.<space-name>-securitysolution` |  `.cases-comments.<space-name>-securitysolution` | Security cases   | 
+
+### Indices for case attachments 
+
+These indices store data related to attachments in Stack Management, {{observability}}, and Security cases.
+
+| Index    | Alias | Created for | 
+| ---------------------------- | ---------------------- |----------------------------------------- | 
+| `.internal.cases-attachments.<space-name>-cases` |  `.cases-attachments.<space-name>-cases` | Stack Management cases    | 
+| `.internal.cases-attachments.<space-name>-observability` |  `.cases-attachments.<space-name>-observability` | {{observability}} cases    | 
+| `.internal.cases-attachments.<space-name>-securitysolution` |  `.cases-attachments.<space-name>-securitysolution` | Security cases    | 
+
+### Indices for case activity [case-activity-indices]
+
+These indices store data related to activity in Stack Management, {{observability}}, and Security cases.
+
+| Index    | Alias | Created for | 
+| ---------------------------- | ---------------------- |----------------------------------------- | 
+| `.internal.cases-activity.<space-name>-cases` |  `.cases-activity.<space-name>-cases` | Stack Management cases    | 
+| `.internal.cases-activity.<space-name>-observability` |  `.cases-activity.<space-name>-observability` | {{observability}} cases    | 
+| `.internal.cases-activity.<space-name>-securitysolution` |  `.cases-activity.<space-name>-securitysolution` | Security cases    | 
diff --git a/explore-analyze/toc.yml b/explore-analyze/toc.yml
@@ -365,5 +365,5 @@ toc:
           - file: alerts-cases/cases/setup-cases.md
           - file: alerts-cases/cases/manage-cases.md
           - file: alerts-cases/cases/manage-cases-settings.md
-          - file: alerts-cases/cases/visualize-case-data.md   
+          - file: alerts-cases/cases/cases-as-data.md   
   - file: numeral-formatting.md
diff --git a/solutions/observability/incident-management/cases.md b/solutions/observability/incident-management/cases.md
@@ -17,8 +17,9 @@ Collect and share information about observability issues by creating a case. Cas
 :screenshot:
 :::
 
-::::{note} 
-{applies_to}`stack: ga 9.2` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space.
+::::{tip}
+:applies_to: stack: preview 9.2
+After creating cases, use case data to build dashboards and visualizations that give you insights into case trends and operational metrics. Refer to [Use cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more.
 ::::
 
 ## Limitations [observability-case-limitations]
diff --git a/solutions/security/investigate/cases.md b/solutions/security/investigate/cases.md
@@ -30,10 +30,12 @@ You can also send cases to these external systems by [configuring external conne
 :screenshot:
 :::
 
-::::{note} 
-{applies_to}`stack: ga 9.2` With the appropriate index access, you can [build visualizations and metrics](../../../explore-analyze/alerts-cases/cases/visualize-case-data.md) of data in {{observability}}, {{stack-manage-app}}, and {{elastic-sec}} cases. This can provide improved visibility into patterns and trends of cases within your space.
+::::{tip}
+:applies_to: stack: preview 9.2
+After creating cases, use case data to build dashboards and visualizations that give you insights into case trends and operational metrics. Refer to [Cases as data](/explore-analyze/alerts-cases/cases/cases-as-data.md) to learn more.
 ::::
 
+
 ## Limitations [security-case-limitations]
 
 * If you create cases in the {{security-app}}, they are not visible from {{observability}} or {{stack-manage-app}}. Likewise, the cases you create in {{stack-manage-app}} are not visible in {{elastic-sec}} or {{observability}}.
