elastic · nastasha-solomon · Oct 23, 2025 · Oct 7, 2025 · Oct 7, 2025 · Oct 7, 2025
@@ -15,6 +15,8 @@ Cases are used to open and track issues directly in {{kib}}. You can add assigne
 
 {applies_to}`stack: preview` {applies_to}`serverless: preview` You can also optionally add custom fields and case templates.
 
+{applies_to}`stack: ga 9.2` Cases are automatically assigned human-readable numeric IDs, which you can use for easier referencing. Each time you create a new case in your [space](docs-content://deploy-manage/manage-spaces.md), the case ID increments by one. You can find the ID after the case's name and can use it while searching the Cases table. 
+
 :::{image} /explore-analyze/images/kibana-cases-list.png
 :alt: Cases page
 :screenshot:

diff --git a/explore-analyze/alerts-cases/cases/manage-cases.md b/explore-analyze/alerts-cases/cases/manage-cases.md
@@ -137,4 +137,4 @@ To view a case, click on its name. You can then:
 * Change the status.
 * Change the severity.
 * Close or delete the case.
-* Reopen a closed case.
+* Reopen a closed case. 
@@ -12,6 +12,8 @@ navigation_title: Cases
 
 Collect and share information about observability issues by creating a case. Cases allow you to track key investigation details, add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to third-party systems by [configuring external connectors](/solutions/observability/incident-management/configure-case-settings.md).
 
+{applies_to}`stack: ga 9.2` Cases are automatically assigned human-readable numeric IDs, which you can use for easier referencing. Each time you create a new case in your [space](docs-content://deploy-manage/manage-spaces.md), the case ID increments by one. You can find the ID after the case's name and can use it while searching the Cases table. 
+
 :::{image} /solutions/images/observability-cases.png
 :alt: Cases page
 :screenshot:

@@ -16,6 +16,8 @@ navigation_title: Cases
 
 Collect and share information about security issues by opening a case in {{elastic-sec}}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {{elastic-sec}} UI provides several ways to create and manage cases. Alternatively, you can use the [cases API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-cases) to perform the same tasks.
 
+{applies_to}`stack: ga 9.2` Cases are automatically assigned human-readable numeric IDs, which you can use for easier referencing. Each time you create a new case in your [space](docs-content://deploy-manage/manage-spaces.md), the case ID increments by one. You can find the ID after the case's name and can use it while searching the Cases table. 
+
 You can also send cases to these external systems by [configuring external connectors](/solutions/security/investigate/configure-case-settings.md#cases-ui-integrations):
 
 * {{sn-itsm}}

@@ -45,12 +45,6 @@ Open a new case to keep track of security issues and share their details with co
     If you’ve selected a connector for the case, the case is automatically pushed to the third-party system it’s connected to.
     ::::
 
-
-:::{image} /solutions/images/security-cases-ui-open.png
-:alt: Shows an open case
-:screenshot:
-:::
-
 % Check with Lisa if email notifications is an ESS-only feature. Not in Serverless docs: https://www.elastic.co/guide/en/serverless/current/security-cases-open-manage.html
 
 ## Add email notifications [cases-ui-notifications]
@@ -82,11 +76,6 @@ When you subsequently add assignees to cases, they receive an email.
 
 From the Cases page, you can search existing cases and filter them by attributes such as assignees, categories, severity, status, and tags. You can also select multiple cases and use bulk actions to delete cases or change their attributes. General case metrics, including how long it takes to close cases, are provided above the table.
 
-:::{image} /solutions/images/security-cases-home-page.png
-:alt: Case UI Home
-:screenshot:
-:::
-
 To explore a case, click on its name. You can then:
 
 * [Review the case summary](/solutions/security/investigate/open-manage-cases.md#cases-summary)
@@ -119,12 +108,6 @@ Click on an existing case to access its summary. The case summary, located under
 * **In progress duration**: How long the case has been in the `In progress` state
 * **Duration from creation to close**: Time elapsed from when the case was created to when it was closed
 
-:::{image} /solutions/images/security-cases-summary.png
-:alt: Shows you a summary of the case
-:screenshot:
-:::
-
-
 ### Manage case comments [cases-manage-comments]
 
 To edit, delete, or quote a comment, select the appropriate option from the **More actions** menu (**…**).
@@ -157,14 +140,7 @@ After adding events to cases from the Events table (which you can access from th
 
 ### Add files [cases-add-files]
 
-To upload files to a case, click the **Files** tab:
-
-:::{image} /solutions/images/security-cases-files.png
-:alt: A list of files attached to a case
-:screenshot:
-:::
-
-You can set file types and sizes by configuring your [{{kib}} case settings](kibana://reference/configuration-reference/cases-settings.md).
+To upload files to a case, select the **Files** tab, then click **Add files**. You can set file types and sizes by configuring your [{{kib}} case settings](kibana://reference/configuration-reference/cases-settings.md).
 
 % Check with Lisa whether following note is only applicable to Serverless or if it's for ESS too.
 
@@ -326,4 +302,4 @@ To import a case:
     * If the imported case had connectors attached to it, you’ll be prompted to re-authenticate the connectors. To do so, click **Go to connectors** on the **Import saved objects** flyout and complete the necessary steps. You can also access connectors from the **{{connectors-ui}}** page (find **{{connectors-ui}}** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md)).
     * If the imported case had attached alerts, verify that the alerts' source documents exist in the environment. Case features that interact with alerts (such as the Alert details flyout and rule details page) rely on the alerts' source documents to function.
 
-    ::::
+    ::::