First draft

Author: nastasha-solomon

docs/detections/alerts-view-details.asciidoc

@@ -41,10 +41,10 @@ IMPORTANT: If you've enabled grouping on the Alerts page, the alert details flyo
 * Find basic details about the alert, such as the:
 
 ** Associated rule
-** Alert status
-** Date and time the alert was created
+** Alert status and when the alert was created
 ** Alert severity and risk score (these are inherited from rule that generated the alert)
 ** Users assigned to the alert (click the **Assign alert** image:images/assign-alert.png[Assign alert,15,15] icon to assign more users)
+** Notes attached to the alert (click the **Add note** image:images/add-note.png[Add note,15,15] icon to create a new note)
 
 * Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs. 
 

docs/detections/images/add-note.png

@@ -0,0 +1,33 @@
+[[add-manage-notes]]
+= Create and manage notes
+
+Incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. You can attach notes to individual alerts and events, and leave notes on saved Timelines. You can then manage notes from the **Notes** page, or from individual alerts, events, or Timelines.
+
+== Add notes 
+
+To add a note to an alert: 
+
+. Find **Alerts** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Scroll down to the Alerts table, go to the alert you want to add a note to, then click the notes icon. The **Notes** tab in the alert details flyout opens.
+. Enter a note into the text box, then click **Add note**.
+
+To add a note to an event: 
+
+. Find **Explore** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **Hosts**, **Users**, **Network**.
+. Scroll down to the **Events** tab, go to the event you want to add a note to, then click the notes icon. The **Notes** tab in the events details flyout opens.
+. Enter a note into the text box, then click **Add note**.
+
+To add a note to a saved Timeline:
+
+. Do one of the following:
+** Find **Timeline** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click a Timeline's title. 
+** Go to the Timeline bar, click the image:images/add-new-timeline-button.png[Click the add new button,20,20] button, then click **Open Timeline**. Click a Timeline's title to open it.
+. Go to the **Notes** tab.
+. Enter a note into the text box, then click **Add note**.
+
+== Manage notes 
+
+To manage notes....
+
+
+

docs/events/add-manage-notes.asciidoc

@@ -9,3 +9,4 @@ include::timeline-templates.asciidoc[leveloffset=+2]
 include::../detections/visual-event-analyzer.asciidoc[leveloffset=+1]
 include::../cloud-native-security/session-view.asciidoc[leveloffset=+1]
 include::../osquery/osquery-index.asciidoc[leveloffset=+1]
+include::add-manage-notes.asciidoc[leveloffset=+1]

docs/events/investigations-index.asciidoc

@@ -72,8 +72,7 @@ You can also modify a Timeline's display in other ways:
 * Copy a column name or values to a clipboard 
 * Change how the name, value, and description of a field are displayed in Timeline
 * View the Timeline in full screen mode
-* Add or delete notes on individual events
-* Add or delete investigation notes on the entire Timeline
+* Add or delete notes on alerts, events, or Timeline
 * Pin interesting events to the Timeline
 
 [discrete]

docs/events/timeline-ui-overview.asciidoc

@@ -176,6 +176,12 @@ By default, Elastic prebuilt rules in the *Rules* and *Rule Monitoring* tables i
 
 The `securitySolution:alertTags` field determines which options display in the alert tag menu. The default alert tag options are `Duplicate`, `False Positive`, and `Further investigation required`. You can update the alert tag menu by editing these options or adding more. To learn more about using alert tags, refer to <<apply-alert-tags>>.
 
+[discrete]
+[[max-notes-alerts-events]]
+== Specify the maximum number of notes for alerts or events 
+
+The `securitySolution:maxUnassociatedNotes` field determines the maximum number of notes that you can attach to an alert or event. The maximum limit and default value is 1000. 
+
 [discrete]
 [[exclude-cold-frozen-data-rule-executions]]
 == Exclude cold and frozen data from rule executions 

docs/getting-started/advanced-setting.asciidoc

@@ -47,10 +47,10 @@ From the right panel, you can also:
 * Find basic details about the alert, such as the:
 
     * Associated rule
-    * Alert status
-    * Date and time the alert was created
+    * Alert status and when the alert was created
     * Alert severity and risk score (these are inherited from rule that generated the alert)
     * Users assigned to the alert (click the <DocIcon type="plusInCircle" title="Assign alert" /> icon to assign more users)
+    * Notes attached to the alert (click the <DocIcon type="plusInCircle" title="Add note" /> icon to create a new note)
 * Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs. 
 
 <div id="preview-panel"></div>

docs/serverless/alerts/view-alert-details.mdx

@@ -78,8 +78,7 @@ You can also modify a Timeline's display in other ways:
 * Copy a column name or values to a clipboard 
 * Change how the name, value, or description of a field are displayed in Timeline
 * View the Timeline in full screen mode
-* Add or delete notes on individual events
-* Add or delete investigation notes on the entire Timeline
+* Add or delete notes on alerts, events, or Timeline
 * Pin interesting events to the Timeline
 
 <div id="add-remove-timeline-fields"></div>

docs/serverless/investigate/timelines-ui.mdx

@@ -130,6 +130,12 @@ You can change these settings, which affect the news feed displayed on the
 
 The `securitySolution:enableAssetCriticality` setting determines whether asset criticality is included as a risk input to entity risk scoring. This setting is turned off by default. Turn it on to enable asset criticality workflows and to use asset criticality as part of entity risk scoring.
 
+<div id="max-notes-alerts-events"></div>
+
+## Specify the maximum number of notes for alerts or events 
+
+The `securitySolution:maxUnassociatedNotes` field determines the maximum number of notes that you can attach to an alert or event. The maximum limit and default value is 1000. 
+
 ## Exclude cold and frozen tier data from analyzer queries
 
 Including data from cold and frozen [data tiers](((ref))/data-tiers.html) in <DocLink slug="/serverless/security/visual-event-analyzer">visual event analyzer</DocLink> queries may result in performance degradation. The `securitySolution:excludeColdAndFrozenTiersInAnalyzer` setting allows you to exclude this data from analyzer queries. This setting is turned off by default.