[Serverless bug bash] Updates cases API link (#6160)

* Updates cases API link

* replaces link

(cherry picked from commit 115cbe6)

# Conflicts:
#	docs/serverless/alerts/signals-to-cases.asciidoc
#	docs/serverless/investigate/cases-open-manage.asciidoc
#	docs/serverless/investigate/cases-overview.asciidoc

Author: natasha-moore-elastic

docs/cases/cases-manage.asciidoc

@@ -5,7 +5,7 @@
 :frontmatter-tags-content-type: [how-to] 
 :frontmatter-tags-user-goals: [analyze]
 
-You can create and manage cases using the UI or the <<cases-api-overview>>.
+You can create and manage cases using the UI or the {api-kibana}/group/endpoint-cases[cases API].
 
 [float]
 [[cases-ui-open]]

docs/cases/cases-overview.asciidoc

@@ -5,7 +5,7 @@
 :frontmatter-tags-content-type: [overview] 
 :frontmatter-tags-user-goals: [analyze]
 
-Collect and share information about security issues by opening a case in {elastic-sec}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {elastic-sec} UI provides several ways to create and manage cases. Alternatively, you can use the <<cases-api-overview,cases API>> to perform the same tasks.
+Collect and share information about security issues by opening a case in {elastic-sec}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {elastic-sec} UI provides several ways to create and manage cases. Alternatively, you can use the {api-kibana}/group/endpoint-cases[cases API] to perform the same tasks.
 
 You can also send cases to these external systems by <<cases-ui-integrations, configuring external connectors>>:
 

docs/detections/alerts-add-to-cases.asciidoc

@@ -9,7 +9,7 @@ From the Alerts table, you can attach one or more alerts to a <<signals-to-new-c
 
 [NOTE]
 ===============================
-* After you add an alert to a case, you can remove it from the case activity under the alert summary or by using the <<cases-api-overview,Elastic Security Cases API>>.
+* After you add an alert to a case, you can remove it from the case activity under the alert summary or by using the {api-kibana}/group/endpoint-cases[cases API].
 * Each case can have a maximum of 1,000 alerts.
 ===============================
 

docs/serverless/alerts/signals-to-cases.asciidoc

@@ -0,0 +1,69 @@
+[[security-signals-to-cases]]
+= Add detection alerts to cases
+
+// :description: Add alerts to new or existing cases in {elastic-sec}.
+// :keywords: serverless, security, how-to, analyze
+
+++++
+<titleabbrev>Add alerts to cases</titleabbrev>
+++++
+
+
+From the Alerts table, you can attach one or more alerts to a <<signals-to-new-cases,new case>> or <<signals-to-existing-cases,an existing one>>. Alerts from any rule type can be added to a case.
+
+[NOTE]
+====
+* After you add an alert to a case, you can remove it from the case activity under the alert summary or by using the {api-kibana}/group/endpoint-cases[cases API].
+* Each case can have a maximum of 1,000 alerts.
+
+// Link to classic docs until serverless API docs are available.
+====
+
+[role="screenshot"]
+image::images/signals-to-cases/-detections-add-alert-to-case.gif[Animation of adding an alert to a case]
+
+[discrete]
+[[signals-to-new-cases]]
+== Add alerts to a new case
+
+To add alerts to a new case:
+
+. Do one of the following:
++
+** To add a single alert to a case, select the **More actions** menu (_..._) in the Alerts table or **Take action** in the alert details flyout, then select **Add to a new case**.
+** To add multiple alerts, select the alerts, then select **Add to a new case** from the **Bulk actions** menu.
+. Give the case a name, assign a severity level, and provide a description. You can use
+https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax[Markdown] syntax in the case description.
++
+[NOTE]
+====
+If you do not assign your case a severity level, it will be assigned **Low** by default.
+====
+. Optionally, add a category, assignees and relevant tags. You can add users only if they
+meet the necessary <<security-cases-requirements,prerequisites>>.
+. Specify whether you want to sync the status of associated alerts. It is enabled by default; however, you can toggle this setting on or off at any time. If it remains enabled, the alert's status updates whenever the case's status is modified.
+. Select a connector. If you've previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`.
+. Click **Create case** after you've completed all of the required fields. A confirmation message is displayed with an option to view the new case. Click the link in the notification or go to the Cases page to view the case.
++
+[role="screenshot"]
+image:images/signals-to-cases/-detections-add-alert-to-new-case.png[Create case flyout with sample data filled in]
+
+[discrete]
+[[signals-to-existing-cases]]
+== Add alerts to an existing case
+
+To add alerts to an existing case:
+
+. Do one of the following:
++
+** To add a single alert to a case, select the **More actions** menu (_..._) in the Alerts table or **Take action** in the alert details flyout, then select **Add to existing case**.
+** To add multiple alerts, select the alerts, then select **Add to an existing case** from the **Bulk actions** menu.
+. From the **Select case** dialog box, select the case to which you want to attach the alert. A confirmation message is displayed with an option to view the updated case. Click the link in the notification or go to the Cases page to view the case's details.
++
+[NOTE]
+====
+If you attach the alert to a case that has been configured to sync its status with associated alerts, the alert's status updates any time the case's status is modified.
+====
++
+[role="screenshot"]
+image::images/signals-to-cases/-detections-add-alert-to-existing-case.png[Select case dialog listing existing cases]

docs/serverless/investigate/cases-open-manage.asciidoc

@@ -0,0 +1,288 @@
+[[security-cases-open-manage]]
+= Create and manage cases
+
+// :description: Create a case in {elastic-sec}, and add files and visualizations.
+// :keywords: serverless, security, how-to, analyze, manage
+
+
+You can create and manage cases using the UI or the {api-kibana}/group/endpoint-cases[cases API].
+
+// Link to classic docs until serverless API docs are available.
+
+[discrete]
+[[cases-ui-open]]
+== Open a new case
+
+Open a new case to keep track of security issues and share their details with
+colleagues.
+
+. Go to **Cases**, then click **Create case**. If no cases exist, the Cases table will be empty and you'll be prompted to create one by clicking the **Create case** button inside the table.
+. (Optional) If you defined <<security-cases-settings-templates,templates>>, select one to use its default field values. . Give the case a name, assign a severity level, and provide a description. You can use
+https://www.markdownguide.org/cheat-sheet[Markdown] syntax in the case description.
++
+[NOTE]
+====
+If you do not assign your case a severity level, it will be assigned **Low** by default.
+====
++
+[TIP]
+====
+You can insert a Timeline link in the case description by clicking the Timeline icon (image:images/icons/timeline.svg[Timeline]).
+====
+. Optionally, add a category, assignees and relevant tags. You can add users only if they meet the necessary <<security-cases-requirements,prerequisites>>.
+. If you defined <<security-cases-settings-custom-fields,custom fields>>, they appear in the **Additional fields** section.
+. Choose if you want alert statuses to sync with the case's status after they are added to the case. This option is enabled by default, but you can turn it off after creating the case.
+. From **External incident management**, select a <<security-cases-settings,connector>>. If you've previously added one, that connector displays as the default selection. Otherwise, the default setting is `No connector selected`.
+. Click **Create case**.
++
+[NOTE]
+====
+If you've selected a connector for the case, the case is automatically pushed to the third-party system it's connected to.
+====
+
+[role="screenshot"]
+image::images/cases-open-manage/-cases-cases-ui-open.png[Shows an open case]
+
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+////
+/*
+This functionality does not exist yet in serverless.
+To be updated: references to Kibana, ESS. Once this section is added back in, edit the frontmatter description back to: Create a case in {elastic-sec}, configure email notifications, and add files and visualizations.
+
+## Add email notifications
+
+You can configure email notifications that occur when users are assigned to cases.
+
+For hosted {kib} on {ess}:
+
+1. Add the email addresses to the monitoring email allowlist. Follow the steps in
+  [Send alerts by email]({cloud}/ec-watcher.html#ec-watcher-allowlist).
+
+  You do not need to take any more steps to configure an email connector or update
+  {kib} user settings, since the preconfigured Elastic-Cloud-SMTP connector is
+  used by default.
+
+For self-managed {kib}:
+
+1. Create a preconfigured email connector.
+
+  <DocCallOut title="Note">
+  At this time, email notifications support only [preconfigured email connectors]({kibana-ref}/pre-configured-connectors.html),
+  which are defined in the `kibana.yml` file.
+  </DocCallOut>
+
+1. Set the `notifications.connectors.default.email` {kib} setting to the name of
+  your email connector.
+
+1. If you want the email notifications to contain links back to the case, you
+  must configure the [server.publicBaseUrl]({kibana-ref}/settings.html#server-publicBaseUrl) setting.
+
+When you subsequently add assignees to cases, they receive an email.
+
+<div id="cases-ui-manage"></div> */
+////
+
+[discrete]
+[[security-cases-open-manage-manage-existing-cases]]
+== Manage existing cases
+
+From the Cases page, you can search existing cases and filter them by attributes such as assignees, categories, severity, status, and tags. You can also select multiple cases and use bulk actions to delete cases or change their attributes. General case metrics, including how long it takes to close cases, are provided above the table.
+
+[role="screenshot"]
+image::images/cases-open-manage/-cases-cases-home-page.png[Case UI Home]
+
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+To explore a case, click on its name. You can then:
+
+* <<cases-summary,Review the case summary>>
+* <<cases-manage-comments,Add and manage comments>>
++
+[TIP]
+====
+Comments can contain Markdown. For syntax help, click the Markdown icon (image:images/cases-open-manage/-detections-markdown-icon.png[Click markdown icon,17,17]) in the bottom right of the comment.
+====
+* Examine <<cases-examine-alerts,alerts>> and <<review-indicator-in-case,indicators>> attached to the case
+* <<cases-add-files,Add files>>
+* <<cases-lens-visualization,Add a Lens visualization>>
+* Modify the case's description, assignees, category, severity, status, and tags.
+* Manage connectors and send updates to external systems (if you've added a connector to the case)
+* <<cases-copy-case-uuid,Copy the case UUID>>
+* Refresh the case to retrieve the latest updates
+
+[discrete]
+[[cases-summary]]
+=== Review the case summary
+
+Click on an existing case to access its summary. The case summary, located under the case title, contains metrics that summarize alert information and response times. These metrics update when you attach additional unique alerts to the case, add connectors, or modify the case's status:
+
+* **Total alerts**: Total number of unique alerts attached to the case
+* **Associated users**: Total number of unique users that are represented in the attached alerts
+* **Associated hosts**: Total number of unique hosts that are represented in the attached alerts
+* **Total connectors**: Total number of connectors that have been added to the case
+* **Case created**: Date and time that the case was created
+* **Open duration**: Time elapsed since the case was created
+* **In progress duration**: How long the case has been in the `In progress` state
+* **Duration from creation to close**: Time elapsed from when the case was created to when it was closed
+
+[role="screenshot"]
+image::images/cases-open-manage/-cases-cases-summary.png[Shows you a summary of the case]
+
+[discrete]
+[[cases-manage-comments]]
+=== Manage case comments
+
+To edit, delete, or quote a comment, select the appropriate option from the **More actions** menu (image:images/icons/boxesHorizontal.svg[More actions]).
+
+[role="screenshot"]
+image::images/cases-open-manage/-cases-cases-manage-comments.png[Shows you a summary of the case]
+
+[discrete]
+[[cases-examine-alerts]]
+=== Examine alerts attached to a case
+
+To explore the alerts attached to a case, click the **Alerts** tab. In the table, alerts are organized from oldest to newest. To <<security-view-alert-details,view alert details>>, click the **View details** button.
+
+[role="screenshot"]
+image::images/cases-open-manage/-cases-cases-alert-tab.png[Shows you the Alerts tab]
+
+[NOTE]
+====
+Each case can have a maximum of 1,000 alerts.
+====
+
+[discrete]
+[[cases-add-files]]
+=== Add files
+
+To upload files to a case, click the **Files** tab:
+
+[role="screenshot"]
+image::images/cases-open-manage/-cases-cases-files.png[A list of files attached to a case]
+
+// NOTE: This is an autogenerated screenshot. Do not edit it directly.
+
+You can add images and text, CSV, JSON, PDF, or ZIP files.
+For the complete list, check https://github.com/elastic/kibana/blob/main/x-pack/plugins/cases/common/constants/mime_types.ts[mime_types.ts].
+
+[NOTE]
+====
+There is a 10 MiB size limit for images. For all other MIME types, the limit is 100 MiB.
+====
+
+To download or delete the file, or copy the file hash to your clipboard, open the **Actions** menu (**…**).
+The available hash functions are MD5, SHA-1, and SHA-256.
+
+When you add a file, a comment is added to the case activity log.
+To view an image, click its name in the activity or file list.
+
+[discrete]
+[[cases-lens-visualization]]
+=== Add a Lens visualization
+
+beta::[]
+
+Add a Lens visualization to your case to portray event and alert data through charts and graphs.
+
+[role="screenshot"]
+image::images/cases-open-manage/-cases-add-vis-to-case.gif[Shows how to add a visualization to a case]
+
+To add a Lens visualization to a comment within your case:
+
+. Click the **Visualization** button. The **Add visualization** dialog appears.
+. Select an existing visualization from your Visualize Library or create a new visualization.
++
+[IMPORTANT]
+====
+Set an absolute time range for your visualization. This ensures your visualization doesn't change over time after you save it to your case, and provides important context for others managing the case.
+====
+. Save the visualization to your Visualize Library by clicking the **Save to library** button (optional).
++
+.. Enter a title and description for the visualization.
+.. Choose if you want to keep the **Update panel on Security** activated. This option is activated by default and automatically adds the visualization to your Visualize Library.
+. After you've finished creating your visualization, click **Save and return** to go back to your case.
+. Click **Preview** to show how the visualization will appear in the case comment.
+. Click **Add Comment** to add the visualization to your case.
+
+Alternatively, while viewing a <<security-dashboards-overview,dashboard>> you can open a panel's menu then click **More actions** (image:images/icons/boxesHorizontal.svg[More actions]​) → **Add to existing case** or **More actions** (image:images/icons/boxesHorizontal.svg[More actions]​) → **Add to new case**.
+
+After a visualization has been added to a case, you can modify or interact with it by clicking the **Open Visualization** option in the case's comment menu.
+
+[role="screenshot"]
+image::images/cases-open-manage/-cases-cases-open-vis.png[Shows where the Open Visualization option is]
+
+[discrete]
+[[cases-copy-case-uuid]]
+=== Copy the case UUID
+
+Each case has a universally unique identifier (UUID) that you can copy and share. To copy a case's UUID to a clipboard, go to the Cases page and select **Actions** → **Copy Case ID** for the case you want to share. Alternatively, go to a case's details page, then from the **More actions** menu (image:images/icons/boxesHorizontal.svg[More actions]), select **Copy Case ID**.
+
+[role="screenshot"]
+image::images/cases-open-manage/-cases-cases-copy-case-id.png[Copy Case ID option in More actions menu 40%]
+
+[discrete]
+[[cases-export-import]]
+== Export and import cases
+
+Cases can be <<cases-export,exported>> and <<cases-import,imported>> as saved objects using the Saved Objects <<security-project-settings,project settings>> UI.
+
+[IMPORTANT]
+====
+Before importing Lens visualizations, Timelines, or alerts, ensure their data is present. Without it, they won't work after being imported.
+====
+
+[discrete]
+[[cases-export]]
+=== Export a case
+
+Use the **Export** option to move cases between different {elastic-sec} instances. When you export a case, the following data is exported to a newline-delimited JSON (`.ndjson`) file:
+
+* Case details
+* User actions
+* Text string comments
+* Case alerts
+* Lens visualizations (exported as JSON blobs).
+
+[NOTE]
+====
+The following attachments are _not_ exported:
+
+* **Case files**: Case files are not exported. However, they are accessible in **Project settings** → **Management** → **Files** to download and re-add.
+* **Alerts**: Alerts attached to cases are not exported. You must re-add them after importing cases.
+====
+
+To export a case:
+
+. Go to **Project settings** → **Management** → **Saved objects**.
+. Search for the case by choosing a saved object type or entering the case title in the search bar.
+. Select one or more cases, then click the **Export** button.
+. Click **Export**. A confirmation message that your file is downloading displays.
++
+[TIP]
+====
+Keep the **Include related objects** option enabled to ensure connectors are exported too.
+====
+
+[role="screenshot"]
+image::images/cases-open-manage/-cases-cases-export-button.png[Shows the export saved objects workflow]
+
+[discrete]
+[[cases-import]]
+=== Import a case
+
+To import a case:
+
+. Go to **Project settings** → **Management** → **Saved objects**.
+. Click **Import**.
+. Select the NDJSON file containing the exported case and configure the import options.
+. Click **Import**.
+. Review the import log and click **Done**.
++
+[IMPORTANT]
+====
+Be mindful of the following:
+
+* If the imported case had connectors attached to it, you'll be prompted to re-authenticate the connectors. To do so, click **Go to connectors** on the **Import saved objects** flyout and complete the necessary steps. Alternatively, open the main menu, then go to **Project settings** → **Management** → **{connectors-ui}** to access connectors.
+* If the imported case had attached alerts, verify that the alerts' source documents exist in the environment. Case features that interact with alerts (such as the Alert details flyout and rule details page) rely on the alerts' source documents to function.
+====