Merge branch 'main' into issue-5441-the-notes-expansion

Author: nastasha-solomon

docs/detections/alerts-view-details.asciidoc

@@ -124,10 +124,32 @@ image::images/visualizations-section-rp.png[Visualizations section of the Overvi
 
 Click **Visualizations** to display the following previews:
 
-* **Session view preview**: Shows a preview of <<session-view,session view>> data. Click **Session viewer preview** to open the **Session View** tab in Timeline. 
+* **Session viewer preview**: Shows a preview of <<session-view,Session View>> data. Click **Session viewer preview** to open the **Session View** tab in Timeline. 
 
 * **Analyzer preview**: Shows a preview of the <<visual-event-analyzer,visual analyzer graph>>. The preview displays up to three levels of the analyzed event's ancestors and up to three levels of the event's descendants and children. The ellipses symbol (**`...`**) indicates the event has more ancestors and descendants to examine. Click **Analyzer preview** to open the **Event Analyzer** tab in Timeline.
 
+[discrete]
+[[expanded-visualizations-view]]
+=== Expanded visualizations view
+
+preview::[]
+
+.Requirements
+[sidebar]
+--
+To use the **Visualize** tab, you must turn on the `securitySolution:enableVisualizationsInFlyout` <<visualizations-in-flyout,advanced setting>>. 
+--
+
+The **Visualize** tab allows you to maintain the context of the Alerts table, while providing a more detailed view of alerts that you're investigating in the event analyzer or Session View. To open the tab, click **Session viewer preview** or **Analyzer preview** from the right panel. 
+
+[role="screenshot"]
+image::images/visualize-tab-lp.png[Expanded view of visualization details, 80%]
+
+As you examine the alert's related processes, you can also preview the alerts and events which are associated with those processes. Then, if you want to learn more about a particular alert or event, you can click **Show full alert details** to open the full details flyout.
+
+[role="screenshot"]
+image::images/visualize-tab-lp-alert-details.gif[Examine alert details from event analyzer, 80%] 
+
 [discrete]
 [[insights-section]]
 == Insights 

docs/detections/images/visualize-tab-lp-alert-details.gif

@@ -29,7 +29,9 @@ Or
 +
 ** `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *`
 
-. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. Alternatively, open the alert details flyout, go to the Visualizations section, then click **Analyzer preview**. This opens the **Analyzer** tab in Timeline.
+. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout. 
++
+TIP: Turn on the `securitySolution:enableVisualizationsInFlyout` <<visualizations-in-flyout,advanced setting>> to access the event analyzer from the **Visualize** tab in the alert or event details flyout.
 
 +
 [role="screenshot"]

docs/detections/images/visualize-tab-lp.png

@@ -113,6 +113,14 @@ The `securitySolution:enableAssetCriticality` setting determines whether asset c
 
 Including data from cold and frozen {ref}/data-tiers.html[data tiers] in <<visual-event-analyzer, visual event analyzer>> queries may result in performance degradation. The `securitySolution:excludeColdAndFrozenTiersInAnalyzer` setting allows you to exclude this data from analyzer queries. This setting is turned off by default.
 
+[discrete]
+[[visualizations-in-flyout]]
+== Access the event analyzer and Session View from the event or alert details flyout
+
+preview::[]
+
+The `securitySolution:enableVisualizationsInFlyout` setting allows you to access the event analyzer and Session View in the **Visualize** <<expanded-visualizations-view,tab>> on the alert or event details flyout. This setting is turned off by default. 
+
 [discrete]
 == Change the default search interval and data refresh time
 

docs/detections/visual-event-analyzer.asciidoc

@@ -124,10 +124,28 @@ The Visualizations section is located on the **Overview** tab in the right panel
 
 Click **Visualizations** to display the following previews:
 
-* **Session view preview**: Shows a preview of <DocLink slug="/serverless/security/session-view">session view</DocLink> data. Click **Session viewer preview** to open the **Session View** tab in Timeline. 
+* **Session view preview**: Shows a preview of <DocLink slug="/serverless/security/session-view">Session View</DocLink> data. Click **Session viewer preview** to open the **Session View** tab in Timeline. 
 
 * **Analyzer preview**: Shows a preview of the <DocLink slug="/serverless/security/visual-event-analyzer">visual analyzer graph</DocLink>. The preview displays up to three levels of the analyzed event's ancestors and up to three levels of the event's descendants and children. The ellipses symbol (**`...`**) indicates the event has more ancestors and descendants to examine. Click **Analyzer preview** to open the **Event Analyzer** tab in Timeline.
 
+<div id="expanded-visualizations-view"></div>
+
+### Expanded visualizations view
+
+<DocCallOut template="technical_preview" />
+
+<DocCallOut title="Requirements">
+To use the **Visualize** tab, you must turn on the `securitySolution:enableVisualizationsInFlyout` <DocLink slug="/serverless/security/advanced-settings" section="visualizations-in-flyout" >advanced setting</DocLink>.
+</DocCallOut>
+
+The **Visualize** tab allows you to maintain the context of the Alerts table, while providing a more detailed view of alerts that you're investigating in the event analyzer or Session View. To open the tab, click **Session view preview** or **Analyzer preview** from the right panel. 
+
+<DocImage size="xl" url="../images/view-alert-details/-detections-visualize-tab-lp.png" alt="Expanded view of visualization details"/>
+
+As you examine the alert's related processes, you can also preview the alerts and events which are associated with those processes. Then, if you want to learn more about a particular alert or event, you can click **Show full alert details** to open the full details flyout.
+
+![Examine alert details from event analyzer](../images/view-alert-details/-detections-visualize-tab-lp-alert-details.gif)
+
 <div id="insights-section"></div>
 
 ## Insights 

docs/getting-started/advanced-setting.asciidoc

@@ -39,7 +39,11 @@ To find events that can be visually analyzed:
 
     * `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *`
 
-1. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer.
+1. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the Hosts, Alerts, and Timelines pages, as well as the alert details flyout. 
+
+    <DocCallOut title="Tip">
+    Turn on the `securitySolution:enableVisualizationsInFlyout` <DocLink slug="/serverless/security/advanced-settings" section="visualizations-in-flyout">advanced setting</DocLink> to access the event analyzer from the **Visualize** tab in the alert or event details flyout.
+     </DocCallOut>
 
     <DocImage size="xl" url="../images/visual-event-analyzer/-detections-analyze-event-button.png" alt="Shows analyze event option" />
 

docs/serverless/alerts/view-alert-details.mdx

@@ -140,6 +140,14 @@ The `securitySolution:maxUnassociatedNotes` field determines the maximum number
 
 Including data from cold and frozen [data tiers](((ref))/data-tiers.html) in <DocLink slug="/serverless/security/visual-event-analyzer">visual event analyzer</DocLink> queries may result in performance degradation. The `securitySolution:excludeColdAndFrozenTiersInAnalyzer` setting allows you to exclude this data from analyzer queries. This setting is turned off by default.
 
+<div id="visualizations-in-flyout"></div>
+
+## Access the event analyzer and session view from the event or alert details flyout 
+
+<DocCallOut template="technical_preview" />
+
+The `securitySolution:enableVisualizationsInFlyout` setting allows you to access the event analyzer and Session View in the **Visualize** <DocLink slug="/serverless/security/view-alert-details" section="expanded-visualizations-view">tab</DocLink> on the alert or event details flyout. This setting is turned off by default. 
+
 ## Change the default search interval and data refresh time
 
 These settings determine the default time interval and refresh rate ((elastic-sec))