elastic · nastasha-solomon · Nov 6, 2024 · Oct 27, 2024 · Oct 27, 2024 · Oct 27, 2024
@@ -150,6 +150,7 @@ From the Alerts table or the alert details flyout, you can:
 * <<alerts-run-osquery, Run Osquery against an alert>>
 * <<signals-to-timelines>>
 * <<visual-event-analyzer,Visually analyze an alert's process relationships>>
+* <<notes-alerts-events,Add notes to alerts>>
 
 [float]
 [[detection-alert-status]]

@@ -41,10 +41,10 @@ IMPORTANT: If you've enabled grouping on the Alerts page, the alert details flyo
 * Find basic details about the alert, such as the:
 
 ** Associated rule
-** Alert status
-** Date and time the alert was created
+** Alert status and when the alert was created
 ** Alert severity and risk score (these are inherited from rule that generated the alert)
 ** Users assigned to the alert (click the **Assign alert** image:images/assign-alert.png[Assign alert,15,15] icon to assign more users)
+** Notes attached to the alert (click the **Add note** image:images/add-note-icon.png[Add note,15,15] icon to create a new note)
 
 * Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs. 
 
@@ -312,3 +312,13 @@ The **Response** section is located on the **Overview** tab in the right panel.
 image::images/response-action-rp.png[Response section of the Overview tab, 50%]
 
 
+[discrete]
+[[expanded-notes-view]]
+== Notes
+
+The **Notes** tab (located in the left panel) shows all notes attached to the alert, in addition to the user who created them and when they were created. When you add a new note, the alert's summary also updates and shows how many notes are attached to the alert. 
+
+TIP: Go to the **Notes** <<manage-notes,page>> to find notes that were added to other alerts.
+
+[role="screenshot"]
+image::images/notes-tab-lp.png[Notes tab in the left panel, 70%]
@@ -0,0 +1,46 @@
+[[add-manage-notes]]
+= Notes
+
+Incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. You can attach notes to alerts, events, and Timelines and manage them from the **Notes** page. 
+
+NOTE: Configure the `securitySolution:maxUnassociatedNotes` <<max-notes-alerts-events,advanced setting>> to specify the maximum number of notes that you can attach to alerts and events. 
+
+[discrete]
+[[notes-alerts-events]]
+== View and add notes to alerts and events
+
+Open the alert or event details flyout to access the **Notes** tab, where you can view existing notes and add new ones. To quickly open the tab, click the **Add note** action (image:images/create-note-icon.png[Add note action,15,15]) in the Alerts or Events table. Then, enter a note into the text box, and click **Add note** to create it.
+
+After notes are created, the **Add note** icon displays a notification dot. In the details flyout for alerts, the alert summary in the right panel also shows how many notes are attached to the alert.
+
+[role="screenshot"]
+image::images/new-note-alert-event.png[New note added to an alert]
+
+[discrete]
+[[notes-timelines]]
+== View and add notes to Timelines
+
+IMPORTANT: You can only add notes to saved Timelines.  
+
+Open the **Notes** Timeline tab, where you can view existing notes for the Timeline and add new ones. Alternatively, use the details flyout for alerts and events that you're investigating from Timeline. Be aware that notes added this way are automatically attached to the alert or event and the Timeline unless you deselect the **Attach to current Timeline** option. 
+
+After notes are created, the **Notes** Timeline tab displays the total number of notes attached to the Timeline. 
+
+[role="screenshot"]
+image::images/new-note-timeline-tab.png[New note added to a Timeline]
+
+[discrete]
+[[manage-notes]]
+== Manage all notes 
+
+Use the **Notes** page to view and interact with all existing notes. To access the page, navigate to *Investigations* in the main navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then go to **Notes**. From the **Notes** page, you can:
+
+* Search for specific notes
+* Filter notes by the user who created them or by the object they're attached to (notes can be attached to alerts, events, or Timelines)
+* Examine the contents of a note (click the text in the **Note content** column)
+* Delete one or more notes 
+* Examine the alert or event that a note is attached to (click the **Expand alert/event details** image:images/notes-page-document-details.png[Preview alert or event action,15,15] icon)
+* Open the Timeline that the note is attached to (click the **Open saved timeline** image:images/notes-page-timeline-details.png[Open Timeline action,15,15] icon)
+
+[role="screenshot"]
+image::images/notes-management-page.png[Notes management page]
@@ -9,3 +9,4 @@ include::timeline-templates.asciidoc[leveloffset=+2]
 include::../detections/visual-event-analyzer.asciidoc[leveloffset=+1]
 include::../cloud-native-security/session-view.asciidoc[leveloffset=+1]
 include::../osquery/osquery-index.asciidoc[leveloffset=+1]
+include::add-manage-notes.asciidoc[leveloffset=+1]
@@ -72,8 +72,7 @@ You can also modify a Timeline's display in other ways:
 * Copy a column name or values to a clipboard 
 * Change how the name, value, and description of a field are displayed in Timeline
 * View the Timeline in full screen mode
-* Add or delete notes on individual events
-* Add or delete investigation notes on the entire Timeline
+* Add or delete <<add-manage-notes,notes>> attached to alerts, events, or Timeline
 * Pin interesting events to the Timeline
 
 [discrete]

@@ -179,6 +179,12 @@ By default, Elastic prebuilt rules in the *Rules* and *Rule Monitoring* tables i
 
 The `securitySolution:alertTags` field determines which options display in the alert tag menu. The default alert tag options are `Duplicate`, `False Positive`, and `Further investigation required`. You can update the alert tag menu by editing these options or adding more. To learn more about using alert tags, refer to <<apply-alert-tags>>.
 
+[discrete]
+[[max-notes-alerts-events]]
+== Set the maximum notes limit for alerts and events 
+
+The `securitySolution:maxUnassociatedNotes` field determines the maximum number of <<add-manage-notes,notes>> that you can attach to alerts and events. The maximum limit and default value is 1000. 
+
 [discrete]
 [[exclude-cold-frozen-data-rule-executions]]
 == Exclude cold and frozen data from rule executions 

diff --git a/docs/serverless/alerts/alerts-ui-manage.mdx b/docs/serverless/alerts/alerts-ui-manage.mdx
@@ -148,6 +148,7 @@ From the Alerts table or the alert details flyout, you can:
 * <DocLink slug="/serverless/security/alerts-run-osquery">Run Osquery against an alert</DocLink>
 * <DocLink slug="/serverless/security/alerts-manage" section="view-alerts-in-timeline">View alerts in Timeline</DocLink>
 * <DocLink slug="/serverless/security/visual-event-analyzer">Visually analyze an alert's process relationships</DocLink>
+* <DocLink slug="/serverless/security/add-manage-notes" section="notes-alerts-events">Add notes to alerts</DocLink>
 
 <div id="detection-alert-status"></div>
 

diff --git a/docs/serverless/alerts/view-alert-details.mdx b/docs/serverless/alerts/view-alert-details.mdx
@@ -47,10 +47,10 @@ From the right panel, you can also:
 * Find basic details about the alert, such as the:
 
     * Associated rule
-    * Alert status
-    * Date and time the alert was created
+    * Alert status and when the alert was created
     * Alert severity and risk score (these are inherited from rule that generated the alert)
     * Users assigned to the alert (click the <DocIcon type="plusInCircle" title="Assign alert" /> icon to assign more users)
+    * Notes attached to the alert (click the <DocIcon type="plusInCircle" title="Add note" /> icon to create a new note)
 * Click the **Table** or **JSON** tabs to display the alert details in table or JSON format. In table format, alert details are displayed as field-value pairs. 
 
 <div id="preview-panel"></div>
@@ -296,3 +296,15 @@ The expanded Prevalence view provides the following details:
 The **Response** section is located on the **Overview** tab in the right panel. It shows <DocLink slug="/serverless/security/rules-create">response actions</DocLink> that were added to the rule associated with the alert. Click **Response** to display the response action's results in the left panel.
 
 <DocImage size="l" url="../images/view-alert-details/-detections-response-action-rp.png" alt="Response section of the Overview tab"/>
+
+<div id="expanded-notes-view"></div>
+
+## Notes
+
+The **Notes** tab (located in the left panel) shows all notes attached to the alert, in addition to the user who created them and when they were created. When you add a new note, the alert's summary also updates and shows how many notes are attached to the alert. 
+
+<DocCallOut title="Tip">
+Go to the **Notes** <DocLink slug="/serverless/security/add-manage-notes" section="manage-notes">page</DocLink> to find notes that were added to other alerts.
+</DocCallOut>
+
+<DocImage size="l" url="../images/view-alert-details/-detections-notes-tab-lp.png" alt="Notes tab in the left panel"/>
diff --git a/docs/serverless/investigate/add-manage-notes.mdx b/docs/serverless/investigate/add-manage-notes.mdx
@@ -0,0 +1,54 @@
+---
+slug: /serverless/security/add-manage-notes
+title: Notes
+description: Create and manage notes for alerts, events, and Timeline.
+tags: ["serverless","security","how-to","manage"]
+---
+
+<DocBadge template="technical preview" />
+<div id="add-manage-notes"></div>
+
+Incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. You can attach notes to alerts, events, and Timelines and manage them from the **Notes** page. 
+
+<DocCallOut title="Note">
+Configure the `securitySolution:maxUnassociatedNotes` <DocLink slug="/serverless/security/advanced-settings" section="max-notes-alerts-events">advanced settings</DocLink> to specify the maximum number of notes that you can attach to alerts and events.
+</DocCallOut>
+
+<div id="notes-alerts-events"></div>
+
+## View and add notes to alerts and events 
+
+Open the alert or event details flyout to access the **Notes** tab, where you can view existing notes and add new ones. To quickly open the tab, click the **Add note** action (<DocIcon type="editorComment" title="The action that lets you to add a new note" />) in the Alerts or Events table. Then, enter a note into the text box, and click **Add note** to create it.
+
+After notes are created, the **Add note** icon displays a notification dot. In the details flyout for alerts, the alert summary in the right panel also shows how many notes are attached to the alert.
+
+<DocImage size="xl" url="../images/notes/-notes-new-note-alert-event.png" alt="New note added to an alert"/>
+
+<div id="notes-timelines"></div>
+
+## View and add notes to Timelines
+
+<DocCallOut title="Important" color="warning">
+You can only add notes to saved Timelines.
+</DocCallOut>
+
+Open the **Notes** Timeline tab, where you can view existing notes for the Timeline and add new ones. Alternatively, use the details flyout for alerts and events that you're investigating from Timeline. Be aware that notes added this way are automatically attached to the alert or event and the Timeline unless you deselect the **Attach to current Timeline** option. 
+
+After notes are created, the **Notes** Timeline tab displays the total number of notes attached to the Timeline. 
+
+<DocImage size="xl" url="../images/notes/-notes-new-note-timeline-tab.png" alt="New note added to a Timeline"/>
+
+<div id="manage-notes"></div>
+
+## Manage notes 
+
+Use the **Notes** page to view and interact with all existing notes. To access the page, navigate to **Investigations** in the main navigation menu or by using the global search field, then go to **Notes**. From the **Notes** page, you can:
+
+* Search for specific notes
+* Filter notes by the user who created them or by the object they're attached to (notes can be attached to alerts, events, or Timelines)
+* Examine the contents of a note (select the text in the **Note content** column)
+* Delete one or more notes 
+* Examine the alert or event that a note is attached to (click the **Expand alert/event details** <DocIcon type="expand" title="Preview alert or event details action" /> icon)
+* Open the Timeline that the note is attached to (click the **Open saved timeline** <DocIcon type="timelineWithArrow" title="Preview alert or event details action" /> icon)
+
+<DocImage size="xl" url="../images/notes/-notes-management-page.png" alt="Notes management page"/>
diff --git a/docs/serverless/investigate/timelines-ui.mdx b/docs/serverless/investigate/timelines-ui.mdx
@@ -78,8 +78,7 @@ You can also modify a Timeline's display in other ways:
 * Copy a column name or values to a clipboard 
 * Change how the name, value, or description of a field are displayed in Timeline
 * View the Timeline in full screen mode
-* Add or delete notes on individual events
-* Add or delete investigation notes on the entire Timeline
+* Add or delete <DocLink slug="/serverless/security/add-manage-notes">notes</DocLink> attached to alerts, events, or Timeline
 * Pin interesting events to the Timeline
 
 <div id="add-remove-timeline-fields"></div>

diff --git a/docs/serverless/serverless-security.docnav.json b/docs/serverless/serverless-security.docnav.json
@@ -663,6 +663,10 @@
               "classic-sources": [ "enSecurityCasesSettings" ]
             }
           ]
+        },           
+        {
+          "slug": "/serverless/security/add-manage-notes",
+          "classic-sources": [ "enSecurityAddManageNotes" ]
         }
       ]
     },

diff --git a/docs/serverless/settings/advanced-settings.mdx b/docs/serverless/settings/advanced-settings.mdx
@@ -126,6 +126,10 @@ You can change these settings, which affect the news feed displayed on the
 * `securitySolution:newsFeedUrl`: The URL from which the security news feed content is
     retrieved.
 
+## Set the maximum notes limit for alerts and events 
+
+The `securitySolution:maxUnassociatedNotes` field determines the maximum number of <DocLink slug="/serverless/security/add-manage-notes">notes</DocLink> that you can attach to alerts and events. The maximum limit and default value is 1000. 
+
 ## Exclude cold and frozen tier data from analyzer queries
 
 Including data from cold and frozen [data tiers](((ref))/data-tiers.html) in <DocLink slug="/serverless/security/visual-event-analyzer">visual event analyzer</DocLink> queries may result in performance degradation. The `securitySolution:excludeColdAndFrozenTiersInAnalyzer` setting allows you to exclude this data from analyzer queries. This setting is turned off by default.
-Original file line number
+Diff line change
@@ Expand Up / @@ -663,6 +663,10 @@ @@
                   "classic-sources": [ "enSecurityCasesSettings" ]
                 }
               ]
+            },
+            {
+              "slug": "/serverless/security/add-manage-notes",
+              "classic-sources": [ "enSecurityAddManageNotes" ]
             }
           ]
         },
@@ Expand Down @@