[Request] [8.18, 9.0, and Serverless] Observables can be added to cases (#6477)

* First draft

* fixed anchor ref

* Fixes minor heading issues

* Adds reqs for Serverless and ESS

* Revisions to text

* Fixes error

* Refreshes images

* more new images

* Fixed reference to image

* Resizes images

* Moves images down

* Update docs/cases/cases-manage.asciidoc

Co-authored-by: Benjamin Ironside Goldstein <[email protected]>

* Update docs/cases/cases-manage.asciidoc

Co-authored-by: Benjamin Ironside Goldstein <[email protected]>

* Ben's edits

* Update docs/cases/cases-manage-settings.asciidoc

* Applying more of Ben's edits

* Update docs/cases/cases-manage.asciidoc

Co-authored-by: natasha-moore-elastic <[email protected]>

* Update docs/cases/cases-manage.asciidoc

Co-authored-by: natasha-moore-elastic <[email protected]>

* Update docs/cases/cases-manage-settings.asciidoc

Co-authored-by: natasha-moore-elastic <[email protected]>

* Nat's edits and other syntax edits

---------

Co-authored-by: Benjamin Ironside Goldstein <[email protected]>
Co-authored-by: natasha-moore-elastic <[email protected]>

Author: 3 people

docs/cases/cases-manage-settings.asciidoc

@@ -5,7 +5,7 @@
 :frontmatter-tags-content-type: [how-to] 
 :frontmatter-tags-user-goals: [analyze]
 
-To change case closure options and add custom fields, templates, and connectors for external incident management systems, find **Cases** in the navigation menu or search for `Security/Cases` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click **Settings**. 
+To change case closure options, add custom fields, templates, and connectors for external incident management systems, and create custom observable types, find **Cases** in the navigation menu or search for `Security/Cases` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click **Settings**. 
 
 [role="screenshot"]
 image::images/cases-settings.png[Shows the case settings page]
@@ -123,3 +123,27 @@ image::images/cases-add-template.png[Add a template in case settings]
 When users create cases, they can optionally select a template and use its values or override them.
 
 NOTE: If you update or delete templates, existing cases are unaffected.
+
+[float]
+[[cases-observable-types]]
+=== Observable types
+
+.Requirements
+[sidebar]
+--
+To use observables, you must have a https://www.elastic.co/pricing[Platinum subscription] or higher.
+--
+
+Create custom observable types for enhanced case collaboration.
+
+. In the **Observable types** section, click **Add observable type**.
+. Enter a descriptive label for the observable type, then click **Save**.
+
+After creating a new observable type, you can remove or edit it from the **Settings** page.
+
+NOTE: You can create up to 10 custom observable types.
+
+IMPORTANT: Deleting a custom observable type deletes all instances of it. 
+
+[role="screenshot"]
+image::images/cases-observable-types.png[Add an observable type in case settings]

docs/cases/cases-manage.asciidoc

@@ -101,6 +101,7 @@ TIP: Comments can contain Markdown. For syntax help, click the Markdown icon (im
 * <<cases-lens-visualization>>
 * Modify the case's description, assignees, category, severity, status, and tags. 
 * <<cases-ui-integrations,Manage connectors>> and send updates to external systems (if you've added a connector to the case)
+* <<cases-add-observables>> 
 * <<cases-copy-case-uuid>>
 * Refresh the case to retrieve the latest updates
 
@@ -194,14 +195,46 @@ After a visualization has been added to a case, you can modify or interact with
 [role="screenshot"]
 image::images/cases-open-vis.png[Shows where the Open Visualization option is]
 
+[float]
+[[cases-add-observables]]
+=== Add observables
+
+.Requirements
+[sidebar]
+--
+To use observables, you must have a https://www.elastic.co/pricing[Platinum subscription] or higher.
+--
+
+An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated events and better understand the severity and scope of a case.
+
+To create an observable:
+
+. Click the **Observables** tab, then click **Add observable**.
++
+NOTE: Each case can have a maximum of 50 observables.
++
+. Provide the necessary details:
+** **Type**: Select a type for the observable. You can choose a preset type or a <<cases-observable-types,custom one>>. 
+** **Value**: Enter a value for the observable. The value must align with the type you select. 
+** **Description** (Optional): Provide additional information about the observable. 
+
+. Click **Add observable**. 
+
+After adding an observable to a case, you can remove or edit it by using the **Actions** menu (**…**).
+
+TIP: Go to the **Similar cases** tab to access other cases with the same observables. 
+
+[role="screenshot"]
+image::images/cases-add-observables.png[Shows you where to add observables]
+
 [float]
 [[cases-copy-case-uuid]]
 === Copy the case UUID
 
 Each case has a universally unique identifier (UUID) that you can copy and share. To copy a case's UUID to a clipboard, go to the Cases page and select *Actions* -> *Copy Case ID* for the case you want to share. Alternatively, go to a case's details page, then from the *More actions* menu (…​), select *Copy Case ID*.
 
 [role="screenshot"]
-image::images/cases-copy-case-id.png[Copy Case ID option in More actions menu 40%,40%]
+image::images/cases-copy-case-id.png[Copy Case ID option in More actions menu 30%,30%]
 
 [float]
 [[cases-export-import]]

docs/cases/images/cases-add-observables.png

@@ -108,6 +108,7 @@ Comments can contain Markdown. For syntax help, click the Markdown icon (image:i
 * <<cases-lens-visualization,Add a Lens visualization>>
 * Modify the case's description, assignees, category, severity, status, and tags.
 * Manage connectors and send updates to external systems (if you've added a connector to the case)
+* <<cases-add-observables>> 
 * <<cases-copy-case-uuid,Copy the case UUID>>
 * Refresh the case to retrieve the latest updates
 
@@ -212,6 +213,38 @@ After a visualization has been added to a case, you can modify or interact with
 [role="screenshot"]
 image::images/cases-open-manage/-cases-cases-open-vis.png[Shows where the Open Visualization option is]
 
+[float]
+[[cases-add-observables]]
+=== Add observables
+
+.Requirements
+[sidebar]
+--
+To use observables, you must have the Security Analytics Essentials <<elasticsearch-manage-project,project feature>>.
+--
+
+An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated events and better understand the severity and scope of a case.
+
+To create an observable:
+
+. Click the **Observables** tab, then click **Add observable**.
++
+NOTE: Each case can have a maximum of 50 observables.
++
+. Provide the necessary details:
+** **Type**: Select a type for the observable. You can choose a preset type or a <<security-cases-observable-types,custom one>>. 
+** **Value**: Enter a value for the observable. The value must align with the type you select. 
+** **Description** (Optional): Provide additional information about the observable. 
+
+. Click **Add observable**. 
+
+After adding an observable to a case, you can remove or edit it by using the **Actions** menu (**…**).
+
+TIP: Go to the **Similar cases** tab to access other cases with the same observables. 
+
+[role="screenshot"]
+image::images/cases-open-manage/-cases-cases-add-observables.png[Shows you where to add observables]
+
 [discrete]
 [[cases-copy-case-uuid]]
 === Copy the case UUID

docs/cases/images/cases-add-template.png

@@ -124,3 +124,27 @@ When users create cases, they can optionally select a template and use its field
 ====
 If you update or delete templates, existing cases are unaffected.
 ====
+
+[float]
+[[security-cases-observable-types]]
+== Observable types
+
+.Requirements
+[sidebar]
+--
+To use observables, you must have the Security Analytics Essentials <<elasticsearch-manage-project,project feature>>.
+--
+
+Create custom observable types for enhanced case collaboration.
+
+. In the **Observable types** section, click **Add observable type**.
+. Enter a descriptive label for the observable type, then click **Save**.
+
+After creating a new observable type, you can remove or edit it from the **Settings** page.
+
+NOTE: You can create up to 10 custom observable types.
+
+IMPORTANT: Deleting a custom observable type deletes all instances of it. 
+
+[role="screenshot"]
+image::images/cases-settings/security-cases-observable-types.png[Add an observable type in case settings]