elastic · nastasha-solomon · Jan 28, 2025 · Jan 22, 2025 · Jan 23, 2025 · Jan 23, 2025
@@ -5,7 +5,7 @@
 :frontmatter-tags-content-type: [how-to] 
 :frontmatter-tags-user-goals: [analyze]
 
-To change case closure options and add custom fields, templates, and connectors for external incident management systems, find **Cases** in the navigation menu or search for `Security/Cases` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click **Settings**. 
+To change case closure options, add custom fields, templates, and connectors for external incident management systems, and create custom observable types, find **Cases** in the navigation menu or search for `Security/Cases` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click **Settings**. 
 
 [role="screenshot"]
 image::images/cases-settings.png[Shows the case settings page]
@@ -123,3 +123,27 @@ image::images/cases-add-template.png[Add a template in case settings]
 When users create cases, they can optionally select a template and use its values or override them.
 
 NOTE: If you update or delete templates, existing cases are unaffected.
+
+[float]
+[[cases-observable-types]]
+=== Observable types
+
+.Requirements
+[sidebar]
+--
+To use observables, you must have a https://www.elastic.co/pricing[Platinum subscription] or higher.
+--
+
+Create custom observable types for enhanced case collaboration.
+
+. In the *Observable types* section, click *Add observable*.
+. Enter a descriptive label for the observable type, then click *Save*.
+
+After creating a new observable type, you can remove or edit it from the **Settings** page.
+
+NOTE: You can create up to 10 custom observable types.
+
+IMPORTANT: If you delete an observable that's using a custom observable type, the observable will no longer exist in the cases to which it was added.
+
+[role="screenshot"]
+image::images/cases-observable-types.png[Add an observable type in case settings]
@@ -101,6 +101,7 @@ TIP: Comments can contain Markdown. For syntax help, click the Markdown icon (im
 * <<cases-lens-visualization>>
 * Modify the case's description, assignees, category, severity, status, and tags. 
 * <<cases-ui-integrations,Manage connectors>> and send updates to external systems (if you've added a connector to the case)
+* <<cases-add-observables>> 
 * <<cases-copy-case-uuid>>
 * Refresh the case to retrieve the latest updates
 
@@ -194,14 +195,46 @@ After a visualization has been added to a case, you can modify or interact with
 [role="screenshot"]
 image::images/cases-open-vis.png[Shows where the Open Visualization option is]
 
+[float]
+[[cases-add-observables]]
+=== Add observables
+
+.Requirements
+[sidebar]
+--
+To use observables, you must have a https://www.elastic.co/pricing[Platinum subscription] or higher.
+--
+
+An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated incidents and better understand the severity and scope of a case.
+
+To create an observable:
+
+. Click the *Observables* tab.
+. Provide the necessary details:
+** **Type**: Select a type for the observable. You can choose a preset type or a <<cases-observable-types,custom one>>. 
++
+NOTE: Each case can have a maximum of 50 observables.
++
+** *Value*: Enter a value for the observable. The value must align with the type you select. 
+** *Description* (Optional): Provide additional information about the observable. 
+
+. Click *Add observable* to add the observable to the case. 
+
+After adding an observables to a case, you can remove or edit it by using the **Actions** menu (**…**).
+
+TIP: Go to the **Similar cases** tab to access other cases with the same observables. 
+
+[role="screenshot"]
+image::images/cases-add-observables.png[Shows you where to add observables]
+
 [float]
 [[cases-copy-case-uuid]]
 === Copy the case UUID
 
 Each case has a universally unique identifier (UUID) that you can copy and share. To copy a case's UUID to a clipboard, go to the Cases page and select *Actions* -> *Copy Case ID* for the case you want to share. Alternatively, go to a case's details page, then from the *More actions* menu (…), select *Copy Case ID*.
 
 [role="screenshot"]
-image::images/cases-copy-case-id.png[Copy Case ID option in More actions menu 40%,40%]
+image::images/cases-copy-case-id.png[Copy Case ID option in More actions menu 30%,30%]
 
 [float]
 [[cases-export-import]]

@@ -108,6 +108,7 @@ Comments can contain Markdown. For syntax help, click the Markdown icon (image:i
 * <<cases-lens-visualization,Add a Lens visualization>>
 * Modify the case's description, assignees, category, severity, status, and tags.
 * Manage connectors and send updates to external systems (if you've added a connector to the case)
+* <<cases-add-observables>> 
 * <<cases-copy-case-uuid,Copy the case UUID>>
 * Refresh the case to retrieve the latest updates
 
@@ -212,6 +213,38 @@ After a visualization has been added to a case, you can modify or interact with
 [role="screenshot"]
 image::images/cases-open-manage/-cases-cases-open-vis.png[Shows where the Open Visualization option is]
 
+[float]
+[[cases-add-observables]]
+=== Add observables
+
+.Requirements
+[sidebar]
+--
+To use observables, you must have the Security Analytics Essentials <<elasticsearch-manage-project,project feature>>.
+--
+
+An observable is a piece of information about an investigation, for example, a suspicious URL or a file hash. Use observables to identify correlated incidents and better understand the severity and scope of a case.
+
+To create an observable:
+
+. Click the *Observables* tab.
+. Provide the necessary details:
+** **Type**: Select a type for the observable. You can choose a preset type or a <<security-cases-observable-types,custom one>>. 
++
+NOTE: Each case can have a maximum of 50 observables.
++
+** *Value*: Enter a value for the observable. The value must align with the type you select. 
+** *Description* (Optional): Provide additional information about the observable. 
+
+. Click *Add observable* to add the observable to the case. 
+
+After adding an observables to a case, you can remove or edit it by using the **Actions** menu (**…**).
+
+TIP: Go to the **Similar cases** tab to access other cases with the same observables. 
+
+[role="screenshot"]
+image::images/cases-open-manage/-cases-cases-add-observables.png[Shows you where to add observables]
+
 [discrete]
 [[cases-copy-case-uuid]]
 === Copy the case UUID

@@ -124,3 +124,27 @@ When users create cases, they can optionally select a template and use its field
 ====
 If you update or delete templates, existing cases are unaffected.
 ====
+
+[float]
+[[security-cases-observable-types]]
+== Observable types
+
+.Requirements
+[sidebar]
+--
+To use observables, you must have the Security Analytics Essentials <<elasticsearch-manage-project,project feature>>.
+--
+
+Create custom observable types for enhanced case collaboration.
+
+. In the *Observable types* section, click *Add observable*.
+. Enter a descriptive label for the observable type, then click *Save*.
+
+After creating a new observable type, you can remove or edit it from the **Settings** page.
+
+NOTE: You can create up to 10 custom observable types.
+
+IMPORTANT: If you delete an observable that's using a custom observable type, the observable will no longer exist in the cases to which it was added.
+
+[role="screenshot"]
+image::images/cases-settings/security-cases-observable-types.png[Add an observable type in case settings]