elastic · nastasha-solomon · May 25, 2021 · May 3, 2021 · May 6, 2021 · May 10, 2021
diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc
@@ -1,27 +1,77 @@
 [[alerts-ui-manage]]
 [role="xpack"]
-== Managing detection alerts
+== Manage detection alerts
 
 The Detections page displays all <<detection-alert-def, detection alerts>>.
-From the Alerts table, you can change an alert's status, and start
+From the Alerts table, you can filter alerts, change an alert's status, and start
 investigating and analyzing alerts in Timeline.
 
 TIP: From Timeline, you can <<cases-ui-open, create cases>> to track issues and
 share information with colleagues.
 
-To view detection alerts created by a specific rule, you can:
+[float]
+[[detection-view-and-filter-alerts]]
+=== View and filter detection alerts
+The Detections page offers a variety of ways for you to organize and triage detection alerts as you investigate suspicious events. You can:
 
 * Filter for a specific rule in the KQL bar (for example,
 `signal.rule.name :"SSH (Secure Shell) from the Internet"`).
-* View detection alerts in the *Rule details* page (click
-*Manage detection rules* -> rule name in the *All rules* table).
 
 NOTE: KQL autocomplete for `.siem-signals-*` indices is available on the
 *Detections* and *Rule details* pages, and in Timeline when either `All` or
 `Detection alerts` is selected.
 
-TIP: Use the icons in the upper left corner of the Alerts table to customize
-displayed columns and row renderers, and view the table in full screen mode.
+* Use the date and time filter to select a time range that you’re interested in exploring. By default, this filter is set to search through the last 24 hours.
+* View detection alerts generated by a specific rule. To do this, click
+*Manage detection rules* and then click on a rule name in the All rules table. A new page showing the detailed view of the rule displays and alert details are stored in the Alerts table beneath the Detection alert trend histogram.
+* Use the *Stack by* dropdown in the Detection alert trend histogram to select specific parameters for which to visualize the individual counts. For example, if you choose to stack by `signal.rule.name`, the histogram will display the total counts by alert name.
+* Augment the results shown in the Alerts table to include alerts from building blocks or only show alerts from indicator match rules. By default, building block alerts are excluded from the Alerts table. Opting to include them expands the results and displays building block alerts alongside regular detection alerts.
+
+NOTE: When updating alert results to also include building block alerts, the Security app searches the `.siem-signals-<Kibana space>` index for the `signal.rule.building_block_type` field. When looking for alerts created from indicator match rules, the app searches the same index for the `signal.rule.threat_mapping` field.
+
+[role="screenshot"]
+image::images/additional-filters.png[Shows multiple ways to filter information]
+
+[float]
+[[customize-the-alerts-table]]
+=== Customize the Alerts table
+Use the icons in the upper left corner of the Alerts table to customize the columns you want displayed and to view the table in full screen mode.
+
+[role="screenshot"]
+image::images/alert-table-columns-and-size.gif[width=100%][height=100%][Demo that shows how to select the customize display icon and full screen icon]
+
+Click the *Customize Event Renderers* icon to enable event renderers within the Alerts table. When enabled, event renderers show relevant details that provide more context to the event. For example, if you enable the *Flow* Event Renderer, the Alerts table shows relevant details describing the flow of the data between a source and destination. These details could include hosts, ports, protocol, direction, duration, amount transferred, process, and geographic location.
+
+[role="screenshot"]
+image::images/customize-event-renderer.png[Shows the Event Renderer icon, 200]
+
+All event renderers are disabled by default. To switch between event views in the Alerts table, you can enable individual event renderers or click *Enable all*. Closing *Customize Event Renderers* page saves your configurations.
+
+[role="screenshot"]
+image::images/customize-event-renderer-page.png[Shows the Event Renderer page]
+
+[float]
+[[view-alert-details]]
+=== View alert details
+To further inspect an alert, click the *View details* icon from the Alerts table.
+
+[role="screenshot"]
+image::images/view-alert-details.png[Shows the Event Renderer icon, 200]
+
+The Alert details flyout appears and offers several options for viewing alert details:
+
+* *Summary*: Offers an aggregated view of alert details. Alerts that have been enriched with `threat.indicator` data also display the *threat summary* section, which is an additional section located beneath the alert summary. In the *threat summary* section, you can view mapped data for the following `threat.indicator` subfields:
+** `matched.field`
+** `matched.type`
+** `source (threat.indicator.provider)`
+** `first_seen`
+** `last_seen`
+
+NOTE: If an alert has more than one threat, `threat.indicator` data is still aggregated under the *threat summary* section, but parsed out in the *Threat Intel* tab.
+
+* *Threat Intel*: Shows the number of matched intelligence sources and displays threats individually. Threats are organized by timestamp (the most recent threat alert is shown at the top and the oldest is at the bottom) and the available `threat.indicator` and `source.event` data is portrayed for each threat. If the alert has not been enriched with threat data the *Threat Intel* tab displays the message `No Threat Intel Enrichment Found` and provides a link to Threat Intel module documentation.
+* *Table*: Shows the alert details in table format. Alert details are organized into field value pairs.
+* *JSON View*: Shows the alert details in JSON format.
 
 [float]
 [[detection-alert-status]]
@@ -100,4 +150,4 @@ For information about exceptions and how to use them, see
 === Visually analyze process relationships
 
 For process events received from the Elastic Endpoint agent, you can open a
-visual mapping of the relationships and hierarchy connecting related processes. For more information see, <<visual-event-analyzer>>.
+visual mapping of the relationships and hierarchy connecting related processes. For more information see, <<visual-event-analyzer>>.
diff --git a/docs/detections/images/additional-filters.png b/docs/detections/images/additional-filters.png
diff --git a/docs/detections/images/alert-table-columns-and-size.gif b/docs/detections/images/alert-table-columns-and-size.gif
diff --git a/docs/detections/images/customize-event-renderer-page.png b/docs/detections/images/customize-event-renderer-page.png
diff --git a/docs/detections/images/customize-event-renderer.png b/docs/detections/images/customize-event-renderer.png
diff --git a/docs/detections/images/view-alert-details.png b/docs/detections/images/view-alert-details.png
diff --git a/docs/events/images/test2.gif b/docs/events/images/test2.gif
diff --git a/docs/getting-started/security-ui.asciidoc b/docs/getting-started/security-ui.asciidoc
@@ -151,7 +151,7 @@ Use your keyboard to navigate through rows, columns, and menu options in the Ela
 * Use the directional arrows to move keyboard focus right, left, up, and down in a table.
 
 [role="screenshot"]
-image::images/timeline-ui-accessiblity-directional-arrows.gif[width=100%][height=100%][Demo that shows how to to move keyboard focus right, left, up, and down in a table]
+image::images/timeline-ui-accessiblity-directional-arrows.gif[width=100%][height=100%][Demo that shows how to move keyboard focus right, left, up, and down in a table]
 
 * Press the `Tab` key to navigate through a table cell with multiple elements, such as buttons, field names, and menus. Pressing the `Tab` key will apply keyboard focus in a sequential manner to each element in the table cell.