[Docs][SIEM] Cases UI docs

docs/en/siem/cases-overview.asciidoc

@@ -1,6 +1,65 @@
 [[cases-overview]]
 [role="xpack"]
 
-= Cases
+= Cases (Beta)
 
-// Placeholder
+beta[]
+
+Cases are used to open and track security issues directly in the {siem-app}. 
+They list the original reporter and all users who contribute to a case
+(`participants`). Comments support markdown syntax, and allow linking to saved
+<<timelines-overview, Timelines>>. Additionally, you can send cases to external
+systems from within the {siem-app} (currently {sn}). <<cases-ui-integrations>>
+describes how to set this up.
+
+You can create and manage cases via the UI or the <<cases-api-overview>>.
+
+IMPORTANT: To make sure you can view and open cases, see <<case-permisions>>.
+
+[role="screenshot"]
+image::images/cases-ui-home.png[]
+
+[float]
+[[cases-ui-open]]
+== Open a new case
+
+Open a new case to keep track of security issues and share their details with colleagues.
+
+. Go to *SIEM* -> *Cases* -> *Create new case*.
+. Give the case a name, and add a description and any relevant tags.
++
+TIP: In the `Description` area, you can use
+https://www.markdownguide.org/cheat-sheet[markdown] syntax and insert a
+timeline link (click the icon in the top right corner of the area).
+
+. When ready, create the case.
+. If external connections are configured, you can send the case to {sn}.
+
+[role="screenshot"]
+image::images/cases-ui-open.png[]
+
+[float]
+[[cases-ui-manage]]
+== Manage existing cases
+
+You can search existing cases, and filter them by tags, reporter, and status
+(open or closed).
+
+To view a case, click on its name. You can then:
+
+* Add a new comment.
+* Edit existing comments and the case's description.
+* Send updates to {sn} (if external connections are configured).
+* Close the case.
+* Reopen a closed case.
+* Edit tags.
+* Refresh cases to retrieve the latest updates.
+
+[float]
+[[case-permisions]]
+== Cases prerequisites
+
+To view cases, you need the {kib} space `Read` privilege for the Saved Objects
+Management feature. To create cases and add comments, you need the `All` {kib}
+space privilege for the Saved Objects Management feature. For more information,
+see {kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges].

docs/en/siem/cases-ui-integrations.asciidoc

@@ -0,0 +1,59 @@
+[[cases-ui-integrations]]
+[role="xpack"]
+== Configuring external connections
+
+You can push new cases and case updates to {sn}. To do this, you need to create
+a connector, which stores the information required to push cases to {sn} via
+{sn}'s https://developer.servicenow.com/dev.do#!/reference/api/madrid/rest/c_TableAPI[Table API].
+After you have created a connector, you can set {siem-soln} cases to close
+automatically when they are sent to {sn}.
+
+[float]
+=== Create a new connector
+
+. Go to *SIEM* -> *Cases* -> *Edit external connection*.
++
+[role="screenshot"]
+image::images/cases-ui-connector.png[]
+. Click `Add new connector option`, and then click {sn}.
++
+[role="screenshot"]
+image::images/cases-ui-sn-connector.png[]
+. Fill in the following:
+* _Connector name_: A name for the connector.
+* _URL_: The URL of the {sn} instance to which you want to send cases.
+* _Username_: The username of the {sn} account used to access the {sn}
+instance.
+* _Password_: The password of the the {sn} account used to access the {sn}
+instance.
+. To represent a SIEM case as a {sn} incident, these SIEM case fields are
+mapped to {sn} incidents fields as follows:
+** `Title`: Mapped to the {sn} `Short description` field. When an update to a
+SIEM case title is sent to {sn}, the existing {sn} `Short description` field is
+overwritten.
+** `Description`: Mapped to the {sn} `Description` field. When an update to a
+SIEM case description is sent to {sn}, the existing {sn} `Description` field is
+overwritten.
+** `Comments`: Mapped to the {sn} `Comments` field. When a comment is updated
+in a SIEM case, a new comment is added to the {sn} incident.
+. Save the connector.
+
+[float]
+=== Close sent cases automatically
+
+To close cases when they are sent to {sn}, select the
+_Automatically close SIEM cases when pushing new incident to third-party_
+option.
+
+[float]
+=== Change and update connectors
+
+You can create additional connectors, update existing connectors, and change
+the connector used to send cases to {sn}.
+
+. To change the connector used to send cases to {sn}: 
+.. Go to *SIEM* -> *Cases* -> *Edit external connection*.
+.. Select the required connector from the `Incident management system` list.
+. To update an existing connector:
+.. Click `Update connector`.
+.. Update the the connector fields as required.

docs/en/siem/index.asciidoc

@@ -63,6 +63,8 @@ include::prebuilt-rules-changelog.asciidoc[]
 
 include::cases-overview.asciidoc[]
 
+include::cases-ui-integrations.asciidoc[]
+
 include::cases-api.asciidoc[]
 
 include::cases-api-create.asciidoc[]

docs/en/siem/siem-ui.asciidoc

@@ -178,6 +178,17 @@ according to various attributes, including `Risk scores`, `Severities`, and
 `Top event categories`. The `All signals` table helps with investigations,
 allowing you to search, filter, and aggregate all {siem-soln} signals.
 
+[float]
+[[cases-ui]]
+=== Cases
+
+The Cases page is used to open and track security issues directly in the
+{siem-app}. For information on how to open and manage cases, see
+<<cases-overview>>.
+
+[role="screenshot"]
+image::images/cases-ui-home.png[]
+
 [float]
 [[timelines-ui]]
 === Timelines