elastic · joepeeples · May 22, 2023 · May 17, 2023 · May 17, 2023 · May 18, 2023
@@ -10,7 +10,7 @@ Interact with various dashboard elements:
 
 * Use the date and time picker in the upper-right to specify a time range for displaying information on the dashboard. 
 
-* In sections that list alert counts, click a number to investigate those alerts in Timeline.
+* In sections that list alert counts, click a number to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to investigate the alerts in Timeline.
 
 * Click the name of a detection rule, case, host, or user to open its details page.
 

@@ -51,9 +51,9 @@ Interact with the table to filter data, view more details, and take action:
 
 * Select the *Host risk classification* menu to filter the chart by the selected classification. 
 * Click a host name link to go to the Host details page.
-* Hover over a host name link to display inline actions: *Add to timeline investigation*, which adds the selected value to a new Timeline, and *Copy to Clipboard*, which copies the host name value for you to paste later. 
+* Hover over a host name link to display inline actions: *Add to timeline*, which adds the selected value to a new Timeline, and *Copy to Clipboard*, which copies the host name value for you to paste later. 
 * Click *View all* in the upper-right to display all host risk information on the Hosts page. 
-* Click the number link in the *Alerts* column to launch Timeline, which populates a query with the selected host name value.
+* Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to launch Timeline, which populates a query with the selected host name value.
 
 [role="screenshot"]
 image::images/launch-timeline.gif[Launch Timeline from Host Risk Scores table]
@@ -73,9 +73,9 @@ Interact with the table to filter data, view more details, and take action:
 
 * Select the *User risk classification* menu to filter the chart by the selected classification. 
 * Click a user name link to go to the User details page. 
-* Hover over a host name link to display inline actions: *Add to timeline investigation*, which adds the selected value to a new Timeline, and *Copy to Clipboard*, which copies the user name value for you to paste later. 
+* Hover over a host name link to display inline actions: *Add to timeline*, which adds the selected value to a new Timeline, and *Copy to Clipboard*, which copies the user name value for you to paste later. 
 * Click *View all* in the upper-right to display all user risk information on the Users page. 
-* Click the number link in the *Alerts* column to launch Timeline, which populates a query with the selected user name value.
+* Click the number link in the *Alerts* column to view the alerts on the Alerts page. Hover over the number and select *Investigate in timeline* (image:images/timeline-button-osquery.png[Investigate in timeline icon,20,20]) to launch Timeline, which populates a query with the selected user name value.
 
 NOTE: The host risk and user risk score tables are not affected by the date and time range. 
 

@@ -17,16 +17,18 @@ The Alerts page offers various ways for you to organize and triage detection ale
 [role="screenshot"]
 image::images/view-alert-details.png[View details button, 200]
 
+* View the rule that created an alert. Click the name in the *Rule* column to open the rule's details page.
+
 * Filter for a specific rule in the KQL bar (for example, `kibana.alert.rule.name :"SSH (Secure Shell) from the Internet"`). KQL autocomplete is available for `.alerts-security.alerts-*` indices.
 
 * Use the date and time filter to define a specific time range. By default, this filter is set to search the last 24 hours.
 
 * Visualize and group alerts by specific fields in the visualization section. Use the buttons on the left to select a view type (*Summary*, *Trend*, *Counts*, or *Treemap*), and use the menus on the right to select the ECS fields used for grouping alerts. Refer to <<visualize-alerts>> for more on each view type.
 
-* Hover over a value in the data grid to display available inline actions, such as *Filter In*, *Filter Out*, and *Add to timeline investigation*. Click the expand button to open a full context menu of options, including *Show top values*, *Copy to Clipboard*, and *View rule details*. The available options vary based on the type of data.
+* Hover over a value to display available <<inline-actions, inline actions>>, such as *Filter In*, *Filter Out*, and *Add to timeline*. Click the expand icon for more options, including *Show top _x_* and *Copy to Clipboard*. The available options vary based on the type of data.
 +
 [role="screenshot"]
-image::images/inline-actions-menu.gif[width=75%][height=75%][Animation of using the inline additional actions menu]
+image::images/inline-actions-menu.png[Inline additional actions menu,45%]
 
 * Filter alert results to include building block alerts or to only show alerts from indicator match rules by selecting the *Additional filters* drop-down. By default, <<building-block-rule, building block alerts>> are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts.
 +

@@ -17,6 +17,11 @@ The alert details flyout contains these informational tabs:
 [role="screenshot"]
 image::images/alert-details-flyout.png[Alert details flyout, 90%]
 
+Hover over fields on the *Overview* and *Table* tabs to display available <<inline-actions, inline actions>>. 
+
+[role="screenshot"]
+image::images/alert-details-flyout-inline-actions.png[Alert details flyout, 75%]
+
 [discrete]
 [[alert-details-overview]]
 === Overview tab

@@ -32,6 +32,29 @@ The navigation menu contains direct links and expandable groups, identified by t
 [role="screenshot"]
 image::images/nav-overview.gif[Overview of the navigation menu]
 
+[float]
+[[inline-actions]]
+== Inline actions for fields and values
+
+Throughout the {security-app}, you can hover over many data fields and values to display inline actions, which allow you to customize your view or investigate further based on that field or value. 
+
+[role="screenshot"]
+image::images/inline-actions-menu.png[Inline additional actions menu,45%]
+
+In some visualizations, these actions are available in the legend by clicking a value's options icon (image:images/three-dot-icon-vertical.png[Vertical three-dot icon,16,16]).
+
+[role="screenshot"]
+image::images/inline-actions-legend.png[Actions in a visualization legend,90%]
+
+Inline actions include the following (some actions are unavailable in some contexts):
+
+* *Filter In*: Add a filter that includes the selected value.
+* *Filter Out*: Add a filter that excludes the selected value.
+* *Add to timeline*: Launch Timeline and populate a query with the selected value.
+* *Toggle column in table*: Add or remove the selected field as a column in the displayed alerts or events table. (This action is only available on an alert or event's details flyout.)
+* *Show top _x_*: Open a modal displaying the top events or detection alerts involving the selected field.
+* *Copy to Clipboard*: Copy the selected field-value pair so you can paste it elsewhere.
+
 [float]
 == {security-app} pages