Description
Prerequisites
In order to start implementing the investigation detail page according to the design mockup, we first need to have the following PRs merged:
- [investigate] Copy changes from POC #187936
- chore(investigate): Add investigate-app plugin from poc #188122
Acceptance Criteria
We are aiming to have a v1 investigation DETAIL page that has the following components.
Header
Each detail page will have a header with the following design.
Initially, we'll delay the implementation of the "Escalate" button and the "three dots" more menu, and instead opt for a more basic design where the top right button is only "Close investigation". Later, the "Close investigation" action will move into the 3 dot menu and the primary button will have some sort of "Escalate" or related verbiage.
When the "Escalate" button is added (final wording on that button name TBD), clicking it will reveal a menu of connectors that have previously been set up, along with the ability to add a new connector. Note: for the most part, you can see how this works by looking at how it already works today in the Cases UI.
Adding a new connector will open a flyout that should be available from the Response Ops team, since they manage the connectors flow currently.
Related Events
We need to continue to refine how this part of the UI will work, but there will be some concept of "related events" represented for each investigation. This feature can be displayed in "timeline view":
Or in "list view":
The events on the timeline can be optionally filtered:
Observations Stream
Observations can be added to the primary stream on the page, and then are displayed.
To start, we'll prioritize the ability to add visualizations of 3 different types:
- Any existing embeddable visualization ("from the library")
- ES|QL interface, which allows adding a data table, single metric, or Lens visualization from its query results
- Some subset of existing visualizations that exist in the observability app (to begin, this will mostly be visualizations that appear on the alert details pages -- when an investigation is created from an alert, some of the charts from that alert detail page should be automatically added to the investigation when it's created)
Important caveats to the above mockup:
- Language should always be "observation" and not "observation chart", based on early feedback from users
- The option to "Import from > Inventory/Entity" is not planned for V1
Notes
There will be a sidebar displaying collaborative notes, which can be added by any Kibana user who visits this investigation.
Outstanding questions
- What text should be allowed for V1? Is it plain text only, or some amount of markup allowed? The mockup seems to show the ability to bold and make new paragraphs, at the very least.
- Are hyperlinks allowed in V1?
- Are uploaded images planned for V1? If so, can they also be hyperlinked?
- Links to external ticketing systems: should these be possible? If arbitrary hyperlinks are allowed, that would solve this, but if not, are we able to do this?
- Is there a concept of a linked runbook, possibly if it came from the alert the investigation was started from?
- Notes should be deletable, but only by the user who created the note.
- V1 notes may or may not be editable