elastic · benskelker · Apr 21, 2020 · Apr 20, 2020 · Apr 20, 2020 · Apr 20, 2020
diff --git a/docs/management/advanced-options.asciidoc b/docs/management/advanced-options.asciidoc
@@ -217,6 +217,9 @@ might increase the search time. This setting is off by default. Users must opt-i
 [horizontal]
 `siem:defaultAnomalyScore`:: The threshold above which Machine Learning job anomalies are displayed in the SIEM app.
 `siem:defaultIndex`:: A comma-delimited list of Elasticsearch indices from which the SIEM app collects events.
+`siem:ipReputationLinks`:: A JSON array containing links for verifying an IP
+address’s reputation. The links are displayed on
+{siem-guide}/siem-ui-overview.html#network-ui[IP detail] pages.
 `siem:enableNewsFeed`:: Enables the security news feed on the SIEM *Overview*
 page.
 `siem:newsFeedUrl`:: The URL from which the security news feed content is

diff --git a/docs/siem/images/cases-ui.png b/docs/siem/images/cases-ui.png
diff --git a/docs/siem/siem-ui.asciidoc b/docs/siem/siem-ui.asciidoc
@@ -50,6 +50,22 @@ or the Detections API.
 [role="screenshot"]
 image::siem/images/detections-ui.png[]
 
+[float]
+[[cases-ui]]
+=== Cases (Beta)
+
+Cases are used to open and track security issues directly in the {siem-app}. 
+They list the original reporter and all users who contribute to a case
+(`participants`). Case comments support markdown syntax, and allow linking to
+saved Timelines. Additionally, you can send cases to external systems from
+within the {siem-app} (currently ServiceNow).
+
+For information about opening, updating, and closing cases, see
+{siem-guide}/cases-overview.html[Cases] in the SIEM Guide.
+
+[role="screenshot"]
+image::siem/images/cases-ui.png[]
+
 [float]
 [[timelines-ui]]
 === Timeline