elastic · nastasha-solomon · Jun 24, 2022 · Jun 13, 2022 · Jun 13, 2022 · Jun 16, 2022
@@ -62,7 +62,7 @@ image::images/additional-filters.png[Shows multiple ways to filter information]
 === Customize the Alerts table
 Use the toolbar buttons in the upper-left of the Alerts table to customize the columns you want displayed:
 
-* **Columns**: Reorder the columns. 
+* **Columns**: Reorder the columns.
 * **_x_ fields sorted**: Sort the table by one or more columns.
 * **Fields**: Select the fields to display in the table. You can also add <<alerts-runtime-fields, runtime fields>> to detection alerts and display them in the Alerts table.
 
@@ -109,6 +109,8 @@ The alert details flyout also lists the number and names of cases to which the a
 
 The *Highlighted Fields* section displays the most relevant fields for the alert type. Use this section to inform your triage efforts as you investigate the alert.
 
+NOTE: The *Session ID* field provides a unique ID for the Linux session. To collect it and other session data, you must enable the *Include session data* setting on your Endpoint Security integration policy. Refer to <<enable-session-view, Enable Session View data>> for more information.
+
 The *Alert prevalence* column shows the total number of alerts within the selected timeframe that have identical values. For example, an alert with an alert prevalence of 3 for the `host.name` field means three alerts with the same `host.name` value exist within the given timeframe. Alert prevalence data can help you investigate relationships with other alerts and gain more context about the event producing the alert.
 
 The *Enriched data* section displays available threat indicator matches and threat intelligence data. Click the info icon to learn more about what data is collected.