kibana/docs/siem/index.asciidoc

[role="xpack"]
[[xpack-siem]]
= Elastic Security
[partintro]
--
Elastic Security combines SIEM threat detection features with endpoint
prevention and response capabilities in one solution, including:

* A detection engine to identify attacks and system misconfiguration
* A workspace for event triage and investigations
* Interactive visualizations to investigate process relationships
* Embedded case management and automated actions
* Detection of signatureless attacks with prebuilt {ml} anomaly jobs and
detection rules

[role="screenshot"]
image::siem/images/overview-ui.png[Elastic Security in Kibana]

[float]
== Add data
Kibana provides step-by-step instructions to help you add data. The
{security-guide}[Security Guide] is a good source for more
detailed information and instructions.

[float]
=== {Beats}

https://www.elastic.co/products/beats/auditbeat[{auditbeat}],
https://www.elastic.co/products/beats/filebeat[{filebeat}],
https://www.elastic.co/products/beats/winlogbeat[{winlogbeat}], and
https://www.elastic.co/products/beats/packetbeat[{packetbeat}]
send security events and other data to Elasticsearch.

The default index patterns for Elastic Security events are `auditbeat-*`, `winlogbeat-*`,
`filebeat-*`, `packetbeat-*`, `endgame-*`, `logs-*`, and `apm-*-transaction*`. To change the default index patterns, go to *Stack Management > Advanced Settings > securitySolution:defaultIndex*.
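Events that land in an index not matched by `securitySolution:defaultIndex` are simply invisible to detection rules and the Security app, so it is worth checking which of your indices the configured patterns actually cover. The following is an added example (not Kibana's own code): it applies the default patterns listed above to a handful of constructed index names, assuming, as with Elasticsearch index patterns, that `*` is the only wildcard character and everything else is literal.

```python
"""Check which index names the Elastic Security default index patterns cover.

Added example, not part of the Kibana docs or source. The index names in
SAMPLE_INDICES are constructed for illustration.
"""
import re

# The default value of securitySolution:defaultIndex, as listed in the docs.
DEFAULT_INDEX_PATTERNS = [
    "auditbeat-*", "winlogbeat-*", "filebeat-*", "packetbeat-*",
    "endgame-*", "logs-*", "apm-*-transaction*",
]

# Constructed index names: two Beats indices, two APM indices and one custom index.
SAMPLE_INDICES = [
    "auditbeat-7.9.0-2020.08.01",
    "logs-endpoint.events.process-default",
    "apm-7.9.0-transaction-000001",
    "apm-7.9.0-error-000001",            # APM error index: not matched by apm-*-transaction*
    "my-custom-firewall-2020.08.01",     # custom index: matched by nothing
]


def pattern_to_regex(pattern):
    """Translate an index pattern to an anchored regex.

    Assumption: only '*' is a wildcard; '.', '-' and all other characters are
    literal, so they are escaped rather than treated as regex syntax.
    """
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def coverage(index_names, patterns=DEFAULT_INDEX_PATTERNS):
    """Return (covered, uncovered).

    covered maps each matched index name to the list of patterns that match it;
    uncovered lists index names no pattern matches, in input order.
    """
    compiled = [(p, pattern_to_regex(p)) for p in patterns]
    covered, uncovered = {}, []
    for name in index_names:
        hits = [p for p, rx in compiled if rx.match(name)]
        if hits:
            covered[name] = hits
        else:
            uncovered.append(name)
    return covered, uncovered


if __name__ == "__main__":
    covered, uncovered = coverage(SAMPLE_INDICES)
    for name, hits in covered.items():
        print(f"covered:   {name}  <- {', '.join(hits)}")
    for name in uncovered:
        print(f"UNCOVERED: {name}  (add a pattern to securitySolution:defaultIndex)")
```

Running it shows that `apm-7.9.0-error-000001` and the custom firewall index are not covered by the defaults; to make such data visible to the Security app you would add a matching pattern to `securitySolution:defaultIndex` rather than broaden an existing one.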
[float]
=== Elastic Security endpoint agent

The agent detects and protects against malware, and ships host and network
events directly to Elastic Security.

[float]
=== Elastic Common Schema (ECS) for normalizing data

The {ecs-ref}[Elastic Common Schema (ECS)] defines a common set of fields to be
used for storing event data in Elasticsearch. ECS helps users normalize their
event data to better analyze, visualize, and correlate the data represented in
their events.

Elastic Security can ingest and normalize events from ECS-compatible data sources.
--

include::siem-ui.asciidoc[]
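To make concrete what "normalizing to ECS" means for a source that is not ECS-compatible out of the box, here is an added example (not Kibana or ECS project code). It maps a constructed vendor firewall record, with made-up field names such as `src`, `dpt` and `act`, onto real ECS field names (`source.ip`, `destination.port`, `event.action`, `event.category`, `event.outcome`, `event.kind`, `@timestamp`), keeps unmapped vendor fields under a constructed `acme.*` namespace so nothing is silently dropped, and reports which fields Elastic Security relies on are still missing. The ECS version string is an assumption for illustration.

```python
"""Normalize a constructed vendor event into ECS-shaped JSON.

Added example, not Kibana or ECS code. The raw record, the vendor field names
and the 'acme' namespace are constructed; the target field names are ECS fields.
"""
import json
from datetime import datetime, timezone

# Vendor field name (constructed) -> ECS dotted field name (real ECS fields).
FIELD_MAP = {
    "ts": "@timestamp",
    "src": "source.ip",
    "spt": "source.port",
    "dst": "destination.ip",
    "dpt": "destination.port",
    "act": "event.action",
    "hostname": "host.name",
    "user": "user.name",
}

# Vendor action value (constructed) -> (event.category, event.outcome).
ACTION_MAP = {
    "allow": ("network", "success"),
    "deny": ("network", "failure"),
}

# Fields Elastic Security needs to place an event on a timeline and classify it.
REQUIRED_FIELDS = ["@timestamp", "event.category", "event.kind"]

# Constructed raw firewall event; 'rule_id' has no ECS mapping on purpose.
SAMPLE_EVENT = {
    "ts": "1596240000", "src": "10.0.0.5", "spt": "51515",
    "dst": "203.0.113.7", "dpt": "443", "act": "deny",
    "hostname": "fw-edge-1", "user": "alice", "rule_id": "R42",
}


def set_path(doc, dotted, value):
    """Store a dotted ECS name ('source.ip') as nested objects {'source': {'ip': ...}}."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def get_path(doc, dotted):
    """Read a dotted ECS name from nested objects; None if any level is absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalize(raw):
    """Return an ECS-shaped document for one raw vendor event."""
    doc = {"ecs": {"version": "1.6.0"}}  # assumed ECS version for illustration
    for key, value in raw.items():
        ecs_name = FIELD_MAP.get(key)
        if ecs_name is None:
            # Unmapped vendor data is kept under a vendor namespace, not discarded.
            set_path(doc, f"acme.{key}", value)
            continue
        if ecs_name == "@timestamp":
            # Vendor epoch seconds -> ISO 8601 UTC, which Elasticsearch parses as a date.
            value = datetime.fromtimestamp(int(value), tz=timezone.utc).isoformat()
        elif ecs_name.endswith(".port"):
            value = int(value)  # ECS ports are numeric, not strings
        set_path(doc, ecs_name, value)
    category, outcome = ACTION_MAP.get(raw.get("act"), ("network", "unknown"))
    set_path(doc, "event.category", [category])  # event.category is an array in ECS
    set_path(doc, "event.outcome", outcome)
    set_path(doc, "event.kind", "event")
    return doc


def missing_required(doc):
    """List required ECS fields absent from the document (empty list means complete)."""
    return [f for f in REQUIRED_FIELDS if get_path(doc, f) is None]


if __name__ == "__main__":
    ecs_doc = normalize(SAMPLE_EVENT)
    print(json.dumps(ecs_doc, indent=2))
    print("missing:", missing_required(ecs_doc))
```

The same shape of mapping is what an ingest pipeline or a Beats module performs before indexing; doing it explicitly, and checking `missing_required` on the result, catches the common failure where a source is indexed but its events never show up in the Security app because `@timestamp` or `event.category` was never populated.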
include::machine-learning.asciidoc[]