843c2383ea
* security docs 7.9 updates * terminology * updates advanced settings * terminology * corrections
61 lines
2 KiB
Plaintext
[role="xpack"]
[[xpack-siem]]
= Elastic Security

[partintro]
--

Elastic Security combines SIEM threat detection features with endpoint
prevention and response capabilities in one solution, including:

* A detection engine to identify attacks and system misconfiguration
* A workspace for event triage and investigations
* Interactive visualizations to investigate process relationships
* Embedded case management and automated actions
* Detection of signatureless attacks with prebuilt {ml} anomaly jobs and
detection rules

[role="screenshot"]
image::siem/images/overview-ui.png[Elastic Security in Kibana]

[float]
== Add data

Kibana provides step-by-step instructions to help you add data. The
{security-guide}[Security Guide] is a good source for more
detailed information and instructions.

[float]
=== {Beats}

https://www.elastic.co/products/beats/auditbeat[{auditbeat}],
https://www.elastic.co/products/beats/filebeat[{filebeat}],
https://www.elastic.co/products/beats/winlogbeat[{winlogbeat}], and
https://www.elastic.co/products/beats/packetbeat[{packetbeat}]
send security events and other data to Elasticsearch.

The default index patterns for Elastic Security events are `auditbeat-*`, `winlogbeat-*`,
`filebeat-*`, `packetbeat-*`, `endgame-*`, `logs-*`, and `apm-*-transaction*`. Data stored in
indices that match none of these patterns does not appear in the Elastic Security app, so add a
pattern for any custom index before expecting its events to show up. To change the default index
patterns, go to *Stack Management > Advanced Settings > securitySolution:defaultIndex*.

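
Before changing the setting, it is worth checking which of your indices the defaults already
cover. The following is an added example for this page, not Kibana code: it matches a constructed
list of index names against the default patterns using the same `*`-only glob semantics that
Elasticsearch and Kibana index patterns use, lists the indices the Security app would not query,
and builds the JSON body for the Kibana settings endpoint (`POST /api/kibana/settings`) that
appends a new pattern without dropping the defaults. The index names, the extra `syslog-fw-*`
pattern and the Kibana host in the comment are assumptions made for the example.

```python
"""Check Elastic Security index-pattern coverage and build the settings change.

Added example for this page; not Kibana code. Index names, the extra pattern and
the Kibana host are constructed/assumed for illustration.
"""
import fnmatch
import json

# Default value of securitySolution:defaultIndex in Kibana 7.9, as listed above.
DEFAULT_INDEX_PATTERNS = [
    "auditbeat-*",
    "winlogbeat-*",
    "filebeat-*",
    "packetbeat-*",
    "endgame-*",
    "logs-*",
    "apm-*-transaction*",
]

# Constructed sample of index names, as `GET _cat/indices?h=index` might list them.
SAMPLE_INDICES = [
    "auditbeat-7.9.0-2020.08.20-000001",
    "winlogbeat-7.9.0-2020.08.20-000001",
    "filebeat-7.9.0-2020.08.20-000001",
    "logs-endpoint.events.process-default-000001",
    "apm-7.9.0-transaction-000001",
    "syslog-fw-2020.08.20",  # custom index (assumed): not covered by the defaults
    ".kibana_1",             # system index: must never be added to the setting
]


def matching_pattern(index, patterns):
    """Return the first pattern that matches `index`, or None.

    Elasticsearch index patterns use `*` as the only wildcard; fnmatch gives
    the same anchored, match-anything semantics for `*`. Its extra `?` and
    `[...]` syntax is not Elasticsearch syntax, so such patterns are rejected.
    """
    for pattern in patterns:
        if "?" in pattern or "[" in pattern:
            raise ValueError("unsupported wildcard in pattern: %r" % pattern)
        if fnmatch.fnmatchcase(index, pattern):
            return pattern
    return None


def uncovered_indices(indices, patterns=DEFAULT_INDEX_PATTERNS):
    """Indices whose events Elastic Security will not query with `patterns`.

    Hidden/system indices (leading dot) are skipped: they hold no events and
    should never be exposed through the Security app.
    """
    return [
        idx for idx in indices
        if not idx.startswith(".") and matching_pattern(idx, patterns) is None
    ]


def settings_change_body(extra_patterns, base=DEFAULT_INDEX_PATTERNS):
    """Build the body for `POST /api/kibana/settings` that appends `extra_patterns`
    to securitySolution:defaultIndex, keeping the defaults and removing duplicates.
    """
    merged = []
    for pattern in list(base) + list(extra_patterns):
        if not pattern or pattern.startswith("."):
            raise ValueError("refusing to add empty or system pattern: %r" % pattern)
        if pattern not in merged:
            merged.append(pattern)
    return {"changes": {"securitySolution:defaultIndex": merged}}


if __name__ == "__main__":
    print("not covered by the defaults:", uncovered_indices(SAMPLE_INDICES))
    body = settings_change_body(["syslog-fw-*"])
    print(json.dumps(body, indent=2))
    # Send it to an assumed Kibana host; Kibana requires the kbn-xsrf header:
    # curl -u elastic:<password> -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
    #      -X POST https://kibana.example.com:5601/api/kibana/settings -d @body.json
```

Run against a real `_cat/indices` listing, the uncovered list is the set of indices whose events
no detection rule using the default patterns will ever see; the merged body is preferable to
overwriting the setting by hand because it cannot silently drop one of the defaults.
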
[float]
=== Elastic Security endpoint agent

The agent detects and protects against malware, and ships host and network
events directly to Elastic Security.

[float]
=== Elastic Common Schema (ECS) for normalizing data

The {ecs-ref}[Elastic Common Schema (ECS)] defines a common set of fields to be
used for storing event data in Elasticsearch. ECS helps users normalize their
event data to better analyze, visualize, and correlate the data represented in
their events.

Elastic Security can ingest and normalize events from ECS-compatible data sources.

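
To make the normalization step concrete, here is an added example that is not Elastic code: it
takes a constructed, non-ECS firewall-style JSON record (vendor field names such as `src`, `dpt`
and `act` are invented for the example) and rewrites it into ECS fields (`@timestamp`, `source.ip`,
`destination.port`, `event.action`, `event.outcome`, `user.name`, ...), validating IPs and ports on
the way so bad data is rejected at ingest instead of being indexed under the wrong type. The
`ecs.version` value and the `vendor` namespace for unmapped fields are assumptions.

```python
"""Normalize a non-ECS vendor event into ECS fields.

Added example for this page; not Elastic code. The raw record format is
constructed; the target field names are ECS fields. ECS_VERSION and the
`vendor` namespace for leftover fields are assumptions.
"""
import ipaddress
import json
from datetime import datetime, timezone

ECS_VERSION = "1.5.0"  # assumed; set to the ECS release your stack targets

# Constructed raw event from a hypothetical appliance that does not emit ECS.
RAW_EVENT = json.dumps({
    "ts": 1597924800,       # epoch seconds
    "act": "deny",
    "src": "10.1.2.3",
    "spt": 51515,
    "dst": "203.0.113.9",
    "dpt": 445,
    "proto": "tcp",
    "usr": "jdoe",
    "dev": "fw-edge-01",
})

# Vendor field -> ECS field. Anything unmapped is kept under a custom object so
# no data is lost, but only ECS fields are used for correlation across sources.
FIELD_MAP = {
    "src": "source.ip",
    "spt": "source.port",
    "dst": "destination.ip",
    "dpt": "destination.port",
    "proto": "network.transport",
    "usr": "user.name",
    "dev": "observer.name",
}

# Vendor action -> (event.action, event.type, event.outcome)
ACTION_MAP = {
    "deny": ("connection_denied", "denied", "failure"),
    "allow": ("connection_allowed", "allowed", "success"),
}


def set_path(doc, dotted, value):
    """Store a dotted ECS field name as nested JSON: source.ip -> {"source": {"ip": ...}}."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def normalize(raw_json):
    """Return an ECS document for one raw vendor event (format constructed above).

    Raises ValueError on an unknown action or a malformed IP address.
    """
    raw = json.loads(raw_json)
    ecs = {"ecs": {"version": ECS_VERSION}}
    ts = datetime.fromtimestamp(raw["ts"], tz=timezone.utc)
    set_path(ecs, "@timestamp", ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"))

    try:
        action, etype, outcome = ACTION_MAP[raw["act"]]
    except KeyError:
        raise ValueError("unknown vendor action: %r" % raw.get("act"))
    # event.category and event.type are arrays in ECS; kind/outcome are keywords.
    ecs["event"] = {
        "kind": "event",
        "category": ["network"],
        "type": [etype],
        "action": action,
        "outcome": outcome,
    }

    leftovers = {}
    for key, value in raw.items():
        if key in ("ts", "act"):
            continue
        target = FIELD_MAP.get(key)
        if target is None:
            leftovers[key] = value
            continue
        if target.endswith(".ip"):
            value = str(ipaddress.ip_address(value))  # validates and canonicalizes
        elif target.endswith(".port"):
            value = int(value)
        elif target == "network.transport":
            value = value.lower()  # ECS keeps transport lowercase
        set_path(ecs, target, value)
    if leftovers:
        ecs["vendor"] = leftovers  # assumed custom namespace, outside ECS
    return ecs


if __name__ == "__main__":
    print(json.dumps(normalize(RAW_EVENT), indent=2))
```

Once every source lands in these fields, a single detection rule on, say, `destination.port: 445`
and `event.outcome: failure` applies to this appliance, to Packetbeat and to any other
ECS-compatible source without per-vendor field names.
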
--


include::siem-ui.asciidoc[]
include::machine-learning.asciidoc[]