diff --git a/docs/management/advanced-options.asciidoc b/docs/management/advanced-options.asciidoc index 00f5ad17a66b68..8b64ebdc9b54a2 100644 --- a/docs/management/advanced-options.asciidoc +++ b/docs/management/advanced-options.asciidoc 
@@ -224,19 +224,19 @@ might increase the search time. This setting is off by default. Users must opt-i [float] [[kibana-siem-settings]] -==== SIEM +==== Security Solution [horizontal] -`siem:defaultAnomalyScore`:: The threshold above which Machine Learning job anomalies are displayed in the SIEM app. -`siem:defaultIndex`:: A comma-delimited list of Elasticsearch indices from which the SIEM app collects events. -`siem:ipReputationLinks`:: A JSON array containing links for verifying the reputation of an IP address. The links are displayed on -{security-guide}/siem-ui-overview.html#network-ui[IP detail] pages. -`siem:enableNewsFeed`:: Enables the security news feed on the SIEM *Overview* +`securitySolution:defaultAnomalyScore`:: The threshold above which Machine Learning job anomalies are displayed in the Security app. +`securitySolution:defaultIndex`:: A comma-delimited list of Elasticsearch indices from which the Security app collects events. +`securitySolution:ipReputationLinks`:: A JSON array containing links for verifying the reputation of an IP address. The links are displayed on +{security-guide}/network-page-overview.html[IP detail] pages. +`securitySolution:enableNewsFeed`:: Enables the security news feed on the Security *Overview* page. -`siem:newsFeedUrl`:: The URL from which the security news feed content is +`securitySolution:newsFeedUrl`:: The URL from which the security news feed content is retrieved. -`siem:refreshIntervalDefaults`:: The default refresh interval for the SIEM time filter, in milliseconds. -`siem:timeDefaults`:: The default period of time in the SIEM time filter. +`securitySolution:refreshIntervalDefaults`:: The default refresh interval for the Security time filter, in milliseconds. +`securitySolution:timeDefaults`:: The default period of time in the Security time filter. [float] [[kibana-timelion-settings]] 
diff --git a/docs/siem/images/cases-ui.png b/docs/siem/images/cases-ui.png index d7b125b87a0047..cb6361581d19e9 100644 Binary files a/docs/siem/images/cases-ui.png and b/docs/siem/images/cases-ui.png differ diff --git a/docs/siem/images/detections-ui.png b/docs/siem/images/detections-ui.png index b698ac5d084692..b3fd7b5b51b8bd 100644 Binary files a/docs/siem/images/detections-ui.png and b/docs/siem/images/detections-ui.png differ diff --git a/docs/siem/images/hosts-ui.png b/docs/siem/images/hosts-ui.png index 77cdb227e1d0bb..57b09e340355ed 100644 Binary files a/docs/siem/images/hosts-ui.png and b/docs/siem/images/hosts-ui.png differ diff --git a/docs/siem/images/ml-ui.png b/docs/siem/images/ml-ui.png index 568ae324dadd7a..e301f6e28a45f7 100644 Binary files a/docs/siem/images/ml-ui.png and b/docs/siem/images/ml-ui.png differ diff --git a/docs/siem/images/network-ui.png b/docs/siem/images/network-ui.png index 52caa7835d51af..a33040c41ddd3d 100644 Binary files a/docs/siem/images/network-ui.png and b/docs/siem/images/network-ui.png differ diff --git a/docs/siem/images/overview-ui.png b/docs/siem/images/overview-ui.png index 09128775a50973..cf5475c89952ee 100644 Binary files a/docs/siem/images/overview-ui.png and b/docs/siem/images/overview-ui.png differ diff --git a/docs/siem/images/timeline-ui.png b/docs/siem/images/timeline-ui.png index fbf5843fc445cd..ad1794c4b93c9e 100644 Binary files a/docs/siem/images/timeline-ui.png and b/docs/siem/images/timeline-ui.png differ diff --git a/docs/siem/index.asciidoc b/docs/siem/index.asciidoc index ceb4ac2bf1f349..18895f0533fd71 100644 --- a/docs/siem/index.asciidoc +++ b/docs/siem/index.asciidoc 
@@ -1,19 +1,22 @@ [role="xpack"] [[xpack-siem]] -= SIEM += Elastic Security [partintro] -- -The SIEM app in Kibana provides an interactive workspace for security teams to -triage events and perform initial investigations. It enables analysis of -host-related and network-related security events as part of alert investigations -or interactive threat hunting. +Elastic Security combines SIEM threat detection features with endpoint +prevention and response capabilities in one solution, including: +* A detection engine to identify attacks and system misconfiguration +* A workspace for event triage and investigations +* Interactive visualizations to investigate process relationships +* Embedded case management and automated actions +* Detection of signatureless attacks with prebuilt {ml} anomaly jobs and +detection rules [role="screenshot"] -image::siem/images/overview-ui.png[SIEM Overview in Kibana] - +image::siem/images/overview-ui.png[Elastic Security in Kibana] [float] == Add data 
@@ -31,15 +34,14 @@ https://www.elastic.co/products/beats/winlogbeat[{winlogbeat}], and https://www.elastic.co/products/beats/packetbeat[{packetbeat}] send security events and other data to Elasticsearch. -The default index patterns for SIEM events are `auditbeat-*`, `winlogbeat-*`, -`filebeat-*`, `packetbeat-*`, `endgame-*`, and `apm-*-transaction*`. You can -change the default index patterns in -*Kibana > Management > Advanced Settings > siem:defaultIndex*. +The default index patterns for Elastic Security events are `auditbeat-*`, `winlogbeat-*`, +`filebeat-*`, `packetbeat-*`, `endgame-*`, `logs-*`, and `apm-*-transaction*`. To change the default pattern patterns, go to *Stack Management > Advanced Settings > securitySolution:defaultIndex*. [float] -=== Elastic Endpoint Sensor Management Platform +=== Elastic Security endpoint agent -The Elastic Endpoint Sensor Management Platform (SMP) ships host and network events directly to the SIEM application, and is fully ECS compliant. +The agent detects and protects against malware, and ships host and network +events directly to Elastic Security. [float] === Elastic Common Schema (ECS) for normalizing data @@ -49,7 +51,7 @@ used for storing event data in Elasticsearch. ECS helps users normalize their event data to better analyze, visualize, and correlate the data represented in their events. -SIEM can ingest and normalize events from ECS-compatible data sources. +Elastic Security can ingest and normalize events from ECS-compatible data sources. -- diff --git a/docs/siem/machine-learning.asciidoc b/docs/siem/machine-learning.asciidoc index baaa789cccd7ee..c56332f1183cec 100644 --- a/docs/siem/machine-learning.asciidoc +++ b/docs/siem/machine-learning.asciidoc 
@@ -3,14 +3,12 @@ == Anomaly Detection with Machine Learning For *{ess-trial}[Free Trial]* -and *https://www.elastic.co/subscriptions[Platinum License]* deployments, -Machine Learning functionality is available throughout the SIEM app. You can -view the details of detected anomalies within the `Anomalies` table widget -shown on the Hosts, Network and associated Details pages, or even narrow to -the specific daterange of an anomaly from the `Max Anomaly Score` details in -the overview of the Host and IP Details pages. Each of these interfaces also -offer the ability to drag and drop details of the anomaly to Timeline, such -as the `Entity` itself, or any of the associated `Influencers`. +and *https://www.elastic.co/subscriptions[Platinum subscription]* deployments, +Machine Learning functionality is available throughout Elastic Security. You can +view the details of detected anomalies in the `Anomalies` table +shown on the Hosts, Network and associated details pages. You can drag and drop +anomaly details to Timeline, such as the `Entity` itself, or any of the +associated `Influencers`. [role="screenshot"] image::siem/images/ml-ui.png[Machine Learning - Max Anomaly Score] diff --git a/docs/siem/siem-ui.asciidoc b/docs/siem/siem-ui.asciidoc index 1caa13dc6c903e..98f8bc218aa76c 100644 --- a/docs/siem/siem-ui.asciidoc +++ b/docs/siem/siem-ui.asciidoc 
@@ -1,20 +1,20 @@ [role="xpack"] [[siem-ui]] -== Using the SIEM UI +== Using Elastic Security -The SIEM app is a highly interactive workspace for security analysts. It is -designed to be discoverable, clickable, draggable and droppable, expandable and -collapsible, resizable, moveable, and so forth. You start with an overview. Then -you can use the interactive UI to drill down into areas of interest. +Elastic Security is a highly interactive workspace designed for security +analysts. It provides a clear overview of events and alerts from your +environment, and you can use the interactive UI to drill down into areas of +interest. [float] [[hosts-ui]] === Hosts -The Hosts view provides key metrics regarding host-related security events, and -data tables and widgets that let you interact with the Timeline Event Viewer. +The Hosts page provides key metrics regarding host-related security events, and +data tables and histograms that let you interact with the Timeline Event Viewer. You can drill down for deeper insights, and drag and drop items of interest from -the Hosts view tables to Timeline for further investigation. +the Hosts page to Timeline for further investigation. [role="screenshot"] image::siem/images/hosts-ui.png[] @@ -24,11 +24,8 @@ image::siem/images/hosts-ui.png[] [[network-ui]] === Network -The Network view provides key network activity metrics, facilitates -investigation time enrichment, and provides network event tables that enable -interaction with the Timeline. You can drill down for deeper insights, and drag -and drop items of interest from the Network view to Timeline for further -investigation. +The Network page displays key network activity metrics in an interactive map, +and provides network event tables that enable interaction with Timeline. [role="screenshot"] image::siem/images/network-ui.png[] 
@@ -38,14 +35,13 @@ image::siem/images/network-ui.png[] === Detections (beta) The Detections feature automatically searches for threats and creates -signals when they are detected. Signal detection rules define the conditions -for creating signals. The SIEM app comes with prebuilt rules that search for -suspicious activity on your network and hosts. Additionally, you can +alerts when they are detected. Detection rules define the conditions +for when alerts are created. Elastic Security comes with prebuilt rules that +search for suspicious activity on your network and hosts. Additionally, you can create your own rules. -See {security-guide}/detection-engine-overview.html[Detections] in the SIEM -Guide for information on managing detection rules and signals via the UI -or the Detections API. +See {security-guide}/detection-engine-overview.html[Detections] for information +on managing detection rules and alerts. [role="screenshot"] image::siem/images/detections-ui.png[] @@ -54,14 +50,14 @@ image::siem/images/detections-ui.png[] [[cases-ui]] === Cases (beta) -Cases are used to open and track security issues directly in SIEM. +Cases are used to open and track security issues directly in Elastic Security. Cases list the original reporter and all users who contribute to a case (`participants`). Case comments support Markdown syntax, and allow linking to saved Timelines. Additionally, you can send cases to external systems from -within SIEM (currently ServiceNow and Jira). +within Elastic Security. For information about opening, updating, and closing cases, see -{security-guide}/cases-overview.html[Cases] in the SIEM Guide. +{security-guide}/cases-overview.html[Cases] in the Elastic Security Guide. [role="screenshot"] image::siem/images/cases-ui.png[] 
@@ -73,31 +69,31 @@ image::siem/images/cases-ui.png[] Timeline is your workspace for threat hunting and alert investigations. [role="screenshot"] -image::siem/images/timeline-ui.png[SIEM Timeline] +image::siem/images/timeline-ui.png[Elastic Security Timeline] You can drag objects of interest into the Timeline Event Viewer to create exactly the query filter you need. You can drag items from table widgets within Hosts and Network pages, or even from within Timeline itself. -A timeline is responsive and persists as you move through the SIEM app +A timeline is responsive and persists as you move through Elastic Security collecting data. -See the {security-guide}[Security Guide] for more details on data sources and an -overview of UI elements and capabilities. +For detailed information about Timeline, see +{security-guide}/timelines-ui.html[Investigating events in Timeline]. [float] [[sample-workflow]] === Sample workflow An analyst notices a suspicious user ID that warrants further investigation, and -clicks a url that links to the SIEM app. +clicks a URL that links to Elastic Security. -The analyst uses the tables, widgets, and filtering and search capabilities in -the SIEM app to get to the bottom of the alert. The analyst can drag items of -interest to the timeline for further analysis. +The analyst uses the tables, histograms, and filtering and search capabilities in +Elastic Security to get to the bottom of the alert. The analyst can drag items of +interest to Timeline for further analysis. -Within the timeline, the analyst can investigate further--drilling down, -searching, and filtering--and add notes and pin items of interest. +Within Timeline, the analyst can investigate further - drilling down, +searching, and filtering - and add notes and pin items of interest. The analyst can name the timeline, write summary notes, and share it with others if appropriate.
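Review bot: in the advanced-options hunk, renaming the `siem:*` keys to `securitySolution:*` in the [horizontal] list leaves open what happens to values an existing deployment has already saved under the old names; add a sentence under the "Security Solution" heading stating whether saved `siem:defaultIndex` and similar values are migrated or must be re-entered. Also confirm that the new link target `{security-guide}/network-page-overview.html` exists before merging, since the old text pointed at `siem-ui-overview.html#network-ui`.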
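Review bot: in the index.asciidoc "Add data" hunk, "To change the default pattern patterns" is a typo and should read "To change the default index patterns". The same added line also runs far past the wrap width the rest of the file keeps, so break it after `apm-*-transaction*`.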
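Review bot: in the machine-learning.asciidoc hunk, the removed sentences were the only text explaining the `Max Anomaly Score` detail that the unchanged screenshot line `image::siem/images/ml-ui.png[Machine Learning - Max Anomaly Score]` still refers to; either keep a short sentence about narrowing to an anomaly's date range from that detail on the Host and IP details pages, or update the image alt text so the screenshot matches the new text.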
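Review bot: in the "Cases (beta)" hunk, dropping "(currently ServiceNow and Jira)" removes the only statement of which external systems cases can be sent to; if the set is still ServiceNow and Jira, keep the parenthetical, and if it has changed, have the sentence point to the `{security-guide}/cases-overview.html[Cases]` page already linked below so readers can find the supported systems.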
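Review bot: in the "Sample workflow" hunk, the rewritten sentence "investigate further - drilling down, searching, and filtering - and add notes" replaces the original `--` with a single spaced hyphen; in AsciiDoc `--` (or ` -- ` with spaces) renders as an em dash, while a lone `-` renders literally, so keep the `--` form.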