Issue #63: Add Endpoint installation instructions (#129) (#145)

* Issue #63: Add Endpoint installation instructions

* Add installation instructions to index

* Small tweak to intro

* add image for verifying datasets. Fix ordered lists

* Remove hosts-overview reference

* Fix ordered list

* Fix level 2 header in preview. Add link to full disk access

* Switch images to new directory

* Fix TOC

* Fix headers

* Fix headers by adding float tags

* Make top Ingest manager a warning

* Address Eriks feedback. Add identifiers to each heder

* Try removing xpack. Incorporate feedback

* Fix code block for beats

* Remove Ingest manager file.

* Remove Ingest Manager warning

* Experiment with header structure

* Rearrange TOC

* Fix toc

* Final TOC fix

* Fix title header on main page

* Another TOC fix

* TOC fixes

* Fix full disk access include

* [DOCS] Updates nesting in Getting Started

* Fix broken link

* Add part intro to Investigate Events section

* Fix Investigate Event build errors

Co-authored-by: lcawl <lcawley@elastic.co>

Co-authored-by: Nate Archer <12628964+DonNateR@users.noreply.github.com>
Co-authored-by: lcawl <lcawley@elastic.co>

docs/detections/machine-learning/machine-learning.asciidoc

@@ -25,7 +25,7 @@ interface on the *Detections* page can be used for for viewing, starting, and
 stopping {es-sec} machine learning jobs.
 
 TIP: To add a custom job to the `ML job settings` interface, add `Security` to
-the job's `Groups` field ({kib} -> {ml-cap} -> Create/Edit job -> Job 
+the job's `Groups` field ({kib} -> {ml-cap} -> Create/Edit job -> Job
 details).
 
 [float]
@@ -45,14 +45,14 @@ Or
 * Your shipped data is ECS-compliant, and {kib} is configured with the shipped
 data's index patterns.
 
-<<prebuilt-ml-jobs>> describes all available {ml} jobs, and lists 
+<<prebuilt-ml-jobs>> describes all available {ml} jobs, and lists
 which ECS fields are required on your hosts when you are not using {beats} to
 ship your data. For information on tuning anomaly results to reduce the number
 of false positive, see <<tuning-anomaly-results>>.
 
-NOTE: Machine learning jobs look back and analyse two weeks of historical data 
-prior to the time they are enabled. After jobs are enabled, they continuously 
-analyse incoming data. When jobs are stopped and restarted within the two week 
+NOTE: Machine learning jobs look back and analyse two weeks of historical data
+prior to the time they are enabled. After jobs are enabled, they continuously
+analyse incoming data. When jobs are stopped and restarted within the two week
 time frame, previously analysed data is not processed again.
 
 [float]
@@ -62,18 +62,15 @@ To view the `Anomalies` table widget and `Max Anomaly Score By Job` details,
 the user must have the `machine_learning_admin` or `machine_learning_user` role.
 
 NOTE: To adjust the `score` threshold that determines which
-{ml-docs}/xpack-ml.html[anomalies] are shown, you can modify {kib} -> 
+{ml-docs}/xpack-ml.html[anomalies] are shown, you can modify {kib} ->
 Stack Management -> Advanced Settings -> `securitySolution:defaultAnomalyScore`.
 
 [[prebuilt-ml-jobs]]
 == Prebuilt job reference
 
-Prebuilt jobs automatically detect file system and network anomalies on your 
+Prebuilt jobs automatically detect file system and network anomalies on your
 hosts. To enable jobs when you are not using {beats}, you must map your data to
 the ECS fields listed in each job description.
 
 NOTE: Some jobs use fields that are not ECS-compliant. These jobs are only
 available when you use {beats} to ship data.
-
-include::{ml-dir}/anomaly-detection/ootb-ml-jobs-siem.asciidoc[tag=siem-jobs]
-

docs/events/index.asciidoc

@@ -1,9 +1,11 @@
-[chapter]
 [[investigate-events]]
 
 = Investigate events
 
+[partintro]
+---
 This sections describes how to use timelines and the timeline graphical interface to investigate events.
+---
 
-include::timeline-ui-overview.asciidoc[]
-include::timeline-templates.asciidoc[]
+include::timeline-ui-overview.asciidoc[leveloffset=+1]
+include::timeline-templates.asciidoc[leveloffset=+1]

docs/events/timeline-templates.asciidoc

@@ -1,5 +1,5 @@
 [[timeline-templates-ui]]
-== About Timeline templates
+= About Timeline templates
 
 You can attach Timeline templates to detection rules. When attached, the rule's
 alerts use the template when they are investigated in Timeline. This enables
@@ -143,4 +143,4 @@ the template `ndjson` file.
 NOTE: Each template object in the file must be represented in a single line.
 Multiple template objects are delimited with newlines.
 
-NOTE: You cannot export prebuilt templates.
+NOTE: You cannot export prebuilt templates.

docs/events/timeline-ui-overview.asciidoc

@@ -1,5 +1,4 @@
 [[timelines-ui]]
-[role="xpack"]
 = Investigating events in Timeline
 
 Use Timeline as your workspace for investigations and threat hunting.
@@ -140,7 +139,7 @@ You can view, duplicate, delete, and create templates from existing Timelines:
 * _Delete timeline_
 
 TIP: To perform the same action on multiple Timelines, select Timelines and
-then the required action from the _Bulk actions_ menu. 
+then the required action from the _Bulk actions_ menu.
 
 [discrete]
 [[import-export-timelines]]

docs/getting-started/index.asciidoc

@@ -2,16 +2,20 @@
 [[getting-started]]
 = Get started with Elastic Security
 
+[partintro]
+--
 Looking to get started with Elastic Security? This section describes the Elastic Security UI in Kibana, the system requirements required to run the Elastic Agent with the Elastic Endpoint Security integration, as well as instructions on how to configure and install Elastic Security on your host.
+--
 
 include::sec-app-requirements.asciidoc[leveloffset=+1]
 include::detections-req.asciidoc[leveloffset=+2]
 include::cases-req.asciidoc[leveloffset=+2]
 include::ml-req.asciidoc[leveloffset=+2]
-include::sensor-full-disk-access.asciidoc[leveloffset=+2]
 include::net-map-req.asciidoc[leveloffset=+2]
+include::sensor-full-disk-access.asciidoc[leveloffset=+2]
+include::install-endpoint.asciidoc[leveloffset=+1]
 include::ingest-data.asciidoc[leveloffset=+1]
-include::security-ui.asciidoc[]
-include::network-page-overview.asciidoc[leveloffset=+1]
-include::../management/hosts/hosts-overview.asciidoc[leveloffset=+1]
-include::../management/admin/admin-pg-ov.asciidoc[leveloffset=+1]
+include::security-ui.asciidoc[leveloffset=+1]
+include::network-page-overview.asciidoc[leveloffset=+2]
+include::{security-docs-root}/docs/management/hosts/hosts-overview.asciidoc[leveloffset=+2]
+include::{security-docs-root}/docs/management/admin/admin-pg-ov.asciidoc[leveloffset=+2]

docs/getting-started/ingest-data.asciidoc

@@ -8,16 +8,16 @@ To ingest data, you can use:
 * Third-party collectors configured to ship ECS-compliant data.
 <<siem-field-reference>> provides a list of all fields used in {es-sec}.
 * *Elastic agent and ingest manager* sends logs, metrics, and endpoint security
-data to {es} (beta). 
+data to {es} (beta).
 
 [IMPORTANT]
 ==============
-If you use a third-party collector to ship data to the {siem-app}, you must 
-map its fields to the {ecs-ref}[Elastic Common Schema (ECS)]. Additionally, 
-you must add its index to the {es-sec} indices (*{kib}* -> 
+If you use a third-party collector to ship data to the {siem-app}, you must
+map its fields to the {ecs-ref}[Elastic Common Schema (ECS)]. Additionally,
+you must add its index to the {es-sec} indices (*{kib}* ->
 *Stack Management* -> *Advanced Settings* -> *`securitySolution:defaultIndex`*).
 
-{siem-soln} uses the {ecs-ref}/ecs-host.html[`host.name`] ECS field as the 
+{siem-soln} uses the {ecs-ref}/ecs-host.html[`host.name`] ECS field as the
 primary key for identifying hosts.
 ==============
 
@@ -70,7 +70,7 @@ for the events you want to collect, see the
 No matter how you installed {beats}, you need to enable modules in {auditbeat}
 and {filebeat} to populate {es-sec} with data.
 
-TIP: For a full list of security-related beat modules, 
+TIP: For a full list of security-related beat modules,
 https://www.elastic.co/integrations?solution=security[click here].
 
 To populate *Hosts* data, enable these {auditbeat} modules:
@@ -98,4 +98,4 @@ and {filebeat} modules:
 ** {filebeat-ref}/filebeat-module-aws.html[AWS module]
 ** {filebeat-ref}/filebeat-module-cef.html[CEF module]
 ** {filebeat-ref}/filebeat-module-googlecloud.html[Google Cloud module]
-** {filebeat-ref}/filebeat-module-netflow.html[NetFlow module]
+** {filebeat-ref}/filebeat-module-netflow.html[NetFlow module]

docs/getting-started/install-endpoint.asciidoc

@@ -0,0 +1,74 @@
+[[install-endpoint]]
+[role="xpack"]
+= Configure and install Elastic Security
+
+
+Like other Elastic integrations, Elastic Endpoint Security can be integrated into the Elastic Agent through {ingest-guide}/ingest-management-overview.html[Ingest Manager]. Upon configuration, the integration allows the Elastic Agent to monitor for events on your host and send data to the Elastic Security app.
+
+NOTE: Configuring the Endpoint Integration on the Elastic Agent requires that the user have permission to use Ingest Manager in Kibana.
+
+[discrete]
+[[security-before-you-begin]]
+== Before you begin
+
+If you're using the Elastic Agent on macOS Mojave (10.14) or later, ensure that you have enabled <<sensor-full-disk-access,Full Disk Access>>. Lastly, review the Elastic Security system requirements.
+
+[discrete]
+[[add-security-integration]]
+== Add Elastic Security integration
+
+1. In Kibana, select **Security** > **Administration**. If this is not your first time using Elastic Security, select **Ingest Manager** > **Integrations** and search for "Elastic Endpoint Security".
++
+[role="screenshot"]
+image::images/install-endpoint/security-integration.png[]
++
+2. On the Administration page of the security app or the Elastic Endpoint Security integration page in Ingest Manager, select **Add Endpoint Security**. The integration configuration page appears.
+3. Select a configuration for the Elastic Agent. You can use either the **Default config**, or adds security integration to a custom or existing configuration. For more details on Elastic Agent configuration settings, see {ingest-guide}/elastic-agent-configuration.html[Configuration settings].
+4. Configure the Elastic Endpoint Security integration with a name and optional description. When done configuring, select **Save integration**. Kibana redirects you back to the administration section of the security app.
++
+[role="screenshot"]
+image::images/install-endpoint/add-elastic-endpoint-security.png[]
++
+5. On the Enable Elastic Endpoint Security on your Agent's page, select the name of your new integration. To enroll your Agents with Endpoint Security, select **Enroll Agent**.
+6. Kibana redirects you back to Ingest manager to add the Elastic Agent to your host.
+
+[discrete]
+[[enroll-security-agent]]
+== Configure and enroll Elastic Agent
+
+There are two methods to install the Elastic Agent with the Elastic Endpoint Security integration using Ingest Manager.
+
+[discrete]
+=== Enroll with Fleet
+
+1. Go to Ingest Manager. Select **Overview** > **Add agent**.
++
+[role="screenshot"]
+image::images/install-endpoint/add-agent.png[]
++
+2. In the Add agent pane of the Configurations section, download the Elastic Agent on your host's machine.
+3. After the download is complete, select an agent configuration. The selected integrations should include **Elastic Endpoint Security**.
++
+[role="screenshot"]
+image::images/install-endpoint/endpoint-configuration.png[]
++
+4. After the Elastic Agent is installed on your host machine, open a command-line interface, and navigate to your Agent's directory. Copy the commands from Ingest Manager for your OS to enroll and run the Agent.
+
+After you have enrolled the Elastic Agent on your host, select **Continue**. The host now appears on the Hosts view page inside the Elastic Security app.
+
+[discrete]
+=== Standalone mode
+
+If you want to manage the Elastic Agent without using Fleet to manage your hosts, you can enroll the Agent on your host in {ingest-guide}/ingest-management-getting-started.html#agent-standalone-mode.
+
+1. In the Add agent pane, select the **Standalone mode** tab.
+2. Download the Elastic Agent on your host's machine and select an agent configuration.
+3. In the installed Agent's directory, create a file named `elastic-agent.yml`. Copy your configuration into the file from Step 3 of the Add agent pane. Remember to modify `ES_USERNAME` and `ES_PASSWORD` in the `outputs` section with your Elastic username and password.
+4. Save the file and start the Agent using `./elastic-agent run` for your OS.
+5. Once the Agent begins to send data, verify that the data is viewable in Kibana by going to **Ingest Manager** > **Datasets**.
+
+[role="screenshot"]
+image::images/install-endpoint/datasets.png[]
+
+
+TIP: To unenroll an agent from your host, see {ingest-guide}/unenroll-elastic-agent.html[Unenroll Elastic Agent].

docs/getting-started/sec-app-requirements.asciidoc

@@ -2,7 +2,7 @@
 = Elastic Security system requirements
 
 {es-sec} is an inbuilt part of {kib}. To use {es-sec}, you only need an {stack}
-deployment (an {es} cluster and {kib}). For information on installing the 
+deployment (an {es} cluster and {kib}). For information on installing the
 {stack}, see
 {stack-gs}/get-started-elastic-stack.html[Getting started with the {stack}].
 
@@ -18,7 +18,7 @@ available on Azure, AWS, and GCP. You can {ess-trial}[try it out for free].
 ==============
 
 To use {es-sec}, you must have at least the `Read` privilege for the `Security`
-feature in the {kib} space (see {kibana-ref}/xpack-spaces.html[Spaces]).  
+feature in the {kib} space (see {kibana-ref}/xpack-spaces.html[Spaces]).
 
 There are some additional requirements for specific features:
 

docs/getting-started/sensor-full-disk-access.asciidoc

@@ -3,6 +3,8 @@
 
 Elastic Endpoint Security requires full disk access to protect you from malware and other cybersecurity threats. Full Disk Access permissions is a new privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data. This means you need to manually grant permission for Elastic Endpoint Security to access these protected areas of your Mac.
 
+This article describes how to enable full disk access for both the Elastic Agent, required in order to enable Elastic Endpoint Security, and the legacy Endgame sensor.
+
 1. Open the **System Preferences** application.
 +
 2. Click **Security and Privacy**. On the Security and Privacy panel, select the **Privacy** tab.
@@ -13,18 +15,11 @@ Elastic Endpoint Security requires full disk access to protect you from malware
 image::images/select-fda.png[Select Full Disk Access]
 --
 +
-4. In the lower-left corner of the panel, click the **Lock button** and enter your username and password. You can now add the `esensor` file.
-+
-5. Click the + button to view Finder. Navigate to the `/Library/Endgame` directory, select the `esensor` file, and then click *Open*.
-+
---
-image::images/select-esensor-file.png[Select esensor file]
---
-+
-6. In the **Privacy** tab, confirm that the `esensor` file appears in the list of applications that have full access permission, as seen in the following image:
-+
---
-image::images/esensor-permission-granted.png[Verify that permission is granted]
---
+4. In the lower-left corner of the panel, click the **Lock button** and enter your username and password. You can now add the `elastic-agent` or `esensor` file.
+
+5. Click the + button to view Finder. Navigate to the `/Library/Endgame` directory, select the `elastic-agent` or `esensor` file, and then click *Open*.
+
+6. In the **Privacy** tab, confirm that the `elastic-agent` or `esensor` file appears in the list of applications that have full access permission, as seen in the following image:
+
 
 Elastic Endpoint Security now has the access required to fully protect your system.

docs/index.asciidoc

@@ -8,6 +8,7 @@
 :ml-dir:       {stack-docs-root}/docs/en/stack/ml
 :sn: ServiceNow
 :ibm-r: IBM Resilient
+:beats-dir:    {beats-root}
 
 [[elastic-endpoint]]
 = Elastic Security Solution