diff --git a/docs/en/secops/images/secops-architecture.png b/docs/en/secops/images/secops-architecture.png
new file mode 100644
index 000000000..35eb9db6d
Binary files /dev/null and b/docs/en/secops/images/secops-architecture.png differ
diff --git a/docs/en/secops/index.asciidoc b/docs/en/secops/index.asciidoc
new file mode 100644
index 000000000..ef6afe363
--- /dev/null
+++ b/docs/en/secops/index.asciidoc
@@ -0,0 +1,17 @@
+:doctype: book
+:sec: SecOps
+:sec-soln: security monitoring
+:sec-ui: SecOps
+
+= Security Monitoring Guide
+
+include::{asciidoc-dir}/../../shared/versions.asciidoc[]
+
+include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
+
+include::overview.asciidoc[]
+
+include::installation.asciidoc[]
+
+include::sec-ui.asciidoc[]
+
diff --git a/docs/en/secops/installation.asciidoc b/docs/en/secops/installation.asciidoc
new file mode 100644
index 000000000..1c1bafe3f
--- /dev/null
+++ b/docs/en/secops/installation.asciidoc
@@ -0,0 +1,42 @@
+[[install-sec-monitoring]]
+[role="xpack"]
+== Get up and running
+
+beta[]
+
+To get up and running with security monitoring, you need:
+
+* An Elasticsearch cluster and Kibana (version 6.x or later) with a basic
+license. To learn how to get started quickly, see
+{stack-gs}/get-started-elastic-stack.html[Getting started with the {stack}].
++
+[TIP]
+==============
+You can skip installing {es} and {kib} by using our
+https://www.elastic.co/cloud/elasticsearch-service[hosted {es} Service] on
+Elastic Cloud. The {es} Service is available on both AWS and GCP.
+https://www.elastic.co/cloud/elasticsearch-service/signup[Try the {es}
+Service for free].
+==============
+
+* {beats} shippers (version 6.x or later) installed on each system you want to
+monitor
+
+You might need to modify UI settings in {kib} to change default behaviors,
+such as the index pattern used to query the data, and the timestamp field used
+for sorting. For more information, see {kib}.
+
+[float]
+[[install-beats-for-sec]]
+=== Install {beats} shippers
+
+To populate the security UI with metrics and
+log data, you need to install and configure the following shippers:
+
+* https://www.elastic.co/products/beats/packetbeat[{packetbeat}] for analyzing
+network packets
+* https://www.elastic.co/products/beats/filebeat[{filebeat}] for forwarding and
+centralizing logs and files
+* https://www.elastic.co/products/beats/auditbeat[{auditbeat}] for monitoring
+directories for file changes
+
diff --git a/docs/en/secops/overview.asciidoc b/docs/en/secops/overview.asciidoc
new file mode 100644
index 000000000..562149c6f
--- /dev/null
+++ b/docs/en/secops/overview.asciidoc
@@ -0,0 +1,20 @@
+[[sec-monitoring-overview]]
+[role="xpack"]
+== Overview
+
+beta[]
+
+{sec} gives you a comprehensive view into your security operations.
+
+The UI in {kib} UI to brings together data
+from a variety of sources, making it easier for you
+to identify and resolve security issues.
+
+[float]
+[[secops-components]]
+=== Security monitoring components
+
+Security monitoring requires the following {stack} components.
+
+image::images/secops-architecture.png[]
+
diff --git a/docs/en/secops/sec-ui.asciidoc b/docs/en/secops/sec-ui.asciidoc
new file mode 100644
index 000000000..eb00180a0
--- /dev/null
+++ b/docs/en/secops/sec-ui.asciidoc
@@ -0,0 +1,14 @@ +[[sec-ui-overview]] +[role="xpack"] +== {sec-ui} UI + +beta[] + +After you have security monitoring <> and data is streaming to {es}, use the {sec-ui} UI in {kib} to monitor +and identify security problems in real time. + +For more information about working with the {sec-ui} UI, see the +{kib} documentation. + +