diff --git a/docs/en/siem/images/siem-architecture.png b/docs/en/siem/images/siem-architecture.png index b051cb379..0ab2915d3 100644 Binary files a/docs/en/siem/images/siem-architecture.png and b/docs/en/siem/images/siem-architecture.png differ diff --git a/docs/en/siem/installation.asciidoc b/docs/en/siem/installation.asciidoc index c49cb5862..db65e58e5 100644 --- a/docs/en/siem/installation.asciidoc +++ b/docs/en/siem/installation.asciidoc @@ -98,10 +98,5 @@ To populate *Network* data, enable these {filebeat} modules: * {filebeat-ref}/filebeat-module-iptables.html[Iptables/Ubiquiti module] * {filebeat-ref}/filebeat-module-coredns.html[CoreDNS module] * {filebeat-ref}/filebeat-module-envoyproxy.html[Envoy proxy module (Kubernetes)] -* Palo Alto firewall module* -//* {filebeat-ref}/filebeat-module-panw.html[Palo Alto firewall module] -* {filebeat-ref}//filebeat-module-cisco.html[Cisco ASA firewall module*] - -// Palo Alto link target currently missing in 7.x: {filebeat-ref}/filebeat-module-panw.html[Palo Alto firewall module] -// https://github.com/elastic/beats/blob/7.x/filebeat/docs/modules/panw.asciidoc - +* {filebeat-ref}/filebeat-module-panw.html[Palo Alto Networks firewall module] +* {filebeat-ref}//filebeat-module-cisco.html[Cisco ASA firewall module] diff --git a/docs/en/siem/overview.asciidoc b/docs/en/siem/overview.asciidoc index 1797d708f..a4792dddd 100644 --- a/docs/en/siem/overview.asciidoc +++ b/docs/en/siem/overview.asciidoc @@ -40,9 +40,9 @@ investigating host and network security events. [float] [[siem-integration]] -==== Elastic integration +==== Additional Elastic components -{siem-soln} also integrates with other Elastic products and features to help you +You can use {siem-soln} with other Elastic products and features to help you identify and investigate suspicious activity: * https://www.elastic.co/products/stack/machine-learning[{ml-cap}] 
@@ -90,13 +90,8 @@ Common Schema (ECS)]. ** {filebeat-ref}/filebeat-module-iptables.html[Iptables/Ubiquiti module] ** {filebeat-ref}/filebeat-module-coredns.html[CoreDNS module] ** {filebeat-ref}/filebeat-module-envoyproxy.html[Envoy proxy module (Kubernetes)] -** Palo Alto Networks firewall module* -//** {filebeat-ref}/filebeat-module-panw.html[Palo Alto firewall module] -** {filebeat-ref}//filebeat-module-cisco.html[Cisco ASA firewall module*] - -// Palo Alto link target currently missing in 7.x: {filebeat-ref}/filebeat-module-panw.html[Palo Alto Networks firewall module] -// https://github.com/elastic/beats/blob/7.x/filebeat/docs/modules/panw.asciidoc - +** {filebeat-ref}/filebeat-module-panw.html[Palo Alto Networks firewall module] +** {filebeat-ref}//filebeat-module-cisco.html[Cisco ASA firewall module] [float] [[ecs]] diff --git a/docs/en/siem/siem-ui.asciidoc b/docs/en/siem/siem-ui.asciidoc index d59a68b2b..e8c0efb3b 100644 --- a/docs/en/siem/siem-ui.asciidoc +++ b/docs/en/siem/siem-ui.asciidoc @@ -16,11 +16,11 @@ The {siem-app} is a highly interactive workspace for security analysts. It is designed to be discoverable, clickable, draggable and droppable, expandable and collapsible, resizable, moveable, and so forth. -The *{kibana-ref}/kuery-query.html[{kib} Query Language (KQL)] bar* is available +The *{kibana-ref}/kuery-query.html[{kib} Query Language (KQL)]* bar is available throughout the {siem-app} for searching and filtering. -NOTE: The default index patterns for {siem-soln} events are `auditbeat-*``, `winlogbeat-*``, -`filebeat-*``, and `packetbeat-*`. You can change the default index patterns in +NOTE: The default index patterns for {siem-soln} events are `auditbeat-*`, `winlogbeat-*`, +`filebeat-*`, and `packetbeat-*`. You can change the default index patterns in {kib} -> Management -> Advanced Settings -> `siem:defaultIndex`. 
@@ -43,7 +43,7 @@ image::overview-ui.png[] [[hosts-ui]] === Hosts -The Hosts view provides provides key metrics regarding host-related security +The Hosts view provides key metrics regarding host-related security events, and a set of data tables that let you interact with the Timeline Event Viewer. You can drag and drop items of interest from the Hosts view tables to Timeline for further investigation. @@ -132,9 +132,9 @@ whether your placement is on target to create an `AND` or `OR` filters. [[pivot]] ==== Pivot your data -Right-click a drop area filter to access additional operations to exclude, temporarily -disable, or delete the filter terms. For example, you can change an included -filter to an exclusion. +Click a filter to access additional operations such as exclude, temporarily +disable, or delete items from the query. For example, you can change an included +item so that it is excluded. [float] [[row-renderer]] @@ -142,10 +142,10 @@ filter to an exclusion. As you build and modify your queries, you can see the results of your interactions in the details pane below. -As your query takes shape, an easy-to-follow rendered view appears for each -event. It shows relevant contextual information that helps tell the backstory of -the event. If you see a particular item that interests you, you can drag it to -the drop area for further introspection. +As your query takes shape, an easy-to-follow rendered view appears for events. It +shows relevant contextual information that helps tell the backstory of the +event. If you see a particular item that interests you, you can drag it to the +drop area for further introspection. [float] [[other]] 
@@ -154,7 +154,7 @@ the drop area for further introspection. The Timeline is flexible and highly interactive. As you would expect, the {siem-app} lets you: -* add, remove, or resize Timeline columns. +* add, remove, reorder, or resize Timeline columns. * save, open, and list Timelines * add notes to individual events * add investigation notes for the whole Timeline
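Review bot: in the installation.asciidoc hunk, the Cisco ASA line still carries a doubled slash in the link target, `{filebeat-ref}//filebeat-module-cisco.html[Cisco ASA firewall module]`; since the line is already being touched to drop the trailing `*`, make it `{filebeat-ref}/filebeat-module-cisco.html` to match the other module links in the list. The same hunk also deletes the comment noting that the Palo Alto link target was missing in 7.x, so please confirm the `filebeat-module-panw.html` page is actually published for the branch this docs build targets before merging, otherwise the new `* {filebeat-ref}/filebeat-module-panw.html[Palo Alto Networks firewall module]` link will 404.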
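Review bot: the overview.asciidoc module-list hunk has the same doubled slash, `** {filebeat-ref}//filebeat-module-cisco.html[Cisco ASA firewall module]`; fix it here too so the two copies of the list stay in sync, and consider whether this list and the one in installation.asciidoc should be a single shared include rather than two hand-maintained copies that must be edited together.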
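Review bot: the "Pivot your data" hunk changes the documented interaction from "Right-click a drop area filter" to "Click a filter", which is a behaviour statement, not just a wording fix; please confirm against the current UI that a left click opens the exclude/disable/delete menu. The unchanged context line above it, "whether your placement is on target to create an `AND` or `OR` filters", also has a number mismatch and should read "an `AND` or `OR` filter" while this section is being edited.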
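Review bot: in the siem-ui.asciidoc Timeline-columns hunk, the edited item `* add, remove, reorder, or resize Timeline columns.` ends with a period while the following items (`* save, open, and list Timelines`, `* add notes to individual events`) do not; drop the period or add one to the rest so the list is consistent.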