Siem guide 7.x

docs/en/siem/index.asciidoc

@@ -1,17 +1,18 @@
 :doctype: book
-:siem-soln-cap: SIEM Monitoring
-:siem-soln: SIEM monitoring
+:siem-soln: SIEM
+:siem-app: SIEM app
 :siem-ui: SIEM UI
 
-= SIEM Solution Guide 
 
-//include::{asciidoc-dir}/../../shared/versions.asciidoc[]
+= SIEM Guide (Beta)
+
+include::{asciidoc-dir}/../../shared/versions.asciidoc[]
 
 include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 
 include::overview.asciidoc[]
 
-//include::installation.asciidoc[]
+include::installation.asciidoc[]
 
-//include::siem-ui.asciidoc[]
+include::siem-ui.asciidoc[]
 

docs/en/siem/installation.asciidoc

@@ -4,11 +4,10 @@
 
 beta[]
 
-To get up and running with security monitoring, you need:
+You need:
 
-* An Elasticsearch cluster and Kibana (version 6.x or later) with a basic
-license. To learn how to get started quickly, see
-{stack-gs}/get-started-elastic-stack.html[Getting started with the {stack}].
+* An *Elasticsearch* cluster and *Kibana* (version 7.2 or later) with a basic
+license. See {stack-gs}/get-started-elastic-stack.html[Getting started with the {stack}].
 +
 [TIP]
 ==============
@@ -19,24 +18,82 @@ https://www.elastic.co/cloud/elasticsearch-service/signup[Try the {es}
 Service for free].
 ==============
 
-* {beats} shippers (version 6.x or later) installed on each system you want to
+* *{beats}* shippers (version 7.x or later) installed for each system you want to
 monitor
 
 You might need to modify UI settings in {kib} to change default behaviors,
-such as the index pattern used to query the data, and the timestamp field used
-for sorting. For more information, see {kib}.
+such as the index pattern used to query the data. For more information, see {kib}.
 
 [float]
 [[install-beats]]
 === Install {beats} shippers
 
-To populate the security UI with metrics and
-log data, you need to install and configure the following shippers:
+To populate the {siem-app} with hosts and network security events, you need to install and
+configure Beats on the systems from which you want to ingest security events:
 
-* https://www.elastic.co/products/beats/packetbeat[{packetbeat}] for analyzing
-network packets 
 * https://www.elastic.co/products/beats/filebeat[{filebeat}] for forwarding and
 centralizing logs and files
-* https://www.elastic.co/products/beats/auditbeat[{auditbeat}] for monitoring
-directories for file changes
+* https://www.elastic.co/products/beats/auditbeat[{auditbeat}] for collecting security events
+* https://www.elastic.co/products/beats/winlogbeat[{winlogbeat}] for centralizing 
+Windows event logs
+* https://www.elastic.co/products/beats/packetbeat[{packetbeat}] for analyzing
+network packets 
+
+NOTE: {siem-soln} also works with custom and third-party data sources in addition to
+those supported by Beats. {ecs-ref}[Elastic Common Schema (ECS)] makes this
+possible. 
+
+You can install {beats} using a {kib}-based guide or directly from the command line.
+
+[float]
+==== Install {beats} using the {kib}-based guide
+
+Follow the instructions in the Add Data section of the {kib} home page. Click
+*Add log data* or *Add metrics*, and follow the links for the types of data you
+want to collect.
+
+[role="screenshot"]
+image::add-data.png[]
+
+[float]
+==== Download and install {beats} from the command line
+
+If your data source isn't in the list, or you want to install {beats} the old
+fashioned way:
+
+* *{filebeat} and {filebeat} modules.* See the
+{filebeat-ref}/filebeat-modules-quickstart.html[{filebeat} modules quick start]
+and enable modules for the events you want to collect. If there is no module
+for the events you want to collect, see the
+{filebeat-ref}/filebeat-getting-started.html[{filebeat} getting started] to
+learn how to configure inputs.
+
+* *Auditbeat.* See {auditbeat-ref}/auditbeat-getting-started.html[{auditbeat} getting started].
+
+* *Winlogbeat.* See {winlogbeat-ref}/winlogbeat-getting-started.html[{winlogbeat} getting started].
+
+* *Packetbeat.* See {packetbeat-ref}/packetbeat-getting-started.html[{packetbeat} getting started].
+
+[float]
+=== Enable modules and configuration options
+
+For either approach, you need to enable modules in {auditbeat} and {filebeat}
+to populate the {SIEM-app} with data.
+
+To populate *Hosts* data, enable these {auditbeat} modules:
+
+* {auditbeat-ref}/auditbeat-module-system.html[System module  - Linux, macOS, Win]
+* {auditbeat-ref}/auditbeat-module-auditd.html[Auditd module (Linux Kernel Audit info)]
+* {auditbeat-ref}/auditbeat-module-file_integrity.html[File integrity module (FIM) - Linux, macOS, Win]
+
+
+To populate *Network* data, enable these {filebeat} modules:
 
+* https://www.elastic.co/products/beats/filebeat[{filebeat}]
+* {filebeat-ref}/filebeat-module-zeek.html[Zeek NMS module]
+* {filebeat-ref}/filebeat-module-suricata.html[Suricata IDS module]
+* {filebeat-ref}/filebeat-module-iptables.html[Iptables/Ubiquiti module]
+* {filebeat-ref}/filebeat-module-coredns.html[CoreDNS module]
+* {filebeat-ref}/filebeat-module-envoyproxy.html[Envoy proxy module (Kubernetes)]
+* {filebeat-ref}/filebeat-module-panw.html[Palo Alto Networks firewall module]
+* {filebeat-ref}//filebeat-module-cisco.html[Cisco ASA firewall module]

docs/en/siem/overview.asciidoc

@@ -1,35 +1,29 @@
 [[siem-overview]]
-//[role="xpack"]
-//== Overview
+[role="xpack"]
+== Overview
 
-
-== Coming soon
-
-Won't be long now!
-
-////
 beta[]
 
-{siem-soln-cap} gives you a comprehensive view into your security operations,
-and helps make those insights actionable.
+{siem-soln} enables analysis of host-related and network-related security events
+as part of alert investigations or interactive threat hunting.
 
-The UI in {kib} brings together data from a variety of sources, making it easier
-for you to identify and resolve security issues.
+The {siem-app} in {kib} provides an interactive workspace for security teams to
+triage events and perform initial investigations.
 
 [float]
 [[siem-components]]
-=== SIEM monitoring components
+=== SIEM components
 
-Security monitoring requires the following {stack} components.
+SIEM requires the following {stack} components.
 
 image::images/siem-architecture.png[]
 
-*https://www.elastic.co/products/beats[{beats}]* are open source data
-shippers that you install as agents on your servers to send operational data to
-{es}.
+*https://www.elastic.co/products/beats[{beats}]* are open source data shippers
+that you install as agents on your systems. {beats} send security events and other
+data to {es}. 
 
 *https://www.elastic.co/products/elasticsearch[{es}]* is a real-time,
-distributed storage, search, and analytics engine. {es} excels is indexing
+distributed storage, search, and analytics engine. {es} excels at indexing
 streams of semi-structured data, such as logs or metrics.
 
 *https://www.elastic.co/products/kibana[{kib}]* is an open source analytics and
@@ -38,5 +32,79 @@ view, and interact with data stored in {es} indices. You can easily perform
 advanced data analysis and visualize your data in a variety of charts, tables,
 and maps.
 
-{kib} {siem-ui} provides a dedicated user interface for visualizing host security.
-////
+The {siem-app} in {kib} provides a dedicated user interface for analyzing and
+investigating host and network security events.
+
+[float]
+[[siem-integration]]
+==== Additional Elastic components
+
+You can use {siem-soln} with other Elastic products and features to help you
+identify and investigate suspicious activity:
+
+* https://www.elastic.co/products/stack/machine-learning[{ml-cap}] 
+* https://www.elastic.co/products/stack/alerting[Alerting]
+* https://www.elastic.co/products/stack/canvas[Canvas]
+
+[float]
+[[data-sources]]
+=== Data sources
+
+SIEM can ingest and analyze data from a variety of sources, including Beats
+and Beats modules, and third-party collectors mapped to the {ecs-ref}[Elastic
+Common Schema (ECS)]. 
+
+[float]
+[[hosts-data-sources]]
+==== Hosts data sources
+
+* https://www.elastic.co/products/beats/auditbeat[{auditbeat}]
+** {auditbeat-ref}/auditbeat-module-system.html[System module  - Linux, macOS, Win]
+*** packages
+*** processes
+*** logins
+*** sockets
+*** users and groups
+** {auditbeat-ref}/auditbeat-module-auditd.html[Auditd module (Linux Kernel Audit info)]
+** {auditbeat-ref}/auditbeat-module-file_integrity.html[File integrity module (FIM) - Linux, macOS, Win]
+* https://www.elastic.co/products/beats/filebeat[{filebeat}] 
+** system logs (auth logs) - Linux
+** Santa - macOS
+* https://www.elastic.co/products/beats/winlogbeat[{winlogbeat}]
+** Windows event logs - Windows
+
+[float]
+[[network-data-sources]]
+==== Network data sources
+
+* https://www.elastic.co/products/beats/packetbeat[{packetbeat}]
+** Flows
+** DNS
+** other protocols
+* https://www.elastic.co/products/beats/filebeat[{filebeat}]
+** {filebeat-ref}/filebeat-module-zeek.html[Zeek NMS module]
+** {filebeat-ref}/filebeat-module-suricata.html[Suricata IDS module]
+** {filebeat-ref}/filebeat-module-iptables.html[Iptables/Ubiquiti module]
+** {filebeat-ref}/filebeat-module-coredns.html[CoreDNS module]
+** {filebeat-ref}/filebeat-module-envoyproxy.html[Envoy proxy module (Kubernetes)]
+** {filebeat-ref}/filebeat-module-panw.html[Palo Alto Networks firewall module]
+** {filebeat-ref}//filebeat-module-cisco.html[Cisco ASA firewall module]
+
+[float]
+[[ecs]]
+==== Elastic Common Schema (ECS) for normalizing data
+
+The {ecs-ref}[Elastic Common Schema (ECS)] defines a common set of fields to be used for
+storing event data in Elasticsearch. ECS helps users normalize their event data
+to better analyze, visualize, and correlate the data represented in their
+events. 
+
+{siem-soln} can ingest and normalize events from ECS-compatible data sources.
+
+[float]
+[[host_id]]
+===== Host identification
+All Beats use the `add_host_metadata` processor to add the `host.name` field to
+events. The default value is `host.name`, but you can change it in Beats
+processor settings.
+