* Add docs for siem app
* Incorporate more review comments
* Fix punctuation

Showing 7 changed files with 129 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
[role="xpack"] | ||
[[xpack-siem]] | ||
= SIEM | ||
|
||
[partintro] | ||
-- | ||
coming[7.2] | ||
|
||
beta[] | ||
|
||
The SIEM app in Kibana provides an interactive workspace for security teams to | ||
triage events and perform initial investigations. It enables analysis of | ||
host-related and network-related security events as part of alert investigations | ||
or interactive threat hunting. | ||
|
||
|
||
[role="screenshot"] | ||
image::siem/images/overview-ui.png[SIEM Overview in Kibana] | ||
|
||
|
||
[float] | ||
== Add data | ||
|
||
Kibana provides step-by-step instructions to help you add data. The | ||
{siem-guide}[SIEM Guide] is a good source for more | ||
detailed information and instructions. | ||
|
||
[float] | ||
=== {Beats} | ||
|
||
https://www.elastic.co/products/beats/auditbeat[{auditbeat}], | ||
https://www.elastic.co/products/beats/filebeat[{filebeat}], | ||
https://www.elastic.co/products/beats/winlogbeat[{winlogbeat}], and | ||
https://www.elastic.co/products/beats/packetbeat[{packetbeat}] | ||
send security events and other data to Elasticsearch. | ||
|
||
The default index patterns for SIEM events are `auditbeat-*`, `winlogbeat-*`, | ||
`filebeat-*`, and `packetbeat-*``. You can change the default index patterns in | ||
*Kibana > Management > Advanced Settings > siem:defaultIndex*. | ||
|
||
[float] | ||
=== Elastic Common Schema (ECS) for normalizing data | ||
|
||
The {ecs-ref}[Elastic Common Schema (ECS)] defines a common set of fields to be | ||
used for storing event data in Elasticsearch. ECS helps users normalize their | ||
event data to better analyze, visualize, and correlate the data represented in | ||
their events. | ||
|
||
SIEM can ingest and normalize events from ECS-compatible data sources. | ||
|
||
-- | ||
|
||
|
||
include::siem-ui.asciidoc[] |
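Review bot: there is a stray extra backtick on the line ``filebeat-*`, and `packetbeat-*``.` in the default index patterns paragraph; the closing delimiter should be a single backtick (`packetbeat-*`.) or AsciiDoc will render the literal wrongly and may leak the extra character into the output. While touching that paragraph, it would help readers to state that the *siem:defaultIndex* setting is a comma-separated list of index patterns and that any pattern added there must hold ECS-formatted events, which is the requirement the "Elastic Common Schema (ECS)" section below implies ("SIEM can ingest and normalize events from ECS-compatible data sources") but never ties back to the setting.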
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
[role="xpack"] | ||
[[siem-ui]] | ||
== Using the SIEM UI | ||
|
||
The SIEM app is a highly interactive workspace for security analysts. It is | ||
designed to be discoverable, clickable, draggable and droppable, expandable and | ||
collapsible, resizable, moveable, and so forth. You start with an overview. Then | ||
you can use the interactive UI to drill down into areas of interest. | ||
|
||
[float] | ||
[[hosts-ui]] | ||
=== Hosts | ||
|
||
The Hosts view provides key metrics regarding host-related security events, and | ||
data tables and widgets that let you interact with the Timeline Event Viewer. | ||
You can drill down for deeper insights, and drag and drop items of interest from | ||
the Hosts view tables to Timeline for further investigation. | ||
|
||
[role="screenshot"] | ||
image::siem/images/hosts-ui.png[] | ||
|
||
|
||
[float] | ||
[[network-ui]] | ||
=== Network | ||
|
||
The Network view provides key network activity metrics, facilitates | ||
investigation time enrichment, and provides network event tables that enable | ||
interaction with the Timeline. You can drill down for deeper insights, and drag | ||
and drop items of interest from the Network view to Timeline for further | ||
investigation. | ||
|
||
[role="screenshot"] | ||
image::siem/images/network-ui.png[] | ||
|
||
[float] | ||
[[timelines-ui]] | ||
=== Timeline | ||
|
||
Timeline is your workspace for threat hunting and alert investigations. | ||
|
||
[role="screenshot"] | ||
image::siem/images/timeline-ui.png[SIEM Timeline] | ||
|
||
You can drag objects of interest into the Timeline Event Viewer to create | ||
exactly the query filter you need. You can drag items from table widgets within | ||
Hosts and Network pages, or even from within Timeline itself. | ||
|
||
A timeline is responsive and persists as you move through the SIEM app | ||
collecting data. | ||
|
||
See the {siem-guide}[SIEM Guide] for more details on data sources and an | ||
overview of UI elements and capabilities. | ||
|
||
[float] | ||
[[sample-workflow]] | ||
=== Sample workflow | ||
|
||
An analyst notices a suspicious user ID that warrants further investigation, and | ||
clicks a url that links to the SIEM app. | ||
|
||
The analyst uses the tables, widgets, and filtering and search capabilities in | ||
the SIEM app to get to the bottom of the alert. The analyst can drag items of | ||
interest to the timeline for further analysis. | ||
|
||
Within the timeline, the analyst can investigate further--drilling down, | ||
searching, and filtering--and add notes and pin items of interest. | ||
|
||
The analyst can name the timeline, write summary notes, and share it with others | ||
if appropriate. | ||
|
||
|
||
|
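Review bot: in the "Sample workflow" section, "clicks a url that links to the SIEM app" should read "URL", and the section never says where that link originates; naming the source (for example, an alert from another tool) would make the workflow concrete for a first-time reader. The Timeline section's statement that "A timeline is responsive and persists as you move through the SIEM app collecting data" is also ambiguous: it should say whether the timeline is saved automatically or must be named and saved explicitly, since the workflow later says "The analyst can name the timeline, write summary notes, and share it with others", which reads like an explicit save step.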