github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 01:38:56 -04:00
Code Issues Projects Releases Packages Wiki Activity

Adds docs for siem app (#39113)

Browse source
This commit is contained in:
Karen Metts 2019-06-17 16:54:17 -04:00 committed by GitHub
parent 4b371b3c15
commit 52ae25e908
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 129 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/index.asciidoc
View file

@ -54,6 +54,8 @@ include::apm/index.asciidoc[]
include::uptime/index.asciidoc[]
include::siem/index.asciidoc[]
include::graph/index.asciidoc[]
include::dev-tools.asciidoc[]

BIN
docs/siem/images/hosts-ui.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 150 KiB

BIN
docs/siem/images/network-ui.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 110 KiB

BIN
docs/siem/images/overview-ui.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 109 KiB

BIN
docs/siem/images/timeline-ui.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 218 KiB

54
docs/siem/index.asciidoc Normal file
View file

@ -0,0 +1,54 @@
[role="xpack"]
[[xpack-siem]]
= SIEM
[partintro]
--
coming[7.2]
beta[]
The SIEM app in Kibana provides an interactive workspace for security teams to
triage events and perform initial investigations. It enables analysis of
host-related and network-related security events as part of alert investigations
or interactive threat hunting.
[role="screenshot"]
image::siem/images/overview-ui.png[SIEM Overview in Kibana]
[float]
== Add data
Kibana provides step-by-step instructions to help you add data. The
{siem-guide}[SIEM Guide] is a good source for more
detailed information and instructions.
[float]
=== {Beats}
https://www.elastic.co/products/beats/auditbeat[{auditbeat}],
https://www.elastic.co/products/beats/filebeat[{filebeat}],
https://www.elastic.co/products/beats/winlogbeat[{winlogbeat}], and
https://www.elastic.co/products/beats/packetbeat[{packetbeat}]
send security events and other data to Elasticsearch.
The default index patterns for SIEM events are `auditbeat-*`, `winlogbeat-*`,
`filebeat-*`, and `packetbeat-*``. You can change the default index patterns in
*Kibana > Management > Advanced Settings > siem:defaultIndex*.
[float]
=== Elastic Common Schema (ECS) for normalizing data
The {ecs-ref}[Elastic Common Schema (ECS)] defines a common set of fields to be
used for storing event data in Elasticsearch. ECS helps users normalize their
event data to better analyze, visualize, and correlate the data represented in
their events.
SIEM can ingest and normalize events from ECS-compatible data sources.
--
include::siem-ui.asciidoc[]

73
docs/siem/siem-ui.asciidoc Normal file
View file

@ -0,0 +1,73 @@
[role="xpack"]
[[siem-ui]]
== Using the SIEM UI
The SIEM app is a highly interactive workspace for security analysts. It is
designed to be discoverable, clickable, draggable and droppable, expandable and
collapsible, resizable, moveable, and so forth. You start with an overview. Then
you can use the interactive UI to drill down into areas of interest.
[float]
[[hosts-ui]]
=== Hosts
The Hosts view provides key metrics regarding host-related security events, and
data tables and widgets that let you interact with the Timeline Event Viewer.
You can drill down for deeper insights, and drag and drop items of interest from
the Hosts view tables to Timeline for further investigation.
[role="screenshot"]
image::siem/images/hosts-ui.png[]
[float]
[[network-ui]]
=== Network
The Network view provides key network activity metrics, facilitates
investigation time enrichment, and provides network event tables that enable
interaction with the Timeline. You can drill down for deeper insights, and drag
and drop items of interest from the Network view to Timeline for further
investigation.
[role="screenshot"]
image::siem/images/network-ui.png[]
[float]
[[timelines-ui]]
=== Timeline
Timeline is your workspace for threat hunting and alert investigations.
[role="screenshot"]
image::siem/images/timeline-ui.png[SIEM Timeline]
You can drag objects of interest into the Timeline Event Viewer to create
exactly the query filter you need. You can drag items from table widgets within
Hosts and Network pages, or even from within Timeline itself.
A timeline is responsive and persists as you move through the SIEM app
collecting data.
See the {siem-guide}[SIEM Guide] for more details on data sources and an
overview of UI elements and capabilities.
[float]
[[sample-workflow]]
=== Sample workflow
An analyst notices a suspicious user ID that warrants further investigation, and
clicks a url that links to the SIEM app.
The analyst uses the tables, widgets, and filtering and search capabilities in
the SIEM app to get to the bottom of the alert. The analyst can drag items of
interest to the timeline for further analysis.
Within the timeline, the analyst can investigate further--drilling down,
searching, and filtering--and add notes and pin items of interest.
The analyst can name the timeline, write summary notes, and share it with others
if appropriate.