
Initialize docs for secops #189


Merged
merged 1 commit into from
Jan 30, 2019
Conversation

karenzone
Contributor

Set up files and file structure for secops

@andrewkroh
Member

These docs should not be included in 7.0 so I'm wondering how we handle this since we haven't branched for 7.0 yet.

@andrewkroh andrewkroh self-assigned this Jan 24, 2019
@andrewkroh
Member

@elastic/secops We're starting a doc book for the project so we can start documenting some of the ways to get compatible host/network data into the system.

@karenzone karenzone self-assigned this Jan 24, 2019
@lcawl
Contributor

lcawl commented Jan 24, 2019

I can successfully build this book with the following command:
./docs/build_docs.pl --doc stack-docs/docs/en/secops/index.asciidoc --chunk 1

If you don't want it to be published yet, we can just refrain from adding it to the https://github.com/elastic/docs/blob/master/conf.yaml for now.

centralizing logs and files
* https://www.elastic.co/products/beats/auditbeat[{auditbeat}] for monitoring
directories for file changes


I'd like to split this apart and describe what the options are for host security monitoring and the options for the network security monitoring. We could list the products and what data they provide.

Host Security Monitoring

Network Security Monitoring

  • Filebeat Bro Module
  • Filebeat Suricata Module
  • Filebeat Netflow Input
  • Filebeat IPTables Module
  • Packetbeat
  • Auditbeat System Socket Module
  • Any ECS compatible data source

Another way to present the information would be to turn it around and list the things you can monitor like processes, packages, and flows; and then list all things that can be used to monitor them. This might present better as a matrix with the features on the left and products across the top.

Host Security Monitoring

  • Processes - Auditbeat / Filebeat Santa
  • Network Connections - Auditbeat System Sockets Module / Winlogbeat + Sysmon
  • System Changes - Auditbeat System Host Module
  • Users - Auditbeat System User Module
  • Logins / Logoffs - Auditbeat Login Module
  • Packages - Auditbeat System Package Module

Network Security Monitoring

  • Flows - Packetbeat / Filebeat Netflow / Filebeat Bro / Filebeat Suricata
  • Firewalls
    • IPTables - Filebeat
  • Deep Packet Inspection
    • DHCP - Packetbeat
    • DNS - Packetbeat / Filebeat Bro / Filebeat Suricata
    • HTTP - Packetbeat / Filebeat Bro
    • TLS - Packetbeat / Filebeat Bro
    • ICMP - Packetbeat

@karenzone I'll let you decide on what's the best way to present the information. I can help with filling in the details. We could merge this as is and then continue to iterate from here, or make the changes now.
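
The matrix above maps features to products but does not show how each data source is actually switched on. The following is an added example, not part of this PR or of the Elastic docs, giving the Beats configuration that produces each row of the matrix using the 7.x module and dataset names (the Filebeat module for Bro ships under the name zeek in 7.x; Winlogbeat + Sysmon is omitted). Log paths, the NetFlow listen address, the syslog port and the capture interface are assumptions for illustration; adjust them to the sensor host.

```yaml
# auditbeat.yml: the Host Security Monitoring rows of the matrix
auditbeat.modules:
- module: system
  datasets:
    - process   # Processes
    - socket    # Network Connections
    - host      # System Changes
    - user      # Users
    - login     # Logins / Logoffs
    - package   # Packages
  period: 10s          # polling interval for event-style datasets
  state.period: 12h    # how often a full state snapshot is re-sent

---
# filebeat.yml: the sensor, firewall and Santa rows
filebeat.inputs:
- type: netflow              # Flows from NetFlow v5/v9 and IPFIX exporters
  host: "0.0.0.0:2055"       # assumed listen address/port
  protocols: [v5, v9, ipfix]

filebeat.modules:
- module: zeek               # Bro/Zeek logs: Flows, DNS, HTTP, TLS (paths assumed)
  connection:
    enabled: true
    var.paths: ["/var/log/bro/current/conn.log"]
  dns:
    enabled: true
    var.paths: ["/var/log/bro/current/dns.log"]
  http:
    enabled: true
    var.paths: ["/var/log/bro/current/http.log"]
  ssl:
    enabled: true
    var.paths: ["/var/log/bro/current/ssl.log"]
- module: suricata           # Suricata EVE JSON: Flows, DNS, alerts (path assumed)
  eve:
    enabled: true
    var.paths: ["/var/log/suricata/eve.json"]
- module: iptables           # Firewalls: iptables log lines received over syslog
  log:
    enabled: true
    var.input: "syslog"
    var.syslog_host: "localhost"
    var.syslog_port: 9001    # assumed port
- module: santa              # Processes on macOS: Santa execution decisions (path assumed)
  log:
    enabled: true
    var.paths: ["/var/db/santa/santa.log"]

---
# packetbeat.yml: Flows and Deep Packet Inspection from a capture interface
packetbeat.interfaces.device: any   # assumed; pick the monitoring interface
packetbeat.flows:
  timeout: 30s
  period: 10s
packetbeat.protocols:
- type: icmp                 # ICMP
  enabled: true
- type: dhcpv4               # DHCP
  ports: [67, 68]
- type: dns                  # DNS
  ports: [53]
- type: http                 # HTTP
  ports: [80, 8080, 8000]
- type: tls                  # TLS
  ports: [443, 993, 995, 8443]
```

Each `---` document is a separate Beat's configuration file. The Filebeat modules can equally be enabled from the modules.d directory with `filebeat modules enable zeek suricata iptables santa` instead of the inline `filebeat.modules` list; the netflow input has no module form and stays under `filebeat.inputs`.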

@karenzone karenzone merged commit 0156c2d into elastic:master Jan 30, 2019
@karenzone karenzone deleted the secops branch February 4, 2019 20:50