
[DOCS]: Terminology topic (security-docs, open, 4 comments)

elastic avatar elastic commented on September 27, 2024
[DOCS]: Terminology topic

from security-docs.

Comments (4)

jmikell821 avatar jmikell821 commented on September 27, 2024
  • Elastic Endpoint: Endpoint resides on the host (see below) and provides capabilities such as collecting events, detecting and preventing malicious activity, whitelisting, artifact delivery, etc. (Previously referred to at Endgame as the Sensor.)

  • Host: Any system or host that is connected to a network and functions as a client or server in any capacity. Desktop computers, laptops, and servers are all examples of hosts. (Previously referred to at Endgame as the Endpoint.)

  • Agent: A single, unified agent that makes installation and management easier. Contains the Beats and Endpoint. This is sent to host machines (laptops, desktops) and the Endpoint binary is stood up and run.

  • Analyze Event: An interactive event map that allows users to inspect and drill down into a process tree. Users can zoom down to the individual event level to see every file or process run on an event, and zoom up to see the parent and child processes of the event.

  • Exception: Exceptions to a rule can be created by users to define field values and lists of values that the user wants the rule engine to ignore when the rule runs.

  • Rule: Rules are queries users can create that generate detection alerts in the SIEM when the query conditions are met.

  • SIEM: A use case supported by the Elastic Security app. Lets security practitioners investigate and triage common host and network security workflows in a more streamlined way.

  • Policy: Allows users to configure protections and event data collection through the UI, and apply that configuration to one or more hosts.

  • Detection Alert: An alert generated by a rule inside the SIEM.

  • Timeline: An interactive workspace for threat hunting and alert investigations. Users can drag objects of interest into the Timeline Event Viewer to create exactly the query filter they need. Users can drag items from table widgets within the Hosts and Network pages, or even from within Timeline itself. A Timeline is responsive and persists as you move through the SIEM app collecting data. Users can add any Timeline to an existing or new Case.

  • Case: Cases are used to open and track security issues directly in SIEM. Cases list the original reporter and all users who contribute to a case (participants). Case comments support Markdown syntax, and allow linking to saved Timelines. Additionally, you can send cases to external systems from within SIEM (currently ServiceNow and Jira).

  • Ingest Manager: A new Kibana app that lets you quickly add integrations for popular services and platforms in a few clicks. Helps users centrally manage an entire fleet of Elastic Agents. (Currently in an alpha/"Experimental" phase). For more information see: Ingest Docs

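The Rule, Exception and Detection Alert entries above describe one mechanism: a rule's query is evaluated over events, and exception items suppress alerts whose field values match. The following is an added illustration of that interaction, not code from the security-docs repository or from the Elastic Security app. The events, the rule predicate (standing in for the KQL/EQL query a user would write), and the exception items are all constructed for this example; the evaluation order (entries within one exception item are ANDed, separate items are ORed) is how the example models "field values and lists of values the rule engine should ignore", not a statement about any specific Elastic API schema.

```python
"""Model of a detection rule with exceptions (added example, not Elastic code)."""
from dataclasses import dataclass
from typing import Any, Callable

Event = dict[str, Any]

# Constructed sample process events (not real telemetry). Field names follow
# the dotted style the glossary's UI uses for hosts, processes and users.
SAMPLE_EVENTS: list[Event] = [
    {"host.name": "ws-01", "process.name": "powershell.exe",
     "process.args": ["powershell.exe", "-enc", "SQBFAFgA"], "user.name": "alice"},
    {"host.name": "ws-02", "process.name": "powershell.exe",
     "process.args": ["powershell.exe", "-enc", "ZABpAHIA"], "user.name": "svc-backup"},
    {"host.name": "ws-03", "process.name": "cmd.exe",
     "process.args": ["cmd.exe", "/c", "whoami"], "user.name": "bob"},
    {"host.name": "build-01", "process.name": "powershell.exe",
     "process.args": ["powershell.exe", "-enc", "QwBJAA=="], "user.name": "ci-runner"},
]


@dataclass
class Rule:
    name: str
    # A Python predicate stands in for the query a user would author in the UI.
    query: Callable[[Event], bool]


@dataclass
class Entry:
    field: str
    values: list[str]  # one value models "is", several model "is one of"


@dataclass
class ExceptionItem:
    entries: list[Entry]  # every entry must match for the item to apply (AND)


def entry_matches(event: Event, entry: Entry) -> bool:
    value = event.get(entry.field)
    if isinstance(value, list):  # multi-valued field: any element may match
        return any(v in entry.values for v in value)
    return value in entry.values


def item_matches(event: Event, item: ExceptionItem) -> bool:
    return all(entry_matches(event, e) for e in item.entries)


def run_rule(events: list[Event], rule: Rule,
             exceptions: list[ExceptionItem] = ()) -> list[Event]:
    """Return the detection alerts a rule would raise over `events`.

    An event produces an alert when the rule query matches it and no
    exception item (ORed) matches it.
    """
    alerts: list[Event] = []
    for ev in events:
        if not rule.query(ev):
            continue
        if any(item_matches(ev, item) for item in exceptions):
            continue  # suppressed by an exception, no alert generated
        alerts.append({"rule.name": rule.name, **ev})
    return alerts


def encoded_powershell(ev: Event) -> bool:
    """Hypothetical rule logic: PowerShell launched with an encoded command."""
    return ev.get("process.name") == "powershell.exe" and "-enc" in ev.get("process.args", [])


ENCODED_PS_RULE = Rule("Encoded PowerShell command", encoded_powershell)

# Exception 1: ignore known service accounts wherever they run ("is one of").
SERVICE_ACCOUNT_EXCEPTION = ExceptionItem([Entry("user.name", ["svc-backup", "ci-runner"])])

# Exception 2: ignore only the CI runner on the build host (two ANDed entries).
BUILD_HOST_EXCEPTION = ExceptionItem([Entry("host.name", ["build-01"]),
                                      Entry("user.name", ["ci-runner"])])

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, ENCODED_PS_RULE, [BUILD_HOST_EXCEPTION]):
        print(alert["rule.name"], alert["host.name"], alert["user.name"])
```

Running the module as a script applies only the narrower build-host exception, so the `ws-01` and `ws-02` events still alert while `build-01` is suppressed; swapping in `SERVICE_ACCOUNT_EXCEPTION` also silences `ws-02`, which is the practical difference between a broad "is one of" exception and one scoped by a second ANDed field.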

caitlinbetz avatar caitlinbetz commented on September 27, 2024

Took a stab at endpoint management related concepts, @jmikell821 let me know if any additional clarification will help!

@dontcallmesherryli could you help fill in some of the definitions above to help give some context for the docs team?

cc: @kevinlog


dontcallmesherryli avatar dontcallmesherryli commented on September 27, 2024

Yep, on my to-do list, thanks @caitlinbetz


dontcallmesherryli avatar dontcallmesherryli commented on September 27, 2024

@jmikell821 I updated the terms on your comment: #42 (comment)

FYI, a lot of the terms are pre-defined already here: https://www.elastic.co/guide/en/kibana/current/siem-ui.html
I copy/pasted the wording for Cases and Timeline.

