[DOCS] Updates to Elastic Security Overview (#476)

Author: jmikell821

docs/es-overview.asciidoc

@@ -41,8 +41,8 @@ logs, and metrics. Common security-related modules are listed
 <<enable-beat-modules, here>>.
 * The {security-app} in {kib} is used to manage the *Detection engine*,
 *Cases*, and *Timeline*, as well as administer hosts running Endpoint Security:
-** Detection engine - Automatically searches for suspicious host and network
-activity via:
+** Detection engine: Automatically searches for suspicious host and network
+activity via the following:
 *** <<detection-engine-overview, Detection rules>>: Periodically search the data
 ({es} indices) sent from your hosts for suspicious events. When a suspicious
 event is discovered, a detection alert is generated. External systems, such as
@@ -55,14 +55,14 @@ values that can be used as part of an exception's conditions. When
 {es-sec-endpoint} is installed on your hosts, you can add malware exceptions
 directly to the endpoint from the Security app.
 *** <<included-jobs, {ml-cap} jobs>>: Automatic anomaly detection of host and
-network events. Anomaly scores are provided per host, and can be used with
+network events. Anomaly scores are provided per host and can be used with
 detection rules.
 ** <<timelines-ui, Timeline>>: Workspace for investigating alerts and events.
 Timelines use queries and filters to drill down into events related to
 a specific incident. Timeline templates are attached to rules and use predefined
 queries when alerts are investigated. Timelines can be saved and shared with
 others, as well as attached to Cases.
-** <<cases-overview, Cases>>: Internal system for opening, tracking, and sharing
+** <<cases-overview, Cases>>: An internal system for opening, tracking, and sharing
 security issues directly in the Security app. Cases can be integrated with
 external ticketing systems.
 ** <<admin-page-ov, Administration>>: View and manage hosts running {es-sec-endpoint}.
@@ -76,7 +76,7 @@ For more background information, see:
 * https://www.elastic.co/products/elasticsearch[{es}]: A real-time,
 distributed storage, search, and analytics engine. {es} excels at indexing
 streams of semi-structured data, such as logs or metrics.
-* https://www.elastic.co/products/kibana[{kib}]: An open source analytics and
+* https://www.elastic.co/products/kibana[{kib}]: An open-source analytics and
 visualization platform designed to work with {es}. You use {kib} to search,
 view, and interact with data stored in {es} indices. You can easily perform
 advanced data analysis and visualize your data in a variety of charts, tables,
@@ -88,9 +88,38 @@ and maps.
 The Elastic https://www.elastic.co/endpoint-security/[Endpoint Security agent integration]
 provides capabilities such as collecting events, detecting and preventing
 malicious activity, exceptions, and artifact delivery. The
-{fleet-guide}/fleet-overview.html[{fleet}] is used to
+{fleet-guide}/fleet-overview.html[{fleet}] app is used to
 install and manage Elastic agents and integrations on your hosts.
 
+[discrete]
+[[self-protection]]
+==== Elastic Endpoint self-protection
+
+Self-protection means that {elastic-endpoint} has guards against users and attackers that may try to interfere with its functionality. This protection feature is consistently enhanced to prevent attackers who may attempt to use newer, more sophisticated tactics to interfere with the {elastic-endpoint}. Self-protection is enabled by default when {elastic-endpoint} installs on supported platforms, listed below.
+
+Self-protection is enabled on the following 64-bit Windows versions:
+
+* Windows 8.1
+* Windows 10
+* Windows Server 2012 R2
+* Windows Server 2016
+* Windows Server 2019
+
+Self-protection is also enabled on the following macOS versions:
+
+* macOS 10.15 (Catalina)
+* macOS 11 (Big Sur)
+
+NOTE: Other Windows and macOS variants (and all Linux distributions) do not have self-protection.
+
+For {stack} version >= 7.11.0, self-protection defines the following permissions:
+
+* Users -- even Administrator/root -- *cannot* delete {elastic-endpoint} files (located at `c:\Program Files\Elastic\Endpoint` on Windows, and `/Library/Elastic/Endpoint` on macOS).
+* Users *cannot* terminate the {elastic-endpoint} program or service.
+* Administrator/root users *can* read the Endpoint's files. On Windows, the easiest way to read Endpoint files is to start an Administrator `cmd.exe` prompt. On macOS, an Administrator can use the `sudo` command.
+* Administrator/root users *can* stop the {elastic-agent}'s service. On Windows, run the `sc stop "Elastic Agent"` command. On macOS, run the `sudo launchctl stop elastic-agent` command.
+
+
 [discrete]
 [[siem-integration]]
 === Integration with other Elastic products
@@ -113,12 +142,13 @@ By default, {es-sec} monitors {apm-app-ref}/apm-getting-started.html[APM]
 index patterns in the `securitySolution:defaultIndex` setting ({kib} -> Stack Management -> Advanced Settings -> `securitySolution:defaultIndex`).
 
 [discrete]
-=== Third-party collectors mapped to ECS
+[[ecs-compliant-reqs]]
+=== ECS compliance data requirements
 
 The {ecs-ref}[Elastic Common Schema (ECS)] defines a common set of fields to be used for
 storing event data in Elasticsearch. ECS helps users normalize their event data
 to better analyze, visualize, and correlate the data represented in their
-events. {es-sec} can ingest and normalize events from any ECS-compliant data source.
+events. {es-sec} supports events and indicator index data from any ECS-compliant data source.
 
 IMPORTANT: {es-sec} requires {ecs-ref}[ECS-compliant data]. If you use third-party data collectors to ship data to {es}, the data must be mapped to ECS.
 <<siem-field-reference>> lists ECS fields used in {es-sec}.