author GitLab Bot <gitlab-bot@gitlab.com> 2020-03-18 18:09:35 +0000
committer GitLab Bot <gitlab-bot@gitlab.com> 2020-03-18 18:09:35 +0000
commit 5bfb8d1fad825eec90b0af688c7cd1b352c9056e
tree 385411919c4186d11a769385ad8dafeef6cc36a7 /doc/user/application_security
parent aaf59610548d9b0fd01acfd50e831cbe519ecba2
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/user/application_security')
-rw-r--r-- doc/user/application_security/index.md | 6
-rw-r--r-- doc/user/application_security/offline_deployments/index.md | 2
-rw-r--r-- doc/user/application_security/threat_monitoring/index.md | 40
3 files changed, 45 insertions, 3 deletions
diff --git a/doc/user/application_security/index.md b/doc/user/application_security/index.md
index 8e97427e061..e1056eb2002 100644
--- a/doc/user/application_security/index.md
+++ b/doc/user/application_security/index.md
@@ -7,9 +7,11 @@ type: reference, howto
GitLab can check your application for security vulnerabilities that may lead to unauthorized access,
data leaks, denial of services, and more. GitLab reports vulnerabilities in the merge request so you
can fix them before merging. The [Security Dashboard](security_dashboard/index.md) provides a
-high-level view of vulnerabilities detected in your projects, pipeline, and groups. With the
-information provided, you can immediately begin risk analysis and remediation.
+high-level view of vulnerabilities detected in your projects, pipeline, and groups. The [Threat Monitoring](threat_monitoring/index.md)
+page provides runtime security metrics for application environments. With the information provided,
+you can immediately begin risk analysis and remediation.
+<i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
For an overview of application security with GitLab, see
[Security Deep Dive](https://www.youtube.com/watch?v=k4vEJnGYy84).
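Review bot: The first added line, the one ending in `The [Threat Monitoring](threat_monitoring/index.md)`, runs well past the width the neighbouring lines are wrapped to; re-wrap the paragraph so the new sentence starts on its own line. The added `<i class="fa fa-youtube-play youtube" aria-hidden="true"></i>` line is raw HTML with no connection to the Threat Monitoring link, so confirm it belongs in this change and renders as intended in front of the video sentence.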
diff --git a/doc/user/application_security/offline_deployments/index.md b/doc/user/application_security/offline_deployments/index.md
index f72b632ff82..6fc16684d79 100644
--- a/doc/user/application_security/offline_deployments/index.md
+++ b/doc/user/application_security/offline_deployments/index.md
@@ -13,7 +13,7 @@ connected to the internet, in what is sometimes known as an offline,
limited connectivity, Local Area Network (LAN), Intranet, or "air-gap"
environment.
-In this situation, the GitLab instance can be one, or more, servers and services running in a network that can talk to one another, but have zero, or perhaps very restricted access to the internet. Assume anything within the GitLab instance and supporting infrastrusture (private maven repository for example) can be accessed via local network connection. Assume any files from the internet must come in via physical media (USB drive, hard drive).
+In this situation, the GitLab instance can be one, or more, servers and services running in a network that can talk to one another, but have zero, or perhaps very restricted access to the internet. Assume anything within the GitLab instance and supporting infrastructure (private Maven repository for example) can be accessed via local network connection. Assume any files from the internet must come in via physical media (USB drive, hard drive).
GitLab scanners generally will connect to the internet to download the
latest sets of signatures, rules, and patches. A few extra steps are necessary
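Review bot: The corrected paragraph is still a single unwrapped line, unlike the wrapped paragraphs before and after it in this hunk, so a two-word fix (`infrastructure`, `Maven`) appears as a whole-paragraph change; wrap it while it is being touched. The parenthetical would also read more cleanly as `(a private Maven repository, for example)`.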
diff --git a/doc/user/application_security/threat_monitoring/index.md b/doc/user/application_security/threat_monitoring/index.md
new file mode 100644
index 00000000000..07427af7c7d
--- /dev/null
+++ b/doc/user/application_security/threat_monitoring/index.md
@@ -0,0 +1,40 @@
+---
+type: reference, howto
+---
+
+# Threat Monitoring **(ULTIMATE)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/14707) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
+
+The **Threat Monitoring** page provides metrics for the GitLab
+application runtime security features. You can access these metrics by
+navigating to your project's **Security & Compliance > Threat Monitoring** page.
+
+GitLab supports statistics for the following security features:
+
+- [Web Application Firewall](../../clusters/applications.md#web-application-firewall-modsecurity)
+
+## Web Application Firewall
+
+The Web Application Firewall section provides metrics for the NGINX
+Ingress controller and ModSecurity firewall. This section has the
+following prerequisites:
+
+- Project has to have at least one [environment](../../../ci/environments.md).
+- [Web Application Firewall](../../clusters/applications.md#web-application-firewall-modsecurity) has to be enabled.
+- [Elastic Stack](../../clusters/applications.md#web-application-firewall-modsecurity) has to be installed.
+
+If you are using custom Helm values for the Elastic Stack you have to
+configure Filebeat similarly to the [vendored values](https://gitlab.com/gitlab-org/gitlab/-/blob/f610a080b1ccc106270f588a50cb3c07c08bdd5a/vendor/elastic_stack/values.yaml).
+
+The **Web Application Firewall** section displays the following information
+about your Ingress traffic:
+
+- The total amount of requests to your application
+- The proportion of traffic that is considered anomalous according to
+ the configured rules
+- The request breakdown graph for the selected time interval
+
+If a significant percentage of traffic is anomalous, you should
+investigate it for potential threats by
+[examining the application logs](../../clusters/applications.md#web-application-firewall-modsecurity).
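Review bot: In the prerequisites list, the Elastic Stack item links to `../../clusters/applications.md#web-application-firewall-modsecurity`, the same anchor as the Web Application Firewall item directly above it, which looks like a copy-paste; point it at the Elastic Stack section of that page instead. The closing `examining the application logs` link reuses the same anchor, so check that it lands on the log instructions rather than the top of the WAF section. Minor wording: `The total amount of requests` should be `The total number of requests`.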