Add documentation for the Threat Monitoring page

doc/user/application_security/index.md

@@ -7,9 +7,11 @@ type: reference, howto
 GitLab can check your application for security vulnerabilities that may lead to unauthorized access,
 data leaks, denial of services, and more. GitLab reports vulnerabilities in the merge request so you
 can fix them before merging. The [Security Dashboard](security_dashboard/index.md) provides a
-high-level view of vulnerabilities detected in your projects, pipeline, and groups. With the
-information provided, you can immediately begin risk analysis and remediation.
+high-level view of vulnerabilities detected in your projects, pipeline, and groups. The [Threat Monitoring](threat_monitoring/index.md)
+page provides runtime security metrics for application environments. With the information provided,
+you can immediately begin risk analysis and remediation.
 
+<i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
 For an overview of application security with GitLab, see
 [Security Deep Dive](https://www.youtube.com/watch?v=k4vEJnGYy84).
 

doc/user/application_security/threat_monitoring/index.md

+---
+type: reference, howto
+---
+
+# Threat Monitoring **(ULTIMATE)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/14707) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9.
+
+The **Threat Monitoring** page provides metrics for the GitLab
+application runtime security features. You can access these metrics by
+navigating to your project's **Security & Compliance > Threat Monitoring** page.
+
+GitLab supports statistics for the following security features:
+
+- [Web Application Firewall](../../clusters/applications.md#web-application-firewall-modsecurity)
+
+## Web Application Firewall
+
+The Web Application Firewall section provides metrics for the NGINX
+Ingress controller and ModSecurity firewall. This section has the
+following prerequisites:
+
+- Project has to have at least one [environment](../../../ci/environments.md).
+- [Web Application Firewall](../../clusters/applications.md#web-application-firewall-modsecurity) has to be enabled.
+- [Elastic Stack](../../clusters/applications.md#web-application-firewall-modsecurity) has to be installed.
+
+If you are using custom Helm values for the Elastic Stack you have to
+configure Filebeat similarly to the [vendored values](https://gitlab.com/gitlab-org/gitlab/-/blob/f610a080b1ccc106270f588a50cb3c07c08bdd5a/vendor/elastic_stack/values.yaml).
+
+The **Web Application Firewall** section displays the following information
+about your Ingress traffic:
+
+- The total amount of requests to your application
+- The proportion of traffic that is considered anomalous according to
+  the configured rules
+- The request breakdown graph for the selected time interval
+
+If a significant percentage of traffic is anomalous, you should
+investigate it for potential threats by
+[examining the application logs](../../clusters/applications.md#web-application-firewall-modsecurity).