diff --git a/doc/administration.md b/doc/administration.md
new file mode 100644
index 0000000000000000000000000000000000000000..447bf65d567cc062058bc6247155155f394bc171
--- /dev/null
+++ b/doc/administration.md
@@ -0,0 +1,29 @@
+# SOCtools Administration Guide
+
+TODO:
+Describe what components are there and how they work together, how data flow. (There already is architecture.md, review/update it)
+
+## User management
+
+How user management is handled (Keycloak)? Is everything centralized or are there "local" users in some applications?
+How to add/edit user accounts
+
+
+## Data ingestion
+
+How to forward logs from some servers/applications to SOCtools, what must be set up to in NiFi.
+
+Other data sources except logs? Emails?
+
+How to set up data feeds in MISP and analyzers in Cortex.
+
+
+## Data processing in NiFi 
+
+What the current NiFi pipeline does. How to reconfigure it.
+
+
+## Other tools?
+
+Is there anything in Elasticsearch, Kibana, MISP, The Hive, etc., which is specific to SOCtools and should be described (i.e. can't be found in official documentation of these tools)?
+
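Review bot: The "TODO:" marker at the top of the file reads as covering only the architecture item, but every section below it (User management, Data ingestion, Data processing in NiFi, Other tools?) is also an open question rather than documentation, so a reader of doc/administration.md cannot tell which parts are placeholders. Suggest marking each section as TODO, or stating at the top that the whole file is an outline, and linking architecture.md rather than only naming it. In User management, the question about "local" users in some applications is worth answering first, because any accounts that live outside Keycloak would not be covered by a centralized add/edit procedure and need their own steps. Minor wording: "how data flow" should be "how data flows", "what must be set up to in NiFi" has a stray "to", and the "## Data processing in NiFi " heading ends with trailing whitespace.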