What is our primary use case?
This is a log aggregation tool and we are using it for security purposes.
There are 145 pre-built use cases, but we are still making some ourselves. One we built is an alarm for log deletion. For example, if a hacker tries to delete the log from a bank machine then it will raise an alarm immediately. A second use case is an alert for too many false login attempts, perhaps indicating a brute-force attack.
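The two custom detections described above, as an added example that is not part of this review and is not Elastic's own rule syntax: a stand-alone Python script that applies a log-deletion rule and a failed-login threshold rule to a handful of constructed sample events. The event field names, the action names, and the threshold of five failures within two minutes are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule parameters (assumed values for this example, not the product's defaults).
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=2)
# Action names are assumptions; a real deployment would map them from the
# source's own event identifiers (e.g. the audit-log-cleared event on Windows).
LOG_CLEAR_ACTIONS = {"audit_log_cleared", "log_file_deleted"}

# Constructed sample events, not real telemetry. Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "action": "login_failure", "src": "203.0.113.7", "user": "alice", "host": "atm-01"},
    {"ts": "2024-05-01T09:00:10", "action": "login_failure", "src": "203.0.113.7", "user": "alice", "host": "atm-01"},
    {"ts": "2024-05-01T09:00:20", "action": "login_failure", "src": "203.0.113.7", "user": "alice", "host": "atm-01"},
    {"ts": "2024-05-01T09:00:30", "action": "login_failure", "src": "203.0.113.7", "user": "alice", "host": "atm-01"},
    {"ts": "2024-05-01T09:00:40", "action": "login_failure", "src": "203.0.113.7", "user": "alice", "host": "atm-01"},
    {"ts": "2024-05-01T09:00:50", "action": "login_failure", "src": "203.0.113.7", "user": "alice", "host": "atm-01"},
    {"ts": "2024-05-01T09:01:00", "action": "login_failure", "src": "198.51.100.4", "user": "bob", "host": "atm-02"},
    {"ts": "2024-05-01T09:05:00", "action": "login_failure", "src": "198.51.100.4", "user": "bob", "host": "atm-02"},
    {"ts": "2024-05-01T09:06:00", "action": "audit_log_cleared", "src": "10.0.0.5", "user": "svc_admin", "host": "atm-01"},
    {"ts": "2024-05-01T09:07:00", "action": "login_success", "src": "203.0.113.7", "user": "alice", "host": "atm-01"},
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def detect(events):
    """Run both rules over the events in time order and return the alerts raised.

    Rule 1 (log deletion): any event whose action is a log-clearing action
    raises an alert immediately, regardless of who performed it.
    Rule 2 (brute force): a source that produces FAILED_LOGIN_THRESHOLD or more
    login failures inside a sliding FAILED_LOGIN_WINDOW raises one alert; the
    window is then reset so the same burst is not reported on every extra failure.
    """
    alerts = []
    failures = defaultdict(deque)  # source address -> timestamps of recent failures

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])

        if ev["action"] in LOG_CLEAR_ACTIONS:
            alerts.append({"rule": "log_deletion", "ts": ev["ts"],
                           "host": ev["host"], "user": ev["user"]})
            continue

        if ev["action"] == "login_failure":
            recent = failures[ev["src"]]
            recent.append(ts)
            # Drop failures that have fallen out of the sliding window.
            while recent and ts - recent[0] > FAILED_LOGIN_WINDOW:
                recent.popleft()
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "brute_force", "ts": ev["ts"],
                               "src": ev["src"], "host": ev["host"],
                               "count": len(recent)})
                recent.clear()

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events the script raises exactly two alerts: a brute-force alert for 203.0.113.7 on its fifth failure, and a log-deletion alert for the audit-log-cleared event on atm-01; the two failures from 198.51.100.4 are too far apart to cross the threshold.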
What is most valuable?
The most valuable feature is the speed, as it responds in a very short time. I think that the alerts are generated in less than a minute.
It is very easy to set up and doesn't take much time.
What needs improvement?
There are sensors called beats that have to be installed on all of the client machines, and there are seven or eight of them. As it is now, each beat needs to be configured separately, which can be quite hectic if my client has 1000+ machines. It would take a considerable period of time for us to complete the installation. They have begun working on this in the form of agents, which is a centralized management tool wherein all beats will be installed in a single stroke.
The training that is offered for Elastic is in need of improvement because there is no depth to it. It hardly takes 15 or 20 minutes to complete a training session that they say will take two hours to finish. Clearly, something is missing. If a new engineer wants to work with Elastic then it is really very hard for them to understand the technology.
For how long have I used the solution?
I have been using Elastic SIEM for two or three months.
What do I think about the stability of the solution?
This is a stable system and it has never crashed.
What do I think about the scalability of the solution?
Elastic SIEM is definitely stable. We have just started working on it, so we have no more than perhaps 100 users at this point. At the same time, we are confident that it can be scaled up to any extent.
How are customer service and technical support?
I am satisfied with the technical support.
How was the initial setup?
The initial setup is easy. The length of time for deployment on a machine depends on the configuration that is required. If it uses all 145 use cases then it will take a long time. If, on the other hand, there is only a small set of use cases, it will be very quick. I would say that it takes no more than 30 minutes to install one.
Which other solutions did I evaluate?
I have personally worked with Splunk in the past, but here at this company, they only use Elastic. I believe that one of the major differences between these two is the pricing model. With Splunk, it depends on how much data we are ingesting. For us, it is approximately 500 GB per day. Elastic has a different pricing system that is ultimately cheaper.
One of the advantages of Splunk is that they offer extensive training that is free of cost.
What other advice do I have?
My advice to anybody who is considering this product is that it is a very competitive tool that is very new in the market and the vendor is doing their best to improve services. I highly recommend it and suggest that people choose it without a second thought.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?