What is our primary use case?
We primarily use the solution to correlate all of the Windows event logs. We use it more for forensic purposes now. We are looking for something that will be a more proactive product for us, one that is able to detect threats and take automatic action.
What is most valuable?
All of the features of the solution are useful because I have the full stack, so I can collect and then visualize. We have the dashboard tutor as well.
The solution has a good community around it, with lots of helpful documentation for troubleshooting purposes.
What needs improvement?
The solution is lacking some AI and machine learning features. There may be a feature out there that we are not using, or maybe it's in a different solution; however, having more AI would be very helpful for us.
The solution needs to be more reactive to investigations. We need to be able to detect and prevent attacks before they can damage our infrastructure. Currently, this solution doesn't offer that.
I know there are some features which are coming, and some which are already available. To be honest, I haven't had any time to play around and check what the advantages of them could be. Compared to other products, the features already available (and there are lots of things provided) are quite useful. We are not managing it; we're only using it. If we had the technical skills to manage the solution, we might be able to see and understand a few features that we're not already taking advantage of.
For how long have I used the solution?
I've been using the solution for three years.
What do I think about the scalability of the solution?
The solution is scalable for us now, although it didn't start that way.
We have about 50 users between SecOps and the Microsoft team. The network team, of between 50 and 100 people, is using it on a regular basis.
How are customer service and technical support?
I've never had to contact technical support. I mainly rely on the communities around the solution, and that is where I find almost all of the information I need. They're great. There's lots of information available that helps you troubleshoot issues.
Which solution did I use previously and why did I switch?
We previously used a product from Quest Software called Change Auditor. We actually didn't switch away from that solution; we use both Quest and ELK in our organization.
The main difference is that you have to pay for one, while the other is much cheaper, and if you don't need all the features, you can use it for free.
ELK has much more information, as well. You can grab much more information with ELK than you can with Change Auditor, without adding any additional modules.
How was the initial setup?
The initial setup as I recall was pretty easy. However, I moved to an infrastructure that had a connection to a second ELK instance that I am not managing.
The settings on that instance are more complex than my initial setup.
I am not a specialist in big data infrastructure; I am a process engineer. You need dedicated and well-trained people as soon as you have a large infrastructure and are sending a lot of events to the Elastic instance, so that it performs correctly. That's always the challenge you have with on-premises infrastructure.
What's my experience with pricing, setup cost, and licensing?
I'm not sure how much the company pays to use ELK. It's not part of the job that I handle.
What other advice do I have?
We're ELK customers. Mostly I'm a specialist in the infrastructure of the solution.
The solution is perfect as long as you are using it for forensics. In terms of threat detection, it could be better. There could be another product that is more appropriate for that aspect.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?