
Elastic SIEM Overview

Elastic SIEM is the #13 ranked solution among the top Security Information and Event Management (SIEM) tools. IT Central Station users give Elastic SIEM an average rating of 8 out of 10. Elastic SIEM is most commonly compared to Splunk (Elastic SIEM vs Splunk). The top industry researching this solution is computer software companies, whose professionals account for 28% of all views.
What is Elastic SIEM?

Elastic SIEM equips security practitioners with easy data ingestion via Beats, shareable analytics based on the Elastic Common Schema (ECS), and the ability to interact with security data using the SIEM app in Kibana. As threats continue to evolve, so too will Elastic SIEM.

Elastic SIEM Buyer's Guide

Download the Elastic SIEM Buyer's Guide including reviews and more. Updated: November 2021

Elastic SIEM Customers
Harel Insurance & Financial, Delhivery, Voxpopme, POSCO, Fairfax Media, EO Media Group, Netshoes, BPCE, MM Karton, KPN, NS1, Ctcue, Forcura, Engadget, Roanoke College, St. Mary's University, Indiana University, E*Trade, Adobe, Cisco
Pricing Advice

What users are saying about Elastic SIEM pricing:
  • "Its price is fine. Its licensing works on a yearly basis. We have to renew the license every year. I also have a good experience with Darktrace. When we buy Darktrace, we get training free of cost, which is not there in Elastic. We have to pay extra for training. There is certainly room for improvement."
  • "It's a monthly cost with Elastic SIEM, but I am not sure of the exact cost."
  • "There is no charge for using the open-source version."

Elastic SIEM Reviews

JM
Director of Engineering at a tech services company with 201-500 employees
Real User
Top 20
Continuously evolving on the security front and it has good speed, detail, and visualization

Pros and Cons

  • "The most valuable features are the speed, detail, and visualization. It has the latest standards."
  • "If you compare this with CrowdStrike or Carbon Black, they can improve."

What is our primary use case?

We want to track and respond to our security incidents. That's the main reason we use it: to analyze and see all the incidents that are happening. We also deploy it for some of our clients.

What is most valuable?

The most valuable features are the speed, detail, and visualization. It has the latest standards.

In the case of DNS traffic or identification logs, you can actually use it on nondiscrimination laws. It has a good speed in which we can analyze the logs and the net flow.

What needs improvement?

The signature security needs improvement. 

If you compare this with CrowdStrike or Carbon Black, they can improve. 

For how long have I used the solution?

I have been using Elastic SIEM for one year. 

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

Scaling is not a problem. Most of these products are cloud-native so we were able to scale it easily.

We are to implement it for smaller, medium, and bigger clients. I have done a few implementations with small and medium businesses and I've done a couple on the bigger side with bigger clients and we don't see much of a difference, but one of them can move down the fabric. With smaller and medium-sized businesses there is only one point of contact whereas with larger businesses there is a whole team that gets involved. 

How are customer service and technical support?

There were a couple of instances where we were in touch with the Elastic support team. The DevOps team was primarily in touch with them. We were able to close all of the issues. We didn't need to continuously have calls with support. We were able to close it on all forums.

How was the initial setup?

Because I come from a technical background, I find the setup to be easy. It would also be easy for admins, like a manager or somebody who is on DevOps. But somebody without a background could find it complex. Overall, if you asked me to describe it, it is easy.

If we have to do customizations, we can close them in a week's time, max. So as he said to whatever that is, they're magnificent customizations that they want to do and internally what they want. But if we want to add certain rules or connection with the rules.

Which other solutions did I evaluate?

I have expertise with Dell and I moved from it to Elastic because I had different projects and this was a natural extension. 

What other advice do I have?

You have to decide to what level you're trying to go. Is it an SMB or larger enterprise? Because if it is a bigger enterprise there might be a lot of other cybersecurity products that are already installed on their premises. You need to check the compatibility and how it's going to integrate. 

Make sure it is easy to use and check to see what level you want to track. If there are incidents like unknown IPs and if you look at the logs and find there is no harm in the IPs there will be scrutiny on the endpoints. 

Consider what kind of team you're going to have and what their ability is to customize things, to connect to different logs. They should look at the operation and see how to customize it and connect it.  

Finally, consider your budget and how much you want to spend. 

I would rate it an eight out of ten. It is evolving every day on the security front but there are still certain areas that can be improved more.

In the next release, I'd like to see more improvements so that we can do more automation and have more automatic responses. That would be more helpful so that we don't have to delay the manual sources.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
SA
Consultant at a computer software company with 5,001-10,000 employees
Real User
Top 5
Fast, highly scalable, and agents don't overload the terminals, but needs a simulation environment, a mobile app, and better documentation

Pros and Cons

  • "It is very quick to react. I can set it to check anomalies or suspicious behavior every 30 seconds. It is very fast."
  • "Elastic has a lot of beats, such as Winlogbeat and Filebeat. Beats are the agents that have to be installed on the terminals to send the data. When we install beats or Elastic agents on every terminal, they don't overload the terminals. In other SIEM solutions such as Splunk or QRadar, when beats or agents are installed on endpoints, they are very heavy for the terminals. They consume a lot of power of the terminals, whereas Elastic agents hardly consume any power and don't overload the terminals."
  • "There should be a simulation environment to check whether my Elastic implementation is functioning perfectly fine. Other solutions have their own Android and iOS applications that I can install on my mobile so that I am continuously connected to the SIEM."
  • "Its documentation should be a bit better. I have to spend at least a couple of hours to find the solution for a simple thing. When we buy Elastic, training is not included for free with Elastic. We have to pay extra for the training. They should include training in the price."

What is our primary use case?

There are around 150 pre-built use cases. One of the major use cases is when somebody tries to fiddle with logs, Elastic SIEM creates an alert because logs are the most critical things from the security aspect. For example, I have more than 1,000 terminals, which can be desktops, laptops, or any sort of servers. If somebody tries to delete Windows logs, Elastic SIEM immediately generates an alert indicating that somebody is trying to fiddle with the logs. Elastic SIEM sends me a pop-up message as well as an email.

What is most valuable?

It is very quick to react. I can set it to check anomalies or suspicious behavior every 30 seconds. It is very fast.

Elastic has a lot of beats, such as Winlogbeat and Filebeat. Beats are the agents that have to be installed on the terminals to send the data. When we install beats or Elastic agents on every terminal, they don't overload the terminals. In other SIEM solutions such as Splunk or QRadar, when beats or agents are installed on endpoints, they are very heavy for the terminals. They consume a lot of power of the terminals, whereas Elastic agents hardly consume any power and don't overload the terminals. 

What needs improvement?

There should be a simulation environment to check whether my Elastic implementation is functioning perfectly fine. Other competitors provide a simulation environment so that I can simulate an IT attack and see how my solution is reacting or giving me alerts. I have not found any such feature in Elastic.

Other solutions have their own Android and iOS applications that I can install on my mobile so that I am continuously connected to the SIEM. This is something missing in Elastic. There is no mobile app.

Its documentation should be a bit better. I have to spend at least a couple of hours to find the solution for a simple thing. The documentation should be more precise and much better than what their counterparts are offering.

When we buy Elastic, training is not included for free with Elastic. We have to pay extra for the training. They should include training in the price.

What do I think about the stability of the solution?

It is, for sure, reliable.

What do I think about the scalability of the solution?

It is highly scalable. We at least have two dozen people who are using it. Some people may be using only a part of it, and some may be fully involved in it.

We have plans to increase its usage. We are ready with a running full-fledged server, and we can even handle data for potential customers. We are definitely planning to widen its usage.

How are customer service and technical support?

I have interacted with them. They are quite responsive, and they do respond within the SLA.

How was the initial setup?

I was not there when the deployment was done, but based on what I have heard, it was complex because of the server deployment and cluster formation, and it took at least two months.

What's my experience with pricing, setup cost, and licensing?

Its price is fine. Its licensing works on a yearly basis. We have to renew the license every year.

I also have a good experience with Darktrace. When we buy Darktrace, we get training free of cost, which is not there in Elastic. We have to pay extra for training. There is certainly room for improvement.

Which other solutions did I evaluate?

I was not in this company when this was chosen.

What other advice do I have?

I would advise going for the latest version, but it may or may not be backward compatible. Nowadays, version 7.12 is the latest version, and I see that it is actually not compatible with the older versions. 

I would rate Elastic SIEM a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
SA
Consultant at a computer software company with 5,001-10,000 employees
Real User
Top 5
Easy and quick to set up, and the runtime performance is good

Pros and Cons

  • "The most valuable feature is the speed, as it responds in a very short time."
  • "The training that is offered for Elastic is in need of improvement because there is no depth to it."

What is our primary use case?

This is a log aggregation tool and we are using it for security purposes.

There are 145 pre-built use cases, but we are still making some ourselves. One we built is an alarm for log deletion. For example, if a hacker tries to delete the log from a bank machine then it will raise an alarm immediately. A second use case is an alert for too many false login attempts, perhaps indicating a brute-force attack.

What is most valuable?

The most valuable feature is the speed, as it responds in a very short time. I think that the alerts are generated in less than a minute.

It is very easy to set up and doesn't take much time.

What needs improvement?

There are sensors called beats that have to be installed on all of the client machines, and there are seven or eight of them. As it is now, each beat needs to be configured separately, which can be quite hectic if my client has 1000+ machines. It would take a considerable period of time for us to complete the installation. They have begun working on this in the form of agents, which is a centralized management tool wherein all beats will be installed in a single stroke.

The training that is offered for Elastic is in need of improvement because there is no depth to it. It hardly takes 15 or 20 minutes to complete a training session that they say will take two hours to finish. Clearly, something is missing. If a new engineer wants to work with Elastic then it is really very hard for them to understand the technology. 

For how long have I used the solution?

I have been using Elastic SIEM for two or three months.

What do I think about the stability of the solution?

This is a stable system and it has never crashed.

What do I think about the scalability of the solution?

Elastic SIEM is definitely stable. We have just started working on it, so we have no more than perhaps 100 users at this point. At the same time, we are confident that it can be scaled up to any extent.

How are customer service and technical support?

I am satisfied with the technical support.

How was the initial setup?

The initial setup is easy. The length of time for deployment on a machine depends on the configuration that is required. If it uses all 145 use cases then it will take a long time. If on the other hand there are only a small set of use cases, it will be very quick. I would say that it takes no more than 30 minutes to install one.

Which other solutions did I evaluate?

I have personally worked with Splunk in the past, but here at this company, they only use Elastic. I believe that one of the major differences between these two is the pricing model. With Splunk, it depends on how much data we are ingesting. For us, it is approximately 500 GB per day. Elastic has a different pricing system that is ultimately cheaper.

One of the advantages of Splunk is that they offer extensive training that is free of cost.

What other advice do I have?

My advice to anybody who is considering this product is that it is a very competitive tool that is very new in the market and the vendor is doing their best to improve services. I highly recommend it and suggest that people choose it without a second thought.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
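The two reviews above describe the same pair of pre-built SIEM use cases: an alert when someone clears the Windows Security log, and an alert when too many failed logons arrive from one source (possible brute force). The following is an added example, not code from the reviewers or from Elastic, showing the detection logic those rules boil down to, run over a handful of constructed ECS-style events. The Windows event IDs 1102 (audit log cleared) and 4625 (failed logon) are real; the threshold, window, host names and IP addresses are constructed assumptions, and in a real deployment this logic lives in Elastic detection rules rather than in a script.

```python
"""Detection logic for two SIEM use cases described in the reviews:
(1) the Windows Security log was cleared, (2) repeated failed logons
from one source within a short window. Added example; not Elastic code.
Events use ECS-style field names with constructed sample values."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Real Windows Security event IDs.
LOG_CLEARED = "1102"   # "The audit log was cleared"
FAILED_LOGON = "4625"  # "An account failed to log on"


def _event(ts, code, host, src_ip=None, user=None):
    """Build one ECS-style event dict (helper for the constructed sample)."""
    return {"@timestamp": ts, "event.code": code, "host.name": host,
            "source.ip": src_ip, "user.name": user}


# Constructed sample events (not from any real host):
#  - six failed logons from 10.0.0.5 against ws-01 within 50 seconds (burst)
#  - three failed logons from 10.0.0.9 spread over several minutes (benign)
#  - one successful logon (ignored by both rules)
#  - the Security log on srv-01 cleared by "admin"
SAMPLE_EVENTS = (
    [_event(f"2021-11-01T10:00:{s:02d}Z", FAILED_LOGON, "ws-01", "10.0.0.5", "svc")
     for s in range(0, 60, 10)]
    + [_event("2021-11-01T10:01:00Z", FAILED_LOGON, "ws-02", "10.0.0.9", "bob"),
       _event("2021-11-01T10:04:00Z", FAILED_LOGON, "ws-02", "10.0.0.9", "bob"),
       _event("2021-11-01T10:08:00Z", FAILED_LOGON, "ws-02", "10.0.0.9", "bob"),
       _event("2021-11-01T10:02:00Z", "4624", "ws-02", "10.0.0.9", "bob"),
       _event("2021-11-01T10:05:00Z", LOG_CLEARED, "srv-01", None, "admin")]
)


def parse_ts(value):
    """Parse the ISO-8601 Zulu timestamps used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, threshold=5, window=timedelta(minutes=1)):
    """Return a time-ordered list of alerts.

    Rule 1 fires on every log-cleared event.
    Rule 2 keeps a sliding window of failed-logon timestamps per
    (host, source.ip); when `threshold` failures fall inside `window`
    it fires once and resets that source's window, so a long burst
    yields one alert per `threshold` failures instead of one per event.
    """
    alerts = []
    attempts = defaultdict(deque)  # (host, source.ip) -> recent failure times
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        ts = parse_ts(ev["@timestamp"])
        code = ev.get("event.code")
        if code == LOG_CLEARED:
            alerts.append({"rule": "security_log_cleared", "host": ev["host.name"],
                           "user": ev.get("user.name"), "timestamp": ev["@timestamp"]})
        elif code == FAILED_LOGON:
            key = (ev["host.name"], ev.get("source.ip"))
            recent = attempts[key]
            recent.append(ts)
            while recent and ts - recent[0] > window:  # drop stale failures
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_logon", "host": ev["host.name"],
                               "source_ip": ev.get("source.ip"), "count": len(recent),
                               "timestamp": ev["@timestamp"]})
                recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run on the constructed sample, the burst from 10.0.0.5 produces a single brute-force alert at the fifth failure and the log-cleared event on srv-01 produces the second alert; the spread-out failures from 10.0.0.9 never reach the threshold inside the window. Raising `threshold` above the burst size leaves only the log-cleared alert, which is the knob a real rule exposes as its threshold and time window.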
TW
I.T. Manager at a healthcare company with 51-200 employees
Real User
Top 5
Analyses your security data quickly and effectively

Pros and Cons

  • "Just the ability to do a lot more than just up-down is nice, which a lot of people take for granted."
  • "The biggest challenge has been related to the implementation."

What is our primary use case?

We plan to use it to analyze the data that we're pumping into it from Active Directory and from firewalls, then we'll pass that information onto our own external SOC.

What is most valuable?

We really haven't had any significant SIEM solutions, so it's all new to us, other than a simple up-down solution. Just the ability to do a lot more than just up-down is nice, which a lot of people take for granted.

What needs improvement?

The biggest challenge has been related to the implementation. It's a very complex product which, without a lot of knowledge or a lot of training, it's very difficult to get into and make use of. They try and make a lot of the general features very simple to access; a lot of the dashboards are very simple to use and so forth, but a lot of the refined capabilities take serious skills. They're not necessarily the easiest to implement.

For how long have I used the solution?

We've been trying to implement it and get it up and going for a good three to four months now.

What do I think about the stability of the solution?

Elastic SIEM is pretty stable. I did have a problem during one of the upgrades, but customer support was able to resolve it for me quickly. Other than that, it's been very reliable and stable.

How are customer service and technical support?

The customer service is great; not a whole lot of back-and-forth going on.

How was the initial setup?

The initial setup was pretty straightforward.

What's my experience with pricing, setup cost, and licensing?

It's a monthly cost with Elastic SIEM, but I am not sure of the exact cost.

What other advice do I have?

In our case, being a medium-sized business, it takes a lot of resources to learn how to properly use and implement it — you need to have a good understanding. They give you a very good framework and a very good solution to work with, but there's a lot of intuition that's required to actually make it work well. It requires a lot more effort than they would lead you to believe or that you would even expect.

On a scale from one to ten, I would give this solution a rating of eight. This is based on my experiences from the past as we're still implementing it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JJ
CEO at a tech services company with 51-200 employees
Real User
Top 20
Stable, good technical support, and valuable machine learning features

Pros and Cons

  • "The most valuable feature is the machine learning capability."
  • "This solution is very hard to implement."

What is our primary use case?

We use Elastic SIEM for security and analytics.

What is most valuable?

The most valuable feature is the machine learning capability.

What needs improvement?

This solution is very hard to implement. It is not a simple product but rather, it has many features and we need to understand all of them. For example, there is the analytics, the parser, and the visualizer, and setting them all up is a little bit complex.

In the next release of this product, I would like to see SOAR automation features, similar to what Splunk Phantom has.

For how long have I used the solution?

We are conducting a PoC with Elastic SIEM and I have about two months of experience with it.

What do I think about the stability of the solution?

The deployment is stable, although they are evolving very fast. They frequently update everything.

We are using Elastic SIEM on a daily basis, even during holidays.

What do I think about the scalability of the solution?

I would say that it is scalable.

How are customer service and technical support?

The technical support is good.

How was the initial setup?

The initial setup is quite complex. Starting from the point where we were collecting the data, the deployment probably took about a month. However, simply installing the applications only takes a few days.

What about the implementation team?

We have an engineer in the company who handled the deployment. So far, things have been good.

What other advice do I have?

My advice to anybody who is implementing Elastic SIEM is to understand how the data works first. It is really different from other types of products.

Overall, the product is very stable and it is well-liked. I think that everybody should consider using it.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
ITCS user
Cyber Security Consultant at a tech services company with 51-200 employees
Real User
Top 5 Leaderboard
A cost-effective solution with good performance

Pros and Cons

  • "The performance is good and it is faster than IBM QRadar."
  • "The interface could be more user-friendly because it is sometimes hard to deal with."

What is our primary use case?

Elastic SIEM is used to monitor and deal with system log files.

What is most valuable?

The best part about this solution is that it is open-source and free to use.

The performance is good and it is faster than IBM QRadar.

What needs improvement?

The interface could be more user-friendly because it is sometimes hard to deal with.

The initial setup can be made easier.

For how long have I used the solution?

I have been using Elastic SIEM for six months.

What do I think about the stability of the solution?

I am satisfied with the stability of Elastic SIEM.

How are customer service and technical support?

There is no technical support for the open-source, free version.

Which solution did I use previously and why did I switch?

I have used other SIEM solutions but this one is open-source, unlike some of the others.

It is also faster than IBM QRadar.

How was the initial setup?

The initial setup is complex and it is not easy to deploy.

It is also possible to have a cloud-based deployment.

What's my experience with pricing, setup cost, and licensing?

There is no charge for using the open-source version.

What other advice do I have?

This solution is complex and cannot be used by just anybody. That said, for people who don't want to buy a product or who want to do everything themselves, I would recommend it. The real problem is that its complexity means that it takes a lot of time to set up and learn to use. There is a lot of configuration and hard work.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.