Elastic Security Reviews

Currently, I am using QRadar, which I consider legacy and outdated compared to Elastic Security and Splunk. I also explored Elastic Security yet haven't implemented it in production.

Elastic Security offers advanced features such as machine learning and integration with ChatGPT. It can be used on-premises without an internet connection, making it versatile. The platform provides more visibility and requires less effort in monitoring. It is cost-effective and offers a good price compared to other solutions.

Elastic Security has developed its security capabilities and is currently in the early stages. It provides observability, security, and SIEM (Security Information and Event Management). It's an integrated security solution for enterprise-level organizations, offering visibility through Kibana. Additionally, it offers insights regarding alerts, reports, and cases, and the ability to create whitelisting and rules.

Elastic Security offers good insight regarding alerts, reports, and cases. Users can create whitelisting and rules; creating rules in Elastic is user-friendly and doesn't necessarily require an expert to manage it. A large portion of their knowledge base is available online. Additionally, Elastic Security is as flexible and configurable as Microsoft Sentinel.

We primarily use the solution for log management. We use its basic functionality.

The dashboards are great.

It's very customizable, which is quite helpful. 

It's mostly stable. 

The solution can scale.

It is a reasonably priced product that is open-source and can be free to use. 

I use Elastic Security to aggregate all logs from different devices in one place. It works pretty well and provides one overview of everything.

The solution's most valuable features are anomaly detection and connectivity reporting. Elastic Security also has many automation capabilities, which can feed some information to other systems.

There are around 150 pre-built use cases. One of the major use cases is when somebody tries to fiddle with logs, Elastic SIEM creates an alert because logs are the most critical things from the security aspect. For example, I have more than 1,000 terminals, which can be desktops, laptops, or any sort of servers. If somebody tries to delete Windows logs, Elastic SIEM immediately generates an alert indicating that somebody is trying to fiddle with the logs. Elastic SIEM sends me a pop-up message as well as an email.

It is very quick to react. I can set it to check anomalies or suspicious behavior every 30 seconds. It is very fast.

Elastic has a lot of beats, such as Winlogbeat and Filebeat. Beats are the agents that have to be installed on the terminals to send the data. When we install beats or Elastic agents on every terminal, they don't overload the terminals. In other SIEM solutions such as Splunk or QRadar, when beats or agents are installed on endpoints, they are very heavy for the terminals. They consume a lot of power of the terminals, whereas Elastic agents hardly consume any power and don't overload the terminals. 

It is currently deployed as a single instance, but we are currently looking at clusters. We are using it for a logging solution. I'm a developer and act as a server engineer for DevOps Engineers. It's used by developers and mobile developers. It could be used by quite a few different teams.

It is quite comprehensive, and you're able to do a lot of tasks. It has dashboards and we're able to create a lot of search queries. It is not easy to use, but once you get the hang of it, then it provides good graphs and visuals such as these. The indexes allow you to get your results quickly. The filtering and log passing is the advantage of Logstash.

We use Elastic Security for basic SIEM reporting.

The most valuable feature of Elastic Security is that you can install agents, and they are not separately licensed. You can also directly install integrations onto those agents. The solution's user interface is good.

Elastic Security is very customizable, and the dashboards are very easy to build. It's a very, very, very fast tool. If I click on something on my other SIEM to drill down into that thing, it only drills down a little, but Elastic Security will filter everything that's on the screen.

It's a little bit of a learning curve to understand the logic of searching for things and trying to find what you're looking for in Elastic Security. You have to understand because it's not all formatted the same. My last SIEM had a whole drop-down where you literally could click on whatever data source you wanted to look at.

It's not like that in Elastic Security. Sometimes, it's a drop-down, and sometimes it's like a specific thing inside something else. You have to get in there and understand your environment to really know where your data is. Trying to find what you're looking for if you don't know the environment is extremely hard in Elastic Security.