Elastic Agent
Elastic
Reviews from AWS customers: 0 AWS reviews (no star ratings yet)
External reviews: 21 reviews
External reviews are not included in the AWS star rating for the product.
Streamlined Security Investigations with Elastic
What do you like best about the product?
I appreciate the ability to visualize data and turn it into actionable intelligence with Elastic Security. We use it to create dashboards that monitor our security posture, attack surface, and threat landscape. The integration with our incident management system is seamless, and the setup was simple and straightforward. Elastic Security has allowed our team to conduct investigations more efficiently.
What do you dislike about the product?
I find building sequencing rules where multiple events must occur in order over a given time challenging.
What problems is the product solving and how is that benefiting you?
I use Elastic Security to efficiently investigate and detect security incidents. It allows us to visualize data, creating dashboards to monitor our security posture and turn insights into actionable intelligence.
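The sequencing rules the reviewer above finds hard to build are EQL `sequence` queries: several stages that must match in order, joined on a key, inside a `maxspan` window. The following is an added example (not Elastic's code and not from the reviewer) that emulates that matching logic in plain Python over constructed ECS-shaped events, so the semantics can be stepped through offline; the equivalent EQL is in the docstring. Field names and the five-minute window are assumptions for the example.

```python
"""Emulate an EQL sequence rule over constructed ECS events (added example).

Equivalent EQL (Elastic Security detection rule, "Event Correlation" type):

    sequence by host.id with maxspan=5m
      [process where process.name == "powershell.exe"]
      [network where destination.port == 443]
      [file where file.extension == "exe"]

Each stage must match in order, all stages share the join key (host.id), and
the whole chain must fit inside maxspan measured from the first stage's event.
"""
from datetime import datetime, timedelta, timezone


def ts(minute):
    """Constructed timestamp: a fixed day, offset by minutes."""
    return datetime(2024, 1, 1, 12, minute, tzinfo=timezone.utc)


# Constructed telemetry (not real data). h1 completes the chain in 3 minutes,
# h2 takes 10 minutes (outside maxspan), h3 sees the stages out of order.
EVENTS = [
    {"@timestamp": ts(0), "host.id": "h1", "event.category": "process", "process.name": "powershell.exe"},
    {"@timestamp": ts(2), "host.id": "h1", "event.category": "network", "destination.port": 443},
    {"@timestamp": ts(3), "host.id": "h1", "event.category": "file", "file.extension": "exe"},
    {"@timestamp": ts(0), "host.id": "h2", "event.category": "process", "process.name": "powershell.exe"},
    {"@timestamp": ts(9), "host.id": "h2", "event.category": "network", "destination.port": 443},
    {"@timestamp": ts(10), "host.id": "h2", "event.category": "file", "file.extension": "exe"},
    {"@timestamp": ts(1), "host.id": "h3", "event.category": "network", "destination.port": 443},
    {"@timestamp": ts(2), "host.id": "h3", "event.category": "process", "process.name": "powershell.exe"},
    {"@timestamp": ts(3), "host.id": "h3", "event.category": "file", "file.extension": "exe"},
]

# One predicate per stage, in the order the sequence requires.
STAGES = [
    lambda e: e["event.category"] == "process" and e.get("process.name") == "powershell.exe",
    lambda e: e["event.category"] == "network" and e.get("destination.port") == 443,
    lambda e: e["event.category"] == "file" and e.get("file.extension") == "exe",
]


def find_sequences(events, stages, by="host.id", maxspan=timedelta(minutes=5)):
    """Return a list of completed chains; each chain is the list of matched events."""
    matches = []
    partial = {}  # join key -> list of (chain start time, events matched so far)
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        key = e.get(by)
        if key is None:
            continue
        chains = partial.setdefault(key, [])
        # Expire partial chains whose window has run out.
        chains[:] = [c for c in chains if e["@timestamp"] - c[0] <= maxspan]
        kept = []
        for start, seq in chains:
            if stages[len(seq)](e):
                seq = seq + [e]
                if len(seq) == len(stages):
                    matches.append(seq)  # chain complete: emit, do not keep
                else:
                    kept.append((start, seq))
            else:
                kept.append((start, seq))  # no advance; the chain waits
        chains[:] = kept
        # Any event matching stage 0 opens a new candidate chain.
        if stages[0](e):
            chains.append((e["@timestamp"], [e]))
    return matches


if __name__ == "__main__":
    for chain in find_sequences(EVENTS, STAGES):
        print(chain[0]["host.id"], [c["event.category"] for c in chain])
```

Widening `maxspan` to 15 minutes makes h2 match as well, while h3 never matches because its network event precedes the process event; that ordering constraint is what distinguishes a sequence rule from three independent queries ANDed together.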
Easy Alert Management and Powerful Cases for Security Investigations
What do you like best about the product?
You can manage the alerts in an easy way. From the alerts panel you can have all the information needed for a security investigation. Also, with the cases feature, you can create your own database of alerts.
What do you dislike about the product?
Sometimes loading is slow, and it's difficult to copy fields and values from timelines.
What problems is the product solving and how is that benefiting you?
It's helping us as a SIEM
Powerful Detection and Deep Visibility with Practical Usability in Elastic Security
What do you like best about the product?
Elastic Security stands out for its powerful detection capabilities and deep visibility across endpoints and logs, while still being relatively easy to use once the workflows are understood. Implementation is smooth in environments already using the Elastic stack, and integrations with existing tools are flexible and well-documented. The platform offers a rich set of features for threat detection, hunting, and response that scales well for SOC operations. Customer support and community resources are strong, making troubleshooting manageable. Overall, it’s a feature-dense, frequently used platform that balances advanced capability with practical usability.
What do you dislike about the product?
The learning curve can be steep at the beginning, especially when tuning detections and managing advanced features without prior Elastic experience.
What problems is the product solving and how is that benefiting you?
Elastic Security helps centralize detection by allowing us to create custom rules that identify threats across multiple data sources in one platform. Its ability to ingest logs from tools like CrowdStrike and other security products gives us unified visibility for faster investigations. This reduces tool sprawl and improves our SOC’s efficiency in detecting and responding to incidents.
Pre-Built Elastic Security Use Cases That Make Migration Easier
What do you like best about the product?
Most helpful, and one of the reasons for choosing Elastic Security, is the pre-built security use cases ready to use.
What do you dislike about the product?
The upside is, when you migrate from a different tool, learning the specifics, e.g. IP address stored in multiple fields, for the ability to search either by text or regex.
What problems is the product solving and how is that benefiting you?
Primarily we use it as a SIEM tool and also as an EDR tool.
Prebuilt Rules and Easy Integrations Make Elastic a Strong Choice
What do you like best about the product?
I think one of the best things about Elastic is the large set of prebuilt rules created by Elastic themselves.
I also like how the parsing and mapping are really easy to follow and implement, especially when you can find an integration that’s already created for the technology you need to monitor.
What do you dislike about the product?
What I was missing most was a proper SOAR. I haven’t tried the workflows yet, but I have high expectations for them.
In the past, we tested the AI assistant in the first version and were a bit disappointed. Nowadays, I think it has improved quite a lot.
Another thing I've noticed lately is that when using and correlating different log sources, especially through the integrations by Elastic, I sometimes find fields that should match but don't. For example, source.ip vs client.ip, or user.name vs source.user.name. This inconsistency has made it quite difficult to correlate threat intelligence with the dashboards.
What problems is the product solving and how is that benefiting you?
One of the biggest problems we faced when implementing our MSSP was separating data among customers. Elastic handles this quite well, and that’s a big reason we chose it.
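The field mismatch the reviewer above describes (source.ip vs client.ip, user.name vs source.user.name) breaks any correlation that keys on one of those names. The added example below (not Elastic's code and not from the reviewer) coalesces each group of aliases into one canonical ECS field before matching events against an indicator list; in Elastic itself the same normalisation can be done at ingest with a `set` processor using `copy_from`, or at query time with ES|QL `COALESCE(source.ip, client.ip)`. The alias table, events and indicators are constructed for the example.

```python
"""Coalesce inconsistently named ECS fields, then match threat intel (added example)."""
import ipaddress

# Canonical field -> candidate fields in priority order (assumption for this example).
FIELD_ALIASES = {
    "source.ip": ["source.ip", "client.ip", "source.address"],
    "user.name": ["user.name", "source.user.name"],
}


def normalize(event, aliases=FIELD_ALIASES):
    """Return a copy of the event with each canonical field filled from the first populated alias."""
    out = dict(event)
    for canonical, candidates in aliases.items():
        for name in candidates:
            value = event.get(name)
            if value not in (None, ""):
                out[canonical] = value
                break
    return out


def match_intel(events, indicators):
    """Return (normalised event, matched indicator) pairs for source.ip hits.

    Indicators may be single addresses or CIDR ranges. Events with no usable
    source.ip, or a value that is not an IP address, are skipped rather than
    crashing the run, because a mis-parsed field should not abort a hunt.
    """
    networks = [ipaddress.ip_network(i, strict=False) for i in indicators]
    hits = []
    for event in map(normalize, events):
        raw = event.get("source.ip")
        if raw is None:
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue
        for net in networks:
            if ip in net:
                hits.append((event, str(net)))
                break
    return hits


# Constructed events from integrations that name the same concept differently.
EVENTS = [
    {"event.dataset": "nginx.access", "client.ip": "203.0.113.7", "user.name": "alice"},
    {"event.dataset": "winlog", "source.ip": "198.51.100.23", "source.user.name": "bob"},
    {"event.dataset": "zeek", "source.address": "10.0.0.5"},
    {"event.dataset": "broken", "client.ip": "not-an-ip"},
]

# Constructed indicator list (documentation ranges, not real threat intel).
INDICATORS = ["203.0.113.0/24", "198.51.100.23"]


if __name__ == "__main__":
    for event, indicator in match_intel(EVENTS, INDICATORS):
        print(event["event.dataset"], event["source.ip"], event.get("user.name"), "->", indicator)
```

Keeping the original alias fields in the copy, rather than deleting them, means the normalised document still answers queries written against either name; the canonical field is simply the one dashboards and indicator-match rules should key on.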
It's a good tool with a good interface for SIEM
What do you like best about the product?
EDR capability and K8s support along with SIEM
What do you dislike about the product?
Elastic Agent issues: sometimes it seems unhealthy or blocks business actions
What problems is the product solving and how is that benefiting you?
Mainly SIEM for SOC service
Flexible, Preconfigured Rules with Integrated Case Management
What do you like best about the product?
I like its flexibility, the preconfigured rules, and the integrated case management for sharing information.
What do you dislike about the product?
It feels a bit complex at first. It’s a large, heavy, and fairly complex infrastructure to maintain on-prem.
What problems is the product solving and how is that benefiting you?
I mainly use it as a SIEM for our SOC, as it gives us a complete overview of our environment.
Powerful, Customisable Security Platform for Complex Environments
What do you like best about the product?
What I like best about Elastic Security is the flexibility and depth it gives across SIEM, endpoint, and observability in a single platform. I can ingest almost any data source, normalize it to ECS, and build detections that actually reflect how our environment works—rather than forcing our workflows to fit a rigid tool. The visibility, correlation, and customisation make it especially powerful for real-world SOC operations and complex environments.
What do you dislike about the product?
What I dislike about Elastic Security is the learning curve and operational overhead, especially for teams new to the Elastic Stack. Getting the most value requires strong knowledge of ECS, ingest pipelines, and cluster tuning, and some advanced use cases still involve a fair amount of manual configuration. The flexibility is powerful, but it can be overwhelming without experienced resources or good upfront design.
What problems is the product solving and how is that benefiting you?
Elastic Security solves the problem of fragmented security visibility by bringing SIEM, endpoint, and log analytics into a single, searchable platform. Instead of juggling multiple tools and data silos, I can correlate endpoint, network, and cloud data in real time, build detections that match our actual risk scenarios, and investigate incidents much faster. This directly benefits me by reducing alert fatigue, improving investigation speed, and giving full control over how security data is collected, enriched, and acted upon.
Blazing-Fast KQL/ES|QL and Unified Telemetry with Elastic Defend
What do you like best about the product?
The standout feature of Elastic Security is the speed and flexibility of KQL and ES|QL. In high-stakes threat hunts, being able to pivot through massive datasets with near-instant results is critical. The native integration of Elastic Defend is a close second; having endpoint telemetry and SIEM logs in a single schema (ECS) eliminates the "translation tax" usually required when mapping disparate data sources. While the AI Assistant is a great efficiency booster for generating complex queries, the true value lies in the platform’s customizability.
What do you dislike about the product?
One of the primary challenges with Elastic Security is the heavy administrative overhead required to maintain a healthy environment. Unlike "set-and-forget" SaaS solutions, Elastic requires constant "care and feeding" of ingest pipelines, index lifecycle management (ILM), and shard mapping. If the mapping isn't perfect, you run into mapping explosions or unparsed fields that can render critical logs invisible during a hunt. This complexity often turns a Threat Analyst into a part-time Data Engineer just to ensure the data is searchable.
Another significant pain point is the steep learning curve of the newer query languages. While ES|QL is powerful, the transition from KQL or Lucene creates a temporary efficiency gap for the team. Additionally, the licensing and resource consumption can be unpredictable; since pricing is based on compute and storage (RAM/CPU) rather than just data volume or seats, a poorly written query by a junior analyst or a sudden spike in log volume can lead to performance degradation or unexpected scaling costs that are difficult to budget for in a large-scale SOC.
Finally, the native SOAR capabilities still feel somewhat immature compared to dedicated platforms. While basic automated actions exist, building complex, multi-step response playbooks—especially those involving third-party integrations outside the Elastic ecosystem—can be clunky and often requires external tools to achieve true automation. For a high-tier DFIR workflow, the built-in case management also lacks some of the deeper forensic documentation features needed for evidence chain-of-custody, forcing us to rely on external platforms for formal reporting.
What problems is the product solving and how is that benefiting you?
Elastic Security effectively solves the problem of data siloization and "the translation tax." In traditional environments, analysts often have to jump between EDR consoles for endpoint artifacts and a separate SIEM for network logs, manually correlating timestamps and hostnames. Elastic consolidates this via the Elastic Common Schema (ECS), providing a unified view of the entire attack surface. For me, this has been a game-changer during complex investigations—such as the recent UNC3886 threat hunt—because it allows me to pivot from a suspicious process tree directly to related network connections or cloud audit logs without losing context or wasting time normalizing data manually.
The platform also addresses the issue of investigative latency through its high-performance search capabilities and the introduction of ES|QL. By solving the bottleneck of slow query returns on massive historical datasets, Elastic allows me to perform iterative "what-if" hunting at scale. This benefits me by significantly reducing our Mean Time to Detect (MTTD); I can test a hypothesis against months of telemetry in seconds rather than hours. This speed, combined with Automated Response Actions like host isolation, empowers me to transition instantly from discovery to containment, which is critical when dealing with advanced persistent threats that move laterally with high velocity.
Finally, Elastic helps bridge the analytical resource gap with its AI-driven assistants and pre-built detection rules mapped to the MITRE ATT&CK framework. By automating the "low-level" detection of known TTPs, the platform solves the problem of alert fatigue, freeing up my time to focus on high-tier DFIR work and strategic threat modeling. This benefits my career and the organization by shifting our posture from basic log monitoring to a sophisticated, hunt-centric operation where we are looking for the "unknown unknowns" rather than just triaging endless commodity malware alerts.
Great Authentication Flexibility, but Anonymous Login Needs Manual Disabling
What do you like best about the product?
Elastic X-Pack security is great for connecting with multiple domain controllers or various authentication methods
What do you dislike about the product?
It still has some drawbacks, like anonymous login, which separately needs to be disabled, otherwise it will be vulnerable
What problems is the product solving and how is that benefiting you?
Access control: you can have role-based access, and you can even control field-level access using the Kibana role manager