From ELK stack to SIEM
The Elasticsearch + Logstash + Kibana (ELK) stack became, during the 2010s, the foundation of many home-grown SIEMs. Elastic N.V. (Amsterdam/Mountain View) formalised a dedicated security offering with the Elastic SIEM app, introduced in Elastic 7.2 (June 2019).
By Elastic 7.7 (released on 13 May 2020) the detection engine and a body of prebuilt detection rules maintained by Elastic were in place. From that point Elastic SIEM became a complete platform with rules, alerts, timeline and case management.
In parallel, Elastic acquired Endgame (announced June 2019, completed October 2019) and brought its endpoint agent into the same console. With Elastic 7.9 (August 2020) the SIEM and endpoint apps were merged into a single Elastic Security app: a unified SIEM + EDR product.
Architecture
- Elasticsearch — storage and search across distributed shards (indices and data streams)
- Kibana — hosts the Elastic Security app: timeline, alerts, cases, hosts, network, users
- Elastic Agent + Fleet — centralised deployment of integrations (logs, metrics, endpoint)
- Endpoint Security — prevention, detection and response on endpoints (formerly Endgame)
- Detection engine — runs inside Kibana; on a schedule it evaluates query (KQL/Lucene), EQL, threshold, indicator match, new terms and machine learning rules (plus ES|QL rules from 8.11) and writes the resulting alerts to the alerts index (`.alerts-security.alerts-<space>` in 8.x)
Rules and detection engineering
Rules support several paradigms, each answering a different detection question:
- Query rules — a KQL or Lucene query (or ES|QL from 8.11) over one or more index patterns; every matching document becomes an alert
- EQL (Event Query Language) — `sequence` rules with `by` joins and `maxspan` windows over correlated events, e.g. process creation followed by a network connection from the same process
- Threshold rules — alert when events matching a query, grouped by one or more fields, reach a count (or a field cardinality)
- Indicator match — join event fields against indicator documents loaded from threat intelligence feeds
- Machine learning rules — alert on anomaly scores produced by ML anomaly detection jobs (these jobs require a Platinum or higher subscription)
- New terms — detection of field values never seen during a configurable history window
Rules are mapped to MITRE ATT&CK tactics and techniques and maintained publicly in the elastic/detection-rules repository (Elastic License 2.0); the prebuilt rules shipped with Elastic Security are built from that repository.
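To make the difference between threshold, sequence and new terms rules concrete, the following is an added example (not code from Elastic or from the detection-rules repository) that re-implements the three paradigms in simplified form over a handful of constructed ECS-style authentication events. Assumptions: field names follow ECS (`event.category`, `event.outcome`, `user.name`, `source.ip`), a "query" is a dict of field/value pairs standing in for the KQL of a real rule, and the sequence matcher emits one alert per join key per completed sequence (real EQL semantics are richer).

```python
"""
Simplified re-implementation of three Elastic detection-rule paradigms
(threshold, EQL-style sequence, new terms) over constructed ECS-like events.
Added example for this page; it does not call the Elastic detection engine,
and every event below is constructed, not a captured log line.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def ts(minute, second=0):
    """Constructed timestamps on one fixed day (assumption: all events are UTC)."""
    return datetime(2024, 5, 13, 8, minute, second, tzinfo=timezone.utc)


def ev(minute, second, outcome, user, ip, host="srv1"):
    """Constructed ECS-style authentication event (field names assumed from ECS)."""
    return {"@timestamp": ts(minute, second), "event.category": "authentication",
            "event.outcome": outcome, "user.name": user, "source.ip": ip, "host.name": host}


# Constructed sample: alice brute-forced then logged in; bob one failure then success;
# dave two failures, success only 9 minutes later; carol from a never-seen source.
EVENTS = [
    ev(0, 0, "failure", "alice", "10.0.0.5"), ev(1, 0, "failure", "alice", "10.0.0.5"),
    ev(1, 30, "failure", "alice", "10.0.0.5"), ev(2, 0, "failure", "alice", "10.0.0.5"),
    ev(2, 30, "failure", "alice", "10.0.0.5"), ev(3, 0, "success", "alice", "10.0.0.5"),
    ev(5, 0, "failure", "bob", "10.0.0.6"), ev(6, 0, "success", "bob", "10.0.0.6"),
    ev(10, 0, "failure", "dave", "10.0.0.7"), ev(11, 0, "failure", "dave", "10.0.0.7"),
    ev(20, 0, "success", "dave", "10.0.0.7"),
    ev(30, 0, "success", "carol", "203.0.113.9"),
    ev(31, 0, "success", "alice", "10.0.0.5"),
]

# Stand-ins for KQL: event.category:authentication and event.outcome:failure / success
FAILED = {"event.category": "authentication", "event.outcome": "failure"}
SUCCESS = {"event.category": "authentication", "event.outcome": "success"}
MAXSPAN = timedelta(minutes=5)   # EQL: sequence by user.name with maxspan=5m
BASELINE_CUTOFF = ts(25)         # new terms: history window = events before 08:25


def matches(event, query):
    """All field/value pairs of the query must hold (the AND of a KQL query)."""
    return all(event.get(k) == v for k, v in query.items())


def threshold_rule(events, query, field, value):
    """Threshold rule: count matching events per value of `field`,
    alert once per group that reaches `value` hits."""
    counts = defaultdict(int)
    for e in events:
        if matches(e, query):
            counts[e.get(field)] += 1
    return [{"rule": "threshold", field: k, "count": n}
            for k, n in sorted(counts.items()) if n >= value]


def sequence_rule(events, steps, by, maxspan):
    """EQL-style `sequence by <by> with maxspan=<maxspan> [step] [step] ...`.
    Partial matches are kept per join key, dropped once older than maxspan,
    and cleared after a completed sequence (one alert per key per completion)."""
    alerts, partial = [], defaultdict(list)
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        key, kept, done = e.get(by), [], None
        for p in partial[key]:
            if e["@timestamp"] - p[0]["@timestamp"] > maxspan:
                continue                      # outside maxspan: drop this partial match
            if not matches(e, steps[len(p)]):
                kept.append(p)                # event does not advance this partial
                continue
            if len(p) + 1 == len(steps):
                done = p + [e]                # sequence completed
                break
            kept.append(p + [e])
        if done is not None:
            alerts.append({"rule": "sequence", by: key, "events": done})
            partial[key] = []
            continue
        if matches(e, steps[0]):
            kept.append([e])                  # every first-step hit opens a new partial
        partial[key] = kept
    return alerts


def new_terms_rule(events, query, field, baseline_before):
    """New terms rule: a value of `field` seen in matching events at or after
    `baseline_before` but never in matching events before that cutoff."""
    seen = {e.get(field) for e in events
            if matches(e, query) and e["@timestamp"] < baseline_before}
    new = {}
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if matches(e, query) and e["@timestamp"] >= baseline_before:
            v = e.get(field)
            if v not in seen and v not in new:
                new[v] = e
    return [{"rule": "new_terms", field: v, "first_seen": e["@timestamp"].isoformat()}
            for v, e in new.items()]


if __name__ == "__main__":
    print(threshold_rule(EVENTS, FAILED, "source.ip", 5))
    for a in sequence_rule(EVENTS, [FAILED, FAILED, SUCCESS], "user.name", MAXSPAN):
        print("sequence", a["user.name"], [x["@timestamp"].time() for x in a["events"]])
    print(new_terms_rule(EVENTS, SUCCESS, "source.ip", BASELINE_CUTOFF))
```

Run as a script it reports one threshold alert (five failures from 10.0.0.5), one sequence alert (alice: failure, failure, success inside the 5-minute maxspan; dave's success arrives 9 minutes after his first failure and is correctly ignored) and one new terms alert (203.0.113.9). The same questions map onto the real rule types as a threshold rule on `source.ip`, an EQL `sequence by user.name with maxspan=5m`, and a new terms rule on `source.ip`.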
Licensing — important point
Announced in January 2021 and effective from Elastic 7.11, Elastic changed the licence of Elasticsearch and Kibana from Apache 2.0 to a dual licence: Elastic License 2.0 or SSPL. Neither is OSI-approved.
- Free "Basic" usage covers Elastic Security (SIEM plus many features), but Elastic License 2.0 does not allow providing the software as a managed or hosted service to third parties
- Machine learning anomaly detection (and therefore ML detection rules), cross-cluster replication and vendor support require Gold/Platinum/Enterprise subscriptions; cross-cluster search itself is available in the free tier. The active tier of a cluster can be checked with `GET /_license`, and per-feature availability with `GET /_xpack`
- In August 2024 Elastic added AGPLv3 as a third option for Elasticsearch and Kibana; this makes those components available under an OSI-approved licence, but does not change the status of Elastic License 2.0 or SSPL, nor the licence of elements such as the detection-rules repository
In scenarios strictly requiring OSI-compliant software, alternatives such as OpenSearch (Apache 2.0; originally an AWS fork, now under the Linux Foundation) or Wazuh (GPLv2, built on OpenSearch) should be considered. Note that Graylog's open edition moved to SSPL in 2020, so it does not satisfy an OSI requirement either.
Fleet and Elastic Agent
Elastic Agent (GA in 7.14, August 2021) supersedes the Beats family as a single agent: it collects logs, metrics and endpoint events. Central management is done through Fleet, where versioned agent policies define which integrations (over 300 available) are deployed, and agents enrol with an enrollment token and pull policy updates from the Fleet Server.
In the Italian context
Elastic Security is adopted by banks, telcos and industrial groups as an integrated SIEM + EDR platform. In many deployments it coexists with Wazuh or Suricata on the detection side and with external SOCs that consume its alerts through the API. Careful evaluation of the licence is part of procurement for public administration and regulated sectors.
References: Elastic SIEM introduced in Elastic 7.2 (June 2019). Detection engine and prebuilt rules in Elastic 7.7 (13 May 2020). Endgame acquisition completed October 2019; unified Elastic Security app in 7.9 (August 2020). Licence: Elastic License 2.0 + SSPL (announced January 2021; not OSI-approved). AGPLv3 added in August 2024. Website: https://www.elastic.co/security