Elastic Security: SIEM and detection engine on the ELK stack

Elastic Security unifies SIEM and endpoint protection (Endgame, acquired October 2019) on the ELK stack. The SIEM app was introduced in Elastic 7.2 (June 2019); the detection engine and prebuilt rules followed in 7.7 (13 May 2020). Apache 2.0 licence (Elastic Basic).


From ELK stack to SIEM

During the 2010s the Elasticsearch + Logstash + Kibana stack became the foundation of many custom-built SIEMs. Elastic N.V. (Amsterdam/Mountain View) formalised a dedicated security offering with the Elastic SIEM app, introduced in Elastic 7.2 (June 2019).

Elastic 7.7, released on 13 May 2020, brought the detection engine and a set of prebuilt detection rules maintained by Elastic. From that point Elastic SIEM became a complete platform with rules, alerts, timeline and case management.

In parallel, in October 2019 Elastic acquired Endgame and integrated its endpoint agent into the same console: Elastic Security was born as a unified SIEM + EDR product.

Architecture

  • Elasticsearch — storage and search on distributed shards
  • Kibana — Elastic Security console with timeline, alerts, cases, hosts, network, users
  • Elastic Agent + Fleet — centralised deployment of integrations (logs, metrics, endpoint)
  • Endpoint Security — prevention, detection and response on endpoints (formerly Endgame)
  • Detection engine — evaluation of Elastic-DSL, EQL, threshold, ML, indicator match rules

Rules and detection engineering

Rules support multiple paradigms:

  • Query rules — KQL/Lucene/Elastic-DSL over indices
  • EQL (Event Query Language) — sequence and join over correlated events
  • Threshold rules — numeric thresholds on aggregations
  • Indicator match — correlation with threat intelligence
  • Machine learning rules — ML anomaly detection jobs
  • New terms — detection of never-before-seen values

Rules are mapped to MITRE ATT&CK and maintained publicly in the elastic/detection-rules repository (Elastic License 2.0).
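To make the semantics of two of the paradigms above concrete, here is an added, simplified Python re-implementation (not code from Elastic or from the detection-rules repository) of an EQL `sequence by ... with maxspan` rule and a threshold rule, run over constructed ECS-style sample events; the hosts, users and timestamps are invented for the example.

```python
from collections import Counter, defaultdict
# Constructed ECS-style sample events; "@timestamp" is in seconds for readability.
EVENTS = [
    {"@timestamp": 100, "host.id": "h1", "event.category": "process", "event.type": "start"},
    {"@timestamp": 130, "host.id": "h1", "event.category": "network", "event.type": "connection"},
    {"@timestamp": 100, "host.id": "h2", "event.category": "process", "event.type": "start"},
    {"@timestamp": 400, "host.id": "h2", "event.category": "network", "event.type": "connection"},
    {"@timestamp": 200, "event.category": "authentication", "event.outcome": "failure", "user.name": "alice"},
    {"@timestamp": 210, "event.category": "authentication", "event.outcome": "failure", "user.name": "alice"},
    {"@timestamp": 220, "event.category": "authentication", "event.outcome": "failure", "user.name": "alice"},
    {"@timestamp": 230, "event.category": "authentication", "event.outcome": "failure", "user.name": "bob"},
]

def eql_sequence(events, by, stages, maxspan):
    """Simplified `sequence by <by> with maxspan=<maxspan> [stage1] [stage2] ...`: stage
    predicates must match in order on one <by> value, all within maxspan of the first event."""
    groups = defaultdict(list)
    for ev in sorted((e for e in events if by in e), key=lambda e: e["@timestamp"]):
        groups[ev[by]].append(ev)
    matches = []
    for evs in groups.values():
        for i, first in ((i, e) for i, e in enumerate(evs) if stages[0](e)):
            chain, pos = [first], i + 1
            for stage in stages[1:]:
                hit = next((j for j in range(pos, len(evs)) if stage(evs[j])
                            and evs[j]["@timestamp"] - first["@timestamp"] <= maxspan), None)
                if hit is None:
                    break  # stage never matched inside the window: drop this candidate
                chain.append(evs[hit])
                pos = hit + 1
            if len(chain) == len(stages):
                matches.append(chain)
    return matches

def threshold_rule(events, query, field, value):
    """Simplified threshold rule: count query hits per <field>, alert where count >= value."""
    counts = Counter(ev.get(field) for ev in events if query(ev))
    return {k: n for k, n in counts.items() if n >= value}

def run_rules(events=EVENTS):
    # EQL: sequence by host.id with maxspan=60s [process where event.type == "start"] [network where event.type == "connection"]
    seq = eql_sequence(events, "host.id", [
        lambda e: e.get("event.category") == "process" and e.get("event.type") == "start",
        lambda e: e.get("event.category") == "network" and e.get("event.type") == "connection",
    ], maxspan=60)
    # Threshold rule: authentication failures grouped by user.name, threshold value 3
    thr = threshold_rule(events, lambda e: e.get("event.category") == "authentication"
                         and e.get("event.outcome") == "failure", "user.name", 3)
    return [c[0]["host.id"] for c in seq], thr  # (["h1"], {"alice": 3})
```

Host h2 is dropped because its network event falls outside the 60-second maxspan, and bob stays below the threshold; Elastic's real engine adds run-time windows, look-back and per-rule suppression that this toy omits.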

Licence

As of 2020 Elastic Security is distributed under Apache 2.0 for the core and Elastic License (proprietary, source-available) for “gold” features (advanced ML, cross-cluster search, support). The free “Basic” tier covers SIEM and most detection features. Advanced features require Gold/Platinum/Enterprise subscriptions.

Agents and data collection

Data is collected through the Beats family (Filebeat, Metricbeat, Auditbeat, Winlogbeat, Packetbeat) and through dedicated integrations covering over 100 sources; correlation then unifies log data with endpoint telemetry.

In the Italian context

Elastic Security is adopted by banks, telcos and industrial groups as an integrated SIEM+EDR platform. In many deployments it coexists with Wazuh or Suricata on the detection side, and with external SOCs consuming its APIs and alerts. Careful evaluation of the licence is part of the procurement process for public administration and regulated sectors.


References: Elastic SIEM introduced in Elastic 7.2 (June 2019). Detection engine and prebuilt rules in Elastic 7.7 (13 May 2020). Endgame acquisition: October 2019. Apache 2.0 + Elastic License (source-available). Website: https://www.elastic.co/security
