Elastic Security

By Elastic

4.4 out of 5 stars
3 star: 0%
2 star: 0%
1 star: 0%


Elastic Security Reviews & Product Details


Elastic Security Reviews (21)


Review Summary

Generated using AI from real user reviews
Users consistently praise the software for its reliable performance and ease of setup, making it effective for protecting sensitive data and aggregating logs. The extensive community support and numerous plugins enhance its versatility, although some users note a steep learning curve for initial setup.
G2 reviews are authentic and verified.
JS
Senior Cybersecurity Engineer
Small-Business (50 or fewer emp.)
"Powerful, Customisable Security Platform for Complex Environments"
What do you like best about Elastic Security?

What I like best about Elastic Security is the flexibility and depth it gives across SIEM, endpoint, and observability in a single platform. I can ingest almost any data source, normalize it to ECS, and build detections that actually reflect how our environment works—rather than forcing our workflows to fit a rigid tool. The visibility, correlation, and customisation make it especially powerful for real-world SOC operations and complex environments. Review collected by and hosted on G2.com.

What do you dislike about Elastic Security?

What I dislike about Elastic Security is the learning curve and operational overhead, especially for teams new to the Elastic Stack. Getting the most value requires strong knowledge of ECS, ingest pipelines, and cluster tuning, and some advanced use cases still involve a fair amount of manual configuration. The flexibility is powerful, but it can be overwhelming without experienced resources or good upfront design.

Verified User in Information Technology and Services
Small-Business (50 or fewer emp.)
"Powerful Detection and Deep Visibility with Practical Usability in Elastic Security"
What do you like best about Elastic Security?

Elastic Security stands out for its powerful detection capabilities and deep visibility across endpoints and logs, while still being relatively easy to use once the workflows are understood. Implementation is smooth in environments already using the Elastic stack, and integrations with existing tools are flexible and well-documented. The platform offers a rich set of features for threat detection, hunting, and response that scales well for SOC operations. Customer support and community resources are strong, making troubleshooting manageable. Overall, it’s a feature-dense, frequently used platform that balances advanced capability with practical usability.

What do you dislike about Elastic Security?

The learning curve can be steep at the beginning, especially when tuning detections and managing advanced features without prior Elastic experience.

hector g.
Security Consultant
Mid-Market (51-1000 emp.)
"Prebuilt Rules and Easy Integrations Make Elastic a Strong Choice"
What do you like best about Elastic Security?

I think one of the best things about Elastic is the large set of prebuilt rules created by Elastic themselves.

I also like how the parsing and mapping are really easy to follow and implement, especially when you can find an integration that’s already created for the technology you need to monitor.

What do you dislike about Elastic Security?

What I was missing most was a proper SOAR. I haven’t tried the workflows yet, but I have high expectations for them.

In the past, we tested the AI assistant in the first version and were a bit disappointed. Nowadays, I think it has improved quite a lot.

Another thing I’ve noticed lately is that when using and correlating different log sources, especially through the integrations by Elastic, I sometimes find fields that should match but don’t. For example, Source.ip vs client.ip, or user.name vs source.user.name. This inconsistency has made it quite difficult to correlate threat intelligence with the dashboards.

Verified User in Information Technology and Services
Small-Business (50 or fewer emp.)
"Blazing-Fast KQL/ES|QL and Unified Telemetry with Elastic Defend"
What do you like best about Elastic Security?

The standout feature of Elastic Security is the speed and flexibility of KQL and ES|QL. In high-stakes threat hunts, being able to pivot through massive datasets with near-instant results is critical. The native integration of Elastic Defend is a close second; having endpoint telemetry and SIEM logs in a single schema (ECS) eliminates the "translation tax" usually required when mapping disparate data sources. While the AI Assistant is a great efficiency booster for generating complex queries, the true value lies in the platform’s customizability.

What do you dislike about Elastic Security?

One of the primary challenges with Elastic Security is the heavy administrative overhead required to maintain a healthy environment. Unlike "set-and-forget" SaaS solutions, Elastic requires constant "care and feeding" of ingest pipelines, index lifecycle management (ILM), and shard mapping. If the mapping isn't perfect, you run into mapping explosions or unparsed fields that can render critical logs invisible during a hunt. This complexity often turns a Threat Analyst into a part-time Data Engineer just to ensure the data is searchable.

Another significant pain point is the steep learning curve of the newer query languages. While ES|QL is powerful, the transition from KQL or Lucene creates a temporary efficiency gap for the team. Additionally, the licensing and resource consumption can be unpredictable; since pricing is based on compute and storage (RAM/CPU) rather than just data volume or seats, a poorly written query by a junior analyst or a sudden spike in log volume can lead to performance degradation or unexpected scaling costs that are difficult to budget for in a large-scale SOC.

Finally, the native SOAR capabilities still feel somewhat immature compared to dedicated platforms. While basic automated actions exist, building complex, multi-step response playbooks—especially those involving third-party integrations outside the Elastic ecosystem—can be clunky and often requires external tools to achieve true automation. For a high-tier DFIR workflow, the built-in case management also lacks some of the deeper forensic documentation features needed for evidence chain-of-custody, forcing us to rely on external platforms for formal reporting.

"Essential for Our Linux Security"
What do you like best about Elastic Security?

I really appreciate that Elastic Security provides great insight into our system. We can perform good analyses because we run a SOC without direct access to the machines, and for that, the defend function is very useful. Also, the initial installation of Elastic Security was very simple and straightforward. All in all, I am very satisfied and would definitely give Elastic Security a score of 10 as a recommendation to a friend or colleague.

What do you dislike about Elastic Security?

Inventory of the machine: which patches are installed.

Delonte J.
Director of Security Engineering and Operations
"Streamlined Security Investigations with Elastic"
What do you like best about Elastic Security?

I appreciate the ability to visualize data and turn it into actionable intelligence with Elastic Security. We use it to create dashboards that monitor our security posture, attack surface, and threat landscape. The integration with our incident management system is seamless, and the setup was simple and straightforward. Elastic Security has allowed our team to conduct investigations more efficiently.

What do you dislike about Elastic Security?

I find building sequencing rules where multiple events must occur in order over a given time challenging.

Verified User in Information Technology and Services
Mid-Market (51-1000 emp.)
"Easy Alert Management and Powerful Cases for Security Investigations"
What do you like best about Elastic Security?

You can manage the alerts in an easy way. From the alerts panel, you can have all the information needed for a security investigation. Also, with the cases feature, you can create your own database of alerts.

What do you dislike about Elastic Security?

Sometimes, charging is slow, and it's difficult to copy fields and values from timelines.

Verified User in Government Administration
Mid-Market (51-1000 emp.)
"Flexible, Preconfigured Rules with Integrated Case Management"
What do you like best about Elastic Security?

I like its flexibility, the preconfigured rules, and the integrated case management for sharing information.

What do you dislike about Elastic Security?

It feels a bit complex at first. It’s a large, heavy, and fairly complex infrastructure to maintain on-prem.

AG
Devops engineer
Mid-Market (51-1000 emp.)
"Great Authentication Flexibility, but Anonymous Login Needs Manual Disabling"
What do you like best about Elastic Security?

Elastic X-Pack security is great for connecting with multiple domain controllers or various authentication methods.

What do you dislike about Elastic Security?

It still has some drawbacks, like anonymous login, which needs to be disabled separately; otherwise it will be vulnerable.

Verified User in Information Technology and Services
Mid-Market (51-1000 emp.)
"It's a good tool with a good interface for SIEM"
What do you like best about Elastic Security?

EDR Capability and K8 support along with SIEM

What do you dislike about Elastic Security?

Elastic Agent issues; sometimes it seems unhealthy or blocks business actions.


Pricing Options

Pricing provided by Elastic Security.

Elastic Cloud Serverless: Pay As You Go, per month
Elastic Self-managed: Contact Us
Elastic Cloud Hosted: Starting at $99.00 per month