Please share with the community what you think needs improvement with Elastic SIEM.
What are its weaknesses? What would you like to see changed in a future version?
There should be a simulation environment to check whether my Elastic implementation is functioning perfectly fine. Other competitors provide a simulation environment so that I can simulate an IT attack and see how my solution is reacting or giving me alerts. I have not found any such feature in Elastic. Other solutions have their own Android and iOS applications that I can install on my mobile so that I am continuously connected to the SIEM. This is something missing in Elastic. There is no mobile app. Its documentation should be a bit better. I have to spend at least a couple of hours to find the solution for a simple thing. The documentation should be more precise and much better than what their counterparts are offering. When we buy Elastic, training is not included for free with Elastic. We have to pay extra for the training. They should include training in the price.
The biggest challenge has been related to the implementation. It's a very complex product which, without a lot of knowledge or a lot of training, is very difficult to get into and make use of. They try and make a lot of the general features very simple to access; a lot of the dashboards are very simple to use and so forth, but a lot of the refined capabilities take serious skills. They're not necessarily the easiest to implement.
There are sensors called beats that have to be installed on all of the client machines, and there are seven or eight of them. As it is now, each beat needs to be configured separately, which can be quite hectic if my client has 1000+ machines. It would take a considerable period of time for us to complete the installation. They have begun working on this in the form of agents, which is a centralized management tool wherein all beats will be installed in a single stroke. The training that is offered for Elastic is in need of improvement because there is no depth to it. It hardly takes 15 or 20 minutes to complete a training session that they say will take two hours to finish. Clearly, something is missing. If a new engineer wants to work with Elastic, then it is really very hard for them to understand the technology.
The signature security needs improvement. If you compare this with CrowdStrike or Carbon Black, they can improve.
The interface could be more user-friendly because it is sometimes hard to deal with. The initial setup could be made easier.
This solution is very hard to implement. It is not a simple product; rather, it has many features and we need to understand all of them. For example, there are the analytics, the parser, and the visualizer, and setting them all up is a little bit complex. In the next release of this product, I would like to see SOAR automation features, similar to what Splunk Phantom has.
I am the technical director of a science and technology division for the government.
Which SIEM solution would deliver the best ability to identify, protect, detect, respond and recover from a cyber attack?
Thanks! I appreciate your help.