Loading

Elastic Security overview

Serverless Security Stack

Elastic Security is a unified security solution that unifies SIEM (Security Information and Event Management), XDR, (Extended Detection and Response), endpoint security, and cloud security into a single platform so you can detect, prevent, and respond to cyber threats across your entire environment in near real time. Elastic Security leverages Elasticsearch's powerful search and analytics capabilities, and Kibana's visualization and collaboration features. By combining prevention, detection, and response capabilities, Elastic Security helps your organization reduce its security risk.

Install Elastic Security on one of our Elastic Cloud deployments or your own self-managed infrastructure.

Use Elastic Security to protect your systems from security threats.

Use cases
  • SIEM: Elastic Security's modern SIEM provides a centralized platform for ingesting, analyzing, and managing security data from various sources.
  • Third-party integration support: Ingest data from a various tools and data sources so you can centralize your security data.
  • Threat detection and analytics: Identify threats by using prebuilt rules with the ability to customize or create custom detection rules, automatically detect anomalous activity with built-in machine learning jobs, or proactively search for threats using our powerful threat hunting and interactive visualization tools.
  • Automatic migration: Migrate SIEM rules from other platforms to Elastic Security.
  • Endpoint protection and threat prevention: Automatically stop cybersecurity attacks—such as malware and ransomware—before damage and loss can occur.
  • AI-powered features: Leverage generative AI to help enhance threat detection, assist with incident response, and improve day-to-day security operations.
  • Custom dashboards and visualizations: Create custom dashboards and visualizations to gain insights into security events.
  • Cloud Security: Elastic Security provides the following cloud features:
    • Cloud Security Posture Management (CSPM) and Kubernetes Security Posture Management (KSPM): Check cloud service configurations against security benchmarks to identify and resolve misconfigurations that can be exploited.
    • Cloud Workload Protection: Get visibility and runtime protection for cloud workloads.
    • Vulnerability Management: Uncover vulnerabilities within your cloud infrastructure.

If you're new to Elastic Security and want to try it out, go to Get started with Elastic Security and Elastic Security quickstarts.

Before diving into setup and configuration, familiarize yourself with the foundational terms and core concepts that power Elastic Security.

Concepts
  • Elastic Agent: A single, unified way to collect logs, metrics, and other types of data from a host. Elastic Agent can also protect hosts from security threats, query data from operating systems, and forward data from remote services or hardware.
  • Elastic Defend: Elastic Security's Endpoint Detection and Response (EDR) tool that protects endpoints from malicious activity. Elastic Defend uses a combination of techniques like machine learning, behavioral analysis, and prebuilt rules to detect, prevent, and respond to threats in real-time.
  • Elastic Endpoint: The security component, enabled by Elastic Agent, that performs Elastic Defend's threat monitoring and prevention capabilities.
  • Detection engine: The framework that detects threats by using rules to search for suspicious events in your data, and generates alerts when events meet a rule's criteria.
  • Detection rules: Sets of conditions that identify potential threats and malicious activities. Rules analyze various data sources, including logs and network traffic, to detect anomalies, suspicious behaviors, or known attack patterns. Elastic Security ships out-of-the-box prebuilt rules, and you can create your own custom rules.
  • Alerts: Notifications that are generated when rule conditions are met. Alerts include a wide range of information about potential threats, including host, user, network, and other contextual data to assist your investigation.
  • Machine learning and anomaly detection: Anomaly detection jobs identify anomalous events or patterns in your data. Use these with machine learning detection rules to generate alerts when behavior deviates from normal activity.
  • Entity analytics: A threat detection feature that combines the power of Elastic’s detection engine and machine learning capabilities to identify unusual behavior for hosts, users, and services.
  • Cases: Allows you to collect and share information about security issues. Opening a case lets you track key investigation details and collect alerts in a central location. You can also send cases to external systems.
  • Timeline: Investigate security events so you can gather and analyze data related to alerts or suspicious activity. You can add events to Timeline from various sources, build custom queries, and import/export a Timeline to collaborate and share.
  • Security posture management: Includes native cloud security features, such as Cloud Security Posture Management (CSPM) and Cloud Native Vulnerability Management (CNVM), that help you evaluate your cloud infrastructure's configuration against security best practices and identify vulnerabilities. You can use Elastic's native tools or ingest third-party cloud security data and incorporate it into Elastic Security's workflows.
  • AI Assistant: Helps with tasks like alert investigation, incident response, and query generation. It utilizes natural language processing and knowledge retrieval to provide context-aware assistance, summarize threats, suggest next steps, and automate workflows. Use AI Assistant to better understand and respond to security incidents.
  • Attack Discovery: Uses large language models (LLMs) to analyze security alerts, identify coordinated attack patterns, and provide actionable intelligence to security operations teams. It improves alert triage efficiency by automatically correlating related alerts into comprehensive, simplified threat summaries, allowing you to quickly understand and respond to the most impactful attacks.
  • Elastic AI SOC Engine (EASE): Integrates Elastic's AI-powered security tools into existing SIEM and EDR/XDR platforms to help mitigate alert fatigue, accelerate threat investigations, and improve response efficiency (Serverless only).
  • Get started: Learn about system requirements, workspaces, configuration, and data ingestion.
  • Elastic Security UI overview: Navigate Elastic Security's various tools and interfaces.
  • Detection rules: Use Elastic Security's detection engine with custom and prebuilt rules.
  • Cloud security: Enable cloud native security capabilities such as Cloud and Kubernetes security posture management, cloud native vulnerability management, and cloud workload protection for Kubernetes and VMs.
  • Install Elastic Defend: Enable key endpoint protection capabilities like event collection and malicious activity prevention.
  • Machine learning: Enable built-in machine learning tools to help you identify malicious behavior.
  • Advanced entity analytics: Leverage Elastic Security's detection engine and machine learning capabilities to generate comprehensive risk analytics for hosts and users.
  • Elastic AI assistant: Ask AI Assistant questions about how to use Elastic Security, how to understand particular alerts and other documents, and how to write ES|QL queries.
  • Elastic Security fields and object schemas: Learn how to structure data for use with Elastic Security.

Elastic Security uses Elasticsearch for data storage, management, and search, and Kibana is its main user interface. Learn more:

  • Elasticsearch: A real-time, distributed storage, search, and analytics engine. Elastic Security stores your data using Elasticsearch.
  • Kibana: An open-source analytics and visualization platform designed to work with Elasticsearch and Elastic Security. Kibana allows you to search, view, analyze and visualize data stored in Elasticsearch indices.

For information about Elastic Endpoint's tamper-protection features, refer to Elastic Endpoint self-protection.