📊 SIEM & log management
Elastic Security
SIEM and EDR built on the Elastic Stack with strong free-tier rules.
Why use it
The free Basic tier of Elastic Security gives you a polished SIEM with hundreds of pre-built detection rules, an EDR via the Elastic Agent, and the same search experience as paid commercial SIEMs.
What you get
- Pre-built detection rules mapped to MITRE ATT&CK
- Elastic Agent for endpoint logs and EDR features
- Timelines for analyst investigation
- Cases and notes per investigation
- Anomaly detection (machine-learning jobs; available only on paid tiers)
System requirements
| Requirement | Value |
|---|---|
| CPU | 4 cores |
| RAM | 8 GB minimum, 16 GB recommended |
| Disk | 50 GB+ |
| OS | Linux (Ubuntu, RHEL, Debian) |
| Docker | Yes |
Installation
Use the official Docker Compose example or the package manager: add the Elastic APT/YUM repository, then install elasticsearch, kibana, and fleet-server. Enrol Elastic Agents through Fleet for endpoint visibility; the policy templates ("Security default") configure host data collection, file integrity monitoring, and EDR features automatically.
Suggested configuration
Enable the prebuilt rules in batches by tactic: Initial Access first, then Persistence, then Defence Evasion. Tune false positives with exception lists rather than by disabling rules. Restrict the Kibana admin interface to a non-internet-routable VLAN; the default configuration is too permissive for an internet-exposed host.
Integration ideas
- Ingest Suricata EVE JSON via Filebeat
- Forward alerts to TheHive via the webhook connector
- Pull threat intel from MISP via the Elastic threat-intel filebeat module
Alternatives
- Wazuh — Better agent ecosystem; rougher search UX.
- Graylog — Simpler, less detection content out of the box.
Cyentrix verdict
If you want to learn what an enterprise SIEM looks and feels like, this is the closest free analogue. ML/anomaly detection sit behind a paywall, but the free detection ruleset is excellent.