Feedback on the Security Solution Dashboard Experience

Hello,

I would like to share some feedback regarding the Security Solution dashboard experience in Kibana. While I appreciate the effort to provide a dedicated Security-focused dashboard experience, many users in our environment find the current implementation less efficient than the classic Dashboard interface.

A few examples:

  1. Forced "Security Solution" filtering

Every time we access the dashboard overview, we need to remove the "Security Solution" filter before we can find our own dashboards. This happens dozens of times per day and creates unnecessary friction.

Many organizations primarily use custom dashboards tailored to their own SOC workflows and have little or no need for the built-in Security dashboards. It would be helpful if users could configure their own default tag or disable the automatic filtering entirely.

  2. Dashboard management inconsistencies

We have encountered several issues when working with dashboards from the Security Solution interface compared to the classic Dashboard application.

For example, we have observed situations where editing a visualization and selecting "Save as" unexpectedly modified the original visualization instead of creating a new one. Whether this is a bug or unintended behavior, it creates uncertainty and discourages users from managing dashboards through the Security interface.

  3. Inefficient use of screen space

The dashboard title is displayed prominently within the page, despite already being visible in the standard page header. The result is a significant amount of vertical space being consumed by duplicate information.

For analysts working on laptops or smaller displays, every line of available dashboard space matters. The current layout feels unnecessarily large and reduces the amount of information visible without scrolling.

  4. Limited customization of the Security landing page

The Security dashboard landing page prominently promotes Elastic-provided Security views. In practice, most SOC teams I interact with rarely use these dashboards and instead rely on their own custom-built content.

It would be much more valuable if users could choose which dashboards appear on the landing page, pin their favorites, or define a custom default dashboard experience.

  5. Navigation challenges

Many of our users end up searching for the classic Dashboard application and working from there instead. However, navigating back and forth between the Security dashboard experience and the classic Dashboard experience feels disconnected and unintuitive.

Overall, the current Security dashboard workflow feels more restrictive and less efficient than the classic Dashboard application.

I have raised these concerns through various channels over the past year, but so far I have not seen significant improvements. After discussing this with multiple Elastic Security users from different organizations, I have heard similar feedback.

Is there any roadmap to improve the dashboard experience within Security, provide more customization options, or bring it closer to the flexibility of the classic Dashboard application?

I would be interested to hear whether other users have experienced the same challenges.

Kind regards,

Willem D'Haese

Hi @willemdh,

Thank you so much for taking the time to give feedback on the solution. We really appreciate you taking the time to write such a detailed response. Can you confirm which version of Elastic Security you're using?

In the meantime I've passed the feedback and forum link onto the team.

Hope that helps!

Carly

@willemdh, thank you as always for the detailed feedback.

Your concerns are well heard and are top of mind for us. It's taken us longer than we hoped to revisit these experiences, but they are well overdue.

I do have a question though. Do you see yourself gravitating to these views more and more still, or have you started to perhaps supplement with things like Agent Builder and the views that can be built there?

Thanks again,

James

Atm different self-managed clusters, ECE deployments and Elastic Security Serverless between 9.3.1 and 9.4.2.

Well, it depends... :wink:

It's kind of difficult to generalize, as it depends on what Elastic environment I work in. Most of them have no LLM integrations due to compliance regulations.

Unfortunately I have not yet found the time to work with Agent Builder.

Personally I mostly start analysis from Classic dashboards tbh. A few times a week I try the Security dashboards, get annoyed and go back to Classic dashboards. :sweat_smile:

I can understand it's kind of impossible for Elastic to make dashboards and views which work for every customer. How a dashboard looks often also depends on the screen resolution.

Imho, every customer has a different focus and different needs, uses different products, and may or may not have access to the data sources you'd expect. Lots use data sources for which there is no integration at all, so we create dashboards for them.

Building custom dashboards is the cherry on the cake for me personally and I've built a lot of them, which integrate nicely mostly thanks to the Links panel.

I try to redirect analysts to a custom-made global dashboard and explain to them how to drill down from there.

Thanks for those details. It is indeed a delicate balance for us between what will work well for users out of the box, whilst always providing you the ability to create whatever you want/need.

I'll make sure the right teams see this feedback.

Thanks again.