I’ve successfully installed on premises Elasticsearch, Logstash, Kibana, and Elastic Agent/Fleet Server on my Ubuntu server. I’m now exploring the SIEM features in the Elastic Stack free tier, but I’m a bit unclear about what capabilities are available and what’s limited compared to the paid (Standard/Enterprise) licenses.
Specifically, I’d like to know:
What core SIEM functionalities are included in the free tier?
Which features (like detections, cases, threat intelligence, or rule automation) are restricted?
Are there any practical use cases I can still implement using the free tier for learning or small-scale monitoring?
Any insights or official documentation links would be really helpful. Thanks in advance!
It is better to start with the subscription page where you have a list of features that are available with the free license and the ones that require a paid license.
You can do a lot with the free license, but one of the main limitations is that you cannot send your alerts elsewhere: all Kibana Connectors that send alerts to email, webhook or other external destinations require a paid license.
But there are workarounds; for example, you can use Logstash to read your alerts index and send it to any place you want.
Also, AI and machine learning tools require a Platinum and in some cases an Enterprise license.
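To make the Logstash workaround above concrete, here is an added example pipeline (not from the post or from Elastic's documentation) that polls the security alerts index and forwards new open alerts to a webhook, bypassing the licensed Kibana Connectors entirely. Everything in it is an assumption: Elasticsearch 8.x on the same host with its self-signed CA at `/etc/logstash/certs/http_ca.crt`, alerts in the default Elastic Security index `.alerts-security.alerts-default`, a hypothetical read-only user `alert_reader` whose password comes from the Logstash keystore, and a placeholder webhook URL.

```logstash
# Added example (assumptions, not the original poster's setup):
#   - Elasticsearch 8.x at https://localhost:9200, CA at /etc/logstash/certs/http_ca.crt
#   - Elastic Security alerts in .alerts-security.alerts-default (the default alerts index)
#   - "alert_reader": a hypothetical user with read access to that index only
#   - ALERT_READER_PW: stored in the Logstash keystore, never written into this file
#   - https://example.invalid/webhook: placeholder destination
input {
  elasticsearch {
    hosts    => ["https://localhost:9200"]
    user     => "alert_reader"
    password => "${ALERT_READER_PW}"
    # 8.x option names; older plugin releases used ssl => true and ca_file => "..."
    ssl_enabled => true
    ssl_certificate_authorities => ["/etc/logstash/certs/http_ca.crt"]
    index    => ".alerts-security.alerts-default"
    # Only open alerts from the last 5 minutes, so each poll picks up new signals only.
    # kibana.alert.workflow_status is the alert's triage state (open / acknowledged / closed).
    query    => '{
      "query": {
        "bool": {
          "filter": [
            { "term":  { "kibana.alert.workflow_status": "open" } },
            { "range": { "@timestamp": { "gte": "now-5m" } } }
          ]
        }
      },
      "sort": [ { "@timestamp": "asc" } ]
    }'
    schedule => "*/5 * * * *"          # cron syntax: run the query every 5 minutes
    docinfo  => true                   # expose _index and _id of each hit
    docinfo_target => "[@metadata][doc]"
  }
}

filter {
  # Carry the alert's document _id along so the receiving side can dedupe
  # if a poll window overlaps with the previous one.
  mutate {
    add_field => { "alert_id" => "%{[@metadata][doc][_id]}" }
  }
}

output {
  http {
    url         => "https://example.invalid/webhook"   # placeholder
    http_method => "post"
    format      => "json"
  }
}
```

Two points worth noting for anyone copying this approach: give the polling user only read privileges on the alerts index (the pipeline never needs to write to Elasticsearch), and keep the `alert_id` field, because the five-minute window and five-minute schedule can overlap slightly at boundaries and the destination should treat repeats of the same `_id` as one alert.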