Share your experience using IBM StoredIQ InstaScan [EOL]

I have implemented Elastic Search in my organization. My experience has been really good with Elastic Search regarding the dashboards and alerts. They have integrated AI/ML capabilities in it. The Attack Discovery feature helps to dig into incidents from where they occurred to determine how the incident originated and its source. It gives an entire path of attack propagation, showing when it started, what happened, and all events that took place to connect the entire cyber incident.

Another feature is image vector analysis, which can authenticate images to prevent impersonation frauds in the ecosystem. This is a major use case in personal information and identifiable information portfolio.

I'm using Elastic Search as an observability tool and a SIEM tool. The indexing, searching, fast indexing, alert mechanisms, and BCDR compatibility are pretty smooth with Elastic Search.

On the resourcing part, I have cut off a good amount. While I don't have a concrete percentage to mention precisely, it has reduced resources to some extent.

Attack Discovery is the first feature that I appreciate. It is truly an amazing feature for any SIEM to have inbuilt. The image vector analysis is another feature that identifies any manipulation done to images. It can authenticate and identify authenticated images. If there are 10 duplicate and forged images, it can identify them through vector-based searching capabilities. These two features are prominent in terms of SIEM capabilities that Elastic Search has.

I can share feedback from the SIEM perspective about Elastic Search, as I had evaluated Elastic Search, LogRhythm, QRadar, and Microsoft.

More AI would be beneficial. I would also appreciate more simplicity in dashboards. A comprehensive dashboard is something I could expect.

I have been using Elastic Search for a year now.

There are no limited parameters to search from the events perspective. When you put one keyword, everything related to that keyword in your ecosystem will showcase all the results. This helps to get into the granularity of any events happening across the system.

It has gained significant visibility. Comparing alert statistics from other SIEMs where they could trigger 50 alerts on average weekly, Elastic Search has given me alerting statistics of roughly 90 plus for a week's time. All those alerts are mapped to MITRE ATT&CK framework. Though it could result in false positives in the earlier stage until you fine-tune and streamline the use cases in your SIEM, which is common with all SIEM tools, the visibility that Elastic Search has given us is amazing.

It was a direct purchase.

Positive

We previously used an on-premises solution.

The setup complexity depends upon the engineering team doing the implementation and the kind of infrastructure you have where logs will be ingested into the solution. For us, it was time-consuming in the earlier stages, but it was manageable and not overly complex.

We have seen moderate returns on investment.

As a CISO, I review and do the governance part. I receive alert notifications, but I don't work directly with the tool. None of my team members have complained or proposed any feature changes or modifications to the existing solution.

It totally depends upon the nature of business you are in. For my organization, it was imperative to have image scanning in place and identifying frauds happening with PII. From that perspective, Elastic Search has played a vital role. It has good inbuilt EDR capabilities as well, making it a good-to-go tool.

I rate Elastic Search eight out of ten.

On-premises

Other

My usual use cases for Elastic Search are that we are using APM, Application Performance Monitoring. We are using Real User Monitoring, as a RUM. We mostly are using it for application performance monitoring and troubleshooting in that regard. I think that's the main thing we're using Elastic Search observability for right now. We are considering expanding it also to have some Metric Beats and some other features. When we have more data, we will probably start to try to activate AI within Elastic Search. That's a possibility. The Elastic Search platform that we are using is an on-prem installation. It's not a cloud solution we have. This is because of the criticality and confidentiality of the data we have in Elastic Search.

I don't think there's a specific feature within Elastic Search that I have found the most valuable so far. We are more or less using all the features in one way or the other. Elastic Search has impacted my organization positively as we use it for logging and APM. It's not all systems which are using it yet, but it's gathering momentum because they have more use cases to present to other parts of the organization. They explain how different departments are using it, and then people see that they could also benefit from using it. More departments and their systems start to use Elastic Search as a result.

The documentation for Elastic Search can be challenging if you're not already familiar with the platform. The approach to Elastic Search can be difficult if you haven't been working with it previously. Within the product itself, some features could be more intuitive, where currently you need to know specifically where to find them and how to use them.

I have been working with Elastic Search for more than four years now.

From my perspective, Elastic Search has been very stable. The only thing I'm probably missing is what we call the session replay, some kind of tool within Elastic Search based on the data collected that can make some kind of session replay.

Elastic Search is very scalable. The only issue is some features use a huge amount of storage. You need to be in the forefront to make sure that you have the necessary storage to obtain all the data that you're collecting. They probably have surveillance indicating when storage is running low. The engineering department ensures we have sufficient storage. So far, we don't have any scalability issues regarding hosts sending data or the amount of data we are collecting. The engineering department might say we are over-consuming data, but we haven't received any message saying we have reached the ceiling yet.

I do not often communicate with the technical support of Elastic Search. That's the engineering department's responsibility. If I have an issue, I go to the engineering department, and they have the responsibility to communicate with the supplier of Elastic Search or the producer.

Positive

I work with many technical solutions compared to Elastic Search, specifically on observability. We are also looking into AI, which is in an experimental phase in my area. We haven't chosen any specific technology regarding AI. For Elastic Search as it is now, we are not looking into other technology to replace it. I am a chief consultant in my department, but in this regard, I'm mostly a user. The ones who are responsible for the platform are in another department. My experience with configuring relevant searches within the Elastic Search platform is limited as I don't search much within the platform. If I have specific needs, I reach out to get assistance from specialists because they are more familiarized with the system and know exactly how to search for things. For implementation configuration of the system, they are more capable than I am, as I'm more of a user than an engineer on the platform. I would rate Elastic Search an eight out of ten because there's always room for improvement, though from a functionality and price perspective, it could be considered a ten.

On-premises

Other