Elastic Certified SIEM Analyst Course Review

My review of the Elastic Certified SIEM Analyst course
- Introduction
- Modules
- Conclusion
Introduction Permalink
I recently took advantage of Elastic.co’s generous free training offer for their newly released course / certification, the Elastic Certified SIEM Analyst. The offer is still available over here at the time of writing this blog post and will continue to be free up to the end of October 2025. I’ve worked with the Elastic Stack in the past and posted about it in the previous blog posts including:
- Building a Threat Hunting Lab Using Elastic Stack and Vagrant
- Threat Hunting with Elastic Stack - In-Depth Book Review
but I’ll try to look at the course from the perspective of someone with little or no previous Elastic Stack experience as this course is aimed primarily at new Elastic Stack security analysts. This blog post will cover some of the areas I believe can be improved in the course in future iterations. The course material I used was v1.02 (July 2025). Overall, I found the course to be beneficial for new Elastic Stack security analysts but I believe that there are areas where it can be improved and this will be the focus on this blog post.
The course is composed of the following:
- seven modules covering the following topics:
- Stack Overview
- Elastic Common Schema (ECS)
- Discover
- Visualizations
- Lens
- Dashboards
- Security App / SIEM
- Hunt Capstone (although this is mentioned in the official documentation, I couldn’t find this in the free On-Demand version)
- course slides
- each module comes with one or more videos that cover the corresponding slides in addition to including a demo
- a lab for you to get some hands-on
- challenge questions.
You also get access to a virtual lab with a Windows VM (where you will install the Elastic Agent with the Elastic Defend integration) and two other boxes, one of which runs the Elastic Stack that you will then access. You get a total of 60 hours of lab access time and can pause and resume at any time (it also auto-pauses if you are inactive for a period of time). The lab access expires after 3 months.
Before going into more details on the various modules and what I believe can be improved in each of them, there are a number of areas for improvement that impact multiple modules including:
- there is no clear overall scenario or goal or threat hunt or investigation. Instead, the tasks in most modules and sections are largely unrelated to other modules and sections. Instead of focusing on how to run an end-to-end investigation using the various components (as partially illustrated in this example), the course focuses more on highlighting the features of Elastic Stack / Elastic Security. I would have much preferred one or more investigations that are built on throughout the course
- while most labs had links to the official documentation, I think that adding additional links to videos, demos, and other material would have been beneficial as the official documentation can sometimes be a little dry
- the majority of the logs used throughout the lab are Zeek and Suricata logs. An overview of each of these would have been useful for anyone following along and not familiar with them (or hasn’t used them for some time)
- adding one-page cheat sheets for the various query languages covered in the course and which could be quickly referenced by analysts would have been useful
- the challenge questions would be improved (more on this later on).
I’ll start by commenting on some of the various modules before adding some additional comments. Finally, this blog post does not cover the actual exam, which I haven’t taken.
Modules Permalink
Module 1: Stack Overview Permalink
This section covers the Elastic Stack’s components. Overall, I felt the section was well-structured. However, I had the following comments:
- it felt odd that we installed the Elastic Agent with the Elastic Defend module in this module and then not touch on it again except for briefly in the Security App module
- the data collection capabilities of Elastic Defend were not touched on. This could have been looked at it in greater detail in addition to a comparison of doing so versus using something like Sysmon
- the response capabilities were not touched on. A lab showing might have been interesting
- an example of using the OSQuery Manager integration during an investigation.
Module 2: Elastic Common Schema (ECS) Permalink
This section covers the Elastic Common Schema (ECS). However, I felt that it didn’t cover enough. At the very least, I think the following should have been added:
- a look at the various types of events that can be stored in Elasticsearch
- full sample events and a look at the most important fields that security analysts will likely use in an investigation (as there are thousands of ECS fields).
- more on fields covering where data comes such as:
- more on fields covering what the data is:
- more on
event.action
.
I also think that Ingest Pipelines should have been covered including at the least a simple example of taking a log format that has no corresponding Integration and showing how to add support for it and convert it to be ECS compliant. This could then have been complemented with a look at doing this using Automatic Import.
Finally, in the Normalizing Data section, the instructor says: “Beats are lightweight data shippers like Filebeat or Metricbeat. They often has built-in support for ECS and they can format the data according to ECS before even sending it to Elasticsearch”. This was on the slide related to “ECS Normalized Data” (pg. 51). However, this is incorrect. The Beats and Elastic Agent are responsible for extracting the event, adding some metadata and then sending it to the corresponding Ingest Pipeline (default) or Logstash which then do the heavy lifting of normalizing the event and extracting the various key-value pairs.
Module 3: Discover Permalink
This section nicely covers the Discover app in addition to using KQL and Lucene to query our data. One small addition would be highlight how to create custom Time Picker options using labels from Kibana - Stack Management -Advanced Settings - Time Picker to get entries such as Day 0
, Day 1
, BLISTER
, etc. that are used in the lab. Additionally, the Lucene fuzzy example that looks for all terms similar to Mozilla
but not exactly Mozilla
is given as:
user_agent.original.text: Mozilla~ AND NOT user_agent.original.text: Mozilla*
while it should not have the additional *
if we are interested in an exact match:
user_agent.original.text: Mozilla~ AND NOT user_agent.original.text: Mozilla
The additional *
would match any user agent that starts with Mozilla
.
Module 4: Visualizations Permalink
This module provides a short introduction to visualizations in Kibana using Aggregation Based visualizations. One enhancement was to point out what terms means in this context (terms refers to creating a bucket for each unique value for a given field).
Module 5: Lens Permalink
This module provides a short introduction to visualization in Kibana using Lens visualizations.
Module 6: Dashboards Permalink
This module provides an introduction to building and using dashboards in Kibana. One detail that would have been nice to add is how to add custom Link Panels as this is a task that analysts would typically do when building dashboards. I also think that having a section on Compliance Dashboards would be beneficial.
Module 7: Security App Permalink
We finally reach the crux of the course, the Security App. While previous modules touched on useful components in Kibana that users need to know, this focuses on the SIEM side of things. As this module is covers a lot of ground, I split it up into sections.
Elastic AI Assistant for Security & Attack Discovery Permalink
While the course has a solid overview of both Elastic AI Assistant and Attack Discovery, there is no practical aspect in this section which is a shame. Including optional hands-on labs where even if users have to bring their own LLM credentials, etc. would have shown how useful this feature is. Furthermore, as these features are available only on the Enterprise subscription, it may have made more sense to add this as the last section as not all environments will have this option.
ES|QL Permalink
This sub-section was fine overall. I just had the following comments:
- there was no mention of using the
ENRICH
command to allow you to combine data from multiple indices. There was also no mention of the even better option:LOOKUP_JOIN
(but I think that the later is a constraint asLOOKUP_JOIN
was only added in 8.18 while the lab uses an older version). - as many analysts are probably familiar with SPL, examples of converting SPL queries to the equivalent ES|QL queries may have been useful.
- the instructor mentioned that ES|QL replaces all other query languages. This is incorrect as ES|QL as it is still missing some features found in other query languages (such as sequences in EQL).
Detection Engine Permalink
While the section does cover the basics, I felt that there were a few things missing including:
- a discussion of how to approach the task of selecting which rules / rulesets to enable in your environment. For example, when working with a Windows environment, which rulesets should an analyst enable? Should they search for tags based on OS? Is that sufficient? Should they just enable all rules? What are the drawbacks of enabling all rules?
- there was no labs related to building or using rules based on the following types of rules:
- machine learning
- indicator match
- new terms.
Alerts Permalink
Some areas I feel that were not touched on include:
- adding the
kibana.alert.orginal_time
field to give you a sequential timeline of events (as rules run at different times and the default@timestamp
shown in alerts is the one associated with when the rule ran, not when the event actually took place) - a discussion of enabling the generic External Alerts rule to convert alerts from external systems such as Suricata, Zeek and others to Elastic SIEM alerts (as a side note, this rule is disabled in the lab environment).
Timelines Permalink
This section was covered well. However, it would have been preferable to see how to use a Timeline in an end-to-end incident response. Furthermore, a quick tip on how to grab the indices corresponding to the Security Default Data View when running Correlation and ES|QL queries would have been useful.
Missing Sections Permalink
Threat Intelligence Permalink
An example of using threat intelligence feeds was unfortunately not covered.
Report Generation Permalink
There was no mention of how to generate reports in the course.
UEBA Permalink
UEBA (referred to as Advanced Entity Analytics in Elastic) is not covered in the course. As this feature is not only useful but also a feature that does not require an additional license (it requires either a Platinum or Enterprise license), I’m unsure as to why this was not covered.
SOAR Permalink
While SOAR (Security Orchestration, Automation and Response) is one area where the Elastic solution lacks solid native capabilities, Elastic does support integrating with workflow automation solutions such as n8n or Shuffle and Tines. As this is something that a typical Elastic SIEM deployment would use, an example of using one of these would have been beneficial. A local installation of either n8n or Shuffle on one of the nodes in the lab could have been used.
Other Issues Permalink
Challenges Permalink
After most sections, you have:
- a lab
- some challenge questions.
You should always check to see if there is a lab related to the section you are on before moving forward to the next section or module. After completing the labs related to the section, you should check to see if there are any challenge questions.
Some issues that I ran into related to the challenges include:
- the context of given challenges aren’t always specific. For example, you might find a challenge question such as:
How many results exist for originating ports greater than 1024?
While the start of the section specified which time-range we are looking at, do we keep the filter we applied in the previous question or remove it? It would be preferable if the context was included in every question. - some questions have a Hint button while others don’t. Due to the above limitation, it would be useful if more questions had hints. However, if the above issue was resolved, you probably wouldn’t need this except rarely.
- no model answers are provided. I think this would be useful as there are multiple ways to solve a given challenge and this would reinforce the training.
- one you complete a challenge, there is no way to retake it. Being able to do so as you re-run through the challenges to check to see if you are ready for the exam.
- the challenges are relatively basic and again, there is no scenario that you are investigating. Instead, as I mentioned previously, it feels as if you the course is highlighting features instead of applying these features to some real-world use cases.
There were also a few challenges that I’m confident have issues with them including:
- 3.2.9 and 3.2.10
- 7.4.1 (refers to the 7.3 labs while it meant to refer to the 7.4 lab).
Exam Permalink
While this blog post doesn’t cover the exam, I was disappointed to discover that the related exam is not performance-based like other Elastic exams. Instead, as Elastic states here: “The Elastic Certified SIEM Analyst exam is a timed cognitive-based exam. This exam requires answering multiple choice, select all that apply, fill in the blanks, and true or false questions centered around the Elastic Security solution”. I believe the certification would have been much more beneficial if the exam was performance-based instead.
Conclusion Permalink
Overall, I believe the Elastic Certified SIEM Analyst is useful for analysts new to the platform. Although I mentioned a number of improvements I believe can make the course more comprehensive, I still think that the course as it currently is is useful for security analysts.