Security billing dimensions
Elastic Security serverless projects provide you with all the capabilities of Elastic Security to perform SIEM, security analytics, endpoint security, and cloud security workflows. Projects are provided using a Software as a Service (SaaS) model, and pricing is entirely consumption based. Security Analytics/SIEM is available in two tiers of carefully selected features to enable common security operations:
- Security Analytics Essentials — Includes everything you need to operationalize traditional SIEM in most organizations.
- Security Analytics Complete — Adds advanced security analytics and AI-driven features that many organizations will require when upgrading or replacing legacy SIEM systems.
Your monthly bill is based on the capabilities you use. When you use Security Analytics/SIEM, your bill is calculated based on data volume, which has these components:
- Ingest — Measured by the number of GB of log/event/info data that you send to your Security project over the course of a month.
- Retention — Measured by the total amount of ingested data stored in your Security project.
Data volumes for both ingest and retention are based on the uncompressed data size at the point of ingest, before Elasticsearch compression is performed, and will be higher than the volumes traditionally reported by Elasticsearch index size. In addition, these volumes might be larger than the volumes reported by cloud provider proxy logs for data going into Elasticsearch.
Endpoint Protection
Endpoint Protection is an optional add-on to Security Analytics that provides endpoint protection and threat prevention. Endpoint Protection is available in two tiers of selected features to enable common endpoint security operations:
- Endpoint Protection Essentials — Includes robust protection against malware, ransomware, and other malicious behaviors.
- Endpoint Protection Complete — Adds endpoint response actions and advanced policy management.
You pay based on the number of protected endpoints you configure with the Elastic Defend integration. Note that logs, events, and alerts ingested into your Security project from endpoints running Elastic Defend are billed using the Ingest and Retention pricing described above.
Cloud Protection
Cloud Protection is an optional add-on to Security Analytics that provides value-added protection capabilities for cloud assets. Cloud Protection is available in two tiers of carefully selected features to enable common cloud security operations:
- Cloud Protection Essentials — Protects your cloud workloads, continuously tracks posture of your cloud assets, and helps you manage risks by detecting configuration issues per CIS benchmarks.
- Cloud Protection Complete — Adds response capabilities and configuration drift prevention for Cloud Workloads.
Your total cost depends on the number of protected cloud workloads and other billable cloud assets you configure for use with Elastic Cloud Security.
For CSPM, billing is based on how many billable resources (resource.id values) you monitor. The following types of assets are considered billable:
- VMs:
  - AWS: EC2 instances
  - Azure: Virtual machines
  - GCP: Compute engine instances
- Storage resources:
  - AWS: S3, S3 Glacier, EBS
  - Azure: Archive, Blob, Managed disk
  - GCP: Cloud storage, Persistent disk, Coldline storage
- SQL databases and servers:
  - AWS: RDS, DynamoDB, Redshift
  - Azure: SQL database, Cosmos DB, Synapse Analytics
  - GCP: Cloud SQL, Firestore, BigQuery
For KSPM, billing is based on how many Kubernetes nodes (agent.id values) you monitor.
For CNVM, billing is based on how many cloud assets (cloud.instance.id values) you monitor.
For D4C, billing is based on how many agents (agent.id values) you use.
Logs, events, alerts, and configuration data ingested into your security project are billed using the Ingest and Retention pricing described above.
For more details about Elastic Security serverless project rates and billable assets, refer to Cloud Protection in the Elastic Cloud pricing table.