Security billing dimensions
Elastic Security serverless projects provide you with all the capabilities of Elastic Security to perform SIEM, security analytics, endpoint security, and cloud security workflows. Projects are provided using a Software as a Service (SaaS) model, and pricing is entirely consumption based. Security Analytics/SIEM is available in two tiers of carefully selected features to enable common security operations:
- Security Analytics Essentials — Includes everything you need to operationalize traditional SIEM in most organizations.
- Security Analytics Complete — Adds advanced security analytics and AI-driven features that many organizations will require when upgrading or replacing legacy SIEM systems.
Your monthly bill is based on the capabilities you use. When you use Security Analytics/SIEM, your bill is calculated based on data volume, which has these components:
- Ingest — Measured by the number of GB of log/event/info data that you send to your Security project over the course of a month.
- Retention — Measured by the total amount of ingested data stored in your Security project.
Data volumes for ingest and retention are based on the fully enriched normalized data size at the end of the ingest pipeline, before Elasticsearch compression is performed, and will be higher than the volumes traditionally reported by Elasticsearch index size. In addition, these volumes might be larger than those reported by cloud provider proxy logs for data going into Elasticsearch. This allows you to have flexibility in choosing your preferred ingest architecture for enrichment, whether it’s through Elastic Agent, Logstash, OpenTelemetry, or collectors — with no impact on the cost.
Endpoint Protection
Endpoint Protection is an optional add-on to Security Analytics that provides endpoint protection and threat prevention. Endpoint Protection is available in two tiers of selected features to enable common endpoint security operations:
- Endpoint Protection Essentials — Includes robust protection against malware, ransomware, and other malicious behaviors.
- Endpoint Protection Complete — Adds endpoint response actions and advanced policy management.
You pay based on the number of protected endpoints you configure with the Elastic Defend integration. Note that logs, events, and alerts ingested into your Security project from endpoints running Elastic Defend are billed using the Ingest and Retention pricing described above.
Cloud Protection
Cloud Protection is an optional add-on to Security Analytics that provides value-added protection capabilities for cloud assets. Cloud Protection is available in two tiers of carefully selected features to enable common cloud security operations:
- Cloud Protection Essentials — Protects your cloud workloads, continuously tracks posture of your cloud assets, and helps you manage risks by detecting configuration issues per CIS benchmarks.
- Cloud Protection Complete — Adds response capabilities.
Your total cost depends on the number of protected cloud workloads and other billable cloud assets you configure for use with Elastic Cloud Security.
For CSPM, billing is based on how many billable resources (`resource.id`s) you monitor. The following types of assets are considered billable:
- VMs:
  - AWS: EC2 instances
  - Azure: Virtual machines
  - GCP: Compute engine instances
- Storage resources:
  - AWS: S3, S3 Glacier, EBS
  - Azure: Archive, Blob, Managed disk
  - GCP: Cloud storage, Persistent disk, Coldline storage
- SQL databases and servers:
  - AWS: RDS, DynamoDB, Redshift
  - Azure: SQL database, Cosmos DB, Synapse Analytics
  - GCP: Cloud SQL, Firestore, BigQuery
For KSPM, billing is based on how many Kubernetes nodes (`agent.id`s) you monitor.
For CNVM, billing is based on how many cloud assets (`cloud.instance.id`s) you monitor.
Logs, events, alerts, and configuration data ingested into your security project are billed using the Ingest and Retention pricing described above.
For more details about Elastic Security serverless project rates and billable assets, refer to Cloud Protection in the Elastic Cloud pricing table.