Description
Why we’re introducing SIEM Readiness
SIEM Readiness gives you a clear, data-driven view of your visibility posture. It highlights missing or under-performing log sources so you can quickly understand what’s covered, what’s not, and what needs attention to strengthen your detection capability.
Expected user behaviour
Users can explore their current visibility gaps, understand what’s causing them, and take guided actions—like enabling integrations, improving data quality, or onboarding missing sources—to improve their readiness score over time.
If the issue needs investigation, collaboration, or follow-up, the user can create a case directly from the readiness issue. This captures the context, adds it to case management, and lets teams assign owners, track progress, and document fixes. The user can view all associated (open or in progress) cases from the top bar, or per category.
At the top of the page, four readiness categories summarize the overall state of your SIEM:
• Coverage – Shows whether all enabled detection rules have the required data integrations installed. Flags missing or disabled integrations.
• Quality – Indicates ECS compatibility of the ingested data.
• Continuity – Reflects the health of your ingest pipelines and whether data continues to flow as expected.
• Retention – Displays whether ILM retention policies meet the minimum data requirements for detection and investigation.
Each category is labelled as Healthy, Actions required, or Warning, helping you understand where attention is needed at a glance.
Tab Navigation
Below the health summary, four tabs—Coverage, Quality, Continuity, and Retention—allow you to focus on a single readiness dimension.
The screenshot displays the Coverage tab.
Warning Callout
A callout appears when some rules cannot run due to missing or disabled integrations.
It includes:
• The number of affected rules
• A link to Create a case to track the issue
• A link to View missing integrations
• Context explaining how missing integrations affect detection visibility
Export and Configuration
At the top-right of the page, two global actions are available:
• Export report – Generate a shareable summary of your SIEM readiness posture
• Configuration – Modify readiness settings or data requirements
These actions support operational reporting and allow teams to tailor readiness expectations to their environment.
Details
Coverage
What it measures:
Whether you have the right data sources required for your enabled detection rules.
Why it matters:
If critical integrations are missing or disabled, some rules can’t run — reducing detection visibility and leaving threats unseen.
Examples of what affects this category:
• Missing endpoint or identity logs
• Disabled or uninstalled integrations
• Newly enabled rules that depend on uncollected data
User actions:
Install missing integrations, enable disabled data sources, or create a case to track onboarding work.
The MITRE ATT&CK tactic diagram visualizes which tactics the user's enabled rules cover and whether those rules have the necessary data sources installed.
For each tactic, the tile displays:
• The total number of enabled rules mapped to that tactic
• Whether all rules have the required data integrations, or whether one or more rules are missing them
• (If applicable) How many rules are missing integrations or have missing data
Tactics appear in different states:
• Healthy (green) – All enabled rules under this tactic have their required integrations installed.
• Warning (red) – At least one enabled rule under this tactic is missing required integrations or mapped data.
• Grey (no data) – No enabled rules map to this tactic.
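The tactic tile states above, and the affected-rule count shown in the warning callout, follow from a single relation: which integrations each enabled rule needs versus which are installed. The following Python is an added illustration of that evaluation, not code from the Elastic project; the rule names, tactic list and installed-integration set are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data, not taken from the page: each enabled rule lists the
# ATT&CK tactic(s) it is mapped to and the integrations it needs in order to run.
@dataclass(frozen=True)
class Rule:
    name: str
    tactics: tuple
    required_integrations: tuple

ENABLED_RULES = [
    Rule("suspicious-powershell-download", ("execution",), ("endpoint",)),
    Rule("okta-brute-force", ("credential-access",), ("okta",)),
    Rule("rdp-lateral-movement", ("lateral-movement",), ("endpoint", "network_traffic")),
]

# Constructed: only the endpoint integration is installed and enabled.
INSTALLED_INTEGRATIONS = {"endpoint"}

# Tactics drawn on the diagram; "exfiltration" has no enabled rules mapped to it.
TACTICS = ["execution", "credential-access", "lateral-movement", "exfiltration"]


def rule_gaps(rule, installed):
    """Integrations the rule needs that are not installed (empty set = rule can run)."""
    return set(rule.required_integrations) - set(installed)


def tactic_states(rules, installed, tactics):
    """Per-tactic tile state (healthy / warning / grey) plus the counts the tile shows."""
    states = {}
    for tactic in tactics:
        mapped = [r for r in rules if tactic in r.tactics]
        if not mapped:
            # Grey: no enabled rule maps to this tactic, so there is nothing to evaluate.
            states[tactic] = {"state": "grey", "rules": 0,
                              "missing_rules": 0, "missing_integrations": []}
            continue
        missing_rules = 0
        missing_integrations = set()
        for rule in mapped:
            gaps = rule_gaps(rule, installed)
            if gaps:
                missing_rules += 1
                missing_integrations |= gaps
        states[tactic] = {
            # Warning as soon as one mapped rule cannot run; healthy only if all can.
            "state": "warning" if missing_rules else "healthy",
            "rules": len(mapped),
            "missing_rules": missing_rules,
            "missing_integrations": sorted(missing_integrations),
        }
    return states


def affected_rule_count(rules, installed):
    """Number of enabled rules that cannot run, as reported in the warning callout."""
    return sum(1 for r in rules if rule_gaps(r, installed))


if __name__ == "__main__":
    for tactic, info in tactic_states(ENABLED_RULES, INSTALLED_INTEGRATIONS, TACTICS).items():
        print(f"{tactic:18} {info['state']:8} rules={info['rules']} "
              f"missing={info['missing_rules']} {info['missing_integrations']}")
    print("rules that cannot run:", affected_rule_count(ENABLED_RULES, INSTALLED_INTEGRATIONS))
```

With the constructed data, `execution` is healthy, `credential-access` and `lateral-movement` are warnings (missing `okta` and `network_traffic` respectively), `exfiltration` is grey, and two rules cannot run. A rule that needs several integrations counts once in the affected-rule total but contributes every missing integration to the tile's list.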
Quality
What it measures:
How well your ingested data aligns with ECS (Elastic Common Schema) expectations for field names and structure.
Why it matters:
Detection rules rely on consistent ECS fields. Poor data quality leads to missed matches, broken queries, and unreliable correlations.
Examples of what affects this category:
• Non-ECS fields from custom pipelines
• Vendor logs missing key ECS fields
• Inconsistent data mapping from legacy integrations
User actions:
Fix ECS mapping issues, update pipelines, or use integration packages that provide ECS-aligned output.
Continuity
What it measures:
Whether data is flowing reliably and continuously from your pipelines and agents.
Why it matters:
Gaps in ingestion leave blind spots in detection and investigation windows.
Examples of what affects this category:
• Stalled ingest pipelines
• Agent errors
• Forwarder connectivity issues
• Drops in event volume
User actions:
Investigate ingest interruptions, verify pipeline health, or assign a case if long-running issues require engineering support.
Retention
What it measures:
Whether your Index Lifecycle Management (ILM) retention policies meet the minimum requirements for detection rules, investigations, and compliance.
Why it matters:
Short data retention means you may not have enough historical data to detect long-dwell attacks, run backtesting, or perform full investigations.
Examples of what affects this category:
• ILM policies that delete data too early
• Storage limitations leading to aggressive rollovers
• Mismatch between rule lookback windows and retention duration
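The last bullet, a rule whose lookback window is longer than the retention of the data it searches, is the kind of mismatch the Retention category is meant to surface. The following Python is an added example of that check and is not Elastic's implementation; the ILM delete-phase `min_age` values, data stream names and rule `from` expressions are constructed sample data, and the rule-to-data-stream mapping is simplified to a single stream per rule.

```python
import re

# Constructed sample data, not taken from the page: ILM delete-phase min_age per
# data stream, and enabled rules with the data stream they read and the time
# range they search ("now-14d" means a 14-day lookback window).
ILM_DELETE_MIN_AGE = {
    "logs-endpoint": "30d",
    "logs-okta": "7d",
}

RULES = [
    {"name": "endpoint-process-injection", "data_stream": "logs-endpoint", "from": "now-6h"},
    {"name": "okta-impossible-travel", "data_stream": "logs-okta", "from": "now-14d"},
    {"name": "endpoint-long-dwell-beacon", "data_stream": "logs-endpoint", "from": "now-45d"},
    {"name": "custom-app-anomaly", "data_stream": "logs-custom", "from": "now-1d"},
]

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def duration_seconds(value):
    """Parse an Elasticsearch-style duration such as '30d' or '6h' into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", value)
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def lookback_seconds(from_expr):
    """Parse a rule 'from' expression of the form 'now-<duration>' into seconds."""
    m = re.fullmatch(r"now-(\d+[smhd])", from_expr)
    if not m:
        raise ValueError(f"unsupported range expression: {from_expr!r}")
    return duration_seconds(m.group(1))


def retention_gaps(rules, ilm_min_age):
    """Rules whose lookback is longer than the retention of their data stream.

    A data stream with no known ILM policy is reported too, since its retention
    cannot be verified at all.
    """
    gaps = []
    for rule in rules:
        policy = ilm_min_age.get(rule["data_stream"])
        if policy is None:
            gaps.append({"rule": rule["name"], "reason": "no ILM policy found",
                         "shortfall_days": None})
            continue
        retention = duration_seconds(policy)
        lookback = lookback_seconds(rule["from"])
        if lookback > retention:
            # Whole days of history the rule expects but the index no longer holds.
            gaps.append({"rule": rule["name"], "reason": "lookback exceeds retention",
                         "shortfall_days": (lookback - retention) // 86400})
    return gaps


if __name__ == "__main__":
    for gap in retention_gaps(RULES, ILM_DELETE_MIN_AGE):
        print(f"{gap['rule']:30} {gap['reason']:28} shortfall={gap['shortfall_days']}")
```

On the constructed data the 6-hour endpoint rule is fine, the Okta rule is short by 7 days, the long-dwell endpoint rule by 15 days, and the custom data stream is flagged because no policy covers it. The same comparison extends to investigation windows: substitute the longest period analysts expect to pivot back over for the rule lookback.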
Other elements
What this callout is for:
This message introduces users to SIEM Readiness and explains the value of the page. It helps users understand that the page measures the health of their data foundation and how it affects their ability to detect and investigate threats. It is dismissible.
Configuration: Category Applicability
The Category Applicability modal allows users to define which data source categories are relevant to their environment. SIEM Readiness uses these selections to tailor the readiness evaluation and hide categories that do not apply to the deployment.
This ensures the SIEM Readiness overview focuses only on the data types a user expects to collect—avoiding false warnings for categories the organisation does not use (for example, if the user has no SaaS sources or no on-premises network logs).
⸻
What this setting controls
When users select the applicable categories:
• The SIEM Readiness visuals and metrics will only evaluate the chosen categories.
• Unselected categories will be excluded from readiness scoring, coverage checks, and warnings.
• This allows the feature to better reflect the actual architecture and data sources of the user’s environment.
The available categories are:
• Endpoint
• Identity
• Network
• Cloud
• Application / SaaS
⸻
Save behaviour
To prevent invalid configurations:
• At least one category must be selected before the user can save.
• If all categories are deselected, the Save button is disabled (or the user receives a validation message, depending on implementation).
This ensures SIEM Readiness always has at least one data domain to evaluate.
The Create Case view allows users to open a case directly from a SIEM Readiness issue. When launched from a readiness card or visual, Elastic automatically pre-populates several fields to streamline the workflow and ensure consistent documentation across teams.
When users visit SIEM Readiness for the first time — or when their environment has no data, no enabled rules, or no integrations installed — the page displays a dedicated first-use onboarding state. This view helps users understand what the feature is, why it matters, and what they need to set up before readiness scoring can begin.
What users see in the first-use state
- Welcome Callout
A dismissible callout at the top explains the purpose of SIEM Readiness:
• It measures the strength of the user’s data foundation.
• Healthier data leads to more reliable detections and faster investigations.
• A link to documentation helps users learn how readiness works.
This sets expectations before any data is ingested. Alongside the first-use screen, SIEM Readiness includes an 8-step interactive product tour designed to walk users through the main components of the page once data is available.
Related links / assets
Figma link(s): https://www.figma.com/design/0Fy4vbvYQzHHqQm5U8dj5g/SIEM-Readiness?node-id=96-10311&t=zX1UcADIl4aAgOJH-1
Github epic link(s): https://github.com/elastic/security-team/issues/12470
Which documentation set does this change impact?
ESS and serverless
Feature differences
ESS and serverless
Software version
For 9.3
Collaborators
PM: @smriti0321
Designer: @ARWNightingale
Developer: @JordanSh
Timeline / deliverables
9.3 release