
100+ Free Elastic Certified SIEM Analyst Practice Questions

Elastic Certified SIEM Analyst practice questions are available now; exam metadata is being verified.


An analyst wants to add geographic location to events based on their source.ip during ingestion. Which ingest processor accomplishes this enrichment?
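The processor the question is after is the geoip ingest processor: it looks up an IP address in the GeoLite2 database that ships with Elasticsearch and writes the result under a geo object. The pipeline below is an added example, not part of the original page or of Elastic's own documentation, and the pipeline name add-source-geo is an assumption. It reads source.ip, writes into source.geo so the output lands on the ECS geo fields, restricts the output to the properties an analyst usually pivots on, and sets ignore_missing so events that have no source.ip pass through instead of failing the pipeline.

```json
{
  "description": "Enrich source.ip with GeoIP location, written to the ECS source.geo.* fields",
  "processors": [
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "source.geo",
        "properties": [
          "country_iso_code",
          "country_name",
          "region_name",
          "city_name",
          "location"
        ],
        "ignore_missing": true
      }
    }
  ]
}
```

Register it with PUT _ingest/pipeline/add-source-geo in Kibana Dev Tools, then check it with POST _ingest/pipeline/add-source-geo/_simulate and a docs array holding one document with a public source.ip and one without: the first comes back with source.geo.country_iso_code, source.geo.city_name and source.geo.location filled in, the second is returned unchanged. To apply it at index time, set it as the index's default_pipeline or, for Elastic Agent data streams, add the processor to the integration's @custom pipeline. Private and reserved addresses resolve to nothing, and the lookup only works on nodes that have the GeoIP database available, which Elasticsearch downloads automatically while ingest.geoip.downloader.enabled is left at its default of true.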


Key Facts: Elastic Certified SIEM Analyst Exam (2026 statistics)

Exam fee per attempt: $400 USD (source: Elastic Certification FAQ)
Exam format: cognitive, multiple choice; knowledge-based, not performance-based (source: Elastic)
Credential validity: 2 years (source: Elastic Certification FAQ)
Passing score: not published (Elastic does not publish a public passing score)
Detection rule types covered: 7 Elastic Security detection rule types (source: Elastic Security documentation)
Remote proctoring: Honorlock (source: Elastic Certification FAQ)

The Elastic Certified SIEM Analyst is a timed cognitive (knowledge-based) exam from Elastic. It costs $400 USD per attempt, is remotely proctored through Honorlock, and the credential is valid for 2 years. Elastic does not publish a passing score or question count, but the exam typically presents about 50-60 questions in 60-90 minutes using multiple choice, select-all-that-apply, fill-in-the-blank, and true/false items. It covers SIEM fundamentals and Elastic Security architecture, ECS data ingestion and normalization, detection engineering across the seven rule types and rule tuning, alert triage and investigation in Timelines and Cases, event correlation, enrichment and threat intelligence, role-based access control (RBAC), and security visualization.

Sample Elastic Certified SIEM Analyst Practice Questions

Try these sample questions to test your Elastic Certified SIEM Analyst exam readiness. Each question includes a detailed explanation.

1. In Elastic Security, which component is responsible for evaluating detection rules on a schedule and generating alerts when matching events are found?
A. The detection engine
B. Logstash pipeline
C. Beats modules
D. The Kibana Discover app
Explanation: The detection engine in Elastic Security runs detection rules on a configurable schedule against the indices each rule names, and when a rule's query matches events it creates alerts in the .alerts-security.alerts-<space-name> index of the current Kibana space. It is the core SIEM analytics component that turns rules into alerts.
2. What does the acronym SIEM stand for in the context of Elastic Security?
A. Security Indexing and Event Mapping
B. Security Information and Event Management
C. System Information and Endpoint Management
D. Signal Intelligence and Event Monitoring
Explanation: SIEM stands for Security Information and Event Management. Elastic Security provides SIEM capabilities by centralizing log and event data, applying detection rules, and supporting investigation and response workflows.
3. Within the Elastic Stack, which product provides the user interface where the Elastic Security SIEM app, dashboards, and Timelines are accessed?
A. Elasticsearch
B. Logstash
C. Kibana
D. Beats
Explanation: Kibana is the visualization and management layer of the Elastic Stack, and the Elastic Security app (SIEM) runs inside Kibana. Analysts use Kibana to view alerts, build Timelines, manage detection rules, and open dashboards.
4. Which index pattern stores detection alerts generated by Elastic Security detection rules in a given Kibana space?
A. .kibana-event-log
B. .monitoring-es
C. .siem-signals-default
D. .alerts-security.alerts-<space-name>
Explanation: Detection alerts are written to the .alerts-security.alerts-<space-name> index pattern, which is space-specific. This replaced the older .siem-signals-* naming and keeps alerts isolated per Kibana space.
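As a concrete check that rules are writing where the explanation says, the search body below (an added example, not from the page) asks the default space's alert index for open high and critical alerts from the last 24 hours, highest risk score first. Run it as GET .alerts-security.alerts-default/_search in Kibana Dev Tools; for another space, replace default with that space's ID (the name is an alias over backing indices of the form .internal.alerts-security.alerts-default-000001). The field names are the kibana.alert.* fields Elastic Security writes on every alert; the time window and severity filter are chosen for the illustration.

```json
{
  "size": 20,
  "sort": [
    { "kibana.alert.risk_score": "desc" },
    { "@timestamp": "desc" }
  ],
  "_source": [
    "@timestamp",
    "kibana.alert.rule.name",
    "kibana.alert.severity",
    "kibana.alert.risk_score",
    "kibana.alert.workflow_status",
    "host.name",
    "user.name"
  ],
  "query": {
    "bool": {
      "filter": [
        { "term": { "kibana.alert.workflow_status": "open" } },
        { "terms": { "kibana.alert.severity": ["high", "critical"] } },
        { "range": { "@timestamp": { "gte": "now-24h" } } }
      ]
    }
  }
}
```

An empty hits list after a rule has reported successful runs usually means the rule ran in a different space, or the query is hitting the wrong space's index; kibana.alert.workflow_status moves from open to acknowledged or closed as analysts work the alert, so drop that filter to see the full history.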
5. An analyst wants to monitor and respond to host-based threats with endpoint prevention and response. Which Elastic integration provides endpoint protection that feeds telemetry into Elastic Security?
A. Elastic APM
B. Elastic Maps
C. Elastic Defend
D. Elastic Enterprise Search
Explanation: Elastic Defend is the endpoint security integration deployed through Elastic Agent. It collects host telemetry (processes, files, network, registry), provides malware and ransomware prevention, and supports response actions such as isolating a host.
6. On the Elastic Security Explore page, which prebuilt dashboards are populated automatically from ingested data to give an analyst situational awareness?
A. Uptime, Synthetics, and Logs
B. Fleet, Agents, and Policies
C. Discover, Canvas, and Vega
D. Hosts, Network, and Users
Explanation: The Explore section of Elastic Security includes prebuilt Hosts, Network, and Users pages. These dashboards summarize entity activity, network flows, and authentication events to help analysts triage and pivot during investigations.
7. Which statement best describes the purpose of a SIEM such as Elastic Security?
A. To centralize, normalize, and analyze security-relevant data for detection, investigation, and response
B. To replace firewalls and antivirus as the only security control
C. To store backups of production databases
D. To provide CI/CD pipeline automation for developers
Explanation: A SIEM aggregates logs and events from many sources, normalizes them to a common schema, applies detection logic, and supports investigation and response. Elastic Security delivers these capabilities on the Elastic Stack.
8. In Elastic Security, where are detection rules, Timelines, Cases, and alerts logically isolated so that one team's data is not visible to another?
A. Index lifecycle policies
B. Kibana spaces
C. Ingest pipelines
D. Runtime fields
Explanation: Each Kibana space represents a separate logical instance of Elastic Security. Detection rules, exceptions, value lists, alerts, Timelines, and Cases are private to the space and accessible only to users with privileges for that space.
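Space isolation only holds if roles are scoped to the space. The role definition below is an added example, not from the page or from Elastic's documentation: it assumes a space with ID team-a, grants the Security and Cases features in that space and nowhere else, and gives read access to the source data the team's rules query. Send it to Kibana as PUT /api/security/role/team-a-analyst with the kbn-xsrf header. The privileges on the space's alert and list indices follow Elastic's detections prerequisites; confirm the exact privilege list against the documentation for the version in use, since it has changed between releases.

```json
{
  "elasticsearch": {
    "cluster": [],
    "indices": [
      {
        "names": ["logs-*", "winlogbeat-*"],
        "privileges": ["read", "view_index_metadata"]
      },
      {
        "names": [
          ".alerts-security.alerts-team-a",
          ".lists-team-a",
          ".items-team-a"
        ],
        "privileges": ["read", "write", "view_index_metadata", "maintenance"]
      }
    ]
  },
  "kibana": [
    {
      "spaces": ["team-a"],
      "base": [],
      "feature": {
        "siem": ["all"],
        "securitySolutionCases": ["all"],
        "discover": ["read"],
        "dashboard": ["read"]
      }
    }
  ]
}
```

A user holding only this role sees the Security app in team-a and nothing in any other space. Detection rules that user enables run with the role's index privileges, so keep the index patterns in the first entry in step with what the team's rules actually query; Elastic Security flags in a rule's execution results when the rule's index patterns include indices the user cannot read.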
9. Which of the following is the central workspace in Elastic Security for deep investigation and threat hunting, where an analyst can build complex queries and correlate events?
A. Stack Monitoring
B. Timeline
C. Dev Tools Console
D. Index Management
Explanation: Timeline is the central investigation and threat-hunting workspace in Elastic Security. Analysts add alerts and events from multiple indices, query with KQL, EQL, or ES|QL, and pivot across hosts, users, and network activity to reconstruct an event sequence.
10. Elastic Security maps its detection rules to a widely used adversary behavior framework so analysts can identify coverage gaps. Which framework is this?
A. OWASP Top 10
B. NIST CSF
C. MITRE ATT&CK
D. PCI DSS
Explanation: Elastic Security maps prebuilt and custom detection rules to MITRE ATT&CK tactics and techniques. The MITRE ATT&CK coverage page lets analysts visualize which techniques are covered and find detection gaps.
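The two mechanisms in questions 1 and 10, the schedule the detection engine runs a rule on and the ATT&CK mapping the coverage page reads, are both fields of the rule object itself. The rule below is an added example, not an Elastic prebuilt rule and not from the page: a custom query rule that flags PowerShell started with an encoded command line. Its name, rule_id, query, index patterns and tags are constructed for the illustration; TA0002, T1059 and T1059.001 are the real ATT&CK identifiers for Execution, Command and Scripting Interpreter, and PowerShell. Create it with POST /api/detection_engine/rules against Kibana (with the kbn-xsrf header), or import the same object from the Rules page.

```json
{
  "rule_id": "team-a-encoded-powershell",
  "name": "Encoded PowerShell Command Line",
  "description": "PowerShell launched with an encoded command, a common execution and defense-evasion pattern.",
  "type": "query",
  "language": "kuery",
  "index": ["logs-endpoint.events.process-*", "winlogbeat-*"],
  "query": "event.category:process and event.type:start and process.name:(\"powershell.exe\" or \"pwsh.exe\") and process.args:(\"-enc\" or \"-EncodedCommand\" or \"-e\")",
  "risk_score": 47,
  "severity": "medium",
  "interval": "5m",
  "from": "now-6m",
  "max_signals": 100,
  "tags": ["Windows", "Execution", "team-a"],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0002",
        "name": "Execution",
        "reference": "https://attack.mitre.org/tactics/TA0002/"
      },
      "technique": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "reference": "https://attack.mitre.org/techniques/T1059/",
          "subtechnique": [
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "reference": "https://attack.mitre.org/techniques/T1059/001/"
            }
          ]
        }
      ]
    }
  ],
  "enabled": true
}
```

interval is how often the detection engine runs the query and from is how far back each run looks. Setting from one minute earlier than the interval (now-6m for a 5m interval) makes consecutive runs overlap so events that are indexed late are still evaluated, and the engine does not raise a second alert for a source event it has already alerted on. The threat array is what the MITRE ATT&CK coverage page reads to mark T1059.001 as covered; a rule without it is invisible there even if it detects the technique perfectly. Expect this query to fire on legitimate administration scripts, which is exactly the tuning case exceptions and value lists exist for.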

About the Elastic Certified SIEM Analyst Practice Questions

Verified exam format metadata for Elastic Certified SIEM Analyst is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.