topic Re: splunk enterprise security in Alerting

splunk enterprise security

trojan_81 — Tue, 08 Dec 2020 14:12:03 GMT

Hi Splunk Experts,

Suppose I only have splunk cloud. Is it NOT possible to set an alert based on a search that correlates events from multiple systems? Such as correlating an event across endpoint and network activity. Is this where Enterprise Security is needed? Or is the answer that one can technically do it without Enterprise security but it would be tougher?

Would splunk enterprise have more out of the box correlations than just splunk cloud?

Re: splunk enterprise security

richgalloway — Tue, 08 Dec 2020 14:14:42 GMT

You do not need Enterprise Security to correlate events from multiple systems or sources. Using ES would not necessarily make it easier.

Splunk Cloud and Splunk Enterprise have the same set of OOTB correlations.

Re: splunk enterprise security

trojan_81 — Tue, 08 Dec 2020 15:37:33 GMT

That helps greatly thank you. With that in mind, what are a few reasons why you would want to implement ES (assume you had the funds)?

Re: splunk enterprise security

richgalloway — Tue, 08 Dec 2020 22:35:48 GMT

Check out the Splunk Security Essentials and ES Content Update apps for some example use cases that are best (or only) implemented using ES.

Also, ES has built-in features that enrich the assets and identities in your data.

That's not to mention the support for investigations and other SIEM features.