For an organisation that already has Splunk ES - what are the differences between the two products - will installing SE (or inc SE for ransomware) compliment ES and provide additional insights ?
It depends on how active you and your teams use Splunk. ES is a fully fledged application designed around event correlation, management, and response.
The Security Essentials toolkits is more focused on specific use cases.
In my experience they compliment each other very well. In fact, once fully understood, searches out of the SE toolkit can be migrated into ES and adopted.
So use both!
But, dont put them on the same search head / SHC!
It depends on how active you and your teams use Splunk. ES is a fully fledged application designed around event correlation, management, and response.
The Security Essentials toolkits is more focused on specific use cases.
In my experience they compliment each other very well. In fact, once fully understood, searches out of the SE toolkit can be migrated into ES and adopted.
So use both!
But, dont put them on the same search head / SHC!
Thanks for the info looks like a great approach - however having now investigated further - its suggested that they can co-exist on the same SH as they only run searches once a day and they can be scheduled OOH.
Also when only one SH is available (very small deployment of 25GB p\d) ..
+1 to the once per day. Should be an easy win for most of the SSE searches. And you can even save searches from SSE directly as ES correlation searches from the app! 🙂
With that small of a deployment, you should be ok. But just be aware of the searches and resource utilization..