Splunk Enterprise Security

Is there documentation comparing the features of Splunk User Behavior Analytics (Splunk UBA) and Splunk Enterprise Security?

Contributor

Is there a document that simply and concisely compares the features of Splunk User Behavior Analytics (Splunk UBA) and Splunk Enterprise Security? I cannot find anything like that except for lengthy marketing texts on the first or the second solution.

1 Solution

Splunk Employee
Splunk Employee

This can be a much longer conversation, so talking directly with someone at Splunk (I'm one of them) would be a good idea. Here's a concise answer to help you understand the core problem each is solving. UBA is complementary to ES. Think of it as an analysis layer that looks at the data stored in Splunk and finds threats hidden within it. That's the key. It looks for the threats itself, mostly unsupervised. When looking, it does what a skilled human analyst would do - look for instances of unusual behavior, and try to identify longer, well-defined patterns of unusual behavior that strongly suggest a security threat. This is driven by machine learning and relies on the ability to look at very large numbers of events at the same time.

When you're using ES, you're looking for threats as well, but this is done by correlation rules you (or Splunk) writes. A person does it. Think of a pattern, write a query to describe it, let Splunk find it. You have a ton of great tools at your disposal to describe things in SPL, and ES comes with a lot of content out of the box as well. You can't look for everything since you don't have enough time and there aren't enough of you, so you enlist UBA to help you look at things.

ES is more than just that, however. It's the place you run everything from, and where you come back to once you've found something in UBA. You'll always need to write specific rules yourself, so you do that in ES. You enlist UBA to look at the data alongside you, and when it finds something, you tell it to send the findings to ES too, so you can triage them alongside everything else. And the triaging is a big part of it. ES lets you manage the IR workflow as well. Create incidents, assign them to analysts, check them off, send them to other ticketing systems. And, critically, dig down to the raw data as well. When a correlation rule you wrote found something, or UBA did, you want to dig down to the raw data in and examine the actual events to build a full picture. That comes from all the raw data stored in Splunk, and everything you can do with it using SPL and visualizations. UBA, remember, doesn't store the original data. It finds something, remembers all the pieces it used to make its finding, then pushes that to ES so you can really dig into that story using Splunk.

View solution in original post

Splunk Employee
Splunk Employee

This can be a much longer conversation, so talking directly with someone at Splunk (I'm one of them) would be a good idea. Here's a concise answer to help you understand the core problem each is solving. UBA is complementary to ES. Think of it as an analysis layer that looks at the data stored in Splunk and finds threats hidden within it. That's the key. It looks for the threats itself, mostly unsupervised. When looking, it does what a skilled human analyst would do - look for instances of unusual behavior, and try to identify longer, well-defined patterns of unusual behavior that strongly suggest a security threat. This is driven by machine learning and relies on the ability to look at very large numbers of events at the same time.

When you're using ES, you're looking for threats as well, but this is done by correlation rules you (or Splunk) writes. A person does it. Think of a pattern, write a query to describe it, let Splunk find it. You have a ton of great tools at your disposal to describe things in SPL, and ES comes with a lot of content out of the box as well. You can't look for everything since you don't have enough time and there aren't enough of you, so you enlist UBA to help you look at things.

ES is more than just that, however. It's the place you run everything from, and where you come back to once you've found something in UBA. You'll always need to write specific rules yourself, so you do that in ES. You enlist UBA to look at the data alongside you, and when it finds something, you tell it to send the findings to ES too, so you can triage them alongside everything else. And the triaging is a big part of it. ES lets you manage the IR workflow as well. Create incidents, assign them to analysts, check them off, send them to other ticketing systems. And, critically, dig down to the raw data as well. When a correlation rule you wrote found something, or UBA did, you want to dig down to the raw data in and examine the actual events to build a full picture. That comes from all the raw data stored in Splunk, and everything you can do with it using SPL and visualizations. UBA, remember, doesn't store the original data. It finds something, remembers all the pieces it used to make its finding, then pushes that to ES so you can really dig into that story using Splunk.

View solution in original post

Splunk Employee
Splunk Employee

The short answer is no, I don't think there is a document like that.

UBA is specifically for anomaly detection based on identifying usage patterns in your data, and Enterprise Security is a broader solution that addresses a variety of security-related threats and lets you correlate among them. UBA is centered more on user/identity threats and exploring the state of user and device security, whereas ES covers more security domains and has capabilities for incident response.

You could contact ubainfo@splunk.com to have a conversation that would focus on your specific questions.