Splunk Enterprise Security

Possibility of Multitenancy with ES

PickleRick
SplunkTrust

I'm wondering about possibilities to set up separate ES instances for different teams.

Due to some mergers and acquisitions one of our customers is beginning to be in a position where a single ES covering the whole enterprise is not a good model.

I already found that ES on its own does not support multitenancy and I would need a separate instance for each team/suborganization/whatever. But I don't think it's that easy.

Of course we can set up a separate SH cluster for each team and install separate ES instances, but if they operated on the same indexer cluster they would share the notable index and all datamodels. If we wanted, we could define separate datamodels for them to use, but then we would have to edit all the security content that by default uses CIM, right?

Any other possibilities?

Split notable index? (Multiple indexers holding "own" version of this index) Seems possible but very very ugly and hard to maintain.


gcusello
SplunkTrust

Hi @PickleRick,

I already implemented a multitenancy ES installation but it was very hard work and required the support of Splunk Professional Services.

You could segregate data using different indexes for each tenant; the problem is that you also have to manually modify all Correlation Searches, all DataModels and all Threat Intelligence components to manage multitenancy, and it isn't very easy work, especially Threat Intelligence.

In conclusion: it's possible but you need the help of an ES expert Splunk Architect and maybe also of Splunk PS, and anyway consider many days to make this job (we worked for around 90 days without taking into consideration the time of the customer people).

Make your considerations on whether it's less expensive to manage two ES infrastructures or one multitenancy.

Ciao.

Giuseppe
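To make the "different indexes for each tenant" approach from the answer above concrete, here is an added configuration sketch (not from the thread, not Splunk's or ES's own content). It assumes hypothetical tenant names `tenant_a`/`tenant_b`, hypothetical index and role names, and that the ES roles `ess_analyst` and `ess_user` exist on the search head. The idea is to (1) land each tenant's data in its own indexes, (2) give each tenant's analysts a role that can only search those indexes, (3) wrap the index list in a macro so every correlation search you clone for that tenant carries the constraint, and (4) stamp a `tenant` field onto the notables that search produces, so a `srchFilter` can keep tenant analysts from seeing each other's notables even though they share the single `notable` index:

```ini
# --- indexes.conf (indexer cluster) ---
# One index family per tenant; hypothetical names.
[tenant_a_main]
homePath   = $SPLUNK_DB/tenant_a_main/db
coldPath   = $SPLUNK_DB/tenant_a_main/colddb
thawedPath = $SPLUNK_DB/tenant_a_main/thaweddb

[tenant_b_main]
homePath   = $SPLUNK_DB/tenant_b_main/db
coldPath   = $SPLUNK_DB/tenant_b_main/colddb
thawedPath = $SPLUNK_DB/tenant_b_main/thaweddb

# --- macros.conf (ES search head) ---
# Every tenant-specific correlation search references this macro
# instead of hard-coding index names.
[tenant_a_indexes]
definition = (index=tenant_a_main OR index=tenant_a_network)

# --- authorize.conf (ES search head) ---
# Tenant A analysts: inherit ES analyst capabilities but are confined
# to tenant A raw data, and to notables stamped tenant=tenant_a.
# srchFilter is applied to every search the role runs, including
# searches against the shared notable index.
[role_tenant_a_analyst]
importRoles        = ess_analyst
srchIndexesAllowed = tenant_a_*;notable
srchIndexesDefault = tenant_a_main
srchFilter         = (index!=notable OR tenant=tenant_a)

# --- savedsearches.conf (ES search head) ---
# A tenant-scoped clone of a CIM-based correlation search. The only
# tenant-specific parts are the macro and the eval that stamps the
# tenant field onto the resulting notable event.
[Tenant A - Excessive Failed Logins - Rule]
enableSched                         = 1
cron_schedule                       = */15 * * * *
dispatch.earliest_time              = -30m
dispatch.latest_time                = now
search = | tstats summariesonly=true count from datamodel=Authentication.Authentication \
            where Authentication.action="failure" `tenant_a_indexes` \
            by Authentication.src, Authentication.user \
          | where count > 20 \
          | eval tenant="tenant_a"
action.correlationsearch.enabled    = 1
action.correlationsearch.label      = Tenant A - Excessive Failed Logins
action.notable                      = 1
action.notable.param.rule_title     = Excessive failed logins for $Authentication.user$ from $Authentication.src$
action.notable.param.security_domain = access
action.notable.param.severity       = medium
```

Two caveats a practitioner should check before relying on this. First, `srchFilter` is a search-time restriction only; anyone with `ess_admin` or edit rights on the role can remove it, so tenant isolation here is administrative rather than cryptographic, which matches the answer's warning that this is hard to maintain. Second, the `tenant` field only exists on notables produced by searches you have edited; the stock ES content, threat-intelligence matching and risk rules still write unstamped notables, which is exactly the "modify all correlation searches" effort the answer describes.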

PickleRick
SplunkTrust

That's exactly what I thought - considering all the TI and security content which is standardized to the CIM datamodels it would be a huge PITA.

Setting up two separate infrastructures does seem tempting, but we still have some need for "oversight", which means that we would probably effectively end up with two separate indexer clusters, two searchhead clusters (each with its own instance of ES)... and one searchhead cluster searching from both indexer clusters. Seems... a bit overcomplicated.

And I didn't even mention UBA yet... *facepalm*.

Anyway, thanks for confirmation of my suspicions.

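The "one searchhead cluster searching from both indexer clusters" layout in the reply above is a supported Splunk topology (a search head can be a member of more than one indexer cluster). As an added illustration that is not part of the thread, here is what the oversight search head's configuration would look like, with hypothetical cluster-manager hostnames, placeholder secrets, and hypothetical tenant index names; the role at the end keeps the oversight function read-only by importing the non-privileged ES role rather than an analyst or admin role:

```ini
# --- server.conf on the oversight search head (Splunk 9.x key names) ---
# Join both tenants' indexer clusters as a search-head member.
[clustering]
mode        = searchhead
manager_uri = clustermanager:tenant_a, clustermanager:tenant_b

[clustermanager:tenant_a]
manager_uri  = https://cm-tenant-a.example.internal:8089
pass4SymmKey = <tenant A cluster secret - placeholder>

[clustermanager:tenant_b]
manager_uri  = https://cm-tenant-b.example.internal:8089
pass4SymmKey = <tenant B cluster secret - placeholder>

# --- authorize.conf on the oversight search head ---
# Oversight analysts may read both tenants' data and both notable
# feeds, but inherit only ess_user (view) capabilities, so they cannot
# edit correlation searches or change notable status in either tenant.
[role_oversight_readonly]
importRoles        = ess_user
srchIndexesAllowed = tenant_a_*;tenant_b_*;notable
srchIndexesDefault = notable
```

On Splunk versions before 9.0 the same stanzas use `master_uri` and `[clustermaster:<name>]`. Note that the oversight head still sees one combined `notable` index from two sources, so a per-tenant `tenant` field on notables (or simply the originating cluster) is what lets an oversight dashboard tell the two ES deployments apart; the reply's point that this doubles the infrastructure (and does nothing for UBA) stands.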