Hello,
I'm just having a bit of difficulty differentiating between Splunk Enterprise, ITSI, SOAR, UBA, and Enterprise Security. It seems like they all do similar things. Do they all work together? or would it be redundant to have all of these at the same time?
It's a lot to digest and those are just a few of the products Splunk offers!
Splunk Enterprise is the core product most of us use when we use "Splunk". It's the tool that indexes your machine data and helps you search it and draw value from it.
ITSI (IT Service Intelligence) is an app that plugs into Splunk Enterprise. It helps companies monitor the services they offer and know when problems are about to occur. Since it's a plug-in, you must first have Splunk Enterprise before you can install and run ITSI.
Splunk Enterprise Security (ES) is like ITSI in that it's an add-on to Splunk Enterprise. This add-on is intended for a company's SOC (Security Operations Center) team and is often billed as a SIEM (Security Information and Event Management) tool. It identifies security incidents as they happen so the SOC and take action to correct them. ES includes features that allow SOC members to track the incidents they investigate and record their findings. Because it's an add-on like ITSI, ES works very closely with Splunk Enterprise.
SOAR (Security Orchestration, Automation and Response; originally called Phantom) is an independent product. SOAR allows a company to respond to events. For example, if ES detects an authorized access, SOAR might be configured to tell the network to block that access. Since SOAR is a separate product it does not require Splunk Enterprise, but the two can work together.
UBA (User Behavior Analytics) is another independent product. It monitors activity on a network and alerts when it notices "unusual" activity. An activity is considered "unusual" if it breaks the pattern UBA has noticed in the past (using machine learning). It, too, can work with Splunk Enterprise, but does not require it.
It's a lot to digest and those are just a few of the products Splunk offers!
Splunk Enterprise is the core product most of us use when we use "Splunk". It's the tool that indexes your machine data and helps you search it and draw value from it.
ITSI (IT Service Intelligence) is an app that plugs into Splunk Enterprise. It helps companies monitor the services they offer and know when problems are about to occur. Since it's a plug-in, you must first have Splunk Enterprise before you can install and run ITSI.
Splunk Enterprise Security (ES) is like ITSI in that it's an add-on to Splunk Enterprise. This add-on is intended for a company's SOC (Security Operations Center) team and is often billed as a SIEM (Security Information and Event Management) tool. It identifies security incidents as they happen so the SOC and take action to correct them. ES includes features that allow SOC members to track the incidents they investigate and record their findings. Because it's an add-on like ITSI, ES works very closely with Splunk Enterprise.
SOAR (Security Orchestration, Automation and Response; originally called Phantom) is an independent product. SOAR allows a company to respond to events. For example, if ES detects an authorized access, SOAR might be configured to tell the network to block that access. Since SOAR is a separate product it does not require Splunk Enterprise, but the two can work together.
UBA (User Behavior Analytics) is another independent product. It monitors activity on a network and alerts when it notices "unusual" activity. An activity is considered "unusual" if it breaks the pattern UBA has noticed in the past (using machine learning). It, too, can work with Splunk Enterprise, but does not require it.