Splunk Enterprise

What is the difference? (between Splunk Enterprise, ITSI, SOAR, UBA, and Enterprise Security)

thos13
Explorer

Hello, 

I'm just having a bit of difficulty differentiating between Splunk Enterprise, ITSI, SOAR, UBA, and Enterprise Security. It seems like they all do similar things.  Do they all work together? or would it be redundant to have all of these at the same time?

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

It's a lot to digest and those are just a few of the products Splunk offers!

Splunk Enterprise is the core product most of us use when we use "Splunk".  It's the tool that indexes your machine data and helps you search it and draw value from it.

ITSI (IT Service Intelligence) is an app that plugs into Splunk Enterprise.  It helps companies monitor the services they offer and know when problems are about to occur.  Since it's a plug-in, you must first have Splunk Enterprise before you can install and run ITSI.

Splunk Enterprise Security (ES) is like ITSI in that it's an add-on to Splunk Enterprise.  This add-on is intended for a company's SOC (Security Operations Center) team and is often billed as a SIEM (Security Information and Event Management) tool.  It identifies security incidents as they happen so the SOC and take action to correct them.  ES includes features that allow SOC members to track the incidents they investigate and record their findings.  Because it's an add-on like ITSI, ES works very closely with Splunk Enterprise.

SOAR (Security Orchestration, Automation and Response; originally called Phantom) is an independent product.  SOAR allows a company to respond to events.  For example, if ES detects an authorized access, SOAR might be configured to tell the network to block that access.  Since SOAR is a separate product it does not require Splunk Enterprise, but the two can work together.

UBA (User Behavior Analytics) is another independent product.  It monitors activity on a network and alerts when it notices "unusual" activity.  An activity is considered "unusual" if it breaks the pattern UBA has noticed in the past (using machine learning).  It, too, can work with Splunk Enterprise, but does not require it.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

It's a lot to digest and those are just a few of the products Splunk offers!

Splunk Enterprise is the core product most of us use when we use "Splunk".  It's the tool that indexes your machine data and helps you search it and draw value from it.

ITSI (IT Service Intelligence) is an app that plugs into Splunk Enterprise.  It helps companies monitor the services they offer and know when problems are about to occur.  Since it's a plug-in, you must first have Splunk Enterprise before you can install and run ITSI.

Splunk Enterprise Security (ES) is like ITSI in that it's an add-on to Splunk Enterprise.  This add-on is intended for a company's SOC (Security Operations Center) team and is often billed as a SIEM (Security Information and Event Management) tool.  It identifies security incidents as they happen so the SOC and take action to correct them.  ES includes features that allow SOC members to track the incidents they investigate and record their findings.  Because it's an add-on like ITSI, ES works very closely with Splunk Enterprise.

SOAR (Security Orchestration, Automation and Response; originally called Phantom) is an independent product.  SOAR allows a company to respond to events.  For example, if ES detects an authorized access, SOAR might be configured to tell the network to block that access.  Since SOAR is a separate product it does not require Splunk Enterprise, but the two can work together.

UBA (User Behavior Analytics) is another independent product.  It monitors activity on a network and alerts when it notices "unusual" activity.  An activity is considered "unusual" if it breaks the pattern UBA has noticed in the past (using machine learning).  It, too, can work with Splunk Enterprise, but does not require it.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...