You are correct that correlation searches utilize the same saved searches that core Splunk does. If you were simply populating dashboards with the results, then correlation searches would not offer a great deal of benefit over simple saved searches.
Within the Enterprise Security product, when a correlation search triggers, the result is a "notable event", which can be tracked and managed via workflow, by a security operations team. So, there are the interactive components, useful to a security operations team, that ES offers. Notes can be added to the notable events, ownership can be assigned, as well as status.
Of course, this makes no mention of the other features of Enterprise Security, such as integration of threat lists and integration of an environment's assets and identities information.