This can be a much longer conversation, so talking directly with someone at Splunk (I'm one of them) would be a good idea. Here's a concise answer to help you understand the core problem each is solving. UBA is complementary to ES. Think of it as an analysis layer that looks at the data stored in Splunk and finds threats hidden within it. That's the key. It looks for the threats itself, mostly unsupervised. When looking, it does what a skilled human analyst would do - look for instances of unusual behavior, and try to identify longer, well-defined patterns of unusual behavior that strongly suggest a security threat. This is driven by machine learning and relies on the ability to look at very large numbers of events at the same time.
When you're using ES, you're looking for threats as well, but this is done by correlation rules you (or Splunk) write. A person does it. Think of a pattern, write a query to describe it, let Splunk find it. You have a ton of great tools at your disposal to describe things in SPL, and ES comes with a lot of content out of the box as well. You can't look for everything since you don't have enough time and there aren't enough of you, so you enlist UBA to help you look at things.
ES is more than just that, however. It's the place you run everything from, and where you come back to once you've found something in UBA. You'll always need to write specific rules yourself, so you do that in ES. You enlist UBA to look at the data alongside you, and when it finds something, you tell it to send the findings to ES too, so you can triage them alongside everything else. And the triaging is a big part of it. ES lets you manage the IR workflow as well. Create incidents, assign them to analysts, check them off, send them to other ticketing systems. And, critically, dig down to the raw data as well. When a correlation rule you wrote found something, or UBA did, you want to dig down into the raw data and examine the actual events to build a full picture. That comes from all the raw data stored in Splunk, and everything you can do with it using SPL and visualizations. UBA, remember, doesn't store the original data. It finds something, remembers all the pieces it used to make its finding, then pushes that to ES so you can really dig into that story using Splunk.
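The distinction drawn in the answer above, as an added illustration that is not Splunk's code and not from the original post: an analyst-written correlation rule (the ES side) beside an unsupervised per-user baseline check (the UBA side), both run over a small set of constructed, hypothetical auth and download events. Each finding carries the ids of the events that produced it, mirroring the "remembers all the pieces it used" point.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (hypothetical), in time order.
EVENTS = [
    {"id": 1, "user": "alice", "action": "login_failure"},
    {"id": 2, "user": "alice", "action": "login_failure"},
    {"id": 3, "user": "alice", "action": "login_failure"},
    {"id": 4, "user": "alice", "action": "login_success"},
    {"id": 5, "user": "bob", "action": "download", "bytes": 1_000},
    {"id": 6, "user": "bob", "action": "download", "bytes": 1_200},
    {"id": 7, "user": "bob", "action": "download", "bytes": 900},
    {"id": 8, "user": "bob", "action": "download", "bytes": 1_100},
    {"id": 9, "user": "bob", "action": "download", "bytes": 50_000},
]

def correlation_rule(events, max_failures=3):
    """ES-style rule a person wrote: N or more consecutive login failures
    followed by a success for the same user. Returns findings with event ids."""
    streaks, findings = defaultdict(list), []
    for ev in events:
        if ev["action"] == "login_failure":
            streaks[ev["user"]].append(ev["id"])
        elif ev["action"] == "login_success":
            ids = streaks.pop(ev["user"], [])
            if len(ids) >= max_failures:
                findings.append({"user": ev["user"], "rule": "failures_then_success",
                                 "event_ids": ids + [ev["id"]]})
    return findings

def baseline_anomalies(events, z=3.0):
    """UBA-style check: no pattern is specified; each user's download volume is
    compared against a baseline learned from that user's own earlier events."""
    history, findings = defaultdict(list), []
    for ev in events:
        if ev["action"] != "download":
            continue
        past = history[ev["user"]]
        if len(past) >= 3:  # need some history before judging deviation
            mu, sd = mean(past), pstdev(past)
            if sd > 0 and (ev["bytes"] - mu) / sd > z:
                findings.append({"user": ev["user"], "anomaly": "download_volume",
                                 "event_ids": [ev["id"]], "baseline_mean": mu})
        past.append(ev["bytes"])
    return findings
```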