NET+ Splunk Community User Group

We will start at 5 min. after the hour to allow others time to join.

Agenda
• Introductions
• Emily Harris and Jerome Bailie from Vassar College to talk about their experience using the Splunk Remote Work Dashboard monitoring Zoom

Future NET+ Splunk User Group calls
• Monthly call on the 2nd Thursday of each month at 2 pm ET / 1 pm CT / 12 pm MT / 11 am PT
• Registration for future calls (for the calendar invite and call-in details) can be found at:
  – https://internet2.zoom.us/webinar/register/3015669127723/WN_aNbzAxBgQOOjNzZLX4VvEQ
• Recordings posted to:
  – https://spaces.at.internet2.edu/pages/viewpage.action?pageId=154764174

Splunk Remote Work Insights DB
Emily Harris, Information Security Officer
Jerry Bailie, Information Security Systems Administrator

Defining the Problem
● Hello from New York!
● Everyone is remote
  ○ 2000+ students
  ○ 800+ employees
  ○ 500 licenses to unlimited
● Zoom is scary
  ○ Media is relentless
  ○ Everyone is a security expert!
  ○ No Zoom App in Splunkbase

Solving the Problem
● Splunkbase - search for Zoom App or Add-On
● A call for help
  ○ REN-ISAC
  ○ CLAC InfoSec
  ○ Security Slack
● Turn towards Zoom - API
  ○ Worked!
  ○ Okay not really
  ○ Use integration tool?
  ○ Too much work
● Friends to the rescue!

Splunk's Announcement
https://www.splunk.com/en_us/blog/leadership/introducing-splunk-remote-work-insights-our-solution-for-the-new-work-from-homereality.html

What comes next?
● Pressure Zoom
  ○ Admin console has more data (IP, datacenter)
● Video Conferencing
  ○ Google Meet
● Communications
  ○ Cisco Jabber
  ○ Google Hangouts
● Authentication
  ○ Duo Stats
  ○ OS / Browser Revisions
  ○ On vs. Off-campus

Thank you! emharris@vassar.edu

Splunk RWI Dashboard Install (Remote Work Insights)

VC: Splunk arch (architecture slide)

Splunk RWI: Dashboard Apps & Installation
○ 'Official' Splunk github repository
○ Instructions:
  ■ https://github.com/splunk/rwi_executive_dashboard/blob/master/RUNBOOK.md#remote-work-insights--executive-dashboard
  ■ Web search: splunk rwi OR github rwi
○ Apps that are covered (Vassar's substitute in parentheses):
  ○ Palo Alto VPN (Cisco ASA)
  ○ Okta (OneLogin)
  ○ Zoom

Grab git repo: https://github.com/splunk/rwi_executive_dashboard

Cisco ASA VPN config (on search head)

Example of a VPN dashboard panel mod (source on left, mod on right):

Source (Palo Alto GlobalProtect panel as shipped):
| tstats summariesonly=f values(log.src_ip) as log.src_ip values(log.description) as log.description
    FROM datamodel="pan_firewall"
    WHERE nodename="log.system.globalprotect" log.event_id="globalprotectportal-auth-succ" OR log.event_id="globalprotectportal-auth-fail"
    groupby _time log.event_id log.user span=1s
| rename log.* as *
| replace "globalprotectportal-auth-fail" with "failure" in event_id
| replace "globalprotectportal-auth-succ" with "success" in event_id
| rex field=description "(?<failure_reason>(?<=Reason:\s)([^,]+))"
</snip>

Mod (Cisco ASA):
| search index=ciscosecuritysuite eventtype="cisco_vpn_start" src_ip="*" user="*"
| table src_ip user
</snip>

OneLogin Authorization config

Example of an authorization dashboard panel mod (source on left, mod on right):

Source (Okta panel as shipped):
`rw_auth_indexes` sourcetype="OktaIM2:log" TERM(SUCCESS) TERM(outcome) TERM(result) "outcome.result"=SUCCESS TERM(client)
    (TERM(device) client.device=*)
    OR (TERM(userAgent) TERM(browser) client.userAgent.browser=*)
    OR (TERM(userAgent) TERM(os) client.userAgent.os=*)
    OR (TERM(geographicalContext) client.geographicalContext.city=* client.geographicalContext.state=* client.geographicalContext.country=*)
</snip>

Mod (OneLogin):
| search index=onelogin sourcetype="onelogin:event" ipaddr != null
| dedup id
| iplocation ipaddr
| stats dc(actor_user_name) by City

Zoom config: Installation (on Indexer)
● Create index = "zoom"
● Install JWT Webhook in /etc/apps
  ○ git clone https://github.com/splunk/jwt_webhook.git
● Add data input in JWT Webhook
  ○ Configure https input port (4443 default)
● Open Firewall!
  ○ 3.211.241.114, 3.211.241.115, 3.211.241.116, 3.211.241.119, 3.235.69.90, 3.235.69.91, 3.235.69.92, 3.235.69.93, 3.235.96.106, 3.235.96.107, 3.235.96.108, 3.235.96.109
● Zoom admin account: create webhook → splunk
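Added example (not from the slides and not code from the splunk/jwt_webhook app): a minimal receiver-side gate for the Zoom webhook input described above. It admits a POST only if the source address is on the slide's Zoom allowlist and the Authorization header carries an HS256 bearer JWT that verifies against a shared secret; the bearer-token format, the shared-secret scheme and the sample payload are assumptions, since the slides do not describe how the jwt_webhook app validates requests.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Zoom webhook source addresses from the slide: the firewall in front of the
# HTTPS input (port 4443 by default) should admit only these.
ZOOM_WEBHOOK_IPS = {
    "3.211.241.114", "3.211.241.115", "3.211.241.116", "3.211.241.119",
    "3.235.69.90", "3.235.69.91", "3.235.69.92", "3.235.69.93",
    "3.235.96.106", "3.235.96.107", "3.235.96.108", "3.235.96.109",
}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    # Mint a token the way the sending side would (assumed scheme; used for test input).
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

def verify_hs256_jwt(token: str, secret: bytes) -> Optional[dict]:
    # Return the claims only for a well-formed HS256 token whose MAC verifies.
    try:
        h, p, sig = token.split(".")
        header, sig_bytes = json.loads(_b64url_decode(h)), _b64url_decode(sig)
    except (ValueError, json.JSONDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # reject "none" and alg-swap tokens before touching the MAC
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None
    return json.loads(_b64url_decode(p))

def accept_webhook(src_ip: str, auth_header: str, body: str, secret: bytes) -> Optional[dict]:
    # Gate one inbound POST: Zoom source IP, valid bearer JWT, JSON body with an
    # "event" field. Returns the event to forward to the "zoom" index, else None.
    if src_ip not in ZOOM_WEBHOOK_IPS or not auth_header.startswith("Bearer "):
        return None
    if verify_hs256_jwt(auth_header[len("Bearer "):], secret) is None:
        return None
    try:
        event = json.loads(body)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) and "event" in event else None
```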

More Zoom... Data input configuration (screenshot slide)

Thank you! Jerry Bailie jebailie@vassar.edu

Future NET+ Splunk User Group calls continued
• Future calls will have NET+ Splunk campus submitted questions
• Future topics could include, based on community interest:
  – Research engagement
  – ML/AI toolkit
  – Higher Ed Splunk Apps - Shib, Canvas, Duo, others

Closing and Thank you!
• Thank you to Emily Harris and Jerome Bailie from Vassar College!
• Monthly call on the 2nd Thursday of each month at 2 pm ET / 1 pm CT / 12 pm MT / 11 am PT – next call on May 14th
• Recordings posted to: https://spaces.at.internet2.edu/pages/viewpage.action?pageId=154764174
• Submit your questions for the next call!
• If you have any questions, please contact the advisory board at splunkadvisory@internet2.edu or Nick Lewis (nlewis@internet2.edu)