NET+ Splunk Community User Group
We will start at 5 min. after the hour to allow others time to join
Agenda
• Introductions
• Emily Harris and Jerome Bailie from Vassar College to talk about their experience using the Splunk Remote Work Dashboard monitoring Zoom
Future NET+ Splunk User Group calls
• Monthly call on the 2nd Thursday of each month at 2 pm ET / 1 pm CT / 12 pm MT / 11 am PT
• Registration for future calls (for the calendar invite and call-in details) can be found at:
  – https://internet2.zoom.us/webinar/register/3015669127723/WN_aNbzAxBgQOOjNzZLX4VvEQ
• Recordings posted to:
  – https://spaces.at.internet2.edu/pages/viewpage.action?pageId=154764174
Splunk Remote Work Insights DB
Emily Harris, Information Security Officer
Jerry Bailie, Information Security Systems Administrator
Defining the Problem
Hello from New York!
● Everyone is remote
  ○ 2000+ students
  ○ 800+ employees
  ○ 500 licenses to unlimited
● Zoom is scary
  ○ Media is relentless
  ○ Everyone is a security expert!
  ○ No Zoom App in Splunkbase
Solving the Problem
● Splunkbase - search for Zoom App or Add-On
● A call for help
  ○ REN-ISAC
  ○ CLAC InfoSec
  ○ Security Slack
● Turn towards Zoom - API
  ○ Worked!
  ○ Okay not really
  ○ Use integration tool?
  ○ Too much work
● Friends to the rescue!
Splunk’s Announcement
https://www.splunk.com/en_us/blog/leadership/introducing-splunk-remote-work-insights-our-solution-for-the-new-work-from-home-reality.html
What comes next?
● Pressure Zoom
  ○ Admin console has more data (IP, datacenter)
● Video Conferencing
  ○ Google Meet
● Communications
  ○ Cisco Jabber
  ○ Google Hangouts
● Authentication
  ○ Duo Stats
  ○ OS / Browser Revisions
  ○ On vs. Off-campus
Thank you!
emharris@vassar.edu
Splunk RWI Dashboard Install (Remote Work Insights)
VC: Splunk arch
Splunk RWI: Dashboard Apps & Installation
○ ‘Official’ Splunk github repository
○ Instructions:
  ■ https://github.com/splunk/rwi_executive_dashboard/blob/master/RUNBOOK.md#remote-work-insights--executive-dashboard
  ■ Web search: splunk rwi OR github rwi
○ Apps that are covered (Vassar substitute in parentheses):
  ○ Palo Alto VPN (Cisco ASA)
  ○ Okta (OneLogin)
  ○ Zoom
Grab git repo
https://github.com/splunk/rwi_executive_dashboard
Cisco ASA VPN config (on search head)
Ex of VPN dashboard panel mod (source on left, mod on right):

Source (Palo Alto, pan_firewall data model):
| tstats summariesonly=f values(log.src_ip) as log.src_ip values(log.description) as log.description
    FROM datamodel="pan_firewall"
    WHERE nodename="log.system.globalprotect" log.event_id="globalprotectportal-auth-succ" OR log.event_id="globalprotectportal-auth-fail"
    groupby _time log.event_id log.user span=1s
| rename log.* as *
| replace "globalprotectportal-auth-fail" with "failure" in event_id
| replace "globalprotectportal-auth-succ" with "success" in event_id
| rex field=description "(?<failure_reason>(?<=Reason:\s)([^,]+))"
</snip>

Mod (Cisco ASA):
| search index=ciscosecuritysuite eventtype="cisco_vpn_start" src_ip="*" user="*"
| table src_ip user
</snip>

Note: the mod keeps only the src_ip and user fields the panel displays; the success/failure split and the failure_reason extraction in the Palo Alto source are not carried over, so the ASA panel reflects successful VPN session starts only.
OneLogin Authorization config
Ex of authorization dashboard panel mod (source on left, mod on right):

Source (Okta):
`rw_auth_indexes` sourcetype="OktaIM2:log" TERM(SUCCESS) TERM(outcome) TERM(result) "outcome.result"=SUCCESS TERM(client)
    (TERM(device) client.device=*)
    OR (TERM(userAgent) TERM(browser) client.userAgent.browser=*)
    OR (TERM(userAgent) TERM(os) client.userAgent.os=*)
    OR (TERM(geographicalContext) client.geographicalContext.city=* client.geographicalContext.state=* client.geographicalContext.country=*)
</snip>

Mod (OneLogin):
| search index=onelogin sourcetype="onelogin:event" ipaddr != null
| dedup id
| iplocation ipaddr
| stats dc(actor_user_name) by City

Note: the Okta source is restricted to "outcome.result"=SUCCESS; the OneLogin mod has no equivalent outcome filter, so it counts distinct users per city across every OneLogin event that carries an ipaddr.
Zoom config: Installation (on Indexer)
● Create index = “zoom”
● Install JWT Webhook in /etc/apps
  ○ git clone https://github.com/splunk/jwt_webhook.git
● Add data input in JWT Webhook
  ○ Configure https input port (4443 default)
● Open Firewall! (Zoom webhook source addresses)
  ○ 3.211.241.114, 3.211.241.115, 3.211.241.116, 3.211.241.119, 3.235.69.90, 3.235.69.91, 3.235.69.92, 3.235.69.93, 3.235.96.106, 3.235.96.107, 3.235.96.108, 3.235.96.109
● Zoom admin account: create webhook → splunk
More Zoom: Data input configuration
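The Zoom install above opens an HTTPS listener on the indexer to the internet and relies on two controls to keep it safe: the firewall allow-list of Zoom source addresses and the JWT check performed by the webhook app. The example below is added here to show both checks in working form; it is not code from the Vassar deck, from the splunk/jwt_webhook app, or from Zoom. It assumes (not stated on the page) that the webhook carries an HS256 bearer JWT in the Authorization header signed with a shared secret and carrying an exp claim, and it shapes the accepted payload as a Splunk HEC-style event for the zoom index. The secret, the sourcetype name and the sample webhook body are constructed for the example.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Zoom webhook source addresses from the "Open Firewall!" slide above.
ZOOM_WEBHOOK_IPS = frozenset(ipaddress.ip_address(a) for a in [
    "3.211.241.114", "3.211.241.115", "3.211.241.116", "3.211.241.119",
    "3.235.69.90", "3.235.69.91", "3.235.69.92", "3.235.69.93",
    "3.235.96.106", "3.235.96.107", "3.235.96.108", "3.235.96.109",
])

# Constructed sample values: the shared secret and the webhook body are
# invented for this example; they are not Vassar's or Zoom's values.
SECRET = "example-shared-secret"
SAMPLE_BODY = json.dumps({
    "event": "meeting.started",
    "event_ts": 1588000000000,
    "payload": {"object": {"id": "123456789", "topic": "Staff meeting"}},
})


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims, secret):
    """Mint an HS256 JWT; used here only to build a test request."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token, secret, now):
    """Return the claims if the token is HS256-signed with `secret` and unexpired, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except (ValueError, TypeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: a token that says alg=none (or any other alg) is
    # rejected outright; only our shared-secret HS256 is accepted.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp < now:
        return None
    return claims


def handle_webhook(peer_ip, headers, body, secret, now=None):
    """Check one inbound request; return (http_status, detail_or_splunk_event)."""
    now = time.time() if now is None else now
    # 1. Network control: the peer must be one of Zoom's webhook sources.
    try:
        if ipaddress.ip_address(peer_ip) not in ZOOM_WEBHOOK_IPS:
            return 403, "source IP not in the Zoom allow-list"
    except ValueError:
        return 403, "unparseable source IP"
    # 2. Application control: the bearer JWT must verify under the shared secret.
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else auth
    if verify_jwt(token, secret, now) is None:
        return 401, "missing, tampered or expired JWT"
    # 3. Only then parse the body and shape it for index=zoom (created on the slide).
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "body is not JSON"
    if not isinstance(event, dict):
        return 400, "body is not a JSON object"
    ts_ms = event.get("event_ts")   # Zoom-style millisecond timestamp, if present
    record = {
        "index": "zoom",
        "sourcetype": "zoom:webhook",   # assumed name, not from the page
        "time": ts_ms / 1000 if isinstance(ts_ms, (int, float)) else now,
        "event": event,
    }
    return 200, record


if __name__ == "__main__":
    tok = make_jwt({"iss": "zoom", "exp": 1588000300}, SECRET)
    hdrs = {"Authorization": "Bearer " + tok}
    print(handle_webhook("3.211.241.114", hdrs, SAMPLE_BODY, SECRET, now=1588000100))  # accepted
    print(handle_webhook("198.51.100.7", hdrs, SAMPLE_BODY, SECRET, now=1588000100))   # wrong source IP
    print(handle_webhook("3.211.241.114", hdrs, SAMPLE_BODY, SECRET, now=1588000400))  # expired token
```

The order matters: the cheap source-IP check runs before any token parsing, the token is verified before the body is parsed, and the algorithm is pinned rather than read from the token, so an attacker who reaches the listener from outside Zoom's ranges, or who presents an unsigned or expired token, never gets a JSON document into the zoom index.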
Thank you!
Jerry Bailie
jebailie@vassar.edu
Future NET+ Splunk User Group calls continued
• Future calls will have NET+ Splunk campus submitted questions
• Future topics could include, based on community interest:
  – Research engagement
  – ML/AI toolkit
  – Higher Ed Splunk Apps - Shib, Canvas, Duo, others
Closing and Thank you!
• Thank you to Emily Harris and Jerome Bailie from Vassar College!
• Monthly call on the 2nd Thursday of each month at 2 pm ET / 1 pm CT / 12 pm MT / 11 am PT
  – next call on May 14th
• Recordings posted to:
  – https://spaces.at.internet2.edu/pages/viewpage.action?pageId=154764174
• Submit your questions for the next call!
• If you have any questions, please contact the advisory board at splunkadvisory@internet2.edu or Nick Lewis (nlewis@internet2.edu)