SOLUTION GUIDE
Real-time Analysis of Remote Work Operational and Security Data in the Cloud
Remote Work Insights
Empowering the Remote Workforce

As more organizations empower their employees to work from home, remote systems are becoming increasingly mission critical. Optimizing performance and mitigating security risks are more critical than ever before.

Splunk offers a free program, Remote Work Insights, for existing and new customers looking to monitor and secure their remote workforce. This program delivers the foundation to deploy and deliver meaningful insights in a rapid, scalable way across the entire organization. With Remote Work Insights, customers that participate receive a free Splunk Cloud (1) instance for a defined period (usually 90 days). Together with Splunk, you will onboard your data and implement best practices on select use cases. Additionally, Splunk will enable you to monitor key performance indicators, identify emerging issues and perform deep root cause analysis across a representative subset of your full environment — all from a single platform.

Remote Work Insights is a program that:
• Understands and quantifies your business challenges
• Identifies key use cases relevant to your business
• Curates Splunkbase apps and add-ons needed to satisfy the selected use cases

Use Cases Supported With Remote Work Insights

Remote Access VPN Monitoring
With an increasing number of remote workers, organizations are experiencing increasing performance demands. Remote access VPN monitoring enables users to better monitor, secure and troubleshoot their work environments with insights ranging from performance issues to application usage.

Sample dashboard showing real-time visibility into VPN activity.

1. For more information on Splunk Cloud generally, see this webpage.
Remote Access: Collaboration Monitoring With Microsoft 365
As employees shift to working from home, companies are experiencing increased load and even outages across their remote access and collaboration tools. With the growing reliance on communication and collaboration solutions like Microsoft 365, the dreaded outage is more painful than ever. Companies that want to maintain employee productivity and consistent service delivery against committed SLAs must be able to monitor service performance, investigate incidents and correlate that data to cloud service data. Remote Work Insights makes this easy with Microsoft 365 collaboration monitoring.
Sample dashboard showing real-time visibility into Microsoft 365 activity.

Video Conferencing
Use of video conferencing solutions has increased dramatically with the shift to remote work, potentially adding strain to already busy IT operations teams. As a result, IT teams increasingly have to troubleshoot issues related to third-party video conferencing solutions. Remote Work Insights provides visibility into issues impacting audio and video performance and quality for Zoom meetings, webinars and Rooms.

Sample dashboard showing real-time visibility into Zoom video conferencing activity.

Authentication
Similar to Remote Access VPN Monitoring, viewing authentication data can provide visibility into key IT operations issues such as concurrent connections or user counts, active users in the system, bandwidth utilization, and service problems reflected in failed or dropped logins and sessions. Remote Work Insights' supported authentication services include Okta, Duo, SailPoint, and Windows.

Sample dashboard showing real-time visibility into authentication activity.
Splunk created a list of key operations and security use cases that can be demonstrated during the engagement. Please
check off the areas of specific interest to you and your organization. Organizations may select more than one use case
but no more than three use cases to begin. You’ll work with your account team to determine the best path forward.
Use Case #1: Remote Access VPN Monitoring

Target Devices: VPN gateways or clients

Data Sources (choose up to 2):
• Cisco AnyConnect
• Palo Alto Networks GlobalProtect
• Fortinet FortiClient
• Check Point SecuRemote, SecureClient, Endpoint Security, SSL VPN
• Zscaler ZPA, ZIA

Technical Success Criteria:
• How many people are connected to the VPN? Over time? Total user count?
• Origin: where are people connecting from?
• Errors
• Concurrent users at any given time
• Device types connected to the VPN
• Who can't connect to the VPN? (i.e. failed attempts or no attempt)
• Are connections dropped?
• What applications are being accessed?
Use Case #2: Remote Access VPN Security Posture

Target Devices: VPN gateways or clients

Data Sources (choose up to 2):
• Cisco AnyConnect
• Palo Alto Networks GlobalProtect
• Fortinet FortiClient
• Check Point SecuRemote, SecureClient, Endpoint Security, SSL VPN
• Zscaler ZPA, ZIA

Security Detection and Response Use Cases:
• Successful Logins from Rare/Unexpected Countries
• Geographically Improbable Access
• Password Spraying
• Multiple Simultaneous Logins
• VPN Connection from Unsupported Device
• Authentication from TOR or Suspicious Domain
• SMB/UPnP/Bonjour Devices Visible/Available on VPN Subnet
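The three detections below (password spraying, geographically improbable access and multiple simultaneous logins) are the kind of logic the VPN security posture searches implement. The Python that follows is an added example written for this guide, not Splunk's code or the Remote Work Insights content; it runs over constructed VPN authentication records, and the record layout (timestamp, user, source IP, country and coordinates, result) is an assumption standing in for what a GeoIP lookup on the VPN log's source address would supply.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed VPN authentication records (not real logs). The geo fields stand in
# for a GeoIP lookup on src_ip: (timestamp, user, src_ip, country, lat, lon, result)
RAW_EVENTS = [
    ("2020-04-01T08:00:00", "alice", "203.0.113.10", "US", 40.71, -74.01, "success"),
    ("2020-04-01T08:40:00", "alice", "198.51.100.7", "SG", 1.35, 103.82, "success"),
    ("2020-04-01T09:00:00", "bob", "203.0.113.11", "US", 37.77, -122.42, "success"),
    ("2020-04-01T09:05:00", "bob", "203.0.113.12", "US", 37.78, -122.41, "success"),
    ("2020-04-01T10:00:00", "carol", "203.0.113.20", "DE", 52.52, 13.41, "success"),
    ("2020-04-01T10:01:00", "carol", "203.0.113.20", "DE", 52.52, 13.41, "failure"),
] + [
    # one source, one failed attempt against each of twelve accounts in twelve seconds
    (f"2020-04-01T11:00:{i:02d}", f"user{i:02d}", "192.0.2.66", "NL", 52.37, 4.90, "failure")
    for i in range(12)
]


def parse(raw):
    ts, user, ip, country, lat, lon, result = raw
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "country": country, "lat": lat, "lon": lon, "result": result}


EVENTS = [parse(r) for r in RAW_EVENTS]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def password_spray(events, window=timedelta(minutes=10), min_users=10):
    """One source IP failing against at least min_users distinct accounts inside
    a sliding window. Returns {src_ip: sorted list of every account it tried}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_users:
                hits[ip] = sorted({e["user"] for e in evs})
                break
    return hits


def improbable_travel(events, max_kmh=900.0):
    """Consecutive successful logins by one user whose implied speed exceeds
    max_kmh (roughly airliner speed). Returns [(user, from_cc, to_cc, kmh)]."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                hits.append((user, prev["country"], cur["country"], round(speed)))
    return hits


def simultaneous_logins(events, window=timedelta(minutes=10)):
    """One user with successful logins from two different source IPs inside
    the window. Returns [(user, first_ip, second_ip)]."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] != cur["ip"] and cur["ts"] - prev["ts"] <= window:
                hits.append((user, prev["ip"], cur["ip"]))
    return hits


if __name__ == "__main__":
    print("password spray:", password_spray(EVENTS))
    print("improbable travel:", improbable_travel(EVENTS))
    print("simultaneous logins:", simultaneous_logins(EVENTS))
```

The spray check keys on distinct target accounts rather than raw failure counts, so a single user mistyping a password twelve times is not flagged while one source touching twelve accounts once each is. The travel check uses consecutive successes only; if the VPN log carries session start and end times, the simultaneous-login check can be tightened to overlapping sessions instead of a fixed window.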
Use Case #3: Remote Access: Collaboration Monitoring with Microsoft 365

The Microsoft 365 App provides several out-of-the-box dashboards; please select those of interest:
• Azure Active Directory
• User Audit dashboard
• Exchange
• SharePoint
• OneDrive
• Microsoft Teams
• Power BI

The data source for this use case will be supported by deployment of the Microsoft 365 Technology Add-On. A full step-by-step data onboarding guide is included.
Use Case #4: Remote Access: Security Posture Monitoring for Microsoft 365 Environments

Target Microsoft 365 Data Source: Management Data
Security Detection and Response Use Cases:
• New Org BCC Rules Added
• Email Forwarding Rule Created
• Exporting of PSTs
• Adding Permissions to Mailboxes
• New Admin Account Created
• Sharing of OneDrive Files
• Downloads from OneDrive

Target Microsoft 365 Data Source: Azure Active Directory
Security Detection and Response Use Cases:
• Successful Logins from Rare/Unexpected Countries
• Geographically Improbable Access
• Password Spraying
• Multiple Simultaneous Logins
• External Org User Logins
• Attempted Logins from Expired/Disabled Account

Target Microsoft 365 Data Source: Message Trace Logs
Security Detection and Response Use Cases:
• Spike in Password Reset Emails
• Emails with Pandemic-Related subjects
• Emails from known-malicious domains
• Emails from lookalike Domains
• Emails from outside the org with Company Domains
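Three of the Message Trace use cases above turn on the sender's domain: a known-malicious domain, a lookalike of the company's own domain, and the company's own domain arriving from outside the organization. The Python below is an added example written for this guide, not Splunk's code or part of the Microsoft 365 add-on; it runs over constructed message trace rows, and the row layout (sender, direction, subject), the company domain list and the blocklist are all assumptions. Real message trace data would supply the sender's connecting IP, which is the field to derive "inbound from outside" from.

```python
COMPANY_DOMAINS = {"example.com"}       # assumption: the monitored tenant's own domains
KNOWN_MALICIOUS = {"bad-domain.test"}   # assumption: a threat-intel blocklist feed

# Constructed message trace rows (not real data): (sender, direction, subject)
MESSAGES = [
    ("partner@contoso.com", "Inbound", "Q2 roadmap"),
    ("alice@example.com", "Inbound", "Urgent: wire transfer"),  # our domain, arrived from outside
    ("billing@examp1e.com", "Inbound", "Invoice attached"),    # digit 1 in place of letter l
    ("hr@exarnple.com", "Inbound", "Updated policy"),           # "rn" in place of "m"
    ("it@examplle.com", "Inbound", "Password reset"),           # one inserted letter
    ("news@examplecorp.com", "Inbound", "Newsletter"),          # different brand, not flagged
    ("evil@bad-domain.test", "Inbound", "Re: your account"),
    ("bob@example.com", "Outbound", "Meeting notes"),           # legitimately sent from inside
]

# Characters and digraphs commonly substituted to imitate a legitimate domain.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Fold common visual substitutions back to the letters they imitate."""
    d = domain.lower()
    for glyph, real in HOMOGLYPHS:
        d = d.replace(glyph, real)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, max_distance=1):
    """True if the domain is not ours but, after homoglyph folding, sits within
    max_distance edits of one of our domains."""
    if domain in COMPANY_DOMAINS:
        return False
    norm = normalize(domain)
    return any(levenshtein(norm, ours) <= max_distance for ours in COMPANY_DOMAINS)


def analyze(messages):
    """Classify each sender against the three domain-based detections."""
    findings = {"spoofed_company_domain": [], "lookalike_domain": [],
                "known_malicious_domain": []}
    for sender, direction, _subject in messages:
        domain = sender.rsplit("@", 1)[-1].lower()
        # Our own domain should never arrive from outside the tenant.
        if direction == "Inbound" and domain in COMPANY_DOMAINS:
            findings["spoofed_company_domain"].append(sender)
        if is_lookalike(domain):
            findings["lookalike_domain"].append(sender)
        if domain in KNOWN_MALICIOUS:
            findings["known_malicious_domain"].append(sender)
    return findings


if __name__ == "__main__":
    for name, senders in analyze(MESSAGES).items():
        print(f"{name}: {senders}")
```

The homoglyph fold runs only on the sender's domain, so a legitimate domain that happens to contain "rn" can collide with a company domain containing "m"; keep the edit-distance threshold at 1 and allowlist known partners rather than widening the match. The "spoofed company domain" check is a message-trace approximation of what SPF and DMARC enforce at the gateway and is most useful where those policies are not yet at reject.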
Use Case #5: Security Monitoring and Response for Authentication Logs

Target Authentication Data Source: Any with geographical mapping (IP address or similar)
Security Detection and Response Use Cases:
• Geographically Improbable Access Detected
• Logins from unusual countries/regions
• Multiple Logins from single location/IP
• Login attempts to multiple accounts from single source (password spray)

Target Authentication Data Source: Any (common ones include Okta, Duo, Ping, Windows Security, Azure AD, classic AD)
Security Detection and Response Use Cases:
• New Interactive Logon from a Service Account
• Unauthorized User Logged Into In-Scope System
• Excessive User Account Lockouts
• Activity from Expired User Identity
• Activity from Long-Dormant Identity
• New User Taking Privileged Actions
• Audit user creations/modifications/add to privileged group
• Default Account Activity Detected
• Unusual Application Access for User/Role
• Excessive Failed Logins
• Concurrent Login Attempts Detected
• Successful Logins from New Device
• First Time Login to New Server
• First Time Login to Jump Server
• Increase in hosts logged into from user

Target Authentication Data Source: Any of the above + endpoint/malware data
Security Detection and Response Use Case:
• Watchlisted/Priority User logging into Infected System
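Several of the authentication use cases above are "first seen" or "not seen lately" detections that only work against a baseline of prior activity: first-time login to a new server, activity from a long-dormant identity, an interactive logon by a service account, and excessive failed logins. The Python below is an added example written for this guide, not Splunk's code; it builds a baseline from constructed Windows Security-style records and then runs the four checks over a day's worth of new records. The Windows event IDs (4624 success, 4625 failure) and logon types (2 interactive, 10 remote interactive, 11 cached interactive) are real; the record layout, the "svc_" naming convention for service accounts and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # 4624 LogonType: Interactive, RemoteInteractive, CachedInteractive
SERVICE_ACCOUNT_PREFIX = "svc_"          # assumption: the org's naming convention for service accounts

# Constructed Windows Security-style records (not real logs):
# (timestamp, event_id, user, host, logon_type); 4624 = success, 4625 = failure
HISTORY = [
    ("2020-01-10T09:00:00", 4624, "alice", "WS-ALICE", 2),
    ("2020-03-30T09:00:00", 4624, "alice", "WS-ALICE", 2),
    ("2020-03-30T09:05:00", 4624, "alice", "FS01", 3),
    ("2020-01-05T02:00:00", 4624, "dave", "WS-DAVE", 2),       # nothing since early January
    ("2020-03-29T00:00:00", 4624, "svc_backup", "FS01", 5),    # service logon, as expected
    ("2020-03-30T10:00:00", 4624, "bob", "WS-BOB", 2),
]
TODAY = [
    ("2020-04-01T03:00:00", 4624, "svc_backup", "FS01", 10),   # RDP logon by a service account
    ("2020-04-01T08:00:00", 4624, "alice", "WS-ALICE", 2),
    ("2020-04-01T08:10:00", 4624, "alice", "JUMP01", 10),      # first time on this server
    ("2020-04-01T08:20:00", 4624, "dave", "WS-DAVE", 2),       # dormant identity wakes up
    ("2020-04-01T08:30:00", 4624, "eve", "WS-EVE", 2),         # account with no history at all
] + [(f"2020-04-01T09:{i:02d}:00", 4625, "bob", "WS-BOB", 2) for i in range(8)]


def parse(rows):
    return [{"ts": datetime.fromisoformat(ts), "id": eid, "user": user, "host": host, "type": lt}
            for ts, eid, user, host, lt in rows]


def build_baseline(history):
    """Per user: the hosts it has logged on to before and when it was last seen."""
    base = {}
    for e in parse(history):
        if e["id"] != 4624:
            continue
        rec = base.setdefault(e["user"], {"hosts": set(), "last_seen": e["ts"]})
        rec["hosts"].add(e["host"])
        rec["last_seen"] = max(rec["last_seen"], e["ts"])
    return base


def detect(baseline, rows, dormant_days=60, failed_threshold=5, window=timedelta(minutes=10)):
    """Run the four checks over new rows, updating the baseline as logons are seen
    so a user's second logon to the same new host does not fire again."""
    findings = {"new_server_login": [], "dormant_identity": [],
                "service_account_interactive": [], "excessive_failed_logins": []}
    failures = defaultdict(list)
    for e in sorted(parse(rows), key=lambda e: e["ts"]):
        if e["id"] == 4625:
            failures[e["user"]].append(e["ts"])
            continue
        if e["id"] != 4624:
            continue
        known = baseline.get(e["user"])
        if known is None:
            # No history at all: every host is new for this account.
            findings["new_server_login"].append((e["user"], e["host"]))
            baseline[e["user"]] = {"hosts": {e["host"]}, "last_seen": e["ts"]}
        else:
            if e["host"] not in known["hosts"]:
                findings["new_server_login"].append((e["user"], e["host"]))
            idle = (e["ts"] - known["last_seen"]).days
            if idle >= dormant_days:
                findings["dormant_identity"].append((e["user"], idle))
            known["hosts"].add(e["host"])
            known["last_seen"] = e["ts"]
        if e["user"].startswith(SERVICE_ACCOUNT_PREFIX) and e["type"] in INTERACTIVE_LOGON_TYPES:
            findings["service_account_interactive"].append((e["user"], e["host"], e["type"]))
    # Excessive failures: at least failed_threshold 4625s for one user inside a sliding window.
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= failed_threshold:
                findings["excessive_failed_logins"].append((user, len(times)))
                break
    return findings


if __name__ == "__main__":
    for name, hits in detect(build_baseline(HISTORY), TODAY).items():
        print(f"{name}: {hits}")
```

The baseline window matters more than the thresholds: a baseline built from only a week of history will call every second server "new", while one that spans months will hide a dormant account that was briefly active. Jump servers are worth a separate, shorter list so that "first time login to jump server" can alert on its own regardless of the user's wider host history.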
Use Case #6: Security Monitoring and Response for Zoom

Target Zoom Data Source: Zoom Events via TCP Webhook
Security Detection and Response Use Cases:
• Reuse of personal IDs/meeting IDs
• Audit client versions
• Audit profile settings surrounding passwords and meeting IDs
• Audit new user accounts or other changes
• Abnormal Zoom Meeting duration

Target Zoom Data Source: Zoom Events via TCP Webhook + REST API calls
Security Detection and Response Use Cases:
• Zoom logins from unusual countries/regions
• Zoombombing Prevention (2)

2. Requires a Phantom license, which is not included in the Remote Work Insights offering; customers can implement this on their own. More details on Phantom, and information on getting started with the free Community Edition of Phantom, are available here.
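Every Zoom use case above and below depends on events pushed by Zoom's webhook into a collector. A collector that accepts any POST to its URL will also ingest events anyone else cares to send, so the receiving side should authenticate each request before indexing it. The Python below is an added example written for this guide, not Splunk's or Zoom's code; it assumes Zoom's Secret Token scheme, in which the app's Secret Token produces an HMAC-SHA256 over "v0:<x-zm-request-timestamp>:<raw body>" sent as "x-zm-signature: v0=<hex>", and in which Zoom first sends an "endpoint.url_validation" challenge that the endpoint must answer with an HMAC of the supplied plainToken. The secret and the sample event payload are constructed.

```python
import hashlib
import hmac
import json
import time

SECRET_TOKEN = "constructed-secret-token-not-a-real-one"   # constructed; the real one comes from the Zoom app
MAX_SKEW_SECONDS = 300   # reject requests whose timestamp is older than this, which bounds replays


def sign(secret, timestamp, body):
    """Signature the sender attaches: v0=HMAC-SHA256(secret, "v0:<timestamp>:<raw body>")."""
    msg = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_request(headers, body, secret=SECRET_TOKEN, now=None):
    """True only if the timestamp is fresh and the signature matches the raw body.
    headers: dict keyed by lower-cased header name; body: the raw request body string,
    taken before any JSON parsing so that whitespace differences cannot be hidden."""
    now = time.time() if now is None else now
    ts = headers.get("x-zm-request-timestamp")
    sig = headers.get("x-zm-signature", "")
    if ts is None or not ts.isdigit():
        return False
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    # compare_digest keeps the comparison time independent of where the strings differ
    return hmac.compare_digest(sign(secret, ts, body), sig)


def url_validation_response(body, secret=SECRET_TOKEN):
    """Answer the endpoint.url_validation challenge; None for any other event."""
    event = json.loads(body)
    if event.get("event") != "endpoint.url_validation":
        return None
    plain = event["payload"]["plainToken"]
    encrypted = hmac.new(secret.encode(), plain.encode(), hashlib.sha256).hexdigest()
    return {"plainToken": plain, "encryptedToken": encrypted}


def handle(headers, body, secret=SECRET_TOKEN, now=None):
    """Gate an incoming webhook: None if unauthenticated, the challenge reply for a
    validation request, otherwise the parsed event ready to be indexed."""
    if not verify_request(headers, body, secret, now):
        return None
    challenge = url_validation_response(body, secret)
    if challenge is not None:
        return {"challenge": challenge}
    return json.loads(body)


# Constructed sample event (not a real Zoom payload) and a helper that builds the
# headers a legitimate sender would attach, used to exercise the receiver offline.
SAMPLE_EVENT = json.dumps({"event": "meeting.started",
                           "payload": {"object": {"id": "123456789", "topic": "Weekly sync"}}})


def demo_headers(body, ts, secret=SECRET_TOKEN):
    return {"x-zm-request-timestamp": str(ts), "x-zm-signature": sign(secret, str(ts), body)}


if __name__ == "__main__":
    ts = int(time.time())
    print(handle(demo_headers(SAMPLE_EVENT, ts), SAMPLE_EVENT))
    print(handle(demo_headers(SAMPLE_EVENT, ts), SAMPLE_EVENT + " "))   # tampered body: None
```

Verify over the raw bytes you received, not over a re-serialized copy of the parsed JSON, and do the check before the event reaches the indexer so that unsigned events never become searchable "Zoom" data. If the collector sits behind Splunk's HTTP Event Collector rather than custom code, the same check belongs in whatever front end terminates the Zoom connection.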
Use Case #7: Zoom Service Performance and Quality Monitoring

Target Zoom Data Source: Zoom 'Meeting Alerts' via TCP Webhook
Performance and Quality Use Cases:
• Unstable audio or video (meeting)
• Poor screen share quality (meeting)
• High CPU utilization (meeting)
• Call reconnection problems (meeting)

Target Zoom Data Source: Zoom 'Webinar Alerts' via TCP Webhook
Performance and Quality Use Cases:
• Unstable audio or video (webinar)
• Poor screen share quality (webinar)
• High CPU utilization (webinar)
• Call reconnection problems (webinar)
Use Case #8: Zoom Utilization Measurement

Target Zoom Data Source: Zoom 'Meeting Created', 'Meeting Started', and 'Participant Joined' via TCP Webhook
Service Utilization:
• Meeting Created
• Meeting Started
• Participant Joined

Target Zoom Data Source: Zoom 'Webinar Created', 'Webinar Started', and 'Participant Joined' via TCP Webhook
Service Utilization:
• Webinar Created
• Webinar Started
• Participant Joined
Use Case #9: Zoom Cloud Recording Monitoring

Target Zoom Data Source: Zoom 'Recording Completed' via TCP Webhook
Service Utilization:
• Recording Completed

Use Case #10: Zoom Room Alert Monitoring

Target Zoom Data Source: Zoom 'Zoom Room Alert' via TCP Webhook
Service Utilization:
• High CPU Usage
• Low Battery, Charging and/or Connection Issues in a Zoom Room Device (Computer, Controller or Scheduling Display)
• Room Controller Disconnections/Reconnections
• Camera Disconnections/Reconnections
• Missing Camera/Microphone
• Speaker Disconnections/Reconnections
Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved. 20-13222-Splunk-RET-Remote Work Insights-106-SG
www.splunk.com
Learn more: www.splunk.com/asksales
Insights for Success: Help Us Help You

We want to support you through this process and set you up for success with Remote Work Insights. Please gather the information listed in the sections below and return it to your Splunk account team. We will schedule a call to review your desired outcomes and to discuss what is needed to onboard your data. We'll also give you information on the data types required for success and begin the discussion on best practices for beginning this foundational deployment.
Contacts

Points of contact for the Splunk team to engage:
Sponsor (Primary Contact):
Technical Lead:
End User #1:
End User #2:
Recommended Training and Trials

If not a current user, please register for a splunk.com account and also sign up for FREE Splunk eLearning at splunk.com/training and get a handle on the Fundamentals.