WEBVTT

1
00:00:03.750 --> 00:00:09.990
Nick Lewis - Internet2: Hi everyone, my name is Nick Lewis. Thanks for joining us for the NET+ Splunk community call for August 2021.

2
00:00:10.559 --> 00:00:15.929
Nick Lewis - Internet2: We'll get kicked off now. The call is recorded; I'll post the recording on the NET+ Splunk wiki,

3
00:00:16.440 --> 00:00:25.200
Nick Lewis - Internet2: and so that anybody who couldn't make the call can go back and listen to this discussion, because I've heard from a couple of campuses about this, these,

4
00:00:25.710 --> 00:00:33.240
Nick Lewis - Internet2: actually these, both these specific topics, that they're curious about what other people are doing, and so I'll send them the recording when we're done.

5
00:00:33.660 --> 00:00:41.220
Nick Lewis - Internet2: But they want to know, basically, what others are doing around managing their data getting into Splunk, Cribl, and then Splunk

6
00:00:41.640 --> 00:01:02.310
Nick Lewis - Internet2: used in your CMMC research environments in AWS. We've talked quite a bit on previous calls about using Cribl, and Brad, I know you, you said you're interested in that, so we'll start with using Cribl and using that to manage log data getting into Splunk.

7
00:01:04.530 --> 00:01:20.430
Brad Maloney - Duquesne University: Yes. Since the last time we all talked here, we did go into a bit of a Cribl endeavor at Duquesne, and sort of since then, I guess it's been about two months, we are funneling about 90% of our traffic through Cribl, so it's been pretty helpful.

8
00:01:24.870 --> 00:01:34.650
Brad Maloney - Duquesne University: I did see that there was also an announcement too, I was just trying to dig that up in my email. Cribl has some kind of announcement on Thursday, August 26 at 2pm Eastern.

9
00:01:35.670 --> 00:01:40.110
Brad Maloney - Duquesne University: "Cribl Next Level" is the announcement, so I'm curious to see what that is.
10
00:01:42.150 --> 00:01:47.850
Darren Fallis - NC State: So what, what problem is that solving for you, and/or what did you do before Cribl?

11
00:01:48.540 --> 00:01:54.120
Brad Maloney - Duquesne University: So, so really it helps us dedupe a lot of events. You know, we ingest a lot of firewall data,

12
00:01:55.230 --> 00:02:08.730
Brad Maloney - Duquesne University: and some of it, you know, it's kind of low value, but, you know, we still want to retain it for whatever reason. So either now we forward that off to an S3 bucket that just kind of is out there and can be replayed if we need to,

13
00:02:09.810 --> 00:02:15.270
Brad Maloney - Duquesne University: or it could be Numerify, if, like, one event happens 10 times within a 60 second span,

14
00:02:15.870 --> 00:02:23.190
Brad Maloney - Duquesne University: it can actually just throw in, like, a quantifier, you know, field that just says this happened 10 times, you know, and then the one event rather than 10 copies of the,

15
00:02:23.730 --> 00:02:30.720
Brad Maloney - Duquesne University: of the one event. So that helps us, even just in some of our, you know, statistical dashboards and things like that. I mean, some of those firewall lines are

16
00:02:31.260 --> 00:02:34.890
Brad Maloney - Duquesne University: pretty lengthy. We were getting a lot of fields in from our Palo Alto firewall, so

17
00:02:35.820 --> 00:02:42.510
Brad Maloney - Duquesne University: it's definitely helped us out a lot there. And there's also, just besides, like, the volume, the data volume, you know, reduction with that,

18
00:02:43.380 --> 00:02:47.910
Brad Maloney - Duquesne University: it also acts as kind of a heavy forwarder in some cases, so we're actually using it to pull

19
00:02:48.690 --> 00:02:55.020
Brad Maloney - Duquesne University: Office 365 events now, right, so I don't have to rely on a heavy forwarder or another Splunk instance to fetch that data.
20
00:02:55.800 --> 00:03:02.130
Brad Maloney - Duquesne University: Cribl goes out and gets that as part of the pre-packaged, you know, set of API calls that are built into it,

21
00:03:02.760 --> 00:03:15.750
Brad Maloney - Duquesne University: and then ships it off to Splunk as well, or, you know, sends it to an archive. So that was a nice added feature there too, as well, something I didn't expect we'd really use off the bat, because really we were looking to reduce the, the data volume, but that's been very helpful.

22
00:03:17.070 --> 00:03:26.970
RuthAnne Bevier - Caltech: And Brad, for the Office 365 data, have you noticed any difference in the timeliness of the log data that you get using Cribl rather than grabbing it directly from the API?

23
00:03:27.660 --> 00:03:36.510
Brad Maloney - Duquesne University: Yeah, that's a good question. Um, it's, it's a few minutes too late. I mean, it's not instant, right? So again, as we get some data, maybe it'll be five, maybe even up to, like, 10 minutes delayed,

24
00:03:37.080 --> 00:03:47.460
Brad Maloney - Duquesne University: because it does run on an interval timer, and you have to hope that the events were written to your instance, you know, in Microsoft, that thing, it's called the Service Hub, you know, or whatever they call it there, and everything. So

25
00:03:48.000 --> 00:04:00.060
Brad Maloney - Duquesne University: there is some delay, but, um, but it's just been nice having that there, where we can, we actually were able to shut down a Splunk instance that was doing some of that work for us. Now we're just kind of unifying it more in one spot, which has been, been good.

26
00:04:02.040 --> 00:04:06.960
Darren Fallis - NC State: So, you said you were deduping some of your firewall data, like from the Palo Alto, and there are a lot of fields.
27
00:04:07.320 --> 00:04:16.350
Darren Fallis - NC State: Are you deduplicating or summarizing only if every field in the entire message is the same, or are you only focusing on some fields, like ignoring source port for, you know, a connection?

28
00:04:17.160 --> 00:04:23.190
Brad Maloney - Duquesne University: Right, so it depends on what the firewall rule is, which is kind of neat, how granular you can get in Cribl.

29
00:04:24.090 --> 00:04:34.650
Brad Maloney - Duquesne University: If it's a certain rule, like, say, like Netflix traffic, if it's just, you know, the app is Netflix, you know, the Palo Alto detects Netflix and it's from a source IP, we just count that, don't really log anything

30
00:04:35.250 --> 00:04:51.990
Brad Maloney - Duquesne University: else, right? Like if, if it's more of, like, a data center communication, you know, event, we do get the entire field, or, you know, all fields, not, you know, condensed or anything like that, and un-summarized, just put that quantifier in and say how many times it happened. So

31
00:04:53.460 --> 00:04:59.010
Brad Maloney - Duquesne University: I guess it depends, in, like, kind of the context of the traffic, because, because we're doing a lot of different things there.

32
00:05:00.810 --> 00:05:05.070
Darren Fallis - NC State: So is that a regex kind of thing, or is there some other... how do you configure that?

33
00:05:05.460 --> 00:05:07.770
Brad Maloney - Duquesne University: Yeah, so regex and,

34
00:05:08.790 --> 00:05:14.250
Brad Maloney - Duquesne University: really just the, the UI for Cribl is pretty intuitive. There's, you know, you build these workflows and,

35
00:05:15.420 --> 00:05:19.620
Brad Maloney - Duquesne University: you know, data sources, and it kind of, you can drag and drop things in order, you know. So,

36
00:05:20.790 --> 00:05:29.730
Brad Maloney - Duquesne University: so what you do, you do, and that part is dropping in a Numerify part of a data route, and you just say, like, if anything matches this source IP,
37
00:05:30.930 --> 00:05:44.490
Brad Maloney - Duquesne University: no regex needed there, you know, if the source IP equals, you know, whatever, you know, you can filter out that way. So you can do regex as well, but I try to avoid that as much as possible if there's something out of the box that I can do as well. So,

38
00:05:45.630 --> 00:05:52.740
Brad Maloney - Duquesne University: it was kind of neat. There were a lot of field operators you can play around with there if you didn't want to just regex for, for matches.

39
00:05:56.370 --> 00:06:04.620
Brad Maloney - Duquesne University: We're looking at, we're still just running on a single instance, so, which has been pretty, pretty good for the amount of data we're throwing at it, at about 200 gigs a day.

40
00:06:05.520 --> 00:06:18.840
Brad Maloney - Duquesne University: So one of the next steps now is growing that out into a cluster, now that we're out of our POC phase and we like it. We're going to keep it in production, now we're going to, you know, throw a little bit more resources at it just so it's more resilient.

41
00:06:20.190 --> 00:06:28.980
Darren Fallis - NC State: We're starting to get DNS query logs in, thankfully, but there is of course a lot of duplication in that, you know, clients ask the same name of some CDN, it's, you know, tiny

42
00:06:29.490 --> 00:06:40.410
Darren Fallis - NC State: detail, and so we're going to have to do some sort of deduplication at some level. I'm just not sure where we're going to do that. Sounds like Cribl might be a good option, but the cost is...

43
00:06:41.370 --> 00:06:47.370
Brad Maloney - Duquesne University: Yeah, well, so, yeah, that, that's what we're worried about too, is the price of Cribl, but it's free up to two terabytes a day.

44
00:06:47.940 --> 00:06:51.180
Brad Maloney - Duquesne University: With a few asterisks. Or if you're higher than that, then yeah, then more power to you.
45
00:06:52.110 --> 00:07:01.020
Brad Maloney - Duquesne University: But outside of that, yeah, it's community-based support, right, so you're not, I don't think you can really call in for, like, you know, a production-down issue, or maybe you'd have to pay some kind of fees. So

46
00:07:01.470 --> 00:07:11.940
Brad Maloney - Duquesne University: I mean, there is a little bit of a gray area there, but you can, you can, you know, be a paid subscriber too. I forget what the licensing levels are, but, you know, there's a supported and a community-supported version.

47
00:07:14.190 --> 00:07:22.290
Brad Maloney - Duquesne University: But yeah, for DNS queries, for sure, if you can, like, summarize by a source IP, if, you know, if one IP looks up or does a DNS query 10 times,

48
00:07:22.860 --> 00:07:32.040
Brad Maloney - Duquesne University: you know, in a couple minutes or something, you can at least reduce it that way, just to have a numeric value for how many times it happened rather than multiple, you know, copies of it.

49
00:07:34.650 --> 00:07:40.050
Brad Maloney - Duquesne University: You can, you can summarize even longer, for, like, if you want to wait, like, five minutes before it actually sends the event, you know, you can

50
00:07:40.620 --> 00:07:49.860
Brad Maloney - Duquesne University: get larger summaries out of it, but then you start to delay your data as it comes in too, right, because it's going to sit there and hold it and wait for more matches. I guess we've gone with, this one is one minute.

51
00:07:54.360 --> 00:07:54.720
Darren Fallis - NC State: Cool.

52
00:07:59.640 --> 00:08:15.450
Nick Lewis - Internet2: Some of the previous discussion has been sort of, Brad was alluding to, around trying to keep to the 200 gigabyte limit for the license that they're using for Splunk, and it's so you can decide how much data goes into Splunk, so you can manage your Splunk license.
53
00:08:16.830 --> 00:08:30.000
Nick Lewis - Internet2: I know that we've had discussions, other discussions, around, oh, you want to put your AD logs in, and those are super chatty and generate a large volume of logs, like the firewall logs or VPN logs or DNS logs, and so it's like,

54
00:08:30.780 --> 00:08:47.130
Nick Lewis - Internet2: are there a lot of these other types of logs that you would want to include in that, that you may want to do this summarizing or deduping with, to keep you to your license? Because one of the things that the Advisory Board worked on, I don't remember what year it was, I think, I think it was,

55
00:08:48.210 --> 00:08:56.640
Nick Lewis - Internet2: I don't remember, I get 2020 and 2019 confused, so, but we did the, around the, there's a special Splunk license for,

56
00:08:57.630 --> 00:09:07.440
Nick Lewis - Internet2: basically firewall logs, basically high-volume, low-fidelity logs, and we added that to the program, but there hasn't been a lot of uptake in it.

57
00:09:07.890 --> 00:09:18.690
Nick Lewis - Internet2: And so I'm trying to understand, so, like, there's, there's a couple different ways to try to basically manage to your license, or getting the data and then

58
00:09:21.990 --> 00:09:35.310
Nick Lewis - Internet2: manipulating the data coming in to stay to your license, and so that's where, I guess, the nuance that I'm trying to get to, it's like, where do you want to put that work in to, to manage that, what's getting into your Splunk?

59
00:09:37.350 --> 00:09:49.440
Darren Fallis - NC State: I think the two types of data they offer a discounted, like a 66% discount, license on are DNS queries and flows of various types. I'm not sure that firewall logs explicitly count, although

60
00:09:49.890 --> 00:09:58.320
Darren Fallis - NC State: I'm aware that some firewalls are now actually logging firewall logs as flows. Of course, NetFlow v9 can just put anything you want in with a template, so
61
00:10:00.210 --> 00:10:05.580
Darren Fallis - NC State: a different license for firewall logs, if you're using that, it's interesting. I hadn't thought about that until just now.

62
00:10:07.380 --> 00:10:19.260
Brad Maloney - Duquesne University: And I think there was some discussion in the past between the Internet2 service Advisory Board and Splunk about IPS and IDS data. I think Dan from Cornell,

63
00:10:19.290 --> 00:10:23.460
Brad Maloney - Duquesne University: I think he actually got them to classify it that way, right, because he uses Corelight,

64
00:10:23.490 --> 00:10:32.520
Brad Maloney - Duquesne University: which is an appliance that you see on the wire, sends events. I think, yeah, he got them to count that as a, you know, reduced-cost, high-volume

65
00:10:34.020 --> 00:10:34.200
Darren Fallis - NC State: But.

66
00:10:34.230 --> 00:10:39.570
Brad Maloney - Duquesne University: We'll have to check with him. Yeah, I'm just recalling here from a ways back, yeah, that volume license.

67
00:10:40.020 --> 00:10:40.530
Darren Fallis - NC State: Who was that?

68
00:10:43.800 --> 00:10:47.730
Nick Lewis - Internet2: That's right, and so Darren, I'll take a note to send you the details.

69
00:10:48.660 --> 00:10:57.810
Darren Fallis - NC State: Yeah, because, you know, our Bro logs and, and Palo Alto IDS or IPS are, are probably going to be quite large.

70
00:10:59.160 --> 00:10:59.520
So.

71
00:11:01.140 --> 00:11:01.740
Brad Maloney - Duquesne University: Very chatty.

72
00:11:06.000 --> 00:11:19.440
Tyrone Smith-Univ. of Delaware: Um, so the other quick question is, is it also potentially useful for going through and adding to or augmenting data, like, inside of the pipelines that get set up? Can you go through and natively add information

73
00:11:20.880 --> 00:11:27.030
Tyrone Smith-Univ. of Delaware: so that you go through and pull in information about your specific MAC addresses and your specific building codes and all that good stuff?
74
00:11:27.210 --> 00:11:30.870
Brad Maloney - Duquesne University: Yes, which is, which was very cool. So an example that we did there was,

75
00:11:32.700 --> 00:11:39.720
Brad Maloney - Duquesne University: I think we, we just pull in, just, as you know, we have a lot of threat intelligence, but one of the more basic ones we use is FireHOL, which is

76
00:11:40.380 --> 00:11:48.690
Brad Maloney - Duquesne University: kind of an open source, you know, blacklist IP list. So on the Cribl, you know, Linux box, boxes, because we have a master node too, but

77
00:11:49.440 --> 00:11:59.970
Brad Maloney - Duquesne University: we've, we fetch that, you know, that list of IPs on a schedule, and Cribl stores that as kind of like a lookup table. So as firewall data, for example, comes in,

78
00:12:00.480 --> 00:12:06.960
Brad Maloney - Duquesne University: that's one of the, one of those kind of step items I was talking about, how you can drag and drop these things in order, these functions that happen as data comes in.

79
00:12:07.830 --> 00:12:14.430
Brad Maloney - Duquesne University: And you can have it look at that lookup table and say, if anything, that, you know, if this source IP matches, you know, this FireHOL IP,

80
00:12:15.570 --> 00:12:20.610
Brad Maloney - Duquesne University: you know, mark it, mark it as a new field that says FireHOL is true, you know, otherwise it'd be false.

81
00:12:21.210 --> 00:12:26.940
Brad Maloney - Duquesne University: Then if you have another kind of threat intelligence list, you can do the same thing, right? So then later on, when you do searches or dashboards,

82
00:12:27.330 --> 00:12:32.520
Brad Maloney - Duquesne University: you can see, you know, if that field is true across, like, three different events, you know, you know why, you have a pretty hot

83
00:12:33.240 --> 00:12:39.120
Brad Maloney - Duquesne University: IP there that's talking to three different, you know, or different IPs that are on three different intelligence lists. So
84
00:12:39.600 --> 00:12:49.170
Brad Maloney - Duquesne University: that's been kind of nice, and it removes some of that burden out of Splunk too, as far as lookup tables and, you know, playing around with that. It just does it automatically there and throws it in, you know, so it's there at index time.

85
00:12:52.680 --> 00:12:53.940
Brad Maloney - Duquesne University: Is that kind of what you're getting at, like?

86
00:12:53.940 --> 00:12:59.670
Tyrone Smith-Univ. of Delaware: That was what I was getting at, and also the biggest, what I was thinking is, it's, it sounds like it's

87
00:13:00.300 --> 00:13:10.590
Tyrone Smith-Univ. of Delaware: almost doing, places, I think it's called Apache something, or some other item that was going through and doing pipelines and allowed you to go through and make generic modifications to the pipeline

88
00:13:11.280 --> 00:13:24.390
Tyrone Smith-Univ. of Delaware: without having all the ugliness of setting that up. So that actually sounds great. The only thing I'm thinking through is trying to figure out, if we have, like, internal databases and internal, you know, not just, you know,

89
00:13:25.740 --> 00:13:30.660
Tyrone Smith-Univ. of Delaware: what is this coming from a data feed, but things that are, are really inside the house,

90
00:13:32.070 --> 00:13:38.310
Tyrone Smith-Univ. of Delaware: trying to figure out what might be the best way to go through and integrate or add that data in, or have that be separate lookups. Yeah.

91
00:13:38.340 --> 00:13:51.120
Brad Maloney - Duquesne University: Yeah, that's, that's, like, a great idea. I'm not sure if they do that or not. We've only, you know, played around with, like, CSV files so far, but I do love that thought, that, that would be nice, especially if you can query, you know, a database on the fly as an event comes in.
92
00:13:52.680 --> 00:14:01.320
Christopher Caldwell: There's an issue there where you can increase the size of the events, or you run the risk of that, when you're doing lookups, if you're adding fields in Cribl.

93
00:14:02.370 --> 00:14:19.980
Christopher Caldwell: So, what, you know, that's one value to doing search-time lookups in Splunk, you know, but you can also do lookups, use the data from the lookup to make decisions, or, you know, route the data a certain way through their pipelines, and then not actually add the fields to Splunk.

94
00:14:20.700 --> 00:14:37.530
Christopher Caldwell: If you, if the new packs that they've released, the one for Palo Alto, does, you know, something kind of similar, where it does field extraction and reduces the size of the Palo Alto events by stripping out unnecessary fields, so you can do something similar to that.

95
00:14:38.160 --> 00:14:38.400
Okay.

96
00:14:40.440 --> 00:14:41.070
Brad Maloney - Duquesne University: Good, sorry.

97
00:14:41.580 --> 00:14:47.700
Tyrone Smith-Univ. of Delaware: I'm just saying that sounds like, I have to look at the Palo Alto app and see how they actually do that. That actually is good information. Thank you.

98
00:14:49.110 --> 00:14:57.960
Darren Fallis - NC State: Yeah, we've done some of that in a few instances, using, like, the sed, sed transforms within Splunk to strip out some information.

99
00:14:59.340 --> 00:15:04.410
Darren Fallis - NC State: But that seems like, but that is a, that is a not-for-beginner, you know, interface to go do that, as opposed to

100
00:15:05.460 --> 00:15:07.350
Darren Fallis - NC State: clicky. Yeah, works, so.

101
00:15:07.920 --> 00:15:11.700
Nick Lewis - Internet2: sed and then regex, that's not, yeah, not for beginners.

102
00:15:15.150 --> 00:15:25.920
Nick Lewis - Internet2: Has anyone, so thinking about the threat intelligence, like, anyone used the REN-ISAC SES, putting it in, like, to help with that, was that enrichment?
103
00:15:29.610 --> 00:15:31.320
Brad Maloney - Duquesne University: Yeah, I haven't done it through Cribl, no.

104
00:15:46.230 --> 00:15:46.650
Darren Fallis - NC State: Link.

105
00:15:46.980 --> 00:15:50.850
Nick Lewis - Internet2: Yeah, I put that, thanks Chris for putting that in the notes.

106
00:15:52.380 --> 00:15:57.240
Christopher Caldwell: The one caveat is, if you're then putting, sending this stuff further down the pipeline with that,

107
00:15:57.990 --> 00:16:08.340
Christopher Caldwell: you're going to need to put new extractions in Splunk for the shortened events that it's writing, by stripping out those future-use fields and things like that.

108
00:16:08.970 --> 00:16:25.620
Christopher Caldwell: And then you also may want to modify that, and, you know, there's additional fields that, you know, might not be useful for how you use Palo Alto logs, so you can just kind of model their pattern of, you know, throwing out anything in the raw event that you don't use and rewriting the raw.

109
00:16:26.760 --> 00:16:31.950
Christopher Caldwell: So we're sending, you know, a full copy of the original raw of everything to S3,

110
00:16:33.420 --> 00:16:40.170
Christopher Caldwell: but then, you know, really reducing to only what's security-relevant data in what gets sent to Splunk.

111
00:16:51.330 --> 00:16:52.740
Nick Lewis - Internet2: So thanks Chris for...

112
00:16:53.790 --> 00:17:00.840
Nick Lewis - Internet2: Any other comments or discussions around Cribl, or even the more general managing data into Splunk?

113
00:17:02.100 --> 00:17:02.790
Nick Lewis - Internet2: While we're getting...

114
00:17:03.150 --> 00:17:09.780
Gretchen Corey - University of Minnesota: Cribl, I have a question on the architecture. I'm just wondering, Brad, what you have set up on-prem and how that's spec'd.

115
00:17:11.280 --> 00:17:18.480
Brad Maloney - Duquesne University: So we're just running it as a VM, and I believe around Red Hat 8 on that, and Cribl just comes down as an RPM.
116
00:17:20.670 --> 00:17:31.260
Brad Maloney - Duquesne University: There's, to set up, one kind of primary node, and then you have these worker nodes that attach to it, and it uses git under the hood. It's still manageable through the interface, but

117
00:17:32.160 --> 00:17:38.040
Brad Maloney - Duquesne University: you know, as configs change and you commit it, it gets spread out using git, you know, internally there, and

118
00:17:38.640 --> 00:17:54.870
Brad Maloney - Duquesne University: we actually did go through an upgrade there as well, and they released a new version that fixed a bug that we thought we were encountering for Office 365, and it went very smooth, just, you know, your typical RPM upgrade, and it came back up fine. But as far as, like, the specs of it,

119
00:17:56.040 --> 00:18:03.630
Brad Maloney - Duquesne University: I don't know off the top of my head, but it's nothing crazy. I think we did about, about 16 gigs of memory and eight CPUs, which,

120
00:18:04.140 --> 00:18:13.350
Brad Maloney - Duquesne University: that single VM has handled, you know, 200 gigs a day, and, you know, some of the, some of that pipeline processing that we've been doing too. I mean, it's been keeping along

121
00:18:13.830 --> 00:18:20.820
Brad Maloney - Duquesne University: very nicely, but we still want to add, you know, just more capacity for resiliency. We want to, you know, span data centers, that kind of stuff.

122
00:18:25.950 --> 00:18:29.160
Christopher Caldwell: Can you share anything on, like, what the licensing, the pricing looks

123
00:18:29.160 --> 00:18:29.520
like?

124
00:18:31.110 --> 00:18:35.370
Christopher Caldwell: How many workers can you have, and what, what's your daily volume?

125
00:18:35.910 --> 00:18:39.720
Brad Maloney - Duquesne University: So, yeah, we're on that, that free tier, community-supported.

126
00:18:40.770 --> 00:18:46.830
Brad Maloney - Duquesne University: So, which does include, I think you can have, like, 10 workers as part of a cluster.
127
00:18:47.850 --> 00:18:49.590
Brad Maloney - Duquesne University: So that covers us, you know, for our volume.

128
00:18:50.130 --> 00:19:00.210
Christopher Caldwell: Some of the functionality wasn't supported in the free tier, like the git remote and having more than a single node. Is that not true, then?

129
00:19:01.410 --> 00:19:11.010
Brad Maloney - Duquesne University: That's how we're running right now, so we're ready to scale up, because we have, we have the one master node that, you know, has that git repository, and one worker, so now we're just going to add more workers, but

130
00:19:11.910 --> 00:19:23.040
Brad Maloney - Duquesne University: we're running in that mode right now without any license violations. I'll double check. I always assumed that was allowed because it was on the website, it said, you know, 10 worker nodes for the free version.

131
00:19:29.760 --> 00:19:30.660
I'll double check.

132
00:19:40.410 --> 00:19:43.680
Nick Lewis - Internet2: Any other questions or discussion around Cribl?

133
00:19:52.710 --> 00:19:53.340
RuthAnne Bevier - Caltech: Thanks, Brad.

134
00:19:55.890 --> 00:19:59.130
Darren Fallis - NC State: Thank you, Brad. We're already ahead today for me.

135
00:20:01.140 --> 00:20:04.080
Nick Lewis - Internet2: Ray, it looks like you've got your hand up. Do you have a question?

136
00:20:08.670 --> 00:20:09.780
Nick Lewis - Internet2: Maybe that's just left up.

137
00:20:09.780 --> 00:20:10.350
Nick Lewis - Internet2: Say hi.

138
00:20:10.620 --> 00:20:17.670
Ray G - University of Washington: Yes, sorry guys, this is Ray Glenn from the University of Washington. Thank you very much for this presentation, this is very helpful. Just to

139
00:20:18.120 --> 00:20:34.170
Ray G - University of Washington: make sure I had your numbers right, did I hear correctly that you're ingesting 250 gigs per day into your instance? 200, 200, okay. And then what is actually being ingested by Splunk after you're doing your processing?
140
00:20:35.310 --> 00:20:39.360
Brad Maloney - Duquesne University: Hmm, that is a good question. I couldn't give that to you right now.

141
00:20:40.620 --> 00:20:48.510
Brad Maloney - Duquesne University: We've reduced it about, you know, just kind of looking back at our licensing charts, we saw at least a 25% drop after deduping,

142
00:20:49.380 --> 00:21:01.620
Brad Maloney - Duquesne University: especially the Palo Alto, you know, logs, and stripping fields. We removed a lot of redundant data that we get from other data sources, so that helped a lot there, but I can get a more firm number for next time.

143
00:21:02.280 --> 00:21:06.450
Ray G - University of Washington: No, that, that's, 25% is a pretty good benchmark. Thank you very much.

144
00:21:13.830 --> 00:21:15.810
Brad Maloney - Duquesne University: You know, when we've been putting in Cribl, it was an overall

145
00:21:16.860 --> 00:21:27.810
Brad Maloney - Duquesne University: part of a project where we upgraded to, to Splunk 8, you know, as far as Splunk too, so it was a whole overall improvement thing. We, you know, went, went back to our data sources, cleaned some things up,

146
00:21:28.710 --> 00:21:37.680
Brad Maloney - Duquesne University: you know, and re-pointed everything to Cribl, so now that we've kind of been running solid for the past month in this new environment, we'll get some better stats, stats out there for next time.

147
00:21:40.110 --> 00:21:40.890
Ray G - University of Washington: Right on, thank you.

148
00:21:53.010 --> 00:21:56.310
Nick Lewis - Internet2: Okay, one last call for questions.

149
00:21:57.630 --> 00:22:02.640
Nick Lewis - Internet2: If there's no additional Cribl question, we'll go to the next thing, and then any open questions.

150
00:22:10.350 --> 00:22:19.410
Nick Lewis - Internet2: Okay, sounds like no additional questions, and so the one person, the person that asked about using Splunk in their CMMC research environments in AWS,
151
00:22:19.680 --> 00:22:26.520
Nick Lewis - Internet2: unfortunately they couldn't be here today, and so we'll definitely hold probably both these topics over for the next month, next month's call,

152
00:22:27.210 --> 00:22:36.630
Nick Lewis - Internet2: just to keep the discussion going. But I, so I thought I'd bring up, so the general issue of, is anyone looking at using,

153
00:22:37.200 --> 00:22:56.370
Nick Lewis - Internet2: or looking at or actively using Splunk in their CMMC environments, and even, even if you're running in that environment in AWS, getting that log data into Splunk, or you're doing it natively in AWS? Anybody working on those types of things right now?

154
00:23:00.030 --> 00:23:00.450
Yes.

155
00:23:02.010 --> 00:23:05.100
Darren Fallis - NC State: It looks like Ray also has his hand up, or does he just still have it up?

156
00:23:05.550 --> 00:23:06.540
Nick Lewis - Internet2: It may still be up.

157
00:23:07.230 --> 00:23:09.150
Ray G - University of Washington: Hello, I'm sorry, that's still up. I'll put it down.

158
00:23:11.940 --> 00:23:19.590
Darren Fallis - NC State: So we have a secure research environment that, it's been around for a couple years. They had been working on

159
00:23:20.790 --> 00:23:27.570
Darren Fallis - NC State: on its compliance, and recently sort of got refactored and audited by an outside agency, Deloitte,

160
00:23:28.860 --> 00:23:40.200
Darren Fallis - NC State: for, not CMMC yet, that's on the horizon, but NIST 800-171, so they can accept certain grants from, you know, Department of Defense and places.

161
00:23:41.340 --> 00:23:54.570
Darren Fallis - NC State: And so they've architected it into AWS GovCloud, and then the various things they're using, like Okta or CrowdStrike, etc., they're allocating into the, the FedRAMP version or GovCloud version of those tools.
162
00:23:55.650 --> 00:24:06.960
Darren Fallis - NC State: They were going to do, like, roll your own ELK, and like an Amazon Elastic offering for logging and this and that, and Deloitte came in and said, "What part of centralized logging did you miss?"

163
00:24:08.400 --> 00:24:13.890
Darren Fallis - NC State: And so they said, "Well, great, let's get Splunk up," in, like, you know, four weeks.

164
00:24:15.120 --> 00:24:16.890
Darren Fallis - NC State: To our Splunk team, and

165
00:24:18.390 --> 00:24:22.230
Darren Fallis - NC State: they wanted to use the Splunk Cloud option, and

166
00:24:23.280 --> 00:24:30.120
Darren Fallis - NC State: then realized they need to get the GovCloud version of that as well. They also wanted to get Enterprise Security, because Deloitte said, "Yeah, where's your SIEM?"

167
00:24:31.740 --> 00:24:36.330
Darren Fallis - NC State: And turns out Splunk doesn't license the Enterprise Security SIEM for less than 50 gigs a day,

168
00:24:36.600 --> 00:24:48.630
Darren Fallis - NC State: and that has to match your enterprise license. That means that their Splunk Cloud version had to be 50 gigs a day, and suddenly they were into a, you know, high five or low six figure amount, and that got kind of nuts.

169
00:24:50.190 --> 00:24:57.450
Darren Fallis - NC State: They had, they have very tight, Deloitte basically has very strong restrictions on any data connection or interchange between that environment and

170
00:24:57.780 --> 00:25:03.990
Darren Fallis - NC State: on-prem or any other part of our infrastructure. I think the only exception they've made so far is for licensing, because

171
00:25:04.320 --> 00:25:12.120
Darren Fallis - NC State: the research, the environment, is using software that they also use on campus, and there's only one license server allowed, and they said, "Well, licensing calls are not too,

172
00:25:12.630 --> 00:25:16.980
Darren Fallis - NC State: you know, sensitive, so we'll allow that." So I raised my hand and said, so,
173 00:25:17.550 --> 00:25:23.370 Darren Fallis - NC State: We already have a Splunk license server on campus and it's got a 600 gigabyte license, and we have an Enterprise Security license for that.
174 00:25:23.820 --> 00:25:33.930 Darren Fallis - NC State: I'm not aware that you have to pay extra to run another Splunk Enterprise Security search head anywhere; you could run multiple. Usually you don't, you kind of want to see everything, but you could.
175 00:25:34.650 --> 00:25:44.790 Darren Fallis - NC State: And that, in fact, is what we're doing: we've built on some Linux boxes a standalone Splunk indexer and a standalone search head against it running ES, and
176 00:25:45.360 --> 00:25:59.700 Darren Fallis - NC State: we've been adding TAs and configuring things to get AWS info in, and CrowdStrike and Tenable and Okta, and, and, and manage de de logs, you know, a lot of, a lot of learning very quick.
177 00:26:01.320 --> 00:26:10.320 Darren Fallis - NC State: We're not done yet, we still have more work to do, but it's kind of a good learning environment that's not terribly critical; there's not, you know, thousands of people using it.
178 00:26:11.160 --> 00:26:17.220 Darren Fallis - NC State: So, and we're already using some of the things that we've learned there to go mirror onto our production on-prem.
179 00:26:18.240 --> 00:26:29.760 Darren Fallis - NC State: To get, like, we have some other AWS VPCs, and the Control Tower platform group is starting to run a native AWS Control Tower to bring in campus VPCs under its sort of umbrella.
180 00:26:30.930 --> 00:26:35.010 Darren Fallis - NC State: So we're reading some of that, although Control Tower is not available in GovCloud.
181 00:26:36.420 --> 00:26:53.250 Darren Fallis - NC State: But it's sort of just a bunch of pre-packaged settings and things anyway, so setting up the logging for AWS without Control Tower is not too dissimilar, so all the guides that Splunk has for Splunk data from AWS Control Tower and Splunk fairly apply in terms of VPC flows, etc.
182 00:26:54.690 --> 00:26:56.730 Darren Fallis - NC State: But we're baby steps on a lot of that.
183 00:26:59.910 --> 00:27:01.620 Darren Fallis - NC State: If anybody else has experience, I'd love to hear it.
184 00:27:12.450 --> 00:27:23.520 Nick Lewis - Internet2: So UCLA did a presentation around HIPAA in AWS where they mentioned using Splunk, and this was their medical school that was talking about it, not central IT.
185 00:27:24.570 --> 00:27:39.270 Nick Lewis - Internet2: And they did that on an Internet2 Community Voices webinar a couple weeks ago, and so it's similar but not quite exactly the same, but very close to what you're just talking about, so that I can put the, the
186 00:27:40.290 --> 00:27:46.170 Nick Lewis - Internet2: the, let me track the notes of the recording down, I'll try to put that in the chat while other people are talking.
187 00:27:46.590 --> 00:27:47.910 Darren Fallis - NC State: In the meeting notes for this
188 00:27:47.940 --> 00:27:49.590 Nick Lewis - Internet2: meeting, that's right, that would
189 00:27:49.680 --> 00:27:50.430 appreciate that.
190 00:27:53.100 --> 00:27:59.850 RuthAnne Bevier - Caltech: You could, are they using Splunk Cloud, are they using just a Splunk instance that they run that's on AWS?
191 00:28:03.990 --> 00:28:04.380 Nick Lewis - Internet2: and
192 00:28:06.690 --> 00:28:08.130 RuthAnne Bevier - Caltech: Now we can find out from the link.
193 00:28:08.280 --> 00:28:10.980 Nick Lewis - Internet2: That's what I'm going to track down real quick.
194 00:28:12.090 --> 00:28:14.940 Nick Lewis - Internet2: Because I don't remember exactly what they said, I was listening and
195 00:28:17.820 --> 00:28:27.600 Darren Fallis - NC State: Another wrinkle: the folks who are running this environment are mainly Windows folks, they don't know a lot about Linux administration; we are not running Splunk on Windows Server.
196 00:28:29.100 --> 00:28:33.810 Darren Fallis - NC State: I advocated, well, if you don't want to sort of worry about running the security for the Linux box underneath,
197 00:28:34.170 --> 00:28:48.210 Darren Fallis - NC State: you can run Splunk in Docker containers. They did not want to also learn that at the same time, so they just provisioned Amazon EC2 Linux instances that they now have to caretake and update, which does not mean logging in and running yum update every week.
198 00:28:49.290 --> 00:28:49.620 But.
199 00:28:51.240 --> 00:28:57.360 Darren Fallis - NC State: So I don't know, has anyone done Splunk Enterprise, like, distributed off of Docker containers?
200 00:28:59.610 --> 00:29:00.750 Darren Fallis - NC State: We've only done it for testing.
201 00:29:05.430 --> 00:29:06.180 Brad Maloney - Duquesne University: I've been here.
202 00:29:09.840 --> 00:29:22.050 Christopher Caldwell: Yeah, I do app development in a Docker container, and we've done some testing of the forwarder, but I'd be really interested to see heavy forwarders or other infrastructure in Docker.
203 00:29:23.910 --> 00:29:24.810 Darren Fallis - NC State: We were looking at
204 00:29:25.320 --> 00:29:26.490 Darren Fallis - NC State: doing a standalone indexer or
205 00:29:26.490 --> 00:29:31.230 Darren Fallis - NC State: doing the search head; you just, it appears that, basically, you allocate
206 00:29:32.430 --> 00:29:38.820 Darren Fallis - NC State: persistent storage volumes underneath the container and spin it up; all the config and data goes into the persistent storage.
207 00:29:39.300 --> 00:29:50.250 Darren Fallis - NC State: And the container is your version of Splunk. When I upgrade Splunk, you destroy the container, instantiate a new version, you know, and it mounts the persistent storage and says, oh look, I've been upgraded, you know, when it starts.
208 00:29:51.660 --> 00:30:00.510 Darren Fallis - NC State: It appears to be the way, but I have not done it at this level; I've only used it like you were saying, just for sort of standalone playing around on my machine.
209 00:30:06.990 --> 00:30:14.730 Darren Fallis - NC State: I think originally it wasn't supported for enterprise, you know, distributed environments, but I assume it is now.
210 00:30:19.980 --> 00:30:28.560 Darren Fallis - NC State: Not sure it necessarily fits the, you know, in terms of Splunk indexers and search heads, that it necessarily fits the idea of I'm going to run a container and then, you know, kill it when I want and spin up 10 more.
211 00:30:29.310 --> 00:30:34.440 Darren Fallis - NC State: But, for, you know, forwarders or, you know, HEC boxes or things like that, it seems to make a lot more sense.
212 00:30:46.530 --> 00:30:52.740 Darren Fallis - NC State: We have some folks who are moving their infrastructure into containers, containerizing in preparation to move into Kubernetes
213 00:30:53.460 --> 00:31:06.120 Darren Fallis - NC State: managed infrastructure on AWS or Google, and they'll probably be adding the universal forwarder in a container into those environments and then publishing, you know, log directories out of that over to that
214 00:31:06.840 --> 00:31:11.010 Darren Fallis - NC State: that container, as opposed to trying to install Splunk inside their own container when they build it.
215 00:31:12.990 --> 00:31:17.130 Darren Fallis - NC State: But that'll be sort of our first toe into forwarders as Docker containers.
216 00:31:18.990 --> 00:31:19.500 Darren Fallis - NC State: New, new, new.
217 00:31:24.270 --> 00:31:33.720 Nick Lewis - Internet2: So it seems a lot, lots of new things coming in; obviously the world changes quickly, we need to keep up and get the data and try to understand what's going on.
218 00:31:37.950 --> 00:31:39.030 Nick Lewis - Internet2: Any other
219 00:31:40.140 --> 00:31:41.370 Nick Lewis - Internet2: comments around
220 00:31:43.140 --> 00:31:49.320 Nick Lewis - Internet2: using Splunk in the CMMC research environment in AWS, or Docker?
221 00:32:03.390 --> 00:32:14.100 Nick Lewis - Internet2: Okay, looks like no additional questions, so that's the agenda that we had. Any open questions? Now we've got time for open questions, anything else you want to ask the group?
222 00:32:17.370 --> 00:32:27.360 Edward Wade (UCSD): A question, this is Edward, UCSD. I unfortunately was late to the meeting, so I missed the Cribl section, which was kind of what I was curious about, had some questions on.
223 00:32:28.530 --> 00:32:42.300 Edward Wade (UCSD): That people say that they were able to do a POC, maybe just, like, the free version and then scale up, or I was just curious, any insight on commercial versus non-commercial option of Cribl.
224 00:32:43.860 --> 00:32:55.110 Brad Maloney - Duquesne University: So yeah, we did, we POC'd with clustering in mind, so we have, you know, one master server and then just one worker node, you know, doing all the work.
225 00:32:55.950 --> 00:33:04.920 Brad Maloney - Duquesne University: With our 200 gig license, and that has served us well for the past month anyway, and we're still remaining on that, you know, community supported edition.
226 00:33:05.820 --> 00:33:18.630 Brad Maloney - Duquesne University: It's actually gotten pretty good community support, to be honest, from, like, you know, Splunk Slack channels; there's some Cribl, you know, forums and things like that out there, or, you know, even Splunk, you know, forums, so
227 00:33:19.830 --> 00:33:32.310 Brad Maloney - Duquesne University: So far, so good there, but if, you know, you're running a lot of data through it, I would probably suggest, you know, you get some production-level support, because if Cribl's down, then, I mean, yeah, you're losing quite a bit of logs there.
228 00:33:34.080 --> 00:33:46.260 Edward Wade (UCSD): Okay, yeah, that makes sense, and my understanding is it's built on top of Logstash. Had anyone else looked into an alternative for streaming, like Kafka, or using Logstash on its own?
229 00:33:49.350 --> 00:33:58.080 Brad Maloney - Duquesne University: Yeah, we just went straight Cribl there, and we used that to send everything to S3 and then, you know, move on to Splunk, okay.
230 00:33:58.380 --> 00:33:58.740 yeah.
231 00:33:59.880 --> 00:34:08.940 Edward Wade (UCSD): Yeah, it's become kind of a hot topic for us over at UCSD, using some kind of a tool; you know, first we thought the heavy forwarder, but Cribl is much more sophisticated.
232 00:34:09.660 --> 00:34:18.690 Edward Wade (UCSD): To do long-term storage, short-term storage, maybe even, like, summations. One use case I thought was interesting was, you know, you get a lot of, like, DNS or connection log data that's
233 00:34:19.050 --> 00:34:28.920 Edward Wade (UCSD): relatively the same every single time, stuff you can do; it seems like people have the option to do parsing and then, like, aggregation; you maybe, like, do, like, a summary log once a minute, say, like, hey,
234 00:34:29.490 --> 00:34:38.010 Edward Wade (UCSD): this connection happens, maybe once an hour, you know, happened this many times, as opposed to actually passing along those events individually, so
235 00:34:38.340 --> 00:34:39.930 Brad Maloney - Duquesne University: And that's exactly what we did have as
236 00:34:39.930 --> 00:34:40.560 Edward Wade (UCSD): Well, cool.
237 00:34:40.680 --> 00:34:46.980 Brad Maloney - Duquesne University: First on the agenda for why we were, you know, putting Cribl in was, well, besides stripping fields out for noisy events,
238 00:34:47.370 --> 00:34:51.870 Brad Maloney - Duquesne University: yeah, it's quantifying some of those events, just so we can get a
239 00:34:52.590 --> 00:35:01.710 Brad Maloney - Duquesne University: feel of how many times it happened, not a copy of every single time it happened, and then, on the other side, is that we're still sending all of that to a long-term, you know, archive anyway that's not Splunk.
240 00:35:02.070 --> 00:35:06.090 Brad Maloney - Duquesne University: So if we ever do need to go back and replay the events, you know, we can do it that way.
241 00:35:07.080 --> 00:35:11.670 Edward Wade (UCSD): Oh wow, really, sorry for missing all that; apparently you guys probably hashed over it already, but
242 00:35:12.690 --> 00:35:17.670 Edward Wade (UCSD): yeah, it was, was it you, Brad, who was working on it, or anyone else in the team was working on Cribl?
243 00:35:18.660 --> 00:35:18.930 here.
244 00:35:20.130 --> 00:35:30.300 Brad Maloney - Duquesne University: Christopher, I think, was using Cribl there as well, but yeah, we were the PMC who came, we were pure seen it a color to go in there, so yeah, just reporting back a little bit.
245 00:35:30.750 --> 00:35:31.770 Edward Wade (UCSD): Okay, cool, awesome.
246 00:35:33.120 --> 00:35:33.510 Christopher Caldwell: Yeah, we've
247 00:35:33.690 --> 00:35:43.140 Christopher Caldwell: been saying that metrics was really valuable, because we have management, they wanted us to report on a lot of that traffic hitting the exterior of the firewall that we didn't want to
248 00:35:43.620 --> 00:35:53.550 Christopher Caldwell: log to Splunk, that being able to generate your metrics off of the logs and then not send them to Splunk really kind of filled that need.
249 00:35:56.730 --> 00:36:01.830 RuthAnne Bevier - Caltech: And Brad, did I hear you say that even if you're on the free tier, you can still pay for support?
250 00:36:03.270 --> 00:36:10.440 Brad Maloney - Duquesne University: I know I just kind of threw that out there; it's almost like how the Microsoft model is, like, you know, if you don't have, like, Premier Support contracts or something,
251 00:36:10.860 --> 00:36:19.710 Brad Maloney - Duquesne University: you can call, you know, there's one line and it's, like, 250 bucks or 500 bucks, so maybe they have something like that, otherwise yeah, you're gonna have to get a support contract.
252 00:36:20.520 --> 00:36:30.480 Brad Maloney - Duquesne University: But so far community-based support has been great; I haven't even really had to use it much, you know, or asked that many questions, because it just kind of works out of the box, you know, so far, so good.
253 00:36:31.170 --> 00:36:31.380 well.
254 00:36:33.060 --> 00:36:36.960 RuthAnne Bevier - Caltech: And what is the Splunk Slack channel?
255 00:36:38.070 --> 00:36:39.180 RuthAnne Bevier - Caltech: I don't think I knew about that.
256 00:36:39.750 --> 00:36:44.460 Brad Maloney - Duquesne University: So actually, looks like Christopher's here and threw it in the chat, which is very helpful, so
257 00:36:45.540 --> 00:36:46.290 Slack channel.
258 00:36:47.640 --> 00:36:49.680 RuthAnne Bevier - Caltech: I didn't see it, it's blank chance, it's like, oh.
259 00:36:51.540 --> 00:36:51.810 Nick Lewis - Internet2: Yeah.
260 00:36:52.920 --> 00:37:01.170 Nick Lewis - Internet2: Splunk has a Slack instance where they've invited customers, and, like, somehow I got on it.
261 00:37:02.250 --> 00:37:03.060 Nick Lewis - Internet2: And they've got
262 00:37:04.290 --> 00:37:10.500 Nick Lewis - Internet2: it's pretty active; well, I don't follow it terribly closely, but I'll track down the link to it and put it in the
263 00:37:11.250 --> 00:37:11.730 Darren Fallis - NC State: Zoom chat.
264 00:37:12.900 --> 00:37:14.130 Darren Fallis - NC State: There's a page on Splunk.
265 00:37:14.130 --> 00:37:16.170 Nick Lewis - Internet2: Good, thank you, perfect.
266 00:37:16.470 --> 00:37:16.770 RuthAnne Bevier - Caltech: Thank you.
267 00:37:18.720 --> 00:37:27.870 Darren Fallis - NC State: It is active; there's a lot of good folks there, a lot of the Splunk fez folks, and there's a lot of folks from around the world, so you can get answers at any time of the day.
268 00:37:29.580 --> 00:37:31.500 Brad Maloney - Duquesne University: 24/7 support, there you go, for free.
269 00:37:31.590 --> 00:37:38.070 Darren Fallis - NC State: I've absolutely gotten answers from people in both Asia and Europe at strange times I was not expecting.
270 00:37:39.360 --> 00:37:49.320 Christopher Caldwell: Yeah, it's a good place for support on community apps and add-ons too, and I get requests for, you know, people asking questions there for my items as well.
271 00:37:50.820 --> 00:37:56.400 Christopher Caldwell: Yeah, there's definitely probably nothing that plane bottles can't answer.
272 00:37:56.880 --> 00:37:58.830 Darren Fallis - NC State: Yeah, absolutely.
273 00:38:00.000 --> 00:38:05.190 Brad Maloney - Duquesne University: Yeah, I'd say that's the highest concentration of Splunk fences on the Internet, it's right there in that Slack channel, so
274 00:38:05.430 --> 00:38:06.960 Brad Maloney - Duquesne University: Absolutely, could please.
275 00:38:08.760 --> 00:38:10.470 Darren Fallis - NC State: I need to use it more, and sooner.
276 00:38:16.260 --> 00:38:30.360 Darren Fallis - NC State: A question, Brad, in terms of the summarization that you're doing: so then, when you're computing stats on the logs in Splunk, are you just turning your count into sum of the summarization count, and then maybe doing a coalesce to make that field to a one?
277 00:38:30.750 --> 00:38:31.500 Brad Maloney - Duquesne University: Yeah, I think you
278 00:38:31.650 --> 00:38:40.350 Brad Maloney - Duquesne University: You can pick by a field, right? So if you, you know, there's only just one field of the event you want to numerify, you could say, you know, this source IP, if it occurs
279 00:38:40.890 --> 00:38:45.900 Brad Maloney - Duquesne University: you know, whatever, to this destination; you know, you can pick and choose these fields, right, there's so much criteria you could set.
280 00:38:46.440 --> 00:39:00.120 Brad Maloney - Duquesne University: But you can have a count over a set period of time, and then it just adds, you know, that field that has that number of how many times it happened, just throws it right in there with the event, and that's, you know, seen in a Splunk dashboard.
281 00:39:00.960 --> 00:39:02.730 Darren Fallis - NC State: Right, and I'm talking about on the Splunk side on the
282 00:39:02.730 --> 00:39:03.270 Brad Maloney - Duquesne University: dashboard.
283 00:39:03.630 --> 00:39:07.560 Darren Fallis - NC State: As opposed to, like, a stats count, you're able to do just sum on that.
284 00:39:07.920 --> 00:39:14.310 Brad Maloney - Duquesne University: Right, or even tstats, which is another kind of improvement we threw in here in this whole overall Splunk improvement we were doing.
285 00:39:15.300 --> 00:39:24.090 Brad Maloney - Duquesne University: So tstats on stats dashboards and things like that; switched over some to tstats, some of them, and saw, like, a more than half time improvement, I mean.
286 00:39:24.810 --> 00:39:26.310 Brad Maloney - Duquesne University: So really fast counts.
287 00:39:26.400 --> 00:39:40.350 Darren Fallis - NC State: For using tstats, though, and if the summarization count field, you know, if it says, oh, I found this event, you know, seven times in this one minute, if you're not extracting that at index time you can't use it in tstats, correct, like to do sum on those?
288 00:39:42.150 --> 00:39:44.340 Brad Maloney - Duquesne University: That's probably correct, yeah, I
289 00:39:45.540 --> 00:39:54.870 Brad Maloney - Duquesne University: couldn't tell you off the top of my head. I know we did switch to tstats on a lot of our searches and stuff for kind of speed increases out of there, yeah, right, maybe you can.
290 00:39:55.320 --> 00:39:58.800 Christopher Caldwell: You can do that, so, for the metrics source type.
291 00:39:59.910 --> 00:40:00.180 Darren Fallis - NC State: Oh.
292 00:40:00.360 --> 00:40:03.180 Christopher Caldwell: Yeah, if you use a metrics index, and
293 00:40:03.540 --> 00:40:06.780 Christopher Caldwell: you send the data as metrics from Cribl, then you can use it instead.
294 00:40:07.350 --> 00:40:12.810 Darren Fallis - NC State: Oh yeah, yeah, if you're using a metrics index source type instead of the normal.
295 00:40:14.400 --> 00:40:25.290 Darren Fallis - NC State: Yeah, we're looking at, we're not really doing a lot with metrics indexes yet; we're looking at converting some of the data source types into metrics instead, just for better reporting.
296 00:40:26.460 --> 00:40:27.810 Darren Fallis - NC State: Are you doing a lot with metrics, Chris?
297 00:40:30.570 --> 00:40:46.710 Christopher Caldwell: We just started doing it, and it's, you know, one of the advantages seems to be that, you know, like we were saying earlier, you know, they use a lower ingest rate for the licensing assumption for metrics events; I think it's a set data size per metric event.
298 00:40:47.250 --> 00:40:48.450 Darren Fallis - NC State: It's 150 bytes.
299 00:40:48.750 --> 00:40:54.510 Christopher Caldwell: Yeah, so we were trying to look and see, you know, where we could use that to save on license overhead, and
300 00:40:55.680 --> 00:41:05.490 Christopher Caldwell: but it's just not a big priority right now; we're also moving from on-premise to AWS for our Splunk environment, so that's consuming a lot of time.
301 00:41:07.860 --> 00:41:16.320 Darren Fallis - NC State: Now, that is actually a future topic I'd be interested in: your success or, you know, use of metrics indexes, or anybody's, in fact.
302 00:41:24.990 --> 00:41:31.050 Christopher Caldwell: Yeah, we kind of started a while ago, and then there, it seems like there was a lot of instability around
303 00:41:31.860 --> 00:41:38.280 Christopher Caldwell: the Splunk App for Infrastructure, and then moving to the IT Work Essentials, and, like, as soon as you start
304 00:41:38.790 --> 00:41:49.140 Christopher Caldwell: dabbling with adopting something, it would be deprecated and there was a new replacement app for it, so that kind of put us in a pause situation and we just haven't gotten back to it.
305 00:42:01.980 --> 00:42:20.640 Edward Wade (UCSD): A topic that may be outside the scope of this call, so if it is, please feel free to shut it down, no big deal, but one thing that we've considered over time, usually around the renewal term, is, you know, doing an RFP proof of concept of Splunk versus an open source solution like Elastic.
306 00:42:22.260 --> 00:42:28.320 Edward Wade (UCSD): And I was just wondering if that's something that other people have reviewed, done a bake-off proof of concept.
307 00:42:29.550 --> 00:42:47.790 Edward Wade (UCSD): I haven't done the actual proof of concept, but I've done some review, and it seems like getting by with purely free Elastic is not the same as having Splunk; you need to have, I think it's like Gold, the first year to get even just alerting.
308 00:42:49.320 --> 00:42:53.790 Edward Wade (UCSD): So yeah, that's the thing, but we're always interested in; we're very much going to be interested in next year.
309 00:42:54.390 --> 00:42:57.150 Edward Wade (UCSD): So if that's in scope of this call, it'd be really interesting to me.
310 00:42:59.490 --> 00:43:08.970 Christopher Caldwell: We did it maybe four years ago, just kind of like a justification, as part of a multi-year term, lessons first one, and
311 00:43:09.870 --> 00:43:32.280 Christopher Caldwell: But we didn't do it, it wasn't very formal, and it pretty soon became self-evident, just the amount of staff we'd need for developing reporting and dashboards and reinventing all the grok patterns, and then add to that the fragility of, like, doing upgrades on the Elastic stack, and
312 00:43:33.930 --> 00:43:38.970 Christopher Caldwell: we quickly stopped doing the work on the reporting, and just, not much luck.
313 00:43:42.930 --> 00:43:48.180 Edward Wade (UCSD): Yeah, that's kind of the idea that we've had as well; I think we're going to have to put some pen to paper this time.
314 00:43:49.650 --> 00:43:55.620 Edward Wade (UCSD): So yeah, we're going to do that, but yeah, if anybody, that's helpful for us, you know, just to hear; it's kind of a hard thing to Google.
315 00:43:56.910 --> 00:44:03.930 Edward Wade (UCSD): A lot of people don't have that information publicly, you know, Elastic versus Splunk, but I feel like it's something that people Google all the time.
316 00:44:05.490 --> 00:44:14.220 Christopher Caldwell: It comes up frequently on the Slack channel, and anytime someone posts a job on the job board that mentions Logstash.
317 00:44:17.520 --> 00:44:18.750 Ray G - University of Washington: Yeah, I feel like I'm for
318 00:44:18.960 --> 00:44:27.690 Darren Fallis - NC State: Four years now they're just really apples and oranges; like, Splunk adds a lot of visualization and data transformation tools and extra apps and things, and things that
319 00:44:28.140 --> 00:44:37.980 Darren Fallis - NC State: just don't exist in Elastic; they're just different things at this point, and they work in very different ways. But the people I know running Elastic are folks who are license-constrained
320 00:44:38.910 --> 00:44:48.900 Darren Fallis - NC State: in terms of money, like, just can't afford the, you know, three terabyte license they need for Splunk, and so they put a crap ton of that in Elastic and then some, like, part of that and send it over to Splunk.
321 00:44:50.070 --> 00:45:01.440 Darren Fallis - NC State: And yet the people I know running Elastic, if they're running a very small install, they're happy; if they're running a very large install, like seven Elastic clusters of 100 nodes apiece,
322 00:45:02.280 --> 00:45:09.180 Darren Fallis - NC State: they have a team to run it, and in between, where they have 20 or 30 nodes, etc., they're cursing it on a regular basis.
323 00:45:10.380 --> 00:45:11.730 Edward Wade (UCSD): That's kind of my experience as well.
324 00:45:12.960 --> 00:45:13.200 Edward Wade (UCSD): Yeah.
325 00:45:13.260 --> 00:45:14.130 Ray G - University of Washington: Yeah, for
326 00:45:14.190 --> 00:45:21.690 Ray G - University of Washington: For what it's worth, you guys, this is Ray, I'm from the University of Washington Applied Physics Lab; I'm sorry, this is my first time
327 00:45:21.750 --> 00:45:24.000 Christopher Caldwell: joining this meeting, go well.
328 00:45:24.960 --> 00:45:26.820 Ray G - University of Washington: Except for whoever's barking at me.
329 00:45:28.740 --> 00:45:31.800 Ray G - University of Washington: I just wanted to say, we did sort of a bake-off; we had
330 00:45:33.450 --> 00:45:57.600 Ray G - University of Washington: an opportunity to sort of demonstrate sort of a tabletop exercise of an incident response, where we were using Splunk to review the logs versus when we were using Graylog, which is, like, the cheapest sort of Elasticsearch web interface that you can sort of come up with.
331 00:45:58.980 --> 00:46:02.040 Ray G - University of Washington: As sort of a demonstration of the
332 00:46:03.270 --> 00:46:11.160 Ray G - University of Washington: challenges that an actual responder would engage with when they're trying to react to an incident in real time.
333 00:46:11.880 --> 00:46:18.510 Ray G - University of Washington: We found that that was very valuable in demonstrating the value of Splunk over the value of Elasticsearch.
334 00:46:19.470 --> 00:46:28.590 Ray G - University of Washington: We could demonstrate very quickly that, you know, any user who is even rudimentary, at least, you know, with Splunk was able to
335 00:46:29.130 --> 00:46:39.120 Ray G - University of Washington: gather more actionable data out of it, whereas, you know, even Graylog or Kibana, you would really have to know the interface very, very well
336 00:46:39.510 --> 00:46:54.510 Ray G - University of Washington: in order to pull out those sort of immediate indicators of compromise in a way that made immediate actionable sense. We didn't actually come up with a report out of that that we could share publicly, but just incidentally, I wanted to throw that out there.
337 00:46:57.900 --> 00:46:58.200 Edward Wade (UCSD): For sure.
338 00:47:01.020 --> 00:47:03.120 Nick Lewis - Internet2: Yeah, that's really interesting to hear, and I
339 00:47:03.780 --> 00:47:18.210 Nick Lewis - Internet2: going with what Darren was saying, I've heard from a number of campuses where they'll have Splunk and Elastic because of licensing reasons; there's five or six very large campuses I know that are doing that, and they'll put the
340 00:47:19.650 --> 00:47:23.460 Nick Lewis - Internet2: it'll sometimes depend on who's going to be using the data.
341 00:47:23.910 --> 00:47:31.410 Nick Lewis - Internet2: And that's kind of to what Ray, what you're saying, it may be easier to get the data out of Splunk or do the visualizations or reporting out of Splunk.
342 00:47:31.740 --> 00:47:41.220 Nick Lewis - Internet2: And then maybe the security team that has maybe more advanced users run the, get the stuff or use the Elastic environments, but the
343 00:47:41.250 --> 00:47:43.560 Ray G - University of Washington: Yes, that was precisely our experience.
344 00:47:47.820 --> 00:47:50.160 Darren Fallis - NC State: I would actually like to suggest another topic on that.
345 00:47:51.300 --> 00:47:55.320 Darren Fallis - NC State: So, with respect to Elastic versus Splunk and, you know, the apples and oranges, I think
346 00:47:55.710 --> 00:48:03.420 Darren Fallis - NC State: the way that a lot of our users use Splunk is just Google for logs, and they'd be fine served by Elastic because they're not doing anything fancy at all.
347 00:48:04.050 --> 00:48:08.340 Darren Fallis - NC State: But the topic I'd like to talk about is, like, education programs for your users,
348 00:48:09.210 --> 00:48:13.500 Darren Fallis - NC State: and how successful, or what successes you may have had, or failures, in trying to get them to
349 00:48:13.860 --> 00:48:25.650 Darren Fallis - NC State: you know, be more advanced power users, make their own dashboards, etc., or whether you've, you know, pursued a different strategy of employing employees or interns or whatever to just write things for them, or how that's working out.
350 00:48:27.690 --> 00:48:27.960 Edward Wade (UCSD): Yeah.
351 00:48:29.670 --> 00:48:33.390 Edward Wade (UCSD): Have you guys ever seen, or have you received, a Welcome app?
352 00:48:35.040 --> 00:48:40.320 Edward Wade (UCSD): It's something that, there's a guy named Burch at Splunk, he usually does, like, a .conf
353 00:48:40.890 --> 00:48:42.870 Edward Wade (UCSD): that says, yeah, yeah, so he had
354 00:48:42.930 --> 00:48:43.200 Darren Fallis - NC State: A.
355 00:48:43.350 --> 00:48:45.420 Darren Fallis - NC State: He's pointing, standing room only, 300 people.
356 00:48:45.570 --> 00:48:57.030 Edward Wade (UCSD): Yeah, that's great, and he pointed me to the Welcome app, and we've had a lot of success with that, so we've created many, many apps, front-end workspaces for different teams, and then created welcome pages with, like,
357 00:48:57.510 --> 00:49:02.520 Edward Wade (UCSD): links that go to, and that's something that I surprisingly became very dependent on.
358 00:49:03.270 --> 00:49:13.830 Edward Wade (UCSD): So if we were to do a review, we'd have to, I don't know, we'd have to see if the next product does support something like that, where you can customize a nav bar, customize a welcome page,
359 00:49:14.250 --> 00:49:23.580 Edward Wade (UCSD): different views, things like that, because it's kind of become the landing zone for all the different teams to even hit links outside of Splunk, like to go to
360 00:49:24.060 --> 00:49:32.970 Edward Wade (UCSD): our ticketing system; you know, I just put web links there. So it's an interesting thing that if you haven't looked at the welcome page app on Splunkbase, it's definitely worth looking at.
361 00:49:33.720 --> 00:49:36.000 Darren Fallis - NC State: That link in Zoom chat, is that the one you're talking about?
362 00:49:39.210 --> 00:49:40.620 Darren Fallis - NC State: What, you don't recognize the number?
363 00:49:42.180 --> 00:49:45.240 Edward Wade (UCSD): Of workers, that ID to 991, yep, that's the one, yeah.
364 00:49:47.490 --> 00:49:58.200 Edward Wade (UCSD): Yeah, and there's some good resources; I think it points you to the Splunk page about customizing the nav bar, that's also something that we've leveraged a lot as well, so
365 00:49:59.340 --> 00:50:03.600 Edward Wade (UCSD): I don't know if that answered your question, if it was on topic, but that's something that we definitely use.
366 00:50:11.550 --> 00:50:13.380 Darren Fallis - NC State: About our end of our time.
367
00:50:14.040 --> 00:50:25.230
Nick Lewis - Internet2: We're getting pretty close a couple more minutes, just a quick comment through we we had in the past few the Net+ Splunk program there is some free training that was discontinued and.

368
00:50:27.630 --> 00:50:31.830
Nick Lewis - Internet2: Yeah I know and so that was Splunk was.

369
00:50:32.850 --> 00:50:45.450
Nick Lewis - Internet2: There's there's like 4000 plus people that went through that free training through higher ed and so it's been it's been quite a while, since we've done that but it's.

370
00:50:46.860 --> 00:51:02.400
Nick Lewis - Internet2: I keep hearing that there's a desire for that more training for the for the end users for Splunk so that so that the Splunk advanced users or administrators can focus on the more advanced and complicated things rather than.

371
00:51:03.420 --> 00:51:13.620
Nick Lewis - Internet2: The maybe the the the more run of the mill day to day stuff where maybe it would be best served by the individual who had the question.

372
00:51:14.490 --> 00:51:21.510
Nick Lewis - Internet2: What one of the things I wonder is on this training aspect I know Splunk is very interested in expanding out of.

373
00:51:21.930 --> 00:51:29.580
Nick Lewis - Internet2: The advanced users are expanding outside of the information security space and so they've been doing some work and student success.

374
00:51:29.970 --> 00:51:37.380
Nick Lewis - Internet2: And they've had this remote work dashboard where they're trying to target maybe help desks and and things like that, and so I'm wondering.

375
00:51:37.890 --> 00:51:47.310
Nick Lewis - Internet2: Is is there may be a pivot there are ways to talk discipline of saying you know what, if you want to get outside of the IT security group.
376
00:51:47.700 --> 00:52:06.270
Nick Lewis - Internet2: Maybe you need to provide more training to the the audiences that you're trying to engage, do you think that would be do you think that would help your basically your users and drive more value for your Splunk implementations and then basically drive more value for Splunk.

377
00:52:12.120 --> 00:52:16.860
Darren Fallis - NC State: So has anyone registered and to actually go to .conf in Vegas in October.

378
00:52:18.120 --> 00:52:18.540
Brad Maloney - Duquesne University: I'm.

379
00:52:20.700 --> 00:52:22.260
Edward Wade (UCSD): Not the conference, but Splunk University.

380
00:52:25.500 --> 00:52:31.050
Edward Wade (UCSD): Dashboard Studio which I'm I think that's something anybody here, Chris dashboards some everyone should look at.

381
00:52:32.520 --> 00:52:34.530
Edward Wade (UCSD): As a class in that Splunk University.

382
00:52:36.840 --> 00:52:37.140
Cool.

383
00:52:38.430 --> 00:52:42.090
Darren Fallis - NC State: I'm approved to go, but I haven't made all the bookings and things yet.

384
00:52:45.120 --> 00:52:47.910
Edward Wade (UCSD): Those are expensive, right now, may want to make one, just in case.

385
00:52:52.950 --> 00:52:54.210
Brad Maloney - Duquesne University: It's at the Venetian again right.

386
00:52:55.500 --> 00:53:05.400
Edward Wade (UCSD): Yeah I'm not too far, like a five hour drive so it's not a big deal for me to fly, but I do know that the hotels are getting pretty expensive so it's if you can cancel the hotel last minute, it might be worth doing.

387
00:53:10.530 --> 00:53:14.790
Nick Lewis - Internet2: That's a good point I haven't thought that far ahead, yet, so I maybe I should.

388
00:53:18.120 --> 00:53:21.210
Nick Lewis - Internet2: Okay, any last questions or comments for this month.

389
00:53:21.930 --> 00:53:24.720
Brad Maloney - Duquesne University: Nick just to add real quick to the education piece.
390
00:53:25.890 --> 00:53:31.890
Brad Maloney - Duquesne University: You know, we go way back on the board and everything that's something I've you know talked about we've tried to work out with function in the past.

391
00:53:32.280 --> 00:53:40.980
Brad Maloney - Duquesne University: And you know, maybe here with you know the collective power of this group here as well, we go back to Splunk as the Advisory Board and you know kind of make that case again that.

392
00:53:41.700 --> 00:53:50.190
Brad Maloney - Duquesne University: You know, we want maybe education credits or discounts or something, as you know, part of the Internet2 you know perks package here.

393
00:53:53.490 --> 00:53:57.600
Darren Fallis - NC State: And the strange thing is that, I mean we I think we have some credits, as part of our license.

394
00:53:58.620 --> 00:54:02.490
Darren Fallis - NC State: But that's going to extend to a few internal Splunk you know sort of experts within the.

395
00:54:02.940 --> 00:54:12.990
Darren Fallis - NC State: Admin team, here we need but we're so highly distributed at the university that you know we need Splunk sort of power user or even dead a dashboard in training, for you know 80 people on campus.

396
00:54:13.530 --> 00:54:21.870
Darren Fallis - NC State: And there's no it's it's not going to happen at X thousands of dollars per so if they expect us to you know have people really make more use of it.

397
00:54:22.200 --> 00:54:33.600
Darren Fallis - NC State: Either they offer the training for free or it's just not going to happen and then we're limited for how much we can write for them, you know if they're not super energized to go teach themselves using the docs.

398
00:54:36.060 --> 00:54:44.820
Brad Maloney - Duquesne University: That's exactly, I think, the more people you put through training, the more successful your your Splunk services, and you know it's a win-win situation, I would think for so long, but.
399
00:54:45.870 --> 00:54:47.460
Brad Maloney - Duquesne University: We'll see see what happens there.

400
00:54:49.560 --> 00:54:53.490
Darren Fallis - NC State: I think they seem to be saying it more as a revenue source than enabling.

401
00:54:54.930 --> 00:54:55.290
function.

402
00:55:02.580 --> 00:55:08.190
Nick Lewis - Internet2: Okay looks like we're just about at time thanks everyone for the active discussion engagement.

403
00:55:08.910 --> 00:55:24.120
Nick Lewis - Internet2: We'll save a couple more of the we'll save a couple of these topics for next month in case there's any developments or future questions so thanks for your time this month and we'll see you next month, if you have any questions before next month feel free to give me send me an email or.

404
00:55:25.200 --> 00:55:27.870
Nick Lewis - Internet2: And we can figure out a time to talk thanks everyone bye.

405
00:55:28.410 --> 00:55:29.160
Ray G - University of Washington: Thanks guys.