NET+ Splunk User Group call
Date: 6/11/2020
Please register for the user group to get the call-in information and a calendar invite at:
https://internet2.zoom.us/webinar/register/7615688226058/WN_aNbzAxBgQOOjNzZLX4VvEQ
Agenda:
- Introductions and reminder about the format of this call.
- Next call on July 9th 2pm ET – updated invite and Zoom registration
- Any follow-ups from the previous month on the Splunk Remote Work dashboard or using your Splunk implementation for COVID19 response?
- How is your Splunk implementation being used for Fall 2020 planning?
- How well is your SIEM working with everyone remote? Do you still have sufficient visibility?
- Using Splunk at small campuses discussion follow-up to SPC2020 panel on small campuses SIEM and centralized logging
- Open discussion and questions
Chat:
Hi everyone! We’ll get started at 5 min after the hour. I’ll unmute everyone then. Please feel free to put questions in chat or ask them as we get going.
Attendees: 23
Recording:
Auto-generated transcript from Zoom:
Chat transcript:
Notes:
In house app for contact disclosure and potentially querying Splunk via the API for wireless logs
Following the Splunk discussion around the Splunk app for contact tracing. Interested in trying as proof of concept. Should be released in July. Using wireless data.
We’re looking at that as well
Splunk leading cohort calls on contact tracing
Several interested
Splunk app is wireless AP centric or badging or POS
Using common information model
Rich – Tuesday next week for the app to be published on Splunkbase
Wireless data – already using that
Website asking for location – GPS device from browser on mobile?
Users consenting to sharing
Topic: Contract Tracing and COVID-19 Response Splunk Cohort #1 Date: May 21, 2020 12:55 PM Eastern Time (US and Canada) Share recording with viewers: https://splunk.zoom.us/rec/share/xYt5EZeqxGRJQJXEuWWcQbwsGqXjaaa80yZLqKVczRqqOvjGefmS87dyawIQG7iF Password: 0v%?*N@t
Topic: Splunk Contract Tracing Higher Ed Cohort Session #2 Date: May 28, 2020 12:50 PM Eastern Time (US and Canada) Share recording with viewers: https://splunk.zoom.us/rec/share/v-hKHpDp51tJY4nS9mzBev5_HIr5eaa8hyJI-KIEmDijxTZwBGTbxu0l1PL5118 Password: 8y.29b23
Topic: Contact Tracing Cohort Session #3 Date: Jun 4, 2020 12:49 PM Eastern Time (US and Canada) Share recording with viewers: https://splunk.zoom.us/rec/share/z8NxAbv1r0hOYJGUtU2Od_EiN5i7T6a82nRK-aAKy00tagrAH2aZ2U-VTqTJCizG Password: 3z!4x7D=
Wireless APs, Bluetooth,
Interested in supporting what campuses are looking for?
GPS coordinates from Apps for contact tracing?
Don’t have an app that we’re using, so that might be difficult
Rely on records of where the APs are located?
Any CMDB data?
For wired network connections could use CMDB?
What about people that can’t come back to the physical community? How can we support those people? Is there something we should be monitoring around that?
Splunk has been thinking about this around the student success toolkit
Remote work insights app to look at key apps
Workplace insights to bring together key points for re-opening campuses
How to do alerting about when a student has an issue?
Issue with Canvas and Splunk?
Splunk already had interface for Canvas
On-prem Blackboard or on-prem Blackboard
Usually on-prem implementations
Difficult to get cloud log data
Specific is data ingestion
Clemson doing a lot on Canvas and intermediate reporting system
There is a NET+ Canvas SAB that could help with that
How to make the connection between student and faculty person help better support the remote learner?
UNCG was asking about Canvas
When you look at AP data – getting in a building or floor. How precise are you trying to get the location?
We’re not using it for contact tracing. Found it accurate to floor.
We’re not doing yet. Do have dense AP population to get location within 15 ft. Never used location data for this before. In combination with a disclosure app/form for self-reporting. Use wireless data to supplement the self-reporting.
Real-time position data out of APs?
Have all of the logs from APs, but don’t have a graph of physical space in Splunk.
Do you have building maps with APs on them?
Most of the APs have a name that helps with location
We’re pulling that data in Cisco Prime – wrote an app in Splunk to do lookup with lat and long of buildings in campus to do visualizations
Real-time visualization tracker in Splunkbase
Not much being done of mapping of building
We’re looking to do maps
To get to 10ft location, you need to have maps in wireless system to do the wireless tracking based on power signals. Wireless management controller doing the mapping.
How to handle privacy with all of this potential tracking?
Lot of consumers only need aggregated de-identified data that need to know the number of people
When need to know about an individual, much more challenging
Maybe de-identified label?
Might be a challenge?
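As an added example (not code from the call or from Splunk), this Python sketch ties together two points from the discussion: mapping AP names that encode location to a building lookup table, and publishing only aggregated, de-identified floor counts so that consumers who only need head counts never see individual clients. The log format, the BLDG-FLOOR-APnn naming convention, the building table and the log lines are all constructed assumptions.

```python
import re

# Constructed sample AP association log lines (not from the call). The AP
# naming convention BLDG-FLOOR-APnn is a hypothetical example of names
# that encode location, as described on the call.
SAMPLE_LOGS = """\
2020-06-11T09:01:02 assoc client=aa:bb:cc:00:00:01 ap=LIB-2-AP07
2020-06-11T09:01:05 assoc client=aa:bb:cc:00:00:02 ap=LIB-2-AP07
2020-06-11T09:02:10 assoc client=aa:bb:cc:00:00:03 ap=LIB-3-AP01
2020-06-11T09:03:00 assoc client=aa:bb:cc:00:00:04 ap=SCI-1-AP02
2020-06-11T09:03:30 assoc client=aa:bb:cc:00:00:01 ap=LIB-2-AP08
2020-06-11T09:04:00 assoc client=aa:bb:cc:00:00:05 ap=UNKNOWN-AP
"""

# Hypothetical building lookup (code -> name, lat, lon), standing in for the
# Cisco Prime-derived lookup table mentioned on the call.
BUILDINGS = {
    "LIB": ("Library", 40.0001, -75.0001),
    "SCI": ("Science Hall", 40.0002, -75.0002),
}

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+ap=(?P<ap>\S+)")
AP_RE = re.compile(r"^(?P<bldg>[A-Z]+)-(?P<floor>\d+)-AP\d+$")


def ap_location(ap_name):
    """Return (building_code, floor) from an AP name, or None if it does not follow the convention."""
    m = AP_RE.match(ap_name)
    return (m.group("bldg"), int(m.group("floor"))) if m else None


def occupancy_by_floor(log_text, min_count=2):
    """Count distinct clients per (building, floor); drop floors below min_count.

    A device roaming between APs on one floor is counted once. Floors with fewer
    than min_count distinct clients are suppressed so the aggregate cannot be
    used to single out an individual."""
    seen = {}  # (bldg, floor) -> set of client identifiers
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        loc = ap_location(m.group("ap")) if m else None
        if loc is None or loc[0] not in BUILDINGS:
            continue  # unparseable line or AP with no mappable location
        seen.setdefault(loc, set()).add(m.group("client"))
    result = {}
    for loc, clients in seen.items():
        if len(clients) >= min_count:
            name, lat, lon = BUILDINGS[loc[0]]
            result[loc] = {"building": name, "lat": lat, "lon": lon,
                           "clients": len(clients)}
    return result
```

With the sample above only Library floor 2 survives the default threshold; the single-client floors and the AP with no mappable name are dropped rather than guessed at.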
Are there plans for an I2 license program for Phantom?
Yes
Nick to update webpages
Augment what people are doing rather than replacing people
While Phantom would be great (!), speaking of SOAR, has anyone integrated Splunk with any other SOAR platforms—The Hive/Cortex, other?
Panopticon
SOAR as a future topic
As Splunk formalizes a vCPU pricing SKU, does I2 have any plans to add that as an option on Net+?
Rich – having discussion on an institution by institution level. Not at NET+ level. Just individually. Don’t think it fits well in NET+. Still have limited number of campuses. Interest level is high.
At the present time, vCPU is still very new and has limited adoption... There is no plan to have it added to Net+. We can revisit once we have more data on the success.
Maybe we can get Penn State to talk about their use of Phantom! Can you reach out?
4 campuses interested in vCPU
Put vCPU on a future call? Need to know more details. CPU for AI/ML is high. Not sure how that affects?
We are interested but right now don’t have the budget due to less revenues
Rich – could do a preso on vCPU for this group?
Doing it targeted individual level to help optimize and limit vCPU count as possible
Talking with logging on CIO
We’ve gone through the sizing with sales person
Smallest model is still too much and uplift in how much we pay
All vCPUs.
Sizing exercise is much improved from the last time we did it
4TB at 250 vCPU
Ran into both issues
Provisioning of resources caused bump in price and increase in data volume to see the cost savings
Logs with poor signal to noise data
vCPU to have more tiers
smallest tier still sizable
More granular choices
Automation vs vCPU
Automation - +++