NET+ Splunk User Group call

Date: 6/11/2020


Please register for the user group to get the call-in information and a calendar invite at:

https://internet2.zoom.us/webinar/register/7615688226058/WN_aNbzAxBgQOOjNzZLX4VvEQ

Agenda:

  1. Introductions and reminder about the format of this call.
  2. Next call on July 9th 2pm ET – updated invite and Zoom registration
  3. Any follow-ups from the previous month on the Splunk Remote Work dashboard or using your Splunk implementation for COVID19 response?
  4. How is your Splunk implementation being used for Fall 2020 planning?
  5. How well is your SIEM working with everyone remote? Do you still have sufficient visibility?
  6. Using Splunk at small campuses discussion follow-up to SPC2020 panel on small campuses SIEM and centralized logging
    1. https://events.educause.edu/special-topic-events/security-professionals-conference/2020/agenda/siem-and-centralized-logging-in-higher-education
  7. Open discussion and questions

Chat:

Hi everyone! We’ll get started at 5 min after the hour. I’ll unmute everyone then. Please feel free to put questions in chat or ask them as we get going.


Attendees: 23


Recording: GMT20200611-180101_NET--Splun.m4a


Auto-generated transcript from Zoom:


Chat transcript:


Notes:


In-house app for contact disclosure, potentially querying Splunk via the API for wireless logs

Following the Splunk discussion around the Splunk app for contact tracing. Interested in trying it as a proof of concept. Should be released in July. Uses wireless data.

We’re looking at that as well

Splunk leading cohort calls on contact tracing

Several interested

Splunk app is wireless AP centric, or badging, or POS

Using common information model

Rich – Tuesday next week for the app to be published on Splunkbase

Wireless data – already using that

Website asking for location – GPS from the device’s browser on mobile?

Users consenting to sharing



Topic: Contact Tracing and COVID-19 Response Splunk Cohort #1
Date: May 21, 2020 12:55 PM Eastern Time (US and Canada)
Share recording with viewers:
https://splunk.zoom.us/rec/share/xYt5EZeqxGRJQJXEuWWcQbwsGqXjaaa80yZLqKVczRqqOvjGefmS87dyawIQG7iF Password: 0v%?*N@t


Topic: Splunk Contact Tracing Higher Ed Cohort Session #2
Date: May 28, 2020 12:50 PM Eastern Time (US and Canada)
Share recording with viewers:
https://splunk.zoom.us/rec/share/v-hKHpDp51tJY4nS9mzBev5_HIr5eaa8hyJI-KIEmDijxTZwBGTbxu0l1PL5118 Password: 8y.29b23


Topic: Contact Tracing Cohort Session #3
Date: Jun 4, 2020 12:49 PM Eastern Time (US and Canada)
Share recording with viewers:
https://splunk.zoom.us/rec/share/z8NxAbv1r0hOYJGUtU2Od_EiN5i7T6a82nRK-aAKy00tagrAH2aZ2U-VTqTJCizG Password: 3z!4x7D=



Wireless APs, Bluetooth


Interested in supporting what campuses are looking for?


GPS coordinates from Apps for contact tracing?


Don’t have an app that we’re using, so that might be difficult

Rely on records of where the APs are located?


Any CMDB data?

For wired network connections, could use CMDB?


What about people that can’t come back to the physical community? How can we support those people? Is there something we should be monitoring around that?


            Splunk has been thinking about this around the student success toolkit

            Remote work insights app to look at key apps

            Workplace insights to bring together key points for re-opening campuses

            How to do alerting about when a student has an issue?

Issue with Canvas and Splunk?

            Splunk already had interface for Canvas

            On-prem blackboard or on-prem blackboard

            Usually on-prem implementations

            Difficult to get cloud log data

            Specific is data ingestion

            Clemson doing a lot on Canvas and intermediate reporting system


There is a NET+ Canvas SAB that could help with that

How to make the connection between student and faculty person help better support the remote learner?

UNCG was asking about Canvas


When you look at AP data – getting to a building or floor. How precise are you trying to get the location?

            We’re not using it for contact tracing. Found it accurate to the floor.

            We’re not doing it yet. Do have a dense AP population that gets location to within 15 ft. Never used location data for this before. Would be in combination with a disclosure app/form for self-reporting. Use wireless data to supplement the self-reporting.

            Real-time position data out of APs?

            Have all of the logs from the APs, but don’t have a graph of physical space in Splunk to map them to.

            Do you have building maps with APs on them?

            Most APs have a name that helps with location

            We’re pulling that data from Cisco Prime – wrote an app in Splunk to do a lookup with lat and long of buildings on campus for visualizations

            Real-time visualization tracker in Splunkbase

            Not much being done on mapping of buildings

            We’re looking to do maps

            To get to 10 ft location, you need to have maps in the wireless system to do the wireless tracking based on power signals. The wireless management controller does the mapping.


How to handle privacy with all of this potential tracking?

            Lots of consumers only need aggregated, de-identified data; they just need to know the number of people

            When you need to know about an individual, it is much more challenging

            Maybe a de-identified label?

            Might be a challenge?
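The two threads above (AP names that encode building and floor, and consumers who only need aggregated, de-identified headcounts) can be combined in one small pipeline. The following is an added example written for these notes, not code from the user group, Splunk, or any campus. It assumes a constructed AP naming convention of `<building>-<floor>-ap<nn>`, a constructed controller association log format, and a minimum group size of 5 before a count is released; all three are assumptions, not anything the call described.

```python
# Added example (not from the user group notes): turn wireless AP association
# logs into per-building/floor headcounts without exposing individual identities.
# AP naming convention, log format and the suppression threshold are constructed
# assumptions for illustration.
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed AP naming convention: <building>-<floor>-ap<nn>, e.g. "lib-3-ap07"
AP_NAME_RE = re.compile(r"^(?P<building>[a-z]+)-(?P<floor>\d+)-ap\d+$")

# Assumed association log line: "<iso8601> assoc user=<id> mac=<mac> ap=<ap>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) assoc user=(?P<user>\S+) mac=(?P<mac>\S+) ap=(?P<ap>\S+)$"
)

# Constructed sample log lines (not real users, MACs or APs)
SAMPLE_LOGS = [
    "2020-06-11T13:02:11Z assoc user=u1 mac=aa:bb:cc:00:00:01 ap=lib-3-ap07",
    "2020-06-11T13:05:40Z assoc user=u1 mac=aa:bb:cc:00:00:01 ap=lib-3-ap08",  # u1 roams; counted once
    "2020-06-11T13:07:02Z assoc user=u2 mac=aa:bb:cc:00:00:02 ap=lib-3-ap07",
    "2020-06-11T13:09:15Z assoc user=u3 mac=aa:bb:cc:00:00:03 ap=lib-3-ap07",
    "2020-06-11T13:11:31Z assoc user=u4 mac=aa:bb:cc:00:00:04 ap=lib-3-ap09",
    "2020-06-11T13:12:44Z assoc user=u5 mac=aa:bb:cc:00:00:05 ap=lib-3-ap09",
    "2020-06-11T13:15:03Z assoc user=u6 mac=aa:bb:cc:00:00:06 ap=sci-1-ap02",
    "2020-06-11T13:16:20Z assoc user=u7 mac=aa:bb:cc:00:00:07 ap=sci-1-ap02",
    "2020-06-11T13:20:55Z assoc user=u8 mac=aa:bb:cc:00:00:08 ap=outdoor-ap1",  # name not mappable
    "2020-06-11T14:30:00Z assoc user=u9 mac=aa:bb:cc:00:00:09 ap=lib-3-ap07",  # outside the window
    "garbage line that does not parse",
]


def parse_ts(text):
    """Parse the assumed UTC timestamp format into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for a well-formed association line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "user": m["user"], "mac": m["mac"], "ap": m["ap"]}


def ap_location(ap_name):
    """Derive (building, floor) from the AP name, or None if the name does not follow the convention."""
    m = AP_NAME_RE.match(ap_name)
    if not m:
        return None
    return (m["building"], int(m["floor"]))


def aggregate_presence(lines, start, end, min_count=5):
    """Count distinct users per (building, floor) seen in [start, end).

    Returns (counts, unmapped) where counts maps location -> number of distinct
    users, with groups smaller than min_count reported as None so that a small
    group cannot be re-identified from the aggregate, and unmapped is the number
    of in-window records whose AP name could not be placed.
    """
    seen = defaultdict(set)
    unmapped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] < end):
            continue
        loc = ap_location(rec["ap"])
        if loc is None:
            unmapped += 1
            continue
        seen[loc].add(rec["user"])  # a set, so roaming between APs on one floor counts once
    counts = {loc: (len(users) if len(users) >= min_count else None) for loc, users in seen.items()}
    return counts, unmapped


def run_sample():
    """Aggregate the constructed sample over the 13:00-14:00 UTC window."""
    return aggregate_presence(SAMPLE_LOGS, parse_ts("2020-06-11T13:00:00Z"), parse_ts("2020-06-11T14:00:00Z"))


if __name__ == "__main__":
    counts, unmapped = run_sample()
    for (building, floor), n in sorted(counts.items()):
        print(f"{building} floor {floor}: {'suppressed (<5)' if n is None else n}")
    print(f"records with unmappable AP names: {unmapped}")
```

Only the aggregate leaves the function; the per-user sets stay internal, which is the shape most of the "how many people were on that floor" consumers need. The individual-level lookup the notes call much more challenging is deliberately not part of this pipeline, and the unmapped counter gives a cheap data-quality check on how much of the AP estate actually follows the naming convention before anyone trusts the numbers.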



Are there plans for an I2 license program for Phantom?


      Yes

      Nick to update webpages

      Augment what people are doing rather than replacing people


While Phantom would be great (!), speaking of SOAR, has anyone integrated Splunk with any other SOAR platforms—The Hive/Cortex, other?

Panopticon


SOAR as a future topic


As Splunk formalizes a vCPU pricing SKU, does I2 have any plans to add that as an option on Net+?

            Rich – having the discussion on an institution-by-institution level, not at the NET+ level, just individually. Don’t think it fits well in NET+. Still have a limited number of campuses. Interest level is high.

            At the present time, vCPU is still very new and has limited adoption...  There is no plan to have it added to Net+.  We can revisit once we have more data on the success.


Maybe we can get Penn State to talk about their use of Phantom!  Can you reach out?


4 campuses interested in vCPU

Put vCPU on a future call? Need to know more details. CPU usage for AI/ML is high. Not sure how that affects it?


We are interested but right now don’t have the budget due to reduced revenues


Rich – could do a presentation on vCPU for this group?


Doing it at a targeted individual level to help optimize and limit the vCPU count as much as possible

Talking with logging on CIO

We’ve gone through the sizing with the sales person

Smallest model is still too much and an uplift in how much we pay

All vCPUs.

Sizing exercise is much improved from the last time we did it

4TB at 250 vCPU

Ran into both issues

Provisioning of resources caused a bump in price, and an increase in data volume is needed to see the cost savings

Logs with poor signal-to-noise data

vCPU needs to have more tiers

Smallest tier still sizable

More granular choices


Automation vs vCPU

Automation - +++
