NET+ Splunk User Group call
Date: 5/14/2020
Please register for the user group to get the call-in information and a calendar invite at:
https://internet2.zoom.us/webinar/register/7615688226058/WN_aNbzAxBgQOOjNzZLX4VvEQ
Agenda:
- Introductions and reminder about the format of this call.
- Any follow-ups from last month on the Splunk Remote Work dashboard?
- General COVID-19 impacts on your Splunk implementations and plans
- Open discussion and questions
Chat:
Hi everyone! We’ll get started at 5 min after the hour. I’ll unmute everyone then. Please feel free to put questions in chat or ask them as we get going.
Attendees: 20
Recording:
Auto-generated transcript from Zoom:
Chat transcript: (No chat this month)
Notes:
Remote Work dashboard follow-up:
- We implemented it pretty quickly.
- Differences in data sources.
- Cisco Webex.
- Splunkbase version vs. the Git repo.
- Some customization needed per data source.
- Who is on campus vs. off campus.
COVID-19 impact on the SIEM:
- MUSC: with remote work, quite a bit more monitoring because people are using split-tunnel VPN.
- Have had to make those adjustments.
- Change how VPN
- An attack against a workstation gave some insight into watching traffic.
- Searches based on the endpoint over a VPN connection.
- Students are on split-tunnel.
- Logging who is using which IP.
- IP/DHCP leases are changing faster; how to track the endpoints?
- A hurricane drove some of the initial change to split-tunnel.
- We've handled that by populating an index with the user details.
- Q: Look-up or manual?
- Scheduled searches populate it every 15 minutes.
- DHCP/VPN sessions feed a time-based look-up, with IP as the look-up field.
- So you can then find the user.
- Log enrichment.
- Not an automatic look-up; the enrichment happens when the search executes.
- Manual process for alerts: once processed, something is sent off to the HD for the HD to investigate.
- How to remediate the endpoint?
- Have to do an evaluation step for any IR.
Other impacts?
- Q: Tracking people on-campus vs. off-campus.
- Anyone thinking about using their campus SIEM for this?
- We do, based on source IP and wireless IP, correlated with other data on the user.
- Match against a look-up list of essential employees.
- Location data has been useful.
- Tying in to the lost/stolen devices process from before for finding these devices.
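The time-based IP-to-user look-up described in the notes above, plus the on-campus vs. off-campus classification and the essential-employees match, written out as an added SPL example. This is not code from the call or from any attendee's Splunk deployment; the index names, sourcetypes, field names (src_ip, src_mac, user, signature), the ip_user_sessions and essential_employees look-ups, and the campus and VPN CIDR ranges are all assumed for illustration.

```spl
index=network (sourcetype=dhcp:lease OR sourcetype=vpn:session) earliest=-15m@m latest=@m
| eval lease_time=_time, src_type=sourcetype
| rename src_ip AS ip, src_mac AS mac
| table lease_time ip mac user src_type
| inputlookup append=true ip_user_sessions.csv
| where lease_time >= relative_time(now(), "-7d@d")
| dedup lease_time ip user
| outputlookup ip_user_sessions.csv

index=endpoint sourcetype=edr:alert severity=high
| lookup ip_user_sessions ip AS src_ip OUTPUT user AS assigned_user, lease_time
| eval lease_age_min=round((_time - lease_time) / 60, 0)
| eval location=case(cidrmatch("10.0.0.0/8", src_ip), "on-campus",
                     cidrmatch("172.16.0.0/12", src_ip), "vpn",
                     true(), "off-campus")
| lookup essential_employees user AS assigned_user OUTPUT essential
| fillnull value="no" essential
| table _time src_ip assigned_user lease_age_min location essential signature
```

The first search is saved as a scheduled search on a `*/15 * * * *` cron schedule: it takes the last 15 minutes of DHCP and VPN session events, appends the existing look-up rows, drops anything older than seven days and writes the result back. For the `lookup` in the second search to be time-based rather than a plain IP match, the look-up needs an `[ip_user_sessions]` stanza in transforms.conf with `filename = ip_user_sessions.csv`, `time_field = lease_time`, `time_format = %s`, `max_offset_secs = 86400` and `max_matches = 1`; Splunk then returns the row whose `lease_time` is the most recent one at or before each alert's `_time` within that one-day window, so an address re-used by a different person an hour later still resolves to whoever held it when the alert fired. `lease_age_min` shows how old the matched lease is; an empty `assigned_user` means no lease was seen in the window and is exactly the case to hand off for manual investigation. The `location` field is derived from the source address alone, with VPN clients called out separately from on-campus wired and wireless ranges.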
Open discussion:
- Anyone using the Machine Learning Toolkit?
- We've tried to use it and keep running into memory limits.
- What kind of resources?
- SPL performance app to look at the analysis?
- Just finished a data science class, but haven't looked at it yet.
- Splunk is not SAS/SPSS.
- Taking ML to the data.
- Can be very resource intensive.
- 600k events.
- Test server with 16 GB of RAM.
- A purpose-specific box might be
- Jay to send a link to the tool.
- The perf tool might be built in in the future.
- ML/AI as a topic for a future call?
More information on the ML/AI toolkit:
https://docs.splunk.com/Documentation/MLApp/5.1.0/User/InstallPerfApp
https://splunkbase.splunk.com/app/3289/