NET+ Splunk User Group call

Date: 5/14/2020

Please register for the user group to get the call-in information and a calendar invite at:

https://internet2.zoom.us/webinar/register/7615688226058/WN_aNbzAxBgQOOjNzZLX4VvEQ

Agenda:

  1. Introductions and reminder about the format of this call.
  2. Any follow-ups from last month on the Splunk Remote Work dashboard?
  3. General COVID-19 impacts on your Splunk implementations and plans
  4. Open discussion and questions


Chat:

Hi everyone! We’ll get started at 5 min after the hour. I’ll unmute everyone then. Please feel free to put questions in chat or ask them as we get going.


Attendees: 20


Recording: GMT20200514-180613_NET--Splun_1680x1050.mp4


Auto-generated transcript from Zoom:


Chat transcript: (No chat this month)


Notes:

We implemented it fairly soon afterward.

Differences in data sources

Cisco Webex

Splunkbase version vs. the Git repo version

Some customization needed per data source

Who's on campus vs. off campus


COVID-19 impact on the SIEM

MUSC: remote work has meant quite a bit more monitoring, because people are using split-tunnel VPN

Had to make those adjustments

Change how VPN

An attack against a workstation gave some insight into watching that traffic

Searches based on the endpoint's activity over a VPN connection

Students are on the split-tunnel VPN

Logging who is using which IP

IP/DHCP leases change faster now; how to track the endpoints?

A hurricane drove some of the initial change to split-tunnel

We've handled that by populating an index with the user details

Look-up or manual?

            Searches that populate it every 15 minutes

DHCP/VPN sessions feed a time-based look-up with IP as the look-up field

So you can then find the user

Log enrichment

Not an automatic lookup; it is applied when the search executes
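As an added illustration (not from the call and not any participant's configuration), this is one way to wire up the mechanism just described in Splunk: a saved search runs every 15 minutes and appends DHCP lease and VPN session records to a CSV lookup, the lookup definition in transforms.conf is made time-bounded so `lookup` resolves an event's source IP to whoever held that address at the event's own `_time`, and an alert search applies the lookup at search time. The index names, sourcetypes, field names, the `session_start` tag and the 24-hour maximum offset are assumptions for the example.

```ini
# --- savedsearches.conf (added example; indexes, sourcetypes and field names are assumed) ---

[Populate VPN-DHCP session lookup]
# Runs every 15 minutes, as on the call. Pulls a slightly wider window than the
# schedule so a late-arriving lease or session is not missed, then appends the
# rows to the CSV that backs the time-based lookup. Columns: _time, ip, user.
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m
dispatch.latest_time = now
search = (index=dhcp sourcetype=isc:dhcp action=ack) OR (index=vpn sourcetype=cisco:asa tag=session_start) \
| eval ip=coalesce(dest_ip, assigned_ip), user=coalesce(user, dest_mac) \
| where isnotnull(ip) AND isnotnull(user) \
| table _time ip user \
| outputlookup append=true vpn_dhcp_sessions.csv

[Endpoint alert enriched with user]
# Example consumer: resolve src_ip to the user who held that address at the
# event's _time (the lookup command uses the event's _time automatically for a
# time-bounded lookup), and drop alerts whose IP cannot be attributed.
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
search = index=ids sourcetype=suricata event_type=alert \
| lookup vpn_dhcp_ip_to_user ip AS src_ip OUTPUT user AS src_user \
| where isnotnull(src_user) \
| table _time src_ip src_user alert.signature

# --- transforms.conf (same app) ---

[vpn_dhcp_ip_to_user]
# Time-bounded (temporal) lookup: a CSV row matches an event only if the row's
# _time is between 0 and 86400 seconds before the event's _time; when several
# rows match, the one closest in time to the event is used. 86400 is an assumed
# upper bound on lease/session lifetime; shorten it to your DHCP lease time.
filename = vpn_dhcp_sessions.csv
time_field = _time
time_format = %s
min_offset_secs = 0
max_offset_secs = 86400
max_matches = 1
```

Two practical caveats: `outputlookup append=true` grows the CSV without bound, so trim it periodically (for example an `inputlookup vpn_dhcp_sessions.csv | where _time > relative_time(now(), "-7d") | outputlookup vpn_dhcp_sessions.csv` search) or back the lookup with a KV store collection instead; and because the lookup is applied only when a search names it, as the notes say, a search that forgets the `lookup` line silently produces unattributed IPs. A `LOOKUP-` stanza in props.conf for the alert sourcetype makes it automatic, at the cost of running the lookup on every search against that sourcetype.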


Manual process: alerts are processed, then something is sent off to the HD for the HD to investigate

How to remediate the endpoint?

Have to do an evaluation step for any IR


Other impacts?


Q: Tracking people on campus vs. off campus


Is anyone thinking about using their campus SIEM for this?

We do, based on source IP and wireless IP, correlated with other data on the user

Matched against a look-up list of essential employees

Location data has been useful

Ties into the existing lost/stolen device process for finding those devices


Open discussion


Is anyone using the Machine Learning Toolkit?

            We've tried to use it and keep running into memory limits

            What kind of resources?

            SPL performance app to look at the analysis?

            Just finished a data science class, but haven't looked at it yet

            Splunk is not SAS/SPSS

            Taking the ML to the data

            Can be very resource intensive

            600k events

            Test server with 16GB of RAM

            Purpose-specific box might be

            Jay to send a link to the tool

            Perf tool might be built in in the future

            ML/AI for a future call?


More information on the Machine Learning Toolkit (MLTK):

https://docs.splunk.com/Documentation/MLApp/5.1.0/User/InstallPerfApp

https://splunkbase.splunk.com/app/3289/

https://docs.splunk.com




