- Introduction
- Checklist
- Runbook Summary
- Zoom Walkthrough
- Configure the Remote Work Insights - Executive Dashboard
- Additional Resources
- Appendix
- Remote Work Insights - Executive Dashboard
The Remote Work Insights - Executive Dashboard aggregates information from VPN, authentication and video conferencing services to provide insight into the connectivity, productivity and engagement of a remote workforce. An example dashboard that synthesizes information across these services is illustrated below:
Dashboard Reference: RWI - Executive Dashboard (rw_exec.xml)
The first row provides real-time information on the number of workers connected via VPN, real-time number of active Zoom video conferencing meetings, and the top application accessed via Okta for the current day. The second row looks at aggregate daily statistics over time for these same mission-critical indicators: number of VPN logins, number of Zoom meetings and average duration, and top 10 apps accessed via Okta. The bottom of the panel shows VPN connectivity counts by geographic location.
This document provides step-by-step instructions to install and configure your own Remote Work Insights - Executive Dashboard. It lets you build dashboards like the one above for a specific set of service providers: Palo Alto Networks GlobalProtect VPN, Okta authentication services and Zoom video conferencing. The instructions begin with a visual depiction of the data sources by service, then a checklist of the Splunk Add-ons (commonly known as TAs) that must be installed, a runbook to ensure the add-ons are correctly in place, and finally a summary of the steps required to start sending Zoom data to Splunk.
This section lists the prerequisites for successfully installing the Remote Work Insights - Executive Dashboard.
Download the following apps from Splunkbase and deploy them according to your Splunk environment. For more information on deploying Splunk apps and add-ons, refer to the App Deployment Overview.
- Splunk
- Palo Alto Networks
- Okta
- Zoom
- Standalone Splunk Instance
  - Any Splunk Enterprise or Splunk Cloud version 7.3 or higher
  - For more information about which Splunk deployment is right for you, see About Splunk Enterprise deployments

OR

- Distributed Splunk Deployment + Splunk Heavy Forwarder (HF)
  - Any full Splunk Enterprise version 7.3 or higher with an HF that will act as an independent forwarding agent for your Zoom and/or Okta data source
  - Network and OS firewall whitelist permissions

OR

- Splunk Cloud Environment with an Input Data Manager (IDM) instance
  - Splunk Cloud version 7.3 or higher with an IDM that will act as an independent forwarding agent for your Okta data source

AND

- Syslog server for the Palo Alto Networks TA
  - For more information on how to configure syslog, see Splunk Connect for Syslog under Additional Resources
- Splunk Environment
  - Splunk admin account with the ability to install/configure apps and create indexes
  - Splunk CLI (command line) access (only required for the JWT Modular Input Add-on)
  - HTTP Event Collector (HEC) token used by Splunk Connect for Syslog
- Zoom Environment
  - Zoom administrator or developer account
  - Zoom permissions to create and activate a Zoom App
  - Network and OS firewall whitelist permissions
  - (Optional, but recommended; see the Zoom Walkthrough) Signed trusted-CA SSL certificate and private key
In this runbook, you need to complete the following items:
- Splunk Search Head
  - Remote Work Insights - Executive Dashboard
  - Splunk Common Information Model (CIM) Add-on
  - Palo Alto Networks Add-on for Splunk
  - Okta Identity Cloud Add-on for Splunk
- Splunk Heavy Forwarder (data collection and target indexes)
  - Syslog (Palo Alto Networks): index=pan
  - Okta: index=okta
  - Zoom: index=zoom
- Configure the Splunk Common Information Model (CIM) Data Models
  - Update the CIM Index Constraints for the Authentication, Network Sessions and Network Traffic data models
  - Update the Palo Alto Networks Firewall Logs Data Model schema: prefix index=pan in the base search
  - Enable Data Model Acceleration (DMA) (Optional)
- Palo Alto Networks Add-on for Splunk
  - Palo Alto Networks Firewall Logs
- Okta
  - Configure the Okta Identity Cloud Add-on for Splunk and collect Okta events
- Zoom
  - Configure the Splunk JWT Webhook Modular Input Add-on to receive Zoom Webhook events (step-by-step instructions are in the Zoom Walkthrough section: Configure Splunk JWT Webhook Modular Input Add-On)
  - Create a Zoom Webhook Only App
  - Enable Webhook event subscriptions
  - Activate the Zoom App
- Configure the index macros so the dashboards work in your environment:
Category | Macro | Definition |
---|---|---|
Authentication | rw_auth_indexes | (index=okta) |
Video Conferencing | rw_vc_indexes | (index=zoom) |
VPN | rw_vpn_indexes | (index=pan) |
- Follow the CIM Index Constraints documentation to update the Index Constraints for the Authentication, Network Sessions and Network Traffic CIM data models.
Category | CIM Data Model | Indexes to add |
---|---|---|
Authentication | Authentication | okta , pan |
VPN | Network Sessions | pan |
VPN | Network Traffic | pan |
This section applies only to Zoom data collection.
- Ensure your environment allows incoming traffic from the Zoom Webhook Event Services. Work with your Network Administrator and Zoom Support to whitelist the related Zoom network CIDR blocks. For more details, see the Network Firewall or Proxy Server Settings for Zoom documentation, and contact Zoom support directly for additional assistance.
- Install the Splunk JWT Webhook Modular Input Add-on on a Splunk Heavy Forwarder (single-instance deployments can use the same instance)
- From the Splunk Web interface, go to Settings > Data Inputs
- Click Add New for the JWT Webhook input
- Fill in the parameters as in the table below, or enter values specific to your environment. Notes:
  - The JWT Webhook Add-on uses the default Splunk Web self-signed certificate and private key described in About securing Splunk Enterprise with SSL. For security reasons and as best practice, use a certificate signed by a trusted CA: the self-signed default cannot be validated by any client that does not already trust it, and the endpoint URL you register with Zoom below is reached over the public internet. How to get certificates signed by a third-party explains how to generate the certificate request.
  - For the purpose of this document, we use the default certificates shipped with Splunk so the setup process is easy to follow. They are located at:
    $SPLUNK_HOME/etc/auth/splunkweb/cert.pem
    $SPLUNK_HOME/etc/auth/splunkweb/privkey.pem
  - If you use your own SSL certificate, store the certificate and private key under:
    $SPLUNK_HOME/etc/auth/<your_folder>
    and restrict the private key's file permissions to the Splunk service account.
  - With Secret and Password left empty as in the table, nothing in this input authenticates the sender: any host that can reach port 4443 can post events into index=zoom. The Zoom CIDR whitelist from the first step is then the only control on who can do so, so do not expose the port more widely than that.
Parameter | Value |
---|---|
Name | Zoom |
Secret | Leave Empty |
Port | 4443 |
Path | Leave Empty |
SSL Certificate File | etc/auth/splunkweb/cert.pem |
SSL Certificate Key File | etc/auth/splunkweb/privkey.pem |
Password | Leave Empty |
Set sourcetype | Manual |
Sourcetype | zoom:webhook |
Host | Leave as is |
Index | zoom |
For this section, you may follow Zoom's documentation: Create a Webhook-Only App
- Go to: https://marketplace.zoom.us/ and login
- On the top right corner, click Develop > Build App
- Create a Webhook Only App
- Fill the App Information and click Continue
- App Name
- Short Description
- Company Name
- Developer Name
- Developer Email Address
- Enable Event Subscriptions
- Click on Add new event subscription button
- Provide the following information
  - Subscription Name (e.g. Splunk)
  - Event notification endpoint URL (e.g. https://example.com:4443): the externally reachable hostname of the Heavy Forwarder and the Port configured on the JWT Webhook input
- Click on Add events button
- Subscribe to the Webhook events you need. The Zoom dashboards in the Appendix are built on meeting events (meeting start/end and participant join/leave), so subscribe to at least those.
- For more details, please visit the Zoom Webhook Reference page.
- Click Save
- Click Continue
- Activate your newly created Webhook Only App
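The steps above leave the Secret and Password fields of the input empty, so the Heavy Forwarder itself cannot tell a genuine Zoom delivery from any other POST that reaches port 4443. Zoom offers a sender check of its own: each webhook app has a Secret Token, every delivery carries x-zm-request-timestamp and x-zm-signature headers (v0= followed by the hex HMAC-SHA256 of "v0:<timestamp>:<raw body>" under that token), and when the endpoint URL is saved Zoom sends an endpoint.url_validation event that must be answered with the HMAC of its plainToken. The Python below is an added example, not code from this document, the add-on or Zoom: it validates a delivery against that scheme and answers the challenge, and could run in a reverse proxy in front of the input or be used to check captured events. Whether the add-on's own Secret field implements this check is not documented on this page, so the code does not assume it. The secret, body and timestamp are constructed, and the 5-minute replay window is our choice.

```python
import hashlib
import hmac
import json
import time

# Zoom's documented delivery signature (Secret Token from the app's Feature page):
#   x-zm-request-timestamp: <unix seconds>
#   x-zm-signature:         "v0=" + hex(HMAC-SHA256(secret_token, "v0:<timestamp>:<raw body>"))
# The replay window below is our choice, not a value mandated by Zoom.
MAX_SKEW_SECONDS = 300


def compute_signature(secret, timestamp, body):
    """Return the v0 signature Zoom would send for this timestamp and raw body (bytes)."""
    message = b"v0:" + timestamp.encode() + b":" + body
    return "v0=" + hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def verify_delivery(secret, headers, body, now=None):
    """True only if the signature matches the raw body and the timestamp is fresh."""
    headers = {k.lower(): v for k, v in headers.items()}
    timestamp = headers.get("x-zm-request-timestamp", "")
    signature = headers.get("x-zm-signature", "")
    if not timestamp.isdigit() or not signature:
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = compute_signature(secret, timestamp, body)
    # constant-time comparison; compare bytes so odd header content cannot raise
    return hmac.compare_digest(expected.encode(), signature.encode("utf-8", "replace"))


def url_validation_reply(secret, body):
    """Answer Zoom's endpoint.url_validation challenge, or return None for other events."""
    event = json.loads(body)
    if event.get("event") != "endpoint.url_validation":
        return None
    plain = event["payload"]["plainToken"]
    encrypted = hmac.new(secret.encode(), plain.encode(), hashlib.sha256).hexdigest()
    return {"plainToken": plain, "encryptedToken": encrypted}


# --- Constructed sample: secret, body and timestamp are made up for this example ---
SECRET = "constructed-secret-token"
TIMESTAMP = "1600000000"
BODY = json.dumps({"event": "meeting.started",
                   "payload": {"object": {"id": "111", "topic": "Standup"}}}).encode()
HEADERS = {"x-zm-request-timestamp": TIMESTAMP,
           "x-zm-signature": compute_signature(SECRET, TIMESTAMP, BODY)}


def demo():
    """Exercise the cases worth checking before exposing the endpoint."""
    fresh = int(TIMESTAMP) + 10
    return {
        "valid": verify_delivery(SECRET, HEADERS, BODY, now=fresh),
        "tampered_body": verify_delivery(SECRET, HEADERS, BODY.replace(b"111", b"999"), now=fresh),
        "replayed_later": verify_delivery(SECRET, HEADERS, BODY, now=int(TIMESTAMP) + 3600),
        "no_signature": verify_delivery(SECRET, {}, BODY, now=fresh),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the signature is computed over the raw request body exactly as received; re-serialising the JSON before hashing will change whitespace or key order and make valid deliveries fail.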
- From the Splunk Search Head, go to the RWI - Executive Dashboard App
- Go to Settings > Advanced Search > Search Macros to update the index macros
- Update the following index macros to match the indexes in your environment:
Category | Macro | Definition |
---|---|---|
Authentication | rw_auth_indexes | (index=okta) |
Video Conferencing | rw_vc_indexes | (index=zoom) |
VPN | rw_vpn_indexes | (index=pan) |
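The macro tables in the Runbook Summary and in this section describe what the CIM Setup page and the Search Macros page write to disk. As an added example (not part of this document or the app), this is what the resulting local/macros.conf files are expected to look like, so the settings can be checked into version control and compared across search heads. The CIM constraint macro names are the ones shipped with the Splunk Common Information Model Add-on; the directory name <rwi_app> for the dashboard app is an assumption, as the page does not give it.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/macros.conf
# Index constraints for the three data models the dashboards read.
[cim_Authentication_indexes]
definition = (index=okta OR index=pan)

[cim_Network_Sessions_indexes]
definition = (index=pan)

[cim_Network_Traffic_indexes]
definition = (index=pan)

# $SPLUNK_HOME/etc/apps/<rwi_app>/local/macros.conf
# <rwi_app> is the dashboard app's directory name (assumed; not stated on this page).
[rw_auth_indexes]
definition = (index=okta)

[rw_vc_indexes]
definition = (index=zoom)

[rw_vpn_indexes]
definition = (index=pan)
```

To confirm a macro resolves to data, run `rw_vpn_indexes` | stats count by sourcetype on the search head; an empty result usually means the index name in the macro does not match the index the forwarder writes to.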
- App deployment overview
- Install an add-on in a single-instance Splunk Enterprise deployment
- About securing Splunk Enterprise with SSL
- How to get certificates signed by a third-party
- Splunkbase
- Splunk Connect for Syslog
- Splunk Connect for Syslog - Runbook for redhat 8
- Splunk CIM Manual
- Splunk CIM Index Constraints
- Zoom Create a Webhook-only App
- Zoom Network Firewall or Proxy Server Settings
- Zoom Marketplace
- Zoom Webhook Logs
- Zoom Webhook Documentation
- Zoom Developer Forum
Dashboard Reference: rw_exec.xml
The first row of the Remote Work Insights - Executive Dashboard provides real-time information on the number of workers connected via VPN, real-time number of active Zoom meetings, and the top application accessed via Okta for the current day. The second row enables us to look at aggregate daily statistics over time for these same mission-critical indicators: number of VPN logins, number of Zoom meetings and average duration, and top 10 apps accessed via Okta. The bottom of the panel shows VPN connectivity counts by geographic location. Sudden drops during working hours may indicate connectivity issues.
The combination of VPN, authentication, and video conferencing services will provide insight into the following questions for a remote workforce:
- Is our remote workforce connected?
- Are they able to stay productive and run the business?
- Are they engaging with each other?
Dashboard Reference: rw_vpn_ops.xml
The top panel of the VPN Ops Dashboard shows successful and failed login attempts by location. The middle sequence of pie charts provides more specific information by country and city, as well as an overall indicator of successful and failed login attempts. The bottom row provides a time history of login attempts and insight into the number of unique users logging in to the network, and also a more granular view of users by regions.
Dashboard Reference: rw_vc_zoom_ops.xml
The top row of the Zoom Ops dashboard displays real time Zoom statistics: number of current active video conferencing sessions, number of active participants, duration of the longest ongoing meeting, average meeting length, and shortest meeting in the last 1 hour. The middle row shows the number of meetings over time by hour and whether meetings are completed in the scheduled amount of time or run over to provide insight into the distribution of activity over the course of a day. The bottom row shows the number of meetings by type and also indicates the distribution of devices that were used to join Zoom.
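The figures on the Zoom Ops dashboard come from pairing each meeting's meeting.started event with its meeting.ended event: a meeting with a start but no end is active, end minus start is the actual length, and the scheduled duration field carried on the meeting events decides whether the meeting ran over. The Python below is an added example, not the dashboard's own SPL, that performs that reduction over a constructed sample of zoom:webhook events (field names follow Zoom's meeting payloads; ids, topics and times are made up). It also shows the edge case a practitioner should expect: a meeting whose ended event never arrived, for instance because the delivery was dropped at the firewall, looks active indefinitely, so production searches of this kind bound the lookback window.

```python
import json
from datetime import datetime, timezone


def _ts(value):
    """Parse Zoom's UTC timestamps, e.g. 2020-09-14T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _event(name, meeting_id, topic, mtype, start, scheduled_min, end=None):
    """Build one zoom:webhook event line. Field names follow Zoom's meeting.started /
    meeting.ended payloads; the values are constructed for this example."""
    obj = {"id": meeting_id, "topic": topic, "type": mtype,
           "start_time": start, "duration": scheduled_min}
    if end:
        obj["end_time"] = end
    return json.dumps({"event": name, "payload": {"account_id": "AbC123", "object": obj}})


# Constructed sample of what would be stored in index=zoom (not real data).
SAMPLE_EVENTS = [
    _event("meeting.started", "111", "Standup", 2, "2020-09-14T12:00:00Z", 30),
    _event("meeting.started", "222", "Design review", 2, "2020-09-14T12:30:00Z", 60),
    _event("meeting.ended", "111", "Standup", 2, "2020-09-14T12:00:00Z", 30,
           end="2020-09-14T12:45:00Z"),
    _event("meeting.started", "333", "Ad hoc call", 1, "2020-09-14T12:50:00Z", 30),
    _event("meeting.ended", "222", "Design review", 2, "2020-09-14T12:30:00Z", 60,
           end="2020-09-14T13:00:00Z"),
]


def _minutes(start, end):
    return (end - start).total_seconds() / 60


def meeting_stats(raw_events, now):
    """Reduce start/end events to the numbers on the Zoom Ops dashboard's top and bottom rows."""
    meetings = {}
    for line in raw_events:
        ev = json.loads(line)
        obj = ev["payload"]["object"]
        # meeting.ended also carries start_time, so a meeting whose start was missed
        # is still recorded correctly once its end arrives.
        m = meetings.setdefault(obj["id"], {"type": obj.get("type"),
                                            "scheduled": obj.get("duration"),
                                            "start": _ts(obj["start_time"]),
                                            "end": None})
        if ev["event"] == "meeting.ended":
            m["end"] = _ts(obj["end_time"])

    ongoing = [m for m in meetings.values() if m["end"] is None]
    completed = [m for m in meetings.values() if m["end"] is not None]
    ongoing_min = [_minutes(m["start"], now) for m in ongoing]
    completed_min = [_minutes(m["start"], m["end"]) for m in completed]
    ran_over = sum(1 for m, d in zip(completed, completed_min)
                   if m["scheduled"] and d > m["scheduled"])
    by_type = {}
    for m in meetings.values():
        by_type[m["type"]] = by_type.get(m["type"], 0) + 1

    return {
        "active": len(ongoing),                       # still running at `now`
        "longest_ongoing_min": max(ongoing_min, default=0.0),
        "avg_completed_min": (sum(completed_min) / len(completed_min)) if completed_min else 0.0,
        "ran_over": ran_over,                         # actual length exceeded scheduled duration
        "by_type": by_type,                           # Zoom meeting type code -> count
    }


if __name__ == "__main__":
    print(meeting_stats(SAMPLE_EVENTS, _ts("2020-09-14T13:10:00Z")))
```

Meeting 111 was scheduled for 30 minutes and ran 45, so it is the one counted as running over; meeting 333 has no ended event and is the single active meeting, 20 minutes old at the chosen reference time.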
Dashboard Reference: rw_auth_ops.xml
The top row of the Authentication Ops dashboard provides real time authentication information for applications accessed via Okta: the success rate and the number of authentication attempts over the last hour. The middle row provides these same metrics over the past seven days, and indicates the reasons for failure. The bottom panel indicates the authentication success rate by application.