Remote Work Insights | Splunk

SOLUTION GUIDE

Real-time Analysis of Remote Work Operational and Security Data in the Cloud

Remote Work Insights


Empowering the Remote Workforce

As more organizations empower their employees to work from home, remote systems are becoming increasingly mission critical. Optimizing performance and mitigating security risks are more critical than ever before.

Splunk offers a free program, Remote Work Insights, for existing and new customers looking to monitor and secure their remote workforce. This program delivers the foundation to deploy and deliver meaningful insights in a rapid, scalable way across the entire organization.

With Remote Work Insights, customers that participate receive a free Splunk Cloud [1] instance for a defined period (usually 90 days). Together with Splunk, you will onboard your data and implement best practices on select use cases. Additionally, Splunk will enable you to monitor key performance indicators, identify emerging issues and perform deep root cause analysis across a representative subset of your full environment — all from a single platform.

Remote Work Insights is a program that:

• Understands and quantifies your business challenges
• Identifies key use cases relevant to your business
• Curates Splunkbase apps and add-ons needed to satisfy the selected use cases

1. For more information on Splunk Cloud generally, see this webpage.

Use Cases Supported With Remote Work Insights

Remote Access VPN Monitoring

With an increasing number of remote workers, organizations are experiencing increasing performance demands. Remote access VPN monitoring enables users to better monitor, secure and troubleshoot their work environments with insights ranging from performance issues to application usage.

Sample dashboard showing real-time visibility into VPN activity.

Remote Access: Collaboration Monitoring With Microsoft 365

As employees shift to working from home, companies are experiencing increased load and even outages across their remote access and collaboration tools. And with the growing reliance on communication and collaboration solutions like Microsoft 365, the dreaded outage is more painful than ever. Companies who want to maintain employee productivity and consistent service delivery against committed SLAs must be able to monitor service performance, investigate incidents and correlate that data to cloud service data. Remote Work Insights makes this easy with Microsoft 365 collaboration monitoring.

Sample dashboard showing real-time visibility into Microsoft 365 activity.

Video Conferencing

Use of video conferencing solutions has increased dramatically with the shift to remote work — potentially adding strain to already busy IT operations teams. IT teams now have to increasingly troubleshoot issues related to third-party provided video conferencing solutions as a result. Remote Work Insights provides visibility into issues impacting audio and video performance and quality for Zoom meetings, webinars and Rooms.

Sample dashboard showing real-time visibility into Zoom video conferencing activity.

Authentication

Similar to Remote Access VPN Monitoring, viewing authentication data can provide visibility into key IT operations issues such as concurrent connections or user counts, active users in the system, bandwidth utilization, and service problems reflected in failed or dropped logins and sessions. Remote Work Insights’ supported authentication services include Okta, Duo, Sailpoint, and Windows.

Sample dashboard showing real-time visibility into Authentication activity.


Splunk created a list of key operations and security use cases that can be demonstrated during the engagement. Please check off the areas of specific interest to you and your organization. Organizations may select more than one use case but no more than three use cases to begin. You’ll work with your account team to determine the best path forward.

Use Case #1: Remote Access VPN Monitoring

Target Devices: VPN Gateways or Clients

Data Sources (choose up to 2):
• Cisco AnyConnect
• Palo Alto Networks GlobalProtect
• Fortinet Forticlient
• Check Point SecuRemote, SecuClient, Endpoint Security, SSL VPN
• Zscaler ZPA, ZPI

Technical Success Criteria:
• How many people are connected to VPN? Over time? Total User Count?
• Origin — where are people connecting from?
• Errors
• Concurrent users at any given time
• Device types connected to VPN
• Who can’t connect to VPN? (i.e. failed attempts or no attempt)
• Are connections dropped?
• What applications are being accessed?

Use Case #2: Remote Access VPN Security Posture

Target Devices: VPN Gateways or Clients

Data Sources (choose up to 2):
• Cisco AnyConnect
• Palo Alto Networks GlobalProtect
• Fortinet Forticlient
• Check Point SecuRemote, SecuClient, Endpoint Security, SSL VPN
• Zscaler ZPA, ZPI

Security Detection and Response Use Cases:
• Successful Logins from Rare/Unexpected Countries
• Geographically Improbable Access
• Password Spraying
• Multiple Simultaneous Logins
• VPN Connection from Unsupported Device
• Authentication from TOR or Suspicious Domain
• SMB/UPnP/Bonjour Devices Visible/Available on VPN Subnet
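Two of the detections in the list above, Password Spraying and Geographically Improbable Access, reduce to simple aggregations over VPN authentication events, which is what a Splunk search would do behind the dashboard. The following is an added example written for this guide, not Splunk's own code or a search from the program: it runs over a handful of constructed VPN events, and the GEO lookup table, the event tuple layout and the thresholds (5 distinct accounts per 5 minutes, 900 km/h) are all assumptions standing in for a GeoIP database and a site's own tuning.

```python
"""Password-spray and impossible-travel detection over VPN authentication events.
Added example, not Splunk code: the event tuple layout, the GEO lookup table,
the sample events and the thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample VPN authentication events: (timestamp, user, src_ip, result).
SAMPLE_EVENTS = [
    ("2020-04-01T09:00:00", "alice", "203.0.113.10", "success"),
    ("2020-04-01T09:05:00", "alice", "203.0.113.10", "success"),
    ("2020-04-01T09:40:00", "alice", "198.51.100.7", "success"),  # another continent, 35 min later
    ("2020-04-01T10:00:00", "bob", "192.0.2.44", "failure"),
    ("2020-04-01T10:00:05", "carol", "192.0.2.44", "failure"),
    ("2020-04-01T10:00:10", "dave", "192.0.2.44", "failure"),
    ("2020-04-01T10:00:15", "erin", "192.0.2.44", "failure"),
    ("2020-04-01T10:00:20", "frank", "192.0.2.44", "failure"),
    ("2020-04-01T11:00:00", "bob", "203.0.113.22", "failure"),   # one typo, then success: normal
    ("2020-04-01T11:00:30", "bob", "203.0.113.22", "success"),
]

# Constructed stand-in for a GeoIP lookup: src_ip -> (country, latitude, longitude).
GEO = {
    "203.0.113.10": ("GB", 51.5, -0.1),
    "203.0.113.22": ("GB", 51.5, -0.1),
    "198.51.100.7": ("US", 40.7, -74.0),
    "192.0.2.44": ("XX", 0.0, 0.0),
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_password_spray(events, window_s=300, min_users=5):
    """Return {src_ip: [users]} for sources that fail logins against at least
    `min_users` distinct accounts inside any `window_s`-second window: the
    one-source, many-accounts shape that separates a spray from a user's typos."""
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            failures[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if (t - t0).total_seconds() <= window_s}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def detect_impossible_travel(events, geo, max_speed_kmh=900.0):
    """Return [(user, prev_ip, ip, km, km_per_h)] for consecutive successful logins
    by one user whose implied travel speed exceeds `max_speed_kmh`."""
    last_seen = {}
    alerts = []
    for ts, user, ip, result in sorted(events):   # ISO timestamps sort chronologically
        if result != "success" or ip not in geo:
            continue
        t = datetime.fromisoformat(ts)
        _country, lat, lon = geo[ip]
        if user in last_seen:
            prev_t, prev_ip, prev_lat, prev_lon = last_seen[user]
            hours = (t - prev_t).total_seconds() / 3600
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            if hours > 0 and km / hours > max_speed_kmh:
                alerts.append((user, prev_ip, ip, round(km), round(km / hours)))
        last_seen[user] = (t, ip, lat, lon)
    return alerts


if __name__ == "__main__":
    print("password spray:", detect_password_spray(SAMPLE_EVENTS))
    print("impossible travel:", detect_impossible_travel(SAMPLE_EVENTS, GEO))
```

On the constructed events the spray check flags 192.0.2.44 (five accounts in twenty seconds) while bob's single typo at 203.0.113.22 stays quiet, and the travel check flags alice's London-to-New-York hop of roughly 5,500 km in 35 minutes. In a real deployment both thresholds need tuning: VPN concentrators with many users behind one NAT address inflate the per-source user count, and GeoIP coordinates are city-level at best, so a low speed ceiling produces noise from users on mobile networks.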


Use Case #3: Remote Access: Collaboration Monitoring with Microsoft 365

The Microsoft 365 App provides several out-of-the-box dashboards; please select those of interest:
• Azure Active Directory
• User Audit dashboard
• Exchange
• SharePoint
• OneDrive
• Microsoft Teams
• Power BI

The data source for this use case will be supported by deployment of the Microsoft 365 Technology Add-On. A full step-by-step data onboarding guide is included.

Use Case #4: Remote Access: Security Posture Monitoring for Microsoft 365 Environments

Target Microsoft 365 Data Source: Management Data
Security Detection and Response Use Cases:
• New Org BCC Rules Added
• Email Forwarding Rule Created
• Exporting of PSTs
• Adding Permissions to Mailboxes
• New Admin Account Created
• Sharing of OneDrive Files
• Downloads from OneDrive

Target Microsoft 365 Data Source: Azure Active Directory
Security Detection and Response Use Cases:
• Successful Logins from Rare/Unexpected Countries
• Geographically Improbable Access
• Password Spraying
• Multiple Simultaneous Logins
• External Org User Logins
• Attempted Logins from Expired/Disabled Account

Target Microsoft 365 Data Source: Message Trace Logs
Security Detection and Response Use Cases:
• Spike in Password Reset Emails
• Emails with Pandemic-Related subjects
• Emails from known-malicious domains
• Emails from lookalike Domains
• Emails from outside the org with Company Domains
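Three of the Message Trace Logs use cases above (known-malicious domains, lookalike domains, and company domains arriving from outside the org) are decisions about the sender domain of each traced message. The example below is added for this guide and is neither Splunk's code nor part of the Microsoft 365 add-on: it classifies a few constructed message-trace records, and the company domain, the placeholder malicious-domain list, the record layout and the homoglyph table are all assumptions. It goes a little beyond the one-line use-case names by showing how a lookalike check is usually built: normalize common visual substitutions, then measure edit distance (with adjacent transpositions counted as one edit) against the company domains.

```python
"""Message-trace checks for mail from known-malicious domains, lookalike domains,
and company domains arriving from outside the org. Added example, not Splunk
code or the Microsoft 365 add-on: domain lists, record layout and sample
messages are constructed assumptions."""

COMPANY_DOMAINS = {"example.com"}
KNOWN_MALICIOUS_DOMAINS = {"bad-actor.example"}  # constructed placeholder threat list

# Constructed sample message-trace records: (message_id, sender, direction).
SAMPLE_TRACE = [
    ("m1", "hr@example.com", "Inbound"),         # company domain arriving from outside
    ("m2", "it@examp1e.com", "Inbound"),         # digit 1 standing in for the letter l
    ("m3", "news@exampel.com", "Inbound"),       # two letters transposed
    ("m4", "alice@partner.example", "Inbound"),  # unrelated external domain: benign
    ("m5", "bob@example.com", "Outbound"),       # normal outbound mail
    ("m6", "x@bad-actor.example", "Inbound"),    # on the placeholder malicious list
]

# Visual substitutions commonly used in lookalike domains (assumed, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]


def normalize_domain(domain):
    """Lower-case the domain and collapse visual look-alikes to the base letters."""
    domain = domain.lower()
    for glyph, base in HOMOGLYPHS:
        domain = domain.replace(glyph, base)
    return domain


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein edits plus adjacent
    transpositions, so 'exampel' is one edit from 'example' rather than two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_lookalike(domain, company_domains, max_distance=1):
    """True when `domain` is not a company domain but sits within `max_distance`
    edits of one after homoglyph normalization."""
    domain = domain.lower()
    if domain in company_domains:
        return False
    norm = normalize_domain(domain)
    return any(osa_distance(norm, normalize_domain(c)) <= max_distance for c in company_domains)


def classify_message(sender, direction, company_domains=COMPANY_DOMAINS,
                     malicious_domains=KNOWN_MALICIOUS_DOMAINS):
    """Return the detection tags that apply to one message-trace record."""
    domain = sender.rsplit("@", 1)[-1].lower()
    tags = []
    if domain in malicious_domains:
        tags.append("known_malicious_domain")
    if is_lookalike(domain, company_domains):
        tags.append("lookalike_domain")
    if direction == "Inbound" and domain in company_domains:
        tags.append("external_sender_with_company_domain")
    return tags


def scan_trace(records):
    """Map message id -> tags for every record that triggers at least one check."""
    hits = {}
    for message_id, sender, direction in records:
        tags = classify_message(sender, direction)
        if tags:
            hits[message_id] = tags
    return hits


if __name__ == "__main__":
    for message_id, tags in scan_trace(SAMPLE_TRACE).items():
        print(message_id, tags)
```

The "company domain from outside" check relies on the trace's direction field rather than on the sender address alone, because legitimate internal mail also carries the company domain; in a tenant that enforces SPF, DKIM and DMARC on inbound mail this rule should fire rarely, which makes each hit worth a look. The lookalike threshold of one edit is deliberately tight; widening it catches more registrations but quickly starts matching unrelated short domains.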


Use Case #5: Security Monitoring and Response for Authentication Logs

Target Authentication Data Source: Any with geographical mapping (IP address or similar)
Security Detection and Response Use Cases:
• Geographically Improbable Access Detected
• Logins from unusual countries/regions
• Multiple Logins from single location/IP
• Login attempts to multiple accounts from single source (password spray)

Target Authentication Data Source: Any (common ones include Okta, Duo, Ping, Windows Security, Azure AD, classic AD)
Security Detection and Response Use Cases:
• New Interactive Logon from a Service Account
• Unauthorized User Logged Into In-Scope System
• Excessive User Account Lockouts
• Activity from Expired User Identity
• Activity from Long-Dormant Identity
• New User Taking Privileged Actions
• Audit user creations/modifications/add to privileged group
• Default Account Activity Detected
• Unusual Application Access for User/Role
• Excessive Failed Logins
• Concurrent Login Attempts Detected
• Successful Logins from New Device
• First Time Login to New Server
• First Time Login to Jump Server
• Increase in hosts logged into from user

Target Authentication Data Source: Any (common ones include Okta, Duo, Ping, Windows Security, Azure AD, classic AD) + endpoint/malware data
Security Detection and Response Use Cases:
• Watchlisted/Priority User logging into Infected System
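Several of the authentication-log use cases above compare each login against a baseline built from earlier logins rather than against a fixed rule. The example below, added for this guide and not Splunk's own code, implements three of them over constructed authentication events: Activity from Long-Dormant Identity, Excessive Failed Logins, and First Time Login to New Server (with the jump-server variant flagged by a host list). The baseline dictionaries, the event layout, the 90-day dormancy window and the 5-failures-in-10-minutes threshold are assumptions; a deployment would derive the baselines from its own login history.

```python
"""Three baseline-driven authentication detections: long-dormant identity,
excessive failed logins per account, and first-time login to a new (or jump)
server. Added example, not Splunk code; baselines, event layout and thresholds
are constructed assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed baseline a deployment would derive from login history: last
# successful login per user, and the hosts each user has logged into before.
BASELINE_LAST_LOGIN = {
    "alice": "2020-03-30T17:00:00",
    "bob": "2019-11-02T09:00:00",   # no activity for about five months
}
BASELINE_HOSTS = {"alice": {"ws-alice"}, "bob": {"ws-bob"}}
JUMP_SERVERS = {"jump01"}           # assumed list of bastion hosts

# Constructed sample authentication events: (timestamp, user, host, result).
SAMPLE_EVENTS = [
    ("2020-04-01T08:00:00", "alice", "ws-alice", "success"),
    ("2020-04-01T08:10:00", "bob", "ws-bob", "success"),        # dormant identity wakes up
    ("2020-04-01T08:12:00", "bob", "jump01", "success"),        # then reaches a jump server
    ("2020-04-01T08:30:00", "carol", "ws-carol", "failure"),
    ("2020-04-01T08:31:00", "carol", "ws-carol", "failure"),
    ("2020-04-01T08:32:00", "carol", "ws-carol", "failure"),
    ("2020-04-01T08:33:00", "carol", "ws-carol", "failure"),
    ("2020-04-01T08:34:00", "carol", "ws-carol", "failure"),
    ("2020-04-01T08:40:00", "carol", "ws-carol", "success"),    # carol has no baseline yet
]


def _ts(text):
    return datetime.fromisoformat(text)


def detect_dormant_identity(events, baseline_last_login, dormant_days=90):
    """Return {user: idle_days} for users whose first successful login in the
    batch comes at least `dormant_days` after their baseline last login.
    Users with no baseline are skipped rather than guessed at."""
    alerts = {}
    for ts, user, _host, result in sorted(events):
        if result != "success" or user in alerts or user not in baseline_last_login:
            continue
        idle_days = (_ts(ts) - _ts(baseline_last_login[user])).days
        if idle_days >= dormant_days:
            alerts[user] = idle_days
    return alerts


def detect_excessive_failed_logins(events, threshold=5, window_s=600):
    """Return {user: max_failures_in_window} for accounts with at least
    `threshold` failures inside any `window_s`-second window; the per-account
    twin of a password-spray check and the usual precursor to lockouts."""
    failures = defaultdict(list)
    for ts, user, _host, result in events:
        if result == "failure":
            failures[user].append(_ts(ts))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        best = 0
        for i, t0 in enumerate(times):
            in_window = sum(1 for t in times[i:] if (t - t0).total_seconds() <= window_s)
            best = max(best, in_window)
        if best >= threshold:
            flagged[user] = best
    return flagged


def detect_first_time_host_login(events, baseline_hosts, jump_servers):
    """Return [(user, host, is_jump_server)] for successful logins to a host the
    user has never logged into before. The working copy of the baseline is
    extended as events are processed, so a repeat login to the same new host
    does not alert twice."""
    known = {user: set(hosts) for user, hosts in baseline_hosts.items()}
    alerts = []
    for _ts_text, user, host, result in sorted(events):
        if result != "success":
            continue
        seen = known.setdefault(user, set())
        if host not in seen:
            alerts.append((user, host, host in jump_servers))
            seen.add(host)
    return alerts


if __name__ == "__main__":
    print("dormant:", detect_dormant_identity(SAMPLE_EVENTS, BASELINE_LAST_LOGIN))
    print("excessive failures:", detect_excessive_failed_logins(SAMPLE_EVENTS))
    print("new hosts:", detect_first_time_host_login(SAMPLE_EVENTS, BASELINE_HOSTS, JUMP_SERVERS))
```

Run together, the three checks tell one story on the sample data: bob's account comes back to life after 150 idle days and immediately logs into a jump server for the first time, which is the combination an analyst would want correlated into a single notable event rather than seen as three separate alerts. Carol's five failures followed by a success is a weaker signal on its own and is the kind of hit that an account-lockout policy and a quick check with the user usually close.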

Use Case #6: Security Monitoring and Response for Zoom

Target Zoom Data Source: Zoom Events via TCP Webhook
Security Detection and Response Use Cases:
• Reuse of personal IDs/meeting IDs
• Audit client versions
• Audit profile settings surrounding passwords and meeting IDs
• Audit new user accounts or other changes
• Abnormal Zoom Meeting duration

Target Zoom Data Source: Zoom Events via TCP Webhook + REST API calls
Security Detection and Response Use Cases:
• Zoom logins from unusual countries/regions
• Zoombombing Prevention [2]

2. Requires a Phantom license, which is not included in the Remote Work Insights offering but can be obtained by the customer on their own. More details on Phantom, and information on getting started with the free Community Edition of Phantom, are available here.


Use Case #7: Zoom Service Performance and Quality Monitoring

Target Zoom Data Source: Zoom ‘Meeting Alerts’ via TCP Webhook
Security Detection and Response Use Cases:
• Unstable audio or video (meeting)
• Poor screen share quality (meeting)
• High CPU utilization (meeting)
• Call reconnection problems (meeting)

Target Zoom Data Source: Zoom ‘Webinar Alert’ via TCP Webhook
Security Detection and Response Use Cases:
• Unstable audio or video (webinar)
• Poor screen share quality (webinar)
• High CPU utilization (webinar)
• Call reconnection problems (webinar)

Use Case #8: Zoom Utilization Measurement

Target Zoom Data Source: Zoom ‘Meeting Created’, ‘Meeting Started’, and ‘Participant Joined’ via TCP Webhook
Service Utilization:
• Meeting Created
• Meeting Started
• Participant Joined

Target Zoom Data Source: Zoom ‘Webinar Created’, ‘Webinar Started’, and ‘Participant Joined’ via TCP Webhook
Service Utilization:
• Meeting Created
• Meeting Started
• Participant Joined

Use Case #9: Zoom Cloud Recording Monitoring

Target Zoom Data Source: Zoom ‘Recording Completed’ via TCP Webhook
Service Utilization:
• Recording Completed

Use Case #10: Zoom Room Alert Monitoring

Target Zoom Data Source: Zoom ‘Zoom Room Alert’ via TCP Webhook
Service Utilization:
• High CPU Usage
• Low Battery, Charging and/or Connection Issues in a Zoom Room Device (Computer, Controller or Scheduling Display)
• Room Controller Disconnections/Reconnections
• Camera Disconnections/Reconnections
• Missing Camera/Microphone
• Speaker Disconnections/Reconnections

Insights for Success: Help Us Help You

We want to support you through this process and set you up for success with Remote Work Insights. Please gather the information listed in the sections below and return it to your Splunk account team. We will schedule a call to review your desired outcomes and to discuss what is needed to onboard your data. We’ll also give you information on the data types required for success and begin the discussion on best practices for beginning this foundational deployment.

Contacts

Points of contact for the Splunk team to engage:

Sponsor (Primary Contact):
Technical Lead:
End User #1:
End User #2:

Recommended Training and Trials

If not a current user, please register for a splunk.com account and also sign up for FREE Splunk eLearning at splunk.com/training and get a handle on the Fundamentals.

Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved. 20-13222-Splunk-RET-Remote Work Insights-106-SG

www.splunk.com
Learn more: www.splunk.com/asksales