- Introduction
- Upgrade RWI - Executive Dashboard from v1.0.x to v.1.1.x
- Checklist
- Runbook Summary
- Zoom Walkthrough
- Configure the Remote Work Insights - Executive Dashboard
- Additional Resources
- Appendix
- Remote Work Insights - Executive Dashboard
The purpose of the Remote Work Insights - Executive Dashboard is to provide the ability to aggregate information across VPN, authentication, and video conferencing services to provide insights into the connectivity, productivity, and engagement across a remote workforce. An example dashboard that synthesizes information across these services is illustrated below:
Dashboard Reference: RWI - Executive Dashboard (rw_exec.xml)
The first row provides real-time information on the number of workers connected via VPN, real-time number of active Zoom video conferencing meetings, and the top application accessed via Okta for the current day. The second row looks at aggregate daily statistics over time for these same mission-critical indicators: number of VPN logins, number of Zoom meetings and average duration, and top 10 apps accessed via Okta. The bottom of the panel shows VPN connectivity counts by geographic location.
This document provides step by step instructions to install and configure your own Remote Work Insights - Executive Dashboard. It will allow you to dynamically create dashboards similar to the image above for a specific set of service providers: Palo Alto Network’s GlobalProtect VPN information, Okta authentication services, and Zoom video conferencing services. The instructions begin by highlighting a visual depiction of the data sources by service, a checklist of necessary Splunk Add-ons (commonly known as TAs) that must be installed, a runbook to ensure the proper Splunk Add-ons are correctly in place and finally a summary of steps required to start sending Zoom data to Splunk.
- Backup any custom dashboards or reports that were created while on v1.0.x
- Backup the navigation bar (default.xml), only if you have modified the application menu bar
- Download and install the latest version of the Splunk Add-on for RWI - Executive Dashboard from Splunkbase
- Installing on Splunk Cloud: Installing on Splunk Cloud through Self-Service Apps Install requires Splunk Cloud version 7.1.x or later.
- To install on Splunk Cloud version 7.0.x or earlier, submit a case to Splunk Support. See Contact Splunk Support for contact information and how to submit a case.
- Download and install the latest version of the RWI - Executive Dashboard
- Installing on Splunk Cloud: Installing on Splunk Cloud through Self-Service Apps Install requires Splunk Cloud version 7.1.x or later.
- To install on Splunk Cloud version 7.0.x or earlier, submit a case to Splunk Support. See Contact Splunk Support for contact information and how to submit a case.
- Restart the Splunk Search Head or Initiate a Search Head Cluster Rolling Restart
- Access the RWI - Executive Dashboard app v1.1.x+ for the first time using a Splunk Admin account and proceed with the Guided Setup
- App Prerequisites check
- Indexes macros configuration
- Data collections check
- Features/Navigation bar configuration
- Restore any custom dashboards or reports from Step 1
- ** See Important Note Before Proceeding **
- Merge any custom navigation menu from Step 2 with the default navigation bar.
- Splunk Add-on for RWI - Executive Dashboard
- This Splunk Add-on provides support functions to the RWI - Executive Dashboard v1.1 and above as to the Video Conferencing data model, field search-time extractions for the views, reports provided in the main App.
- If you have modified the Navigation Bar, you may still use the Guided Setup. Though, the menu ordering of the navigation bar may changes.
- If you are upgrading from v1.0.x to v1.1.x, you may access the Guided Setup using this link:
http(s)://<your_splunk_hostname>:<port>/en-US/app/rwi_executive_dashboard/guided_setup
This section provides you the prerequisites to successfully install the Remote Work Insights - Executive Dashboard.
Download the following apps from Splunkbase and deploy them according to your Splunk Environment. For more information on how to deploy Splunk apps and addons refer to the App Deployment Overview.
- Splunk
- Palo Alto Networks
- Okta
- Zoom
- Standalone Splunk Instance
- Any Splunk Enterprise or Splunk Cloud version 7.3 or higher
- For more information about which Splunk Deployment is right for you see About Splunk Enterprise deployments
- Any Splunk Enterprise or Splunk Cloud version 7.3 or higher
OR
- Distributed Splunk Deployment + Splunk Heavy Forwarder (HF)
- Any full version Splunk Enterprise version 7.3 or higher with a HF that will act as an independent forwarding agent for your Zoom and/or Okta data source
- Network and OS Firewall whitelist permissions
OR
- Splunk Cloud Environment with an Input Data Manager (IDM) instance
- Splunk Cloud version 7.3 or higher with an IDM that will act as an independent forwarding agent for your Okta data source
AND
- Syslog server for Palo Alto TA
- For more information on how to configure syslog
- Splunk Environment
- Splunk admin account with ability to install/configure apps and create indexes
- Splunk CLI (Command Line) access (only required for the Splunk Connect for Zoom)
- HTTP Event Collector (HEC) Token used by Splunk Connect for Syslog
- Zoom Environment
- Zoom administrator or developer account
- Zoom permissions to create and activate a Zoom App
- Network and OS Firewall whitelist permissions
- (Optional) Signed Trusted CA SSL Certificate and Private Key
In this runbook, you need to complete the following items:
- Splunk Search Head
- Remote Work Insights - Executive Dashboard
- Splunk Add-on for RWI - Executive Dashboard
- Splunk Common Information Model (CIM) Add-on
- Palo Alto Networks
- Okta
- Splunk Heavy Forwarder
- Syslog
- Palo Alto Networks
index=pan
- Okta
index=okta
- Zoom
index=zoom
- Configure the Splunk Common Information Model (CIM) Data Models
- Update the CIM Index Constraints for
Authentication,Network Sessions,Network Trafficdata models.
- Update the CIM Index Constraints for
- Update Palo Alto Networks Firewall Logs Data Model Schema
- Prefix
index=panin the base search
- Prefix
- Enabled Data Model Acceleration (DMA) (Optional)
- Palo Alto Networks Add-on for Splunk
- Palo Alto Networks Firewall Logs
- Palo Alto Networks Add-on for Splunk
- Okta
- Configure Okta Identity Cloud Add-on for Splunk and collecting Okta events
- Zoom
- Configure the Splunk Connect for Zoom to accept incoming webhooks from Zoom
- Create Zoom Webhook Only App
- Enable Webhook event subscriptions
- Activate Zoom App
- Configure the indexes macros to allow the Dashboards to work as per your environment.
| Category | Macro | Definition |
|---|---|---|
| Authentication | rw_auth_indexes | (index=okta) |
| Video Conferencing | rw_vc_indexes | (index=zoom) |
| VPN | rw_vpn_indexes | (index=pan) |
- Follow the CIM Index Constraints documentation to update the Index Constraints for the
Authentication,Network SessionsandNetwork TrafficCIM data models.
| Category | CIM Data Model | Indexes to add |
|---|---|---|
| Authentication | Authentication | okta, pan |
| VPN | Network Sessions | pan |
| VPN | Network Traffic | pan |
This section is only applicable to Zoom Data Collection.
- Use the Splunk Connect for Zoom to accept incoming webhooks from Zoom
- Please visit the: Splunk Connect for Zoom user documentation to assist you with the installation and configuration.
For this section, you may follow Zoom's documentation: Create a Webhook-Only App
- Go to: https://marketplace.zoom.us/ and login
- On the top right corner, click Develop > Build App
- Create a Webhook Only App
- Fill the App Information and click Continue
- App Name
- Short Description
- Company Name
- Developer Name
- Developer Email Address
- Enable Event Subscriptions
- Click on Add new event subscription button
- Provide the following information
- Subscription Name (eg: Splunk)
- Event notification endpoint URL (eg: https://example.com:4443)
- Click on Add events button
- Subscribe to any Webhook Events you wish.
- For more details, please visit the Zoom Webhook Reference page.
- Click Save
- Click Continue
- Activate your newly created Webhook Only App
- From the Splunk Search Head, go to the RWI - Executive Dashboard App
- Go to Settings > Advanced Search > Search Macros to update the Index Macros
- Update the following indexes macros
| Category | Macro | Definition |
|---|---|---|
| Authentication | rw_auth_indexes | (index=okta) |
| Video Conferencing | rw_vc_indexes | (index=zoom) |
| VPN | rw_vpn_indexes | (index=pan) |
- From the Splunk Search Head, go to the RWI - Executive Dashboard App
- You should be prompted with the Guided Setup if running version 1.1.x+ for the first time
- The wizard will assist you with the app prerequisites, index macros configuration, incoming data check and navigation bar setup
- The Indexes Macros were moved to the Splunk Add-on for RWI - Executive Dashboard. You may still configure the Indexes Macros outside of the Guided Setup as in the previous section for Version 1.0.x
- App deployment overview
- Install an add-on in a single-instance Splunk Enterprise deployment
- About securing Splunk Enterprise with SSL
- How to get certificates signed by a third-party
- Splunkbase
- Splunk Connect for Syslog
- Splunk Connect for Syslog - Runbook for redhat 8
- Splunk CIM Manual
- Splunk CIM Index Constraints
- Zoom Create a Webhook-only App
- Zoom Network Firewall or Proxy Server Settings
- Zoom Marketplace
- Zoom Webhook Logs
- Zoom Webhook Documentation
- Zoom Developer Forum
Dashboard Reference: rw_exec.xml
The first row of the Remote Work Insights - Executive Dashboard provides real-time information on the number of workers connected via VPN, real-time number of active Zoom meetings, and the top application accessed via Okta for the current day. The second row enables us to look at aggregate daily statistics over time for these same mission-critical indicators: number of VPN logins, number of Zoom meetings and average duration, and top 10 apps accessed via Okta. The bottom of the panel shows VPN connectivity counts by geographic location. Sudden drops during working hours may indicate connectivity issues.
The combination of VPN, authentication, and video conferencing services will provide insight into the following questions for a remote workforce:
- Is our remote workforce connected?
- Are they able to stay productive and run the business?
- Are they engaging with each other?
Dashboard Reference: rw_vpn_ops.xml
The top panel of the VPN Ops Dashboard shows successful and failed login attempts by location. The middle sequence of pie charts provides more specific information by country and city, as well as an overall indicator of successful and failed login attempts. The bottom row provides a time history of login attempts and insight into the number of unique users logging in to the network, and also a more granular view of users by regions.
Dashboard Reference: rw_vc_zoom_ops.xml
The top row of the Zoom Ops dashboard displays real time Zoom statistics: number of current active video conferencing sessions, number of active participants, duration of the longest ongoing meeting, average meeting length, and shortest meeting in the last 1 hour. The middle row shows the number of meetings over time by hour and whether meetings are completed in the scheduled amount of time or run over to provide insight into the distribution of activity over the course of a day. The bottom row shows the number of meetings by type and also indicates the distribution of devices that were used to join Zoom.
Dashboard Reference: rw_auth_ops.xml
The top row of the Authentication Ops dashboard provides real time authentication information for applications accessed via Okta: the success rate and the number of authentication attempts over the last hour. The middle row provides these same metrics over the past seven days, and indicates the reasons for failure. The bottom panel indicates the authentication success rate by application.