© 2020 SPLUNK INC.


Whose Is It Anyway? (PLA1256)

Alan Ivarson, Staff Cloud Architect | Splunk
Matt Portnoy, Senior Sales Engineer | Splunk

Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved.

Matt Portnoy

Senior Sales Engineer | Splunk

Agenda: Where are we going today?

1) Why Are We Talking About This? These are critical capabilities as you move to the cloud.
2) What Does “Cloud” Mean? Which aaS are we focused on here?
3) How Does This Work? What are the rules?
4) See It in Action! Multiple examples for you to follow.
5) Recap and Next Steps. Don’t stop at getting the data!

Why Are We Talking About This?

Why This Presentation? The current pandemic has shifted 10 years of cloud growth into merely a few months.

Speed of Innovation | Flexibility | Cost (CapEx → OpEx)

90% of organizations use some cloud services. Cloud is no longer just an option.

Where Does the Improv Fit In? These are not the only ones we can pull from.

What Does “Cloud” Mean?

Whose “Cloud” Is It Anyway? (Who manages each layer of the stack, from on-premises through the three service models.)

Layer              On-Premises   Infrastructure as a Service   Platform as a Service   Software as a Service
Applications       User          User                          User                    Vendor
Data               User          User                          User                    Vendor
Runtime            User          User                          Vendor                  Vendor
Middleware         User          User                          Vendor                  Vendor
Operating System   User          User                          Vendor                  Vendor
Virtualization     User          Vendor                        Vendor                  Vendor
Servers            User          Vendor                        Vendor                  Vendor
Storage            User          Vendor                        Vendor                  Vendor
Networking         User          Vendor                        Vendor                  Vendor

Legend: User = User Managed, Vendor = Vendor Managed. Example of Platform as a Service: AWS Elastic Beanstalk.

What Are the Rules?

The General Process: How do we replicate this for all SaaS data sources?

1) Research: How do we get the data? What Splunk Technology Add-ons (TAs) can help?
2) Prepare Splunk for receiving the data: Install TAs. Create an index to store the data.
3) Configure the SaaS app for integration: Set up auth tokens. Validate that logging is enabled.
4) Get the data into Splunk: Configure Splunk inputs. Validate that data is received properly. Troubleshoot, if needed.

1) Research: Onboarding SaaS data? Many paths – what does the SaaS provider allow?

• Inputs Data Manager: Web Service or API, Scripted / Modular Inputs (Pull)
• Heavy Forwarder: Web Service or API, Scripted / Modular Inputs (Pull)
• HTTP Event Collector (HEC): Streaming Logs and Metrics (Push)

1) Research: Splunkbase – Apps and Add-ons: https://apps.splunk.com OR https://splunkbase.splunk.com

950+ Splunk Cloud vetted apps. Most common use cases and products are already vetted:
• Security – ES
• IT Ops – ITSI
• Product/Vendor based
All Splunk Cloud apps are vetted for security and performance risks.

2) Prepare Splunk: Install Apps and Add-ons – Where to install Apps and Add-ons on an on-premises deployment

Consult the installation instructions for each individual add-on, which indicate where your add-on must be installed in order to work in a distributed architecture.

Rule of thumb: Add-ons everywhere. Apps on the Search Head. https://docs.splunk.com/Documentation/AddOns/released/Overview/Wheretoinstall

2) Prepare Splunk: Install Apps and Add-ons – Where to install Apps and Add-ons on Splunk Cloud

Easy route: Splunk Cloud – Browse apps inside the stack – Click install and Splunk puts the apps and add-ons where they need to go.

*Some apps or add-ons may require a support ticket.

2) Prepare Splunk: Create Index for Data – Index creation

Best Practice: Separate data types by index for RBAC and retention control.

Settings > Indexes > New Index…

3) Prepare SaaS App: Securely Connect to the Cloud – Token authentication creation

Create token authentication on the SaaS app. Generally only read access is required.

You might need to engage a subject matter expert (SME) at your organization for this.

4) Data to Splunk: Get Data into Splunk Cloud – Configure and enable inputs

Create and enable inputs on the Splunk Forwarding/Input Tier:
• Heavy Forwarder (HF) for on-premises deployments
• Input Data Manager (IDM) for Splunk Cloud

Refer to add-on specific documentation.

What’s the Setup?

The Setup (Getting Data In)
• Search / UI Tier: Search head
• Indexing Tier: Indexer, Indexer, Indexer
• Ingest Tier: Input Data Manager

Improv Time – Audience Participation! Which one do you choose?

Alan Ivarson

Staff Cloud Architect | Splunk

See It in Action!

The GDI Process for Okta: Getting Data In for Okta

1) Research: API pull using IDM with the Okta Identity Cloud Add-on for Splunk.
2) Prepare Splunk for receiving the data: Install the Okta Add-on on IDM and SH. Create index conf20-okta.
3) Configure the SaaS app for integration: Set up auth tokens. Validate that logging is enabled.
4) Get the data into Splunk: Configure Splunk inputs. Validate that data is received properly. Troubleshoot, if needed.

1) Research: Splunkbase – Apps and Add-ons: https://apps.splunk.com OR https://splunkbase.splunk.com

Inputs Data Manager: API pull using Scripted / Modular Inputs

2) Prepare Splunk: Install Okta Add-on – Install the Okta Add-on on IDM and SH per the app docs

The add-on requires installing at the Forwarding and Search Tiers.

2) Prepare Splunk: Create Index for Okta Data – Index creation

Best Practice: Separate data types by index for RBAC and retention control.

Settings > Indexes > New Index…

3) Prepare SaaS App: Securely Connect to the Cloud – Create token, then assign permissions

Create an API token in Okta. You might need to engage an SME at your organization for this. ! IMPORTANT ! – Copy your key. You only get one chance to view it.

https://developer.okta.com/docs/guides/create-an-api-token/overview/

4) Data to Splunk: Get Data into Splunk Cloud
• Add account and token authentication: Add the token credentials.
• Configure and enable inputs: Create and enable inputs on the Splunk IDM. Refer to add-on specific documentation.
• Validate that the data has arrived in Splunk!

Why Did We Do All This?

1) Don’t stop at just getting the data in.
2) The real value is visualizing the data and having it tell a story.
3) Data-driven decisions deliver better outcomes.

See It in Action! Part 2

The GDI Process for 365: Getting Data In for Microsoft 365

1) Research: API pull using IDM with the Microsoft Office 365 Reporting Mail Add-on for Splunk AND the Splunk Add-on for Microsoft Office 365.
2) Prepare Splunk for receiving the data: Install the Add-ons on IDM and SH. Create index conf20-msft365.
3) Configure the SaaS app for integration: Set up auth tokens. Validate that logging is enabled.
4) Get the data into Splunk: Configure Splunk inputs. Validate that data is received properly. Troubleshoot, if needed.

1) Research: Microsoft 365 Data Sources (consulted my Microsoft 365 SME – Jason Conger)

• Service Communication: Service Messages, Service Degradation
• State/User Data: Graph API – typically not time-series
• Management Activity: Who did what and when
• Reporting Services: Message Tracing


1) Research: Splunkbase – Apps and Add-ons: https://apps.splunk.com OR https://splunkbase.splunk.com

Inputs Data Manager: API pull using Scripted / Modular Inputs
• https://splunkbase.splunk.com/app/4055/ – Install on IDM + SH
• https://splunkbase.splunk.com/app/3720 – Install on IDM + SH
• https://splunkbase.splunk.com/app/3786 – Install on SH

2) Prepare Splunk: Install Apps and Add-ons – Install the MSFT Add-ons on IDM and SH per the app docs

Requires installing the Add-ons at the Forwarding and Search Tiers. The App is installed on the Search Tier only.

2) Prepare Splunk: Create Index for Microsoft 365 Data – Index creation

Best Practice: Separate data types by index for RBAC and retention control.

Settings > Indexes > New Index…
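What the "separate data types by index" best practice looks like in configuration, for both the conf20-okta index from the Okta walkthrough and the conf20-msft365 index here. This is an added example, not configuration from the deck or from Splunk's add-ons; the storage paths, retention periods and role names are assumptions. On Splunk Cloud you set these through the UI (Settings > Indexes and Settings > Roles) rather than by editing .conf files; the .conf form is shown because it names every setting involved.

```ini
# indexes.conf (added example; paths, sizes and retention values are assumptions)
# One index per data source, so retention and access can differ per source.
[conf20-okta]
homePath   = $SPLUNK_DB/conf20-okta/db
coldPath   = $SPLUNK_DB/conf20-okta/colddb
thawedPath = $SPLUNK_DB/conf20-okta/thaweddb
# Keep Okta identity logs for 365 days (value is in seconds), then freeze/delete.
frozenTimePeriodInSecs = 31536000
maxTotalDataSizeMB     = 100000

[conf20-msft365]
homePath   = $SPLUNK_DB/conf20-msft365/db
coldPath   = $SPLUNK_DB/conf20-msft365/colddb
thawedPath = $SPLUNK_DB/conf20-msft365/thaweddb
# Keep Microsoft 365 audit and message-trace data for 90 days.
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB     = 200000

# authorize.conf (added example): RBAC by index.
# Each analyst role inherits the built-in "user" role but may only search its own index.
[role_okta_analyst]
importRoles        = user
srchIndexesAllowed = conf20-okta
srchIndexesDefault = conf20-okta

[role_m365_analyst]
importRoles        = user
srchIndexesAllowed = conf20-msft365
srchIndexesDefault = conf20-msft365

# Weak setting to avoid: one shared index (for example "main") for every SaaS source
# plus a role allowed to search everything. Per-source retention then becomes
# impossible and every analyst sees every source's data.
# [role_all_saas]
# importRoles        = user
# srchIndexesAllowed = *
```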

3) Prepare SaaS App: Securely Connect to the Cloud – Create user

Follow the screenshot instructions inside the Microsoft 365 App or the list of instructions on the Splunk Add-on for Microsoft 365 Splunkbase page. Identity and Access Management for Microsoft 365 is controlled by Azure Active Directory.

! IMPORTANT ! – Prereq: You must link your Exchange account with an Azure subscription. https://docs.microsoft.com/en-us/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings?view=o365-worldwide#:~:text=To%20add%20an%20Azure%20subscription,Subscriptions%2C%20and%20then%20click%20Add.

3) Prepare SaaS App: Securely Connect to the Cloud – Assign permissions

Give permissions to pull from the API in the Office 365 Security & Compliance Center: https://protection.office.com/permissions

You might need to engage an SME at your organization for this.

! IMPORTANT ! – To do a message trace, you need to be a member of the Organization Management, Compliance Management or Help Desk role groups.

3) Prepare SaaS App: Securely Connect to the Cloud – Splunk Add-on for Microsoft Office 365

Follow the step-by-step instructions inside the Microsoft 365 App - https://splunkbase.splunk.com/app/3786

You might need to engage an SME at your organization for this.

Identity and Access Management for Microsoft 365 is controlled by Azure Active Directory. Therefore, we will create an application in Azure Active Directory that the Splunk add-on can use for authentication.

3) Prepare SaaS App: Securely Connect to the Cloud – Create App Registration, Grant Permission, Create Token

Create an app registration in the Azure Active Directory admin center: https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps

You might need to engage an SME at your organization for this. Flow: Create App Registration → Add Permissions → Apply Permissions → Create Token Credentials

! IMPORTANT ! – Steps with Grant Permissions screenshots are detailed in the Help of the Microsoft 365 Splunk App.

4) Data to Splunk: Get Data into Splunk Cloud
• Add account and basic authentication: Add the user credentials.
• Add account and token authentication: Add the user and token credentials.
• Configure and enable inputs: Create and enable inputs on the Splunk IDM. Refer to add-on specific documentation.

! IMPORTANT ! – Adjust default values as needed for your organization size.

4) Data to Splunk: Get Data into Splunk Cloud – Validate that data has arrived in Splunk!

Refer to the add-on documentation. Validate that the data is in Splunk! Troubleshoot as needed. ! IMPORTANT ! – Make sure audit logging is enabled in the Security and Compliance admin center. https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide

! IMPORTANT ! – MSFT says delays can typically be 1h but as much as 24h in getting data from the API. Note: Portals change frequently, but the docs do not.


Recap and Next Steps

Where do I go from here?

Putting It All Together: Practice, practice, practice

1. Don’t stop at just getting the data in.
2. The real value is visualizing the data and having it tell a story.
3. Data-driven decisions deliver better outcomes.

Remote Work Insights – Autobahn POV: Cloud-based solution for rapid insights into remote work environments
• Receive a free Splunk Cloud instance with RWI capabilities for 90 days
• Onboard your data and implement best practices on select use cases
• Includes Okta and Microsoft 365, with new use cases added on a regular basis
• Sign up online at: https://www.splunk.com/en_us/solutions/covid19-response-overview/remote-work-insights.html

Please provide feedback via the SESSION SURVEY