Egnyte Protect App for Splunk

Overview

Egnyte Protect App For Splunk provides insights to the enterprises for the overall incidents which are identified and raised by Egnyte Protect. It would enable Splunk administrators to track the enterprise-wide incidents identified by Egnyte Protect directly through the Splunk App.

Egnyte Protect is a SaaS content governance solution that is simple to set up and use. It works across multiple repository types, such as Egnyte Connect, OneDrive for Business and Windows File Servers. It shows you where your sensitive information resides and highlights potential exposures of information.

Egnyte Protect delivers content classification, identifies issues, sends real-time alerts, enables remediation.

Egnyte Protect Apps on Splunkbase

There are two bundles available on Splunkbase for the Egnyte Protect App for Splunk.

^{Bundle Name}	^{SplunkBase URL}	^Description
^{Egnyte Protect Add-on For Splunk}	https://splunkbase.splunk.com/app/4526/	^{Egnyte Protect Add-on to ingest events into Splunk.}
^{Egnyte Protect App For Splunk}	https://splunkbase.splunk.com/app/4519/	^{Egnyte App with all the visualizations.}

Setting up the Egnyte Protect Apps in Splunk Environment

Installing app in Splunk

The Egnyte Protect Splunk app lets you collect incidents data from the Egnyte Protect.

Before you set up the app, ensure that you have all of the following requirements:

Proper Splunk credentials(Admin)
Egnyte Protect
Splunk Enterprise 6.6.x and above

Phase	Task	Description
Install the Engyte Add-on & App in Splunk	Download the free Egnyte Protect Add-on & Egnyte Protect App from the Splunk App store and install it.	Go to Splunk App Store: https://splunkbase.splunk.com In the search field, search for Egnyte Protect. In the search result, click on Egnyte Protect Add-on For Splunk. Download it. https://splunkbase.splunk.com/app/4526/ In the search result, click on Egnyte Protect App For Splunk, Download it. https://splunkbase.splunk.com/app/4519/
Configure Egnyte Protect Add-on in Splunk	Configure Add-on in Splunk	You must configure Egnyte Protect Add-on in your Splunk instance in order for Egnyte Protect to send data into your Splunk instance. See : “Configure Egnyte Protect Add-on in Splunk Instance” Note: Your username should have necessary privileges to configure Add-on.
Perform Post Setup Configuration	Post setup configuration of the Egnyte Add-on	After the data has started ingesting into Splunk instance, Configurations would be required to ensure that the App is pointed to the right Index in which data is being ingested by Egnyte Add-on. See: Update Macro Configuration

Configuring Egnyte Apps

Configure Egnyte Protect Add-on in Splunk Instance

Go to Egnyte Protect.
Click on “Create New Input”.
Egnyte Protect supports OAuth 2.0. To begin the Authorization process, Click on “Click here to generate token”. This would open up a new browser window for you to authorize Splunk to ingest the events.
It would be asking for your Email ID and Password to connect to Egnyte Account. Click on “Allow” to authorize the Splunk App.
Upon clicking on “Allow”, it would display a code which we would then have to supply back to the Splunk App. Click on “Copy”.
Go back to Splunk Add-on configuration page and fill up all the details and then click on “Add”.

Field Name	Description
Name	A logical name to the Input
Interval(in seconds)	An interval on which Add-on would be invoked to collect data from Egnyte Protect. Recommended Value: 3600
Index	Index name in which Add-on would be collecting Egnyte Protect Data Default Value: main
Endpoint	Based on your Egnyte Protect location you may choose US or EU region. Default Value: US
Code	Paste the code which has been copied from the link.

Update Macro Configuration

By default, Egnyte App for Splunk would be ingesting data into default(main) index. In case the index value has been set separately during the Add-on Input configuration. The same index value would have to be updated into Macro configured for the App as per following instructions.

Go to Settings → Advanced Search
Click on “Search Macros”
Set App Context to “Egnyte App for Splunk”, The macro name “egnyte_get_index” should be displayed and click on the name of the macro.
Macro is now in Edit Mode, Update Index value as per the Index created while setting up Add-on input. Click on “Save”.

Note: The Update to Macro is required only in case the events are pushed into a separate Index.

Install & Configuring app in a Distributed Splunk Environment

Following is the matrix of apps to be deployed in Splunk’s distributed environment.

App Name	Search Head Instance	Indexer Instance	Forwarder Instance
Egnyte App For Splunk	Yes	No	No
Egnyte Add-on For Splunk	No	No	Yes

App Installation & Setup Process for Search Head Instance remains the same as explained under “Setting Up Egnyte Protect Apps in Splunk Environment”

For information about distributed deployment for Splunk, please visit Splunk’s documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Deploy/Deploymentcharacteristics

Using the Egnyte Protect App for Splunk

Dashboards

Egnyte Protect App for Splunk has mainly divided the dashboards into two categories to distinguish the overall incidents identified by Egnyte Protect.

Incidents Summary

This dashboard enables Splunk users to have a summarized view of incidents identified by Egnyte Protect.

It consists of various panels and charts as described below.

Panel/Chart	Description
Total Issues	Count of number of distinct Id in the selected interval
High Severity	Count of number of distinct Id in the selected interval which has Severity greater than 6
Medium Severity	Count of number of distinct Id in the selected interval which has Severity greater than 3 but less than 7
Low Severity	Count of number of distinct Id in the selected interval which has Severity less than 4
Incidents Reported Over Time	Time Chart with the number of incidents reported by different severity over time.
Open issues by severity	Pie Chart of distinct issues by severity which is divided into three categories.
Open issues by severity	Pie chart of distinct issues by Type
Open issues by source	Pie chart of distinct issues by Source
Incidents Summary	Table chart with all the issues reported in the selected time interval.

Incident Information

This investigation dashboard enables Splunk users to track and search any specific incidents reported by Egnyte Protect.

It consists of various panels and charts as described below.

Panel/Chart	Description
Time Filter	Filter/Search incidents based on specific time.
ID	Filter/Search incident based on Incident ID
Policy	Filter/Search incidents based on the Policy
Incident Type	Filter/Search incidents based on specific incident type
Item-Type	Filter/Search incidents based on specific Item-type reported in the incident
Severity	Filter/Search incidents based on severity.
Incident Details	This panel would display all the incidents reported by Egnyte Protect based on the inputs provided by the Splunk users in input filters.

APPENDIX A: Various Possible Splunk Distributed Deployments

Indexer Clustering

https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Aboutindexesandindexers

https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Basicclusterarchitecture Screen_Shot_2019-06-11_at_5.47.37_PM.png

Search Head Clustering

http://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Configuresearchheadpooling

Multisite Clustering

http://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Multisitearchitecture Screen_Shot_2019-06-11_at_5.50.36_PM.png

APPENDIX B: Event data collection in Splunk

Index

In Splunk, any application event data is stored in indexes. It is a good practice to create indexes at the time of installation of the apps before any app configuration is done. Egnyte Protect app for Splunk uses default Splunk indexes as below:

Index Name	Created in App/Manual	Purpose/Type of Event Data
main	Available as part of Splunk Framework	All of the event data from Egnyte Protect would be indexed into Splunk at this index by default.

The above index will be used in various dashboards of “Egnyte Protect App for Splunk”. This index should not be cleaned; otherwise, the information will be lost.

Source-type

Source-type are default Splunk fields to categorize and parse indexed data in an organized way. Below is the table which shows how the Egnyte Protect related event data is distributed in these fields.
Please read more about the default fields at
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Aboutdefaultfields

Index Name	Source type	Purpose/Type of event data
main	egnyte:protect:incidents	All the events reported from Egnyte Protect is ingested into this SourceType.

CIM Mapping

For mapping, the events reported in Egnyte Protect into CIM models, Following fields are mapped to CIM Data Model.

Dataset name	Field name	Data type	Description	Egnyte Field Mapping
Alerts	app	string	The application involved in the event.	Egnyte Protect
	body	string	The body of a message.	type, source, item, updated, detected, policies
	id	string	The unique identifier of a message.	id
	severity	string	The severity of a message.	severity
	severity_id	string	A numeric severity indicator for a message.	severity
	src	string	The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name.	source
	subject	string	The message subject.	Egnyte Protect issue: <issue.item.displayName>
	type	string	The message type.	alert