Overview
Egnyte Secure & Govern App For Splunk gives enterprises insight into the incidents identified and raised by Egnyte Secure & Govern. It enables Splunk administrators to track enterprise-wide incidents identified by Egnyte Secure & Govern directly from the Splunk App.
Egnyte Secure & Govern is a SaaS content governance solution that is simple to set up and use. It works across multiple repository types, such as Egnyte Connect, OneDrive for Business, and Windows File Servers. It shows you where your sensitive information resides and highlights potential exposures of that information.
Egnyte Secure & Govern delivers content classification, identifies issues, sends real-time alerts, and enables remediation.
Egnyte Secure & Govern Apps on Splunkbase
There are two bundles available on Splunkbase for the Egnyte Secure & Govern App for Splunk.
Bundle Name | SplunkBase URL | Description
--- | --- | ---
Egnyte Secure & Govern Add-on For Splunk | | Egnyte Secure & Govern Add-on to ingest events into Splunk.
Egnyte Secure & Govern App For Splunk | | Egnyte App with all the visualizations.
Setting up the Egnyte Secure & Govern Apps in Splunk Environment
Installing app in Splunk
The Egnyte Secure & Govern Splunk app lets you collect incident data from Egnyte Secure & Govern.
Before you set up the app, ensure that you have all of the following requirements:
- Splunk administrator credentials
- Access to Egnyte Secure & Govern
- Splunk Enterprise 6.6.x and above
Phase | Task | Description
--- | --- | ---
Install the Egnyte Add-on & App in Splunk | | Download the free Egnyte Secure & Govern Add-on & Egnyte Secure & Govern App from the Splunk App store and install them.
Configure Egnyte Secure & Govern Add-on in Splunk | Configure Add-on in Splunk | You must configure the Egnyte Secure & Govern Add-on in your Splunk instance in order for Egnyte Protect to send data into your Splunk instance.
Perform Post Setup Configuration | Post setup configuration of the Egnyte Add-on | After data has started ingesting into the Splunk instance, configure the App so that it points to the index into which the Egnyte Add-on ingests data.
Configuring Egnyte Apps
Configure Egnyte Secure & Govern Add-on in Splunk Instance
- Go to Egnyte Secure & Govern.
- Click “Configuration”.
- Click "Add" under the "Accounts" tab.
- Egnyte Secure & Govern supports OAuth 2.0. To begin the authorization process, click “USA Authorization” to access the Egnyte Secure & Govern endpoint in the US region. For customers in the EU region, click “Europe Authorization”. This opens a new browser window in which you authorize Splunk to ingest the events.
To retrieve the Client ID and Client Secret, please reach out to our team at splunk@egnyte.com.
- You will be asked for the email address and password of your Egnyte account. Click “Allow” to authorize the Splunk App. You must authorize with a full Admin account (not a service account).
- Upon clicking “Allow”, a code is displayed which must be supplied back to the Splunk App. Click “Copy”.
- Go back to the Splunk Add-on configuration page, fill in all the details, and then click “Add”.
Field Name | Description
--- | ---
Account Name | A logical name for the Account.
Client ID | Retrieve the Client ID from the Egnyte Support team to provide input to this field.
Client Secret | Retrieve the Client Secret from the Egnyte Support team to provide input to this field.
Authorization Code | Paste the code which was copied from the link.
Region | Based on your Egnyte Secure & Govern location you may choose the US or EU region. Default value: US
Index | Index name into which the Add-on collects Egnyte Secure & Govern data. Default value: main
An input is created automatically once the account has been configured. If it is not created, perform Step 8.
8. a. (Optional) Click "Create New Input".
b. (Optional) Fill in the required fields. Select the account configured in the previous step from the “Global Account” dropdown.
Field Name | Description
--- | ---
Name | A logical name for the Input.
Interval (in seconds) | The interval at which the Add-on is invoked to collect data from Egnyte Secure & Govern. Recommended value: 3600
Index | Index name into which the Add-on collects Egnyte Secure & Govern data. Default value: main
Region | Based on your Egnyte Secure & Govern location you may choose the US or EU region. Default value: US
Global Account | Select the account which was configured under the Accounts tab.
Any errors after configuring the input are flagged in the message tray of the Splunk UI.
Update Macro Configuration
By default, the Egnyte App for Splunk works with data ingested into the default (main) index. If a different index was set during the Add-on Input configuration, the same index value must be updated in the macro configured for the App, as follows.
- Go to Settings → Advanced Search.
- Click “Search Macros”.
- Set the App Context to “Egnyte App for Splunk”. The macro named “egnyte_get_index” is displayed; click on the name of the macro.
- The macro is now in edit mode. Update the index value to match the index created while setting up the Add-on input, then click “Save”.
Updating the macro is required only when the events are pushed into a separate index.
Installing & Configuring the app in a Distributed Splunk Environment
The following matrix shows which apps are deployed on each instance type in Splunk’s distributed environment.
App Name | Search Head Instance | Indexer Instance | Forwarder Instance
--- | --- | --- | ---
Egnyte App For Splunk | Yes | No | No
Egnyte Add-on For Splunk | No | No | Yes
The App installation and setup process for the Search Head instance remains the same as explained under “Setting Up Egnyte Secure & Govern Apps in Splunk Environment”.
For information about distributed deployment for Splunk, please visit Splunk’s documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Deploy/Deploymentcharacteristics
Using the Egnyte Secure & Govern App for Splunk
Dashboards
Egnyte Secure & Govern App for Splunk divides its dashboards into two categories to distinguish the overall incidents identified by Egnyte Secure & Govern.
Incidents Summary
This dashboard gives Splunk users a summarized view of the incidents identified by Egnyte Secure & Govern.
It consists of the panels and charts described below.
Panel/Chart | Description
--- | ---
Total Issues | Count of distinct incident IDs in the selected interval.
High Severity | Count of distinct incident IDs in the selected interval with severity greater than 6.
Medium Severity | Count of distinct incident IDs in the selected interval with severity greater than 3 but less than 7.
Low Severity | Count of distinct incident IDs in the selected interval with severity less than 4.
Incidents Reported Over Time | Time chart of the number of incidents reported, split by severity, over time.
Open issues by severity | Pie chart of distinct issues by severity, divided into three categories.
Open issues by severity | Pie chart of distinct issues by Type.
Open issues by source | Pie chart of distinct issues by Source.
Incidents Summary | Table of all the issues reported in the selected time interval.
Incident Information
This investigation dashboard enables Splunk users to track and search for any specific incident reported by Egnyte Secure & Govern.
It consists of the panels and charts described below.
Panel/Chart | Description
--- | ---
Time Filter | Filter/search incidents based on a specific time range.
ID | Filter/search incidents based on Incident ID.
Policy | Filter/search incidents based on the Policy.
Incident Type | Filter/search incidents based on a specific incident type.
Item-Type | Filter/search incidents based on the specific item type reported in the incident.
Severity | Filter/search incidents based on severity.
Incident Details | Displays all the incidents reported by Egnyte Secure & Govern that match the inputs provided by the Splunk user in the filters above.
APPENDIX A: Various Possible Splunk Distributed Deployments
Indexer Clustering
https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Aboutindexesandindexers
https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Basicclusterarchitecture
Search Head Clustering
http://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Configuresearchheadpooling
Multisite Clustering
http://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Multisitearchitecture
APPENDIX B: Event data collection in Splunk
Index
In Splunk, application event data is stored in indexes. It is good practice to create indexes when installing the apps, before any app configuration is done. Egnyte Secure & Govern app for Splunk uses the default Splunk index as below:
Index Name | Created in App/Manual | Purpose/Type of Event Data
--- | --- | ---
main | Available as part of Splunk Framework | All of the event data from Egnyte Secure & Govern is indexed into Splunk at this index by default.
The above index is used in various dashboards of “Egnyte Secure & Govern App for Splunk”. This index should not be cleaned; otherwise, the information will be lost.
Source-type
Source types are default Splunk fields used to categorize and parse indexed data in an organized way. The table below shows how Egnyte Secure & Govern event data is distributed across these fields.
Please read more about the default fields at
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Aboutdefaultfields
Index Name | Source type | Purpose/Type of event data
--- | --- | ---
main | egnyte:protect:incidents | All the events reported from Egnyte Secure & Govern are ingested into this source type.
CIM Mapping
To map the events reported by Egnyte Secure & Govern into CIM models, the following fields are mapped to the CIM Alerts data model.
Dataset name | Field name | Data type | Description | Egnyte Field Mapping
--- | --- | --- | --- | ---
Alerts | app | string | The application involved in the event. | Egnyte Secure & Govern
Alerts | body | string | The body of a message. | type, source*, item*, updated, detected, policies
Alerts | id | string | The unique identifier of a message. | id
Alerts | severity | string | The severity of a message. | severity
Alerts | severity_id | string | A numeric severity indicator for a message. | severity
Alerts | src | string | The source of the message. You can alias this from more specific fields, such as src_host, src_ip, or src_name. | source
Alerts | subject | string | The message subject. | Egnyte Secure & Govern issue: <issue.item.displayName>
Alerts | type | string | The message type. | alert
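As an added illustration (not code from the Egnyte add-on or app), the following Python maps a constructed incident event onto the CIM Alerts fields in the table above and reproduces the distinct-ID severity counts shown on the Incidents Summary dashboard (High above 6, Medium 4 to 6, Low below 4). The raw event field names (id, type, severity, source, item.displayName, updated, detected, policies) are taken from the mapping table; their exact JSON shape is an assumption.

```python
import json

# Constructed sample events (assumed shape of egnyte:protect:incidents events; field names are assumptions).
SAMPLE_EVENTS = [
    {"id": "101", "type": "Sensitive Content", "severity": 8, "source": "Egnyte Connect",
     "item": {"displayName": "payroll.xlsx"}, "detected": "2019-05-01T10:00:00Z",
     "updated": "2019-05-01T10:05:00Z", "policies": ["PII"]},
    {"id": "102", "type": "Public Link", "severity": 5, "source": "OneDrive for Business",
     "item": {"displayName": "roadmap.docx"}, "detected": "2019-05-01T11:00:00Z",
     "updated": "2019-05-01T11:00:00Z", "policies": ["Sharing"]},
    # Same incident re-reported after an update: the dashboard counts distinct IDs, so it must count once.
    {"id": "102", "type": "Public Link", "severity": 5, "source": "OneDrive for Business",
     "item": {"displayName": "roadmap.docx"}, "detected": "2019-05-01T11:00:00Z",
     "updated": "2019-05-02T09:00:00Z", "policies": ["Sharing"]},
    {"id": "103", "type": "Permission", "severity": 2, "source": "Windows File Server",
     "item": {"displayName": "Finance"}, "detected": "2019-05-01T12:00:00Z",
     "updated": "2019-05-01T12:00:00Z", "policies": []},
]

def severity_band(severity):
    """Bands used by the Incidents Summary panels: High > 6, Medium 4-6, Low < 4."""
    s = int(severity)
    if s > 6:
        return "High"
    return "Medium" if s > 3 else "Low"

def to_cim_alert(event):
    """Map one incident onto the CIM Alerts fields listed in the mapping table."""
    item = event.get("item", {})
    body = {k: event.get(k) for k in ("type", "source", "item", "updated", "detected", "policies")}
    return {
        "app": "Egnyte Secure & Govern",
        "body": json.dumps(body, sort_keys=True),
        "id": str(event["id"]),
        "severity": str(event["severity"]),
        "severity_id": int(event["severity"]),
        "src": event.get("source"),
        "subject": "Egnyte Secure & Govern issue: %s" % item.get("displayName", ""),
        "type": "alert",
    }

def summarize(events):
    """Distinct-ID counts behind the Total Issues / High / Medium / Low panels; latest 'updated' copy of an id wins."""
    latest = {}
    for e in events:
        if e["id"] not in latest or e["updated"] > latest[e["id"]]["updated"]:
            latest[e["id"]] = e
    bands = [severity_band(e["severity"]) for e in latest.values()]
    return {"Total": len(latest), "High": bands.count("High"),
            "Medium": bands.count("Medium"), "Low": bands.count("Low")}
```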