
Egnyte Secure & Govern App for Splunk

Overview

The Egnyte Secure & Govern App For Splunk gives enterprises insight into the incidents identified and raised by Egnyte Secure & Govern. It enables Splunk administrators to track enterprise-wide incidents identified by Egnyte Secure & Govern directly from the Splunk App.

Egnyte Secure & Govern is a SaaS content governance solution that is simple to set up and use. It works across multiple repository types, such as Egnyte Connect, OneDrive for Business, and Windows File Servers. It shows where the sensitive information resides and highlights potential exposures of information.

Egnyte Secure & Govern delivers content classification, identifies issues, sends real-time alerts, and enables remediation.

Egnyte Secure & Govern Apps on Splunkbase

There are two bundles available on Splunkbase for the Egnyte Secure & Govern App for Splunk.

| Bundle Name | SplunkBase URL | Description |
|---|---|---|
| Egnyte Secure & Govern Add-on For Splunk | https://splunkbase.splunk.com/app/4526/ | Egnyte Secure & Govern Add-on to ingest events into Splunk. |
| Egnyte Secure & Govern App For Splunk | https://splunkbase.splunk.com/app/4519/ | Egnyte App with all the visualizations. |

Setting up the Egnyte Secure & Govern Apps in Splunk Environment

Installing the app in Splunk

The Egnyte Secure & Govern Splunk app lets the user collect incident data from Egnyte Secure & Govern.

Before setting up the app, ensure that all of the following requirements are met:

  • Proper Splunk credentials (Admin)
  • Egnyte Secure & Govern
  • Splunk Enterprise 6.6.x and above

The setup consists of three phases, each with a task and a description:

Phase 1: Install the Egnyte Add-on & App in Splunk

Task: Download the free Egnyte Secure & Govern Add-on and Egnyte Secure & Govern App from the Splunk App store and install them.

  1. Go to the Splunk App Store:
    https://splunkbase.splunk.com
  2. In the search field, search for Egnyte Secure & Govern.
  3. In the search results, click on Egnyte Secure & Govern Add-on For Splunk and download it.
    https://splunkbase.splunk.com/app/4526/
  4. In the search results, click on Egnyte Secure & Govern App For Splunk and download it.
    https://splunkbase.splunk.com/app/4519/

Phase 2: Configure Egnyte Secure & Govern Add-on in Splunk

Task: Configure the Add-on in Splunk.

The user must configure the Egnyte Secure & Govern Add-on in their Splunk instance in order for Egnyte Protect to send data into that Splunk instance.

See: “Configure Egnyte Secure & Govern Add-on in Splunk Instance” (under Configuring Egnyte Apps)

Note: The username used should have the privileges necessary to configure the Add-on.

Phase 3: Perform Post Setup Configuration

Task: Post setup configuration of the Egnyte Add-on.

After data has started ingesting into the Splunk instance, the App must be configured so that it points to the index into which the Egnyte Add-on is ingesting the data.

See: Update Macro Configuration


Configuring Egnyte Apps

To configure the Egnyte Secure & Govern Add-on in a Splunk instance:

  1. Go to the Egnyte Secure & Govern Add-on in Splunk.
  2. Click on Configuration.
  3. Click on Add under the Accounts tab.
  4. Egnyte Secure & Govern supports OAuth 2.0. To begin the authorization process, click on USA Authorization to access the Egnyte Secure & Govern endpoint in the US region. For customers in the EU region, click on Europe Authorization. This opens a new browser window in which you authorize Splunk to ingest the events.

    Follow the steps below to retrieve the Client ID and Client Secret:

    1. An Admin must register an application for their domain on this link. Under Register Your New Application, choose Public Available Application as Type, New App as Current User Base, and Other as Platform.
    2. The Egnyte domain you will use for testing will be a trial domain. Customers can register for a trial domain if they do not already have one.
    3. Select the required Web APIs under Select which web APIs you will use.
    4. Enter Splunk Collaborate, Splunk S&G, or Splunk Collaborate and S&G in the Please describe what your application will do field.
    5. The Registered OAuth Redirect URI field can be left blank.
    6. Fill in the other details and click on Register.

    The application will go through the verification process and will be activated upon successful verification.

  5. You will be asked for the email ID and password of the Egnyte account. Click on Allow Access to authorize the Splunk App. The App must be authorized with a full Admin account (not a service account).
  6. Upon clicking on Allow Access, a code is displayed which then has to be supplied back to the Splunk App. Click on Copy.
  7. Go back to the Splunk Add-on configuration page, fill in all the details, and then click on Add.

| Field Name | Description |
|---|---|
| Account Name | A logical name for the Account. |
| Client ID | Retrieve the Client ID from the Egnyte Support team to provide input to this field. |
| Client Secret | Retrieve the Client Secret from the Egnyte Support team to provide input to this field. |
| Authorization Code | Paste the code which was copied from the link. |
| Region | Based on the Egnyte Secure & Govern location, the user may choose the US or EU region. Default value: US |
| Index | Index name into which the Add-on collects Egnyte Secure & Govern data. Default value: main |

    The Input is created automatically once the account has been configured. If it is not created, execute Step 8.

  8. a. (Optional) Click on Create New Input.
     b. (Optional) Provide input to the required fields. Select the Account configured in the previous step from the Global Account dropdown.

| Field Name | Description |
|---|---|
| Name | A logical name for the Input. |
| Interval (in seconds) | The interval at which the Add-on is invoked to collect data from Egnyte Secure & Govern. Recommended value: 3600 |
| Index | Index name into which the Add-on collects Egnyte Secure & Govern data. Default value: main |
| Region | Based on the Egnyte Secure & Govern location, the user may choose the US or EU region. Default value: US |
| Global Account | Select the account which was configured under the Accounts tab. |

If there are any ERRORs after configuring the input, they will be flagged in the message tray in the Splunk UI.


Update Macro Configuration

By default, the Egnyte App for Splunk expects data to be ingested into the default (main) index. If a different index value was set during the Add-on Input configuration, it must be updated in the macro configured for the App, as follows.

  1. Go to Settings > Advanced Search.
  2. Click on Search Macros.
  3. Set App Context to Egnyte App for Splunk. The macro name egnyte_get_index should be displayed. Click on the name of the macro.
  4. The macro is now in Edit Mode. Update the Index value to the Index created while setting up the Add-on input. Click on Save.

The update to the macro is required only if the events are pushed into a separate Index.


Installing & Configuring the app in a Distributed Splunk Environment

The following matrix shows which apps are deployed on which instance types in Splunk’s distributed environment.

| App Name | Search Head Instance | Indexer Instance | Forwarder Instance |
|---|---|---|---|
| Egnyte App For Splunk | Yes | No | No |
| Egnyte Add-on For Splunk | No | No | Yes |

The App installation and setup process for the Search Head Instance remains the same as explained under “Setting up the Egnyte Secure & Govern Apps in Splunk Environment”.

For information about distributed deployment for Splunk, visit Splunk’s documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Deploy/Deploymentcharacteristics


Using the Egnyte Secure & Govern App for Splunk

The Egnyte Secure & Govern App for Splunk divides its dashboards into two categories to distinguish the overall incidents identified by Egnyte Secure & Govern.

Incidents Summary

This dashboard gives Splunk users a summarized view of the incidents identified by Egnyte Secure & Govern.

It consists of the panels and charts described below.

| Panel/Chart | Description |
|---|---|
| Total Issues | Count of distinct Ids in the selected interval. |
| High Severity | Count of distinct Ids in the selected interval with Severity greater than 6. |
| Medium Severity | Count of distinct Ids in the selected interval with Severity greater than 3 but less than 7. |
| Low Severity | Count of distinct Ids in the selected interval with Severity less than 4. |
| Incidents Reported Over Time | Time chart of the number of incidents reported, by severity, over time. |
| Open issues by severity | Pie chart of distinct issues by severity, divided into three categories. |
| Open issues by type | Pie chart of distinct issues by Type. |
| Open issues by source | Pie chart of distinct issues by Source. |
| Incidents Summary | Table with all the issues reported in the selected time interval. |
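The following is an added example, not code from the Egnyte app or add-on, that reproduces the semantics of the Incidents Summary panels above on a handful of constructed incident events: the severity buckets (High above 6, Medium 4 to 6, Low below 4), the distinct-Id counting behind the single-value panels, the data behind the three pie charts, and a per-day series for the time chart. The event field names (id, severity, type, source, detected) and the sample values are assumptions for the illustration, not the add-on's documented schema; the dashboard's own searches are not shown on this page.

```python
"""Added example (not the Egnyte app's code): reproduce the Incidents Summary
panel counts from constructed incident events.

Bucket boundaries follow the panel descriptions:
  High   = severity > 6
  Medium = severity > 3 and < 7
  Low    = severity < 4
All counts are over distinct incident ids, so an incident that is ingested
twice (for example by two overlapping polls) is counted once.
"""
from collections import Counter, defaultdict

# Constructed sample events. The field names id, severity, type, source and
# detected are assumptions for this illustration, not the add-on's schema.
SAMPLE_EVENTS = [
    {"id": "inc-1001", "severity": 8, "type": "Exposure", "source": "Egnyte Connect", "detected": "2020-09-28T09:15:00Z"},
    {"id": "inc-1002", "severity": 5, "type": "Exposure", "source": "OneDrive for Business", "detected": "2020-09-28T11:40:00Z"},
    {"id": "inc-1001", "severity": 8, "type": "Exposure", "source": "Egnyte Connect", "detected": "2020-09-28T09:15:00Z"},  # duplicate poll
    {"id": "inc-1003", "severity": 2, "type": "Classification", "source": "Windows File Server", "detected": "2020-09-28T13:05:00Z"},
    {"id": "inc-1004", "severity": 7, "type": "Exposure", "source": "Egnyte Connect", "detected": "2020-09-29T08:00:00Z"},
    {"id": "inc-1005", "severity": 4, "type": "Classification", "source": "OneDrive for Business", "detected": "2020-09-29T10:30:00Z"},
    {"id": "inc-1006", "severity": 3, "type": "Exposure", "source": "Egnyte Connect", "detected": "2020-09-29T17:45:00Z"},
]


def severity_bucket(severity):
    """Map a numeric severity to the dashboard's three categories."""
    severity = int(severity)
    if severity > 6:
        return "High"
    if severity > 3:          # 4, 5 and 6
        return "Medium"
    return "Low"              # 3 and below


def distinct_by_id(events):
    """Keep one record per id, the last one seen (the panels count distinct Ids)."""
    latest = {}
    for event in events:
        latest[event["id"]] = event
    return list(latest.values())


def incidents_summary(events):
    """The four single-value panels: Total Issues, High, Medium and Low Severity."""
    distinct = distinct_by_id(events)
    buckets = Counter(severity_bucket(e["severity"]) for e in distinct)
    return {
        "Total Issues": len(distinct),
        "High Severity": buckets["High"],
        "Medium Severity": buckets["Medium"],
        "Low Severity": buckets["Low"],
    }


def open_issues_by(events, field):
    """Data behind the 'Open issues by ...' pie charts; field is 'severity', 'type' or 'source'."""
    distinct = distinct_by_id(events)
    if field == "severity":
        return dict(Counter(severity_bucket(e["severity"]) for e in distinct))
    return dict(Counter(e[field] for e in distinct))


def incidents_over_time(events):
    """Data behind 'Incidents Reported Over Time': per day, a count per severity bucket."""
    series = defaultdict(Counter)
    for event in distinct_by_id(events):
        day = event["detected"][:10]          # date part of the ISO-8601 timestamp
        series[day][severity_bucket(event["severity"])] += 1
    return {day: dict(counts) for day, counts in sorted(series.items())}


if __name__ == "__main__":
    print(incidents_summary(SAMPLE_EVENTS))
    print(open_issues_by(SAMPLE_EVENTS, "source"))
    print(incidents_over_time(SAMPLE_EVENTS))
```

Note that the boundary values matter: a severity of 7 is High and a severity of 4 is Medium, exactly as the panel descriptions state, and the duplicated inc-1001 record is counted once in every panel.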

 

 

Incident Information

This investigation dashboard enables Splunk users to track and search for specific incidents reported by Egnyte Secure & Govern.

It consists of the filters and panels described below.

| Panel/Chart | Description |
|---|---|
| Time Filter | Filter/Search incidents based on a specific time range. |
| ID | Filter/Search incidents based on Incident ID. |
| Policy | Filter/Search incidents based on the Policy. |
| Incident Type | Filter/Search incidents based on a specific incident type. |
| Item-Type | Filter/Search incidents based on the specific Item-type reported in the incident. |
| Severity | Filter/Search incidents based on severity. |
| Incident Details | This panel displays all the incidents reported by Egnyte Secure & Govern that match the inputs the Splunk user provided in the filters above. |


APPENDIX A: Various Possible Splunk Distributed Deployments

Indexer Clustering

https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Aboutindexesandindexers
https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Basicclusterarchitecture

Search Head Clustering

http://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Configuresearchheadpooling

Multisite Clustering

http://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Multisitearchitecture


APPENDIX B: Event data collection in Splunk

Index

In Splunk, all application event data is stored in indexes. It is good practice to create indexes when the apps are installed, before any app configuration is done. The Egnyte Secure & Govern app for Splunk uses the default Splunk index as below:

| Index Name | Created in App/Manual | Purpose/Type of Event Data |
|---|---|---|
| main | Available as part of the Splunk framework | All event data from Egnyte Secure & Govern is indexed into Splunk in this index by default. |

The above index is used by the various dashboards of the “Egnyte Secure & Govern App for Splunk”. This index should not be cleaned; otherwise, the information will be lost.

Source-type

Source type is a default Splunk field used to categorize and parse indexed data in an organized way. The table below shows how the Egnyte Secure & Govern event data is distributed across these fields. Read more about the default fields at
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Aboutdefaultfields

| Index Name | Source type | Purpose/Type of event data |
|---|---|---|
| main | egnyte:protect:incidents | All the events reported from Egnyte Secure & Govern are ingested into this source type. |


CIM Mapping

To map the events reported by Egnyte Secure & Govern into CIM models, the following fields are mapped to the CIM Alerts data model.

| Dataset name | Field name | Data type | Description | Egnyte Field Mapping |
|---|---|---|---|---|
| Alerts | app | string | The application involved in the event. | Egnyte Secure & Govern |
| Alerts | body | string | The body of a message. | type, source*, item*, updated, detected, policies |
| Alerts | id | string | The unique identifier of a message. | id |
| Alerts | severity | string | The severity of a message. | severity |
| Alerts | severity_id | string | A numeric severity indicator for a message. | severity |
| Alerts | src | string | The source of the message. The user can alias this from more specific fields, such as src_host, src_ip, or src_name. | source |
| Alerts | subject | string | The message subject. | Egnyte Secure & Govern issue: <issue.item.displayName> |
| Alerts | type | string | The message type. | alert |

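The following is an added example, not the add-on's own code, that applies the mapping table above to one constructed incident and produces the CIM Alerts record: constant app and type values, the body assembled from the type, source*, item*, updated, detected and policies fields, severity and severity_id both taken from severity, src from source, and the subject built from item.displayName. The incident's nested structure, its sample values and the extra owner field are assumptions for the illustration; only the mapping rules come from the table.

```python
"""Added example (not the add-on's code): normalize a constructed Egnyte Secure
& Govern incident into the CIM Alerts fields listed in the mapping table.

The incident shape below is an assumption for illustration; the mapping rules
(app, body, id, severity, severity_id, src, subject, type) follow the table.
"""
import json

# Constructed sample incident (assumed shape). 'owner' is deliberately not one
# of the fields the table lists for body and must be left out of it.
SAMPLE_INCIDENT = {
    "id": "inc-2001",
    "severity": 7,
    "type": "Sensitive content exposure",
    "source": "Egnyte Connect",
    "item": {"displayName": "payroll_2020.xlsx", "type": "file"},
    "updated": "2020-09-28T16:28:29Z",
    "detected": "2020-09-28T16:00:00Z",
    "policies": ["PII"],
    "owner": "alice",
}

REQUIRED = ("id", "severity")


def flatten(value, prefix=""):
    """Flatten nested dicts into dotted keys, e.g. item.displayName."""
    out = {}
    if isinstance(value, dict):
        for key, child in value.items():
            name = f"{prefix}.{key}" if prefix else key
            out.update(flatten(child, name))
    else:
        out[prefix] = value
    return out


def body_fields(incident):
    """Select the fields the table lists for body: type, source*, item*, updated, detected, policies."""
    flat = flatten(incident)
    return {
        key: value for key, value in flat.items()
        if key == "type"
        or key.split(".")[0].startswith(("source", "item"))   # source*, item* (nested too)
        or key in ("updated", "detected", "policies")
    }


def to_cim_alert(incident):
    """Return the CIM Alerts record for one incident, or raise if id/severity are missing."""
    missing = [field for field in REQUIRED if field not in incident]
    if missing:
        raise ValueError(f"incident lacks required fields: {missing}")
    display_name = (incident.get("item") or {}).get("displayName", incident["id"])
    severity = str(incident["severity"])
    return {
        "app": "Egnyte Secure & Govern",
        "body": json.dumps(body_fields(incident), sort_keys=True),
        "id": str(incident["id"]),
        "severity": severity,        # the table declares both severity fields as strings
        "severity_id": severity,     # same numeric value, as the table maps it
        "src": incident.get("source"),
        "subject": f"Egnyte Secure & Govern issue: {display_name}",
        "type": "alert",
    }


if __name__ == "__main__":
    print(json.dumps(to_cim_alert(SAMPLE_INCIDENT), indent=2))
```

The body is serialized as JSON so that nested item and source fields survive as one string field, which is what the Alerts dataset expects; a record without id or severity is rejected rather than mapped, since an alert without an identifier or a severity cannot be correlated or triaged in the dashboards.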
