Integrate Splunk and Egnyte for Faster Incident Response

Security Information and Event Management (SIEM) technology provides visibility across an organization's information security systems by collecting and correlating events from logs across many different sources. Security analysts use tools like a SIEM to go “threat hunting.” By correlating disparate events across systems, they can often detect Indicators of Compromise (IoCs) that may otherwise go unnoticed on individual systems. In other words, a SIEM helps detect the first footprints of an intruder in the infrastructure, often before any damage is done.

The Egnyte platform provides a wealth of security event information, including unusual logins, deep file classification, and ML/AI driven behavior detection. It generates broad, valuable security event information.

Meanwhile, Splunk is a popular SIEM provider with world class correlation capabilities. Therefore, integration between Egnyte and Splunk provides a powerful solution for security analysts doing incident detection and response, as well as IT staff managing collaboration tools.

An analyst using the Splunk platform can correlate diverse events, such as unusual sessions detected by a firewall with a password spraying attack, so they know that an intruder may have gained access. Now, with an Egnyte integration, the analyst can also correlate those events with file access attempts to see the attacker's “end game.” More importantly, internal threats, which are often invisible to security systems, can also be exposed by integrating  Egnyte and Splunk.

Egnyte offers several tools to support the integration with Splunk. First, Egnyte offers an add-on that can be used to add and configure the Splunk integration in the Egnyte web UI. This is used to set up the integration and allow the Egnyte platform to pass data to the Splunk SIEM and to provide a security event dashboard. Egnyte also offers the Egnyte app, which is installed on the Splunk search head and allows Splunk to query for the data and ingest it. Taken together, these tools provide a seamless integration and allow Splunk to access a large amount of security event information from the Egnyte platform.

What Egnyte Event Information is Available in Splunk?

Splunk can pull issues and events from six separate Egnyte sources:

· Egnyte login audit reports

· Egnyte file audit reports

· Egnyte group provisioning audit reports

· Egnyte user provisioning audit reports

· Egnyte permissions audit reports

· Egnyte configuration settings audit reports

The information available in these data sources is generally self-explanatory. As can be expected, all reports provide detailed event information, including the date, time, and actor (user or administrator) for each event. However, Egnyte adds additional information for context. Here are some examples:

The login report also provides the IP address of the login attempt as well as the time they logged out to capture session information. An extremely short session may indicate a script accessing files, while a long session may indicate an unattended machine.

The file audit report shows additional info on the action taken. For example, a move/copy action would display the destination folder that the file or folder was moved to. For link create/delete/download actions, the link URL is displayed.

The group provisioning report shows changes in group permissions, but with more context. For example, if the action is Add Users, the report would include detailed information for all users that were added to the group, as well as where (web UI, mobile, etc.) the described action was made.

The user provisioning report provides similar depth. Not only does it indicate the type of change (create, update, delete, etc.) that occurred, but also what specifically changed when a user or group (email address, first name, etc.) is updated and where (web UI, mobile, etc.) the action was made.

The permissions audit report is useful to detect insider privilege escalation and can provide detailed information on permissions changes. For example, it might detect a group change where users inherit permissions they should not have because they are in a larger group. This helps prevent permission sprawl and helps prevent data spillage.

The settings audit report highlights any settings changed by admins, but also shows the path and before/after states. This can be used to detect privileged account abuse.

How About Dashboards for Egnyte Events?

The Egnyte App for Splunk includes helpful dashboards analysts can use to get a quick understanding of the status of issues on the Egnyte platform. Rather than just events to be correlated by Splunk, issues that have already been identified by the Egnyte ML/AI tools are provided for further investigation.

The incidents summary dashboard enables Splunk users to have a summarized view of incidents identified by the Egnyte platform. It provides counts of total issues and the number of low/medium/high severity issues. Most importantly, it shows how the number of issues change over time. It also shows pie charts of issues by severity, type, and source.

The incident investigation dashboard enables Splunk users to drill down, track and search any specific incidents reported by Egnyte Protect. It includes advanced filters to search incidents by time, ID, policy, type, and severity. When an incident is selected, a panel displays all information about that incident, along with links to the file itself.

Summary

Egnyte provides a powerful tool to collaborate, share, govern and secure files, while Splunk provides correlation of events to other systems in the organization. Taken together, Egnyte and Splunk provide a powerful solution to security analysts who need to track threats through the infrastructure.

For more information on this integration, check out this Egnyte Help Desk article.

The Egnyte tools used for integration are downloadable from Splunk: Egnyte Protect Add-On for Splunk and Egnyte Protect App for Splunk.

‍