From 7f1d94ef7fc28ead0529df7620bd156a7bc514ce Mon Sep 17 00:00:00 2001 From: Michael Bischof Date: Mon, 13 Feb 2023 11:21:14 +0000 Subject: [PATCH] better CIM compliance and proper formatted config --- README.md | 8 +- src/Egnyte_Protect/README.md | 3 +- src/Egnyte_Protect/default/app.conf | 6 + src/Egnyte_Protect/metadata/default.meta | 2 +- src/TA-egnyte-protect/README.md | 38 ++-- src/TA-egnyte-protect/README.txt | 44 ---- src/TA-egnyte-protect/app.manifest | 104 +++++---- src/TA-egnyte-protect/default/app.conf | 7 +- src/TA-egnyte-protect/default/eventtypes.conf | 18 +- src/TA-egnyte-protect/default/props.conf | 206 ++++++++++++++++-- src/TA-egnyte-protect/default/tags.conf | 15 +- 11 files changed, 310 insertions(+), 141 deletions(-) delete mode 100644 src/TA-egnyte-protect/README.txt diff --git a/README.md b/README.md index 47eeeba..8cc9082 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ This repo is for integrating Egnyte Protect with Splunk. There are mainly two mo - run `./start.sh` to start splunk in docker - open localhost:8000 -- load app files from build +- load app files from build ![sideloading apps](./sideloading.png) # App Specification Document (For Installing & Setting up Apps in Splunk) @@ -32,7 +32,7 @@ This repo is for integrating Egnyte Protect with Splunk. There are mainly two mo - static : this folder consists default icons of the App. - **Egnyte Add-on for Splunk** - appserver : All the UI specific assets are generated in this folder. - - bin : All the binary files(python files) related to API calls are defined in this folder. + - bin : All the binary files(python files) related to API calls are defined in this folder. - default : All the default configurations of the App. - app.conf --> default App configuration file, for example Application version - inputs.conf --> For storing Add-on input details once it's created 
@@ -115,7 +115,7 @@ We can create the Package of the Splunk using the Splunk CLi. ``` $ cd <>/src/ $ docker cp . <>:/opt/splunk/etc/apps/ - ``` + ``` - Change the ownership of the Apps ``` $ chown -R splunk:splunk /opt/splunk/etc/apps/TA-egnyte-protect @@ -152,4 +152,4 @@ OCI runtime exec failed: exec failed: container_linux.go:344: starting container ERROR: Couldn't read "/opt/splunk/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong? ``` ### ***---ACTUAL VERSION---*** -As ```.spl``` files are technically ```.tar.gz``` files there is no need to use Splunk binary to create them. It's enough to use just ```tar``` and ```gzip```. However we need to make sure that all files/folders in archive have proper permissions required by Splunkbase. \ No newline at end of file +As ```.spl``` files are technically ```.tar.gz``` files there is no need to use Splunk binary to create them. It's enough to use just ```tar``` and ```gzip```. However we need to make sure that all files/folders in archive have proper permissions required by Splunkbase. diff --git a/src/Egnyte_Protect/README.md b/src/Egnyte_Protect/README.md index 2840cb4..ba0ae6a 100644 --- a/src/Egnyte_Protect/README.md +++ b/src/Egnyte_Protect/README.md @@ -11,7 +11,7 @@ Egnyte Secure & Govern delivers content classification, identifies issues, sends # REQUIREMENTS * Egnyte Secure & Govern Add-on For Splunk -* Splunk version 7.2.x, 7.3.x , 8.x.x +* Splunk version 7.2.x, 7.3.x , 8.x.x * This application should be installed on Search Head. # Release Notes @@ -37,4 +37,3 @@ If you don't see these sourcetypes, run following query to find out if any alert # Support Customers can file issues by sending emails to : splunk.support@egnyte.com - diff --git a/src/Egnyte_Protect/default/app.conf b/src/Egnyte_Protect/default/app.conf index 46bf2ef..872d51e 100644 --- a/src/Egnyte_Protect/default/app.conf +++ b/src/Egnyte_Protect/default/app.conf 
@@ -3,8 +3,14 @@ # [ui] is_visible = 1 +show_in_nav = true label = Egnyte Secure & Govern App for Splunk +[install] +state_change_requires_restart = true +is_configured = false +state = enabled + [launcher] author = Egnyte Inc description = This application provides dashboards for tracking Splunk to Egnyte Secure & Govern integration. diff --git a/src/Egnyte_Protect/metadata/default.meta b/src/Egnyte_Protect/metadata/default.meta index 5adcd6f..63c28a4 100644 --- a/src/Egnyte_Protect/metadata/default.meta +++ b/src/Egnyte_Protect/metadata/default.meta @@ -3,4 +3,4 @@ [] access = read : [ * ], write : [ admin ] -export = none \ No newline at end of file +export = none diff --git a/src/TA-egnyte-protect/README.md b/src/TA-egnyte-protect/README.md index 600ed9d..b08cea0 100644 --- a/src/TA-egnyte-protect/README.md +++ b/src/TA-egnyte-protect/README.md 
@@ -1,48 +1,54 @@ # OVERVIEW -Egnyte Secure & Govern Add-on For Splunk integrates with Egnyte Secure & Govern platform and ingest events from Egnyte Secure & Govern into Splunk. - +Egnyte Secure & Govern Add-on For Splunk integrates with Egnyte Secure & Govern platform and ingest +events from Egnyte Secure & Govern into Splunk. # REQUIREMENTS -* Splunk version 7.2.x, 7.3.x, 8.x.x -* This application should be installed on Forwarder in case of cluster. +- Splunk version 7.2.x, 7.3.x, 8.x.x +- This application should be installed on Forwarder in case of cluster. # Release Notes ## Version: 1.0.4 + - Added support of Splunk v8 - Fixed Appcert issue and moved Authorization Code and ClientID to Configuration page ## Version: 1.0.6 -- Update Add-on name. +- Update Add-on name. # RECOMMENDED SYSTEM CONFIGURATION -* Standard Splunk configuration of Forwarder. +- Standard Splunk configuration of Forwarder. # Application Setup - Go to Egnyte Secure & Govern - Click on “Create New Input”. -- Egnyte Secure & Govern supports OAuth 2.0. To begin the Authorization process, Click on “Click here to generate token”. This would open up a new browser window for you to authorize Splunk to ingest the events. -- It would be asking for your Email ID and Password to connect to Egnyte Account. Click on “Allow” to authorize the Splunk App. -- Upon clicking on “Allow”, it would display a code which we would then have to supply back to the Splunk App. Click on “Copy”. +- Egnyte Secure & Govern supports OAuth 2.0. To begin the Authorization process, Click on “Click + here to generate token”. This would open up a new browser window for you to authorize Splunk to + ingest the events. +- It would be asking for your Email ID and Password to connect to Egnyte Account. Click on “Allow” + to authorize the Splunk App. +- Upon clicking on “Allow”, it would display a code which we would then have to supply back to the + Splunk App. Click on “Copy”. 
- Go back to Splunk Add-on configuration page and fill up all the details and then click on “Add”. # Updating Macro configuration -Egnyte App by default works on ```default``` index. In case during Add-on setup new index have been created then follow below steps to updte -Macro configuration. +Egnyte App by default works on `default` index. In case during Add-on setup new index have been +created then follow below steps to updte Macro configuration. - Go to Settings → Advanced Search - Click on “Search Macros” -- Set App Context to “Egnyte App for Splunk”, The macro name “egnyte_get_index” should be displayed and click on the name of the macro. -- Macro is now in Edit Mode, Update Index value as per the Index created while setting up Add-on input. Click on “Save”. ->The Update to Macro is required only in case the events are pushed into a separate Index. - +- Set App Context to “Egnyte App for Splunk”, The macro name “egnyte_get_index” should be displayed + and click on the name of the macro. +- Macro is now in Edit Mode, Update Index value as per the Index created while setting up Add-on + input. Click on “Save”. + > The Update to Macro is required only in case the events are pushed into a separate Index. # Support -Customers can file issues by sending emails to : splunk@egnyte.com +Customers can file issues by sending emails to : splunk@egnyte.com diff --git a/src/TA-egnyte-protect/README.txt b/src/TA-egnyte-protect/README.txt deleted file mode 100644 index c3adc16..0000000 --- a/src/TA-egnyte-protect/README.txt +++ /dev/null 
@@ -1,44 +0,0 @@ -# OVERVIEW - -Egnyte Protect Add-on For Splunk integrates with Egnyte Protect platform and ingest events from Egnyte Protect into Splunk. - - -# REQUIREMENTS - -* Splunk version 7.x.x, 8.0.x -* This application should be installed on Forwarder in case of cluster. - -# Release Notes - -* Version: 1.0.4 -- Added support of Splunk v8 -- Fixed Appcert issue and moved Authorization Code and ClientID to Configuration page - -# RECOMMENDED SYSTEM CONFIGURATION - -* Standard Splunk configuration of Forwarder. - -# Application Setup - -- Go to Egnyte Protect -- Click on “Create New Input”. -- Egnyte Protect supports OAuth 2.0. To begin the Authorization process, Click on “Click here to generate token”. This would open up a new browser window for you to authorize Splunk to ingest the events. -- It would be asking for your Email ID and Password to connect to Egnyte Account. Click on “Allow” to authorize the Splunk App. -- Upon clicking on “Allow”, it would display a code which we would then have to supply back to the Splunk App. Click on “Copy”. -- Go back to Splunk Add-on configuration page and fill up all the details and then click on “Add”. - -# Updating Macro configuration - -Egnyte App by default works on ```default``` index. In case during Add-on setup new index have been created then follow below steps to updte -Macro configuration. - -- Go to Settings → Advanced Search -- Click on “Search Macros” -- Set App Context to “Egnyte App for Splunk”, The macro name “egnyte_get_index” should be displayed and click on the name of the macro. -- Macro is now in Edit Mode, Update Index value as per the Index created while setting up Add-on input. Click on “Save”. ->The Update to Macro is required only in case the events are pushed into a separate Index. - - -# Support -Customers can file issues by sending emails to : splunk@egnyte.com - diff --git a/src/TA-egnyte-protect/app.manifest b/src/TA-egnyte-protect/app.manifest index b538b15..29fb1c9 100644 
--- a/src/TA-egnyte-protect/app.manifest +++ b/src/TA-egnyte-protect/app.manifest @@ -1,53 +1,51 @@ -{ - "schemaVersion": "1.0.0", - "info": { - "title": "Egnyte Secure & Govern", - "id": { - "group": null, - "name": "TA-egnyte-protect", - "version": "1.0.6" - }, - "author": [ - { - "name": "", - "email": null, - "company": null - } - ], - "releaseDate": null, - "description": "", - "classification": { - "intendedAudience": null, - "categories": [], - "developmentStatus": null - }, - "commonInformationModels": null, - "license": { - "name": null, - "text": null, - "uri": null - }, - "privacyPolicy": { - "name": null, - "text": null, - "uri": null - }, - "releaseNotes": { - "name": null, - "text": null, - "uri": null - } - }, - "dependencies": { - }, - "tasks": [], - "inputGroups": { - }, - "incompatibleApps": { - }, - "platformRequirements": { - "splunk": { - "Enterprise": "*" - } - } -} \ No newline at end of file +{ + "schemaVersion": "2.0.0", + "info": { + "title": "Egnyte Secure & Govern", + "id": { + "group": null, + "name": "TA-egnyte-protect", + "version": "1.0.6" + }, + "author": [ + { + "name": "Egnyte Inc", + "email": null, + "company": null + } + ], + "releaseDate": null, + "description": "This TA provides interface to ingest incidents from Egnyte Secure & Govern into Splunk.", + "classification": { + "intendedAudience": null, + "categories": [], + "developmentStatus": null + }, + "commonInformationModels": null, + "license": { + "name": null, + "text": null, + "uri": null + }, + "privacyPolicy": { + "name": null, + "text": null, + "uri": null + }, + "releaseNotes": { + "name": null, + "text": "./README.md", + "uri": null + } + }, + "dependencies": null, + "tasks": null, + "inputGroups": null, + "incompatibleApps": null, + "platformRequirements": null, + "supportedDeployments": [ + "_standalone", + "_distributed" + ], + "targetWorkloads": null +} 
diff --git a/src/TA-egnyte-protect/default/app.conf b/src/TA-egnyte-protect/default/app.conf index ae45e74..48463ca 100644 --- a/src/TA-egnyte-protect/default/app.conf +++ b/src/TA-egnyte-protect/default/app.conf @@ -1,7 +1,8 @@ # this add-on is powered by splunk Add-on builder + [install] state_change_requires_restart = true -is_configured = 0 +is_configured = false state = enabled build = 1 @@ -11,7 +12,8 @@ author = Egnyte Inc description = This TA provides interface to ingest incidents from Egnyte Secure & Govern into Splunk. [ui] -is_visible = 1 +is_visible = true +show_in_nav = false label = Egnyte Secure & Govern docs_section_override = AddOns:released @@ -23,4 +25,3 @@ reload.addon_builder = simple reload.ta_egnyte_protect_account = simple reload.ta_egnyte_protect_settings = simple reload.passwords = simple - diff --git a/src/TA-egnyte-protect/default/eventtypes.conf b/src/TA-egnyte-protect/default/eventtypes.conf index 55fe728..1215ba1 100644 --- a/src/TA-egnyte-protect/default/eventtypes.conf +++ b/src/TA-egnyte-protect/default/eventtypes.conf @@ -1,3 +1,15 @@ -[egnyte_incidents] -search = sourcetype=egnyte:protect:incidents -# tags = alert \ No newline at end of file +[egnyte-malware] +search = sourcetype="egnyte:protect:incidents" category="malware *" +tags = malware attack + +[egnyte-anomaly] +search = sourcetype="egnyte:protect:incidents" category="unusual *" +tags = ids dlp + +[egnyte-compromise] +search = sourcetype="egnyte:protect:incidents" category="compromised *" +tags = attack + +[egnyte-disclosure] +search = sourcetype="egnyte:protect:incidents" category="* access" OR category="public *" OR category="* sharing" +tags = dlp diff --git a/src/TA-egnyte-protect/default/props.conf b/src/TA-egnyte-protect/default/props.conf index 51ece40..3678048 100644 --- a/src/TA-egnyte-protect/default/props.conf +++ b/src/TA-egnyte-protect/default/props.conf 
@@ -1,20 +1,200 @@ -[egnyte:protect:incidents] -DATETIME_CONFIG = CURRENT -EVAL-app = "Egnyte Secure & Govern" -EVAL-source = mvindex(source,1) -EVAL-body = type + ":" + mvindex(source,1) + ":" + 'item.displayName' + ":" + 'item.type' + ":" + updated + ":" + detected -EVAL-severity = case(severity<=3, "Low", severity>=4 AND severity<=6, "Medium", severity>6, "High") -FIELDALIAS-severity_id = severity as severity_id -FIELDALIAS-src = source as src -EVAL-subject = "Egnyte Secure & Govern issue:" + 'item.displayName' -EVAL-egnyte_type = type -EVAL-type = "alert" - -[source::...ta-egnyte-protect*.log*] +[source::...ta-egnyte-protect*.log*] sourcetype = ta:egnyte:protect:log [source::...ta_egnyte_protect*.log*] sourcetype = ta:egnyte:protect:log +[egnyte:protect:incidents] +# DATETIME_CONFIG = CURRENT +EVAL-source = mvindex(source,1) +# EVAL-body = type + ":" + mvindex(source,1) + ":" + 'item.displayName' + ":" + 'item.type' + ":" + updated + ":" + detected +# FIELDALIAS-src = source as src +# EVAL-subject = "Egnyte Secure & Govern issue:" + 'item.displayName' +# EVAL-egnyte_type = type +# EVAL-type = "alert" + +# ----------------------------------------------------- + +KV_MODE = json +SHOULD_LINEMERGE = false + +# TIME_PREFIX=\"detected\":\s+ +TIMESTAMP_FIELDS = detected +TIME_FORMAT = %s%3N +TZ = UTC +MAX_TIMESTAMP_LOOKAHEAD = -1 +# Fix-up time: +EVAL-timestamp = strptime(detected, "%s%3N") +EVAL-_time = strptime(detected, "%s%3N") +# -------------------------------------------------------------------------------------------- +# CIM +# -------------------------------------------------------------------------------------------- +# CIM - Malware: describe malware detection and endpoint protection management +# CIM - Alerts (IDS): attack detection events gathered by network monitoring devices and apps. +# DLP - Data Loss Prevention: DLP tools used to identify, monitor and protect data. 
+# -------------------------------------------------------------------------------------------- + + +# [ ] ALERT action - The action taken by the IDS (allowed, blocked) +# [ ] MALWARE action - The action taken by the reporting device (allowed, blocked, deferred) +# [ ] DLP action - The action taken by the DLP device. +EVAL-action = "deferred" +# TODO!!! +# violationDetails.unusualActivities{}.type + +# [X] DLP app - The application involved in the event. +EVAL-app = "Egnyte" + +# [X] DLP category - The category of the DLP event. +# [X] ALERT category - The vendor-provided category of the triggered signature, such as spyware. +# [X] MALWARE category - The category of the malware event, such as keylogger or ad-supported program +EVAL-category = replace(lower(type), "_", " ") +# EVAL-category = mvindex(split(lower(type), "_"),0) +# EVAL-category = lower('item.type') + +# [X] MALWARE date - The date of the malware event +EVAL-date = strftime(detected/1000,"%Y-%m-%d") + +# [ ] DLP dest - The target of the DLP event. 
+# [ ] ALERT dest - The destination of the attack detected by the IDS (dest_host, dest_ip, dest_name) +# [ ] MALWARE dest - The system that was affected by the malware event (dest_host, dest_ip, or dest_name) +FIELDALIAS-dest = case(\ + 'item.type'=="FILE" OR 'item.type'=="FOLDER", 'item.displayName', \ + !isnull('violationDetails.topAffectedFiles{}.path'), 'violationDetails.topAffectedFiles{}.path', \ + !isnull('violationDetails.topAffectedFolders{}.path'), 'violationDetails.topAffectedFolders{}.path' \ +) + +FIELDALIAS-dest_path = violationDetails.topAffectedFolders{}.path ASNEW dest_path + + +# [ ] MALWARE dest_host - The destination host, if applicable +EVAL-dest_host = mvindex(source,-1) +# [ ] MALWARE dest_nt_domain - The NT domain of the destination, if applicable + +# [ ] ALERT dest_url - The destination url, which was accessed when the ALERT was triggered +FIELDALIAS-dest_url = violationDetails.publicLinks{}.link ASNEW dest_url + +# [ ] DLP dest_zone - The zone of the DLP target. +# [ ] DLP dlp_type - The type of DLP system that generated the event. + + +# [ ] ALERT dvc - The device that detected the intrusion event (dvc_host, dvc_ip, dvc_name) + +# [ ] ALERT dvc_host - The dvc_host that detected the intrusion event + +# [ ] ALERT file_hash - A cryptographic identifier assigned to the file object affected by the event. +# [ ] MALWARE file_hash - The hash of the file with suspected malware + +# [ ] ALERT file_name - The name of the file, such as notepad.exe. + +# [ ] ALERT file_path - The path of the file, such as C:\\Windows\\System32\\notepad.exe. +FIELDALIAS-file_path = 'violationDetails.topAffectedFiles{}.path' ASNEW file_path +# [ ] MALWARE file_name - The name of the file with suspected malware + +# [ ] MALWARE file_path - The full file path of the file with suspected malware + +# [ ] ALERT src - The source involved in the attack detected by the IDS. 
(src_host, src_ip, or src_name) +# [ ] MALWARE src - The source of the event, such as a DAT file relay server (src_host, src_ip, or src_name) +EVAL-src = lower('violationDetails.externalUsers{}.email') +EVAL-src_user_email = lower('violationDetails.externalUsers{}.email') +EVAL-src_user_name = lower('violationDetails.externalUsers{}.displayName') +EVAL-src_user_alias = lower('violationDetails.externalUsers{}.username') +EVAL-src_user_domain = mvindex(split(lower('violationDetails.externalUsers{}.email'),"@"),-1) + +# [ ] MALWARE src_url - The source_url of the malware + +# [ ] ALERT ids_type - The type of IDS that generated the event. (network, host, application, wireless) +EVAL-ids_type = "application" + +# [ ] DLP object - The name of the affected object. +EVAL-object = case(\ + 'item.type'=="FILE" OR 'item.type'=="FOLDER", 'item.displayName', \ + !isnull('violationDetails.topAffectedFiles{}.path'), 'violationDetails.topAffectedFiles{}.path', \ + !isnull('violationDetails.topAffectedFolders{}.path'), 'violationDetails.topAffectedFolders{}.path' \ +) + +# [ ] DLP object_category - The category of the affected object. +EVAL-object_category = case( \ + 'item.type'=="FILE", "file", \ + 'item.type'=="FOLDER", 'folder' \ +) + +# [ ] DLP object_path - The path of the affected object. +EVAL-object_path = case(\ + 'item.type'=="FILE" OR 'item.type'=="FOLDER", 'item.displayName', \ + !isnull('violationDetails.topAffectedFiles{}.path'), 'violationDetails.topAffectedFiles{}.path', \ + !isnull('violationDetails.topAffectedFolders{}.path'), 'violationDetails.topAffectedFolders{}.path' \ +) + +# [ ] MALWARE sender - The reported sender of an email-based attack + +# [X] DLP severity - The severity of the DLP event. +# [X] ALERT severity - The severity of the network protection event. (critical, high, medium, low, informational) +# [ ] DLP severity - The severity of the DLP event. 
+EVAL-severity = case(\ + severity<=2, "informational", \ + severity>=3 AND severity<=4, "low", \ + severity>=5 AND severity<=6, "medium", \ + severity>=7 AND severity<=8, "high", \ + severity>=9, "critical" \ +) + +# [ ] DLP severity_id - The numeric or vendor specific severity indicator corresponding to the event severity. +FIELDALIAS-severity_id = severity AS severity_id + +# [ ] DLP signature_id - The unique identifier or event code of the event signature. +# [X] ALERT signature - The name of the intrusion detected on the client (PlugAndPlay_BO and JavaScript_Obfuscation_Fre) +# [X] MALWARE signature - The name of the malware infection detected on the client (Trojan.Vundo, Spyware.Gaobot, W32.Nimbda) +# [X] DLP signature - The name of the DLP event. +EVAL-signature = lower('item.type') + " " + replace(lower(type), "_", " ") + + +# [ ] DLP src - The source of the DLP event. + +# [ ] DLP src_user - The source user of the DLP event. + +# [ ] ALERT transport - The OSI layer 4 (transport) protocol of the intrusion, in lower case. + +# [X] DLP user - The target user of the DLP event. +# [X] ALERT user - The user involved with the intrusion detection event. +# [X] MALWARE user - The user involved in the malware event +EVAL-user = case(\ + !isnull('item.issueInitiator.email'),lower('item.issueInitiator.email'), \ + 'item.type'=="USER", replace(mvindex(split(lower('item.displayName'),"("), -1), "\)", "") \ +) + +# [X] ALERT user_name - The user name involved with the intrusion detection event. +EVAL-user_name = case( \ + !isnull('item.issueInitiator.name'), 'item.issueInitiator.name', \ + 'item.type'=="USER", mvindex(split('item.displayName'," ("), 0) \ +) +EVAL-user_email = case(\ + !isnull('item.issueInitiator.email'),lower('item.issueInitiator.email'), \ + 'item.type'=="USER", replace(mvindex(split(lower('item.displayName'),"("), -1), "\)", "") \ +) + +# [X] ALERT user_domain - The domain of the user involved with the intrusion detection event. 
+EVAL-user_domain = case(\ + !isnull('item.issueInitiator.email'), mvindex(split(lower('item.issueInitiator.email'),"@"),-1), \ + 'item.type'=="USER", mvindex(split(replace(mvindex(split(lower('item.displayName'),"("), -1), "\)", ""),"@"), -1 ) \ +) + + +# [X] MALWARE url - A URL containing more information about the vulnerability +FIELDALIAS-url = webViewLink ASNEW url + +# [X] DLP vendor_product - The vendor and product name of the DLP system. +# [X] ALERT vendor_product - The vendor and product name of the IDS or IPS system +# [X] MALWARE vendor_product - The vendor and product name of the endpoint protection system +EVAL-vendor_product = "Egnyte Secure & Govern" +EVAL-product = "Secure & Govern" +EVAL-vendor = "Egnyte" + +# [ ] MALWARE product_version - The product version of the malware operations product. + +## -------------------------------------------------------------------------------------------- +## ADDITIONAL FIELDS +## -------------------------------------------------------------------------------------------- +FIELDALIAS-event_id = sourceId ASNEW event_id diff --git a/src/TA-egnyte-protect/default/tags.conf b/src/TA-egnyte-protect/default/tags.conf index 9e35a48..15f2039 100644 --- a/src/TA-egnyte-protect/default/tags.conf +++ b/src/TA-egnyte-protect/default/tags.conf @@ -1,2 +1,13 @@ -[eventtype=egnyte_incidents] -alert = enabled \ No newline at end of file +[eventtype=egnyte-malware] +malware = enabled +attack = enabled + +[eventtype=egnyte-anomaly] +ids = enabled +dlp = enabled + +[eventtype=egnyte-compromise] +attack = enabled + +[eventtype=egnyte-disclosure] +dlp = enabled
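Review bot: in the `src/TA-egnyte-protect/README.md` hunk, the reflowed line `created then follow below steps to updte Macro configuration.` carries the `updte` typo over from the old text; fix it while the line is being touched. Two documentation gaps in the same hunk: the Release Notes still list `## Version: 1.0.4` above `## Version: 1.0.6`, and neither entry mentions what this patch changes (new CIM field mappings, four new event types replacing `egnyte_incidents`, app.conf and manifest changes), so anyone upgrading gets no warning that searches on `eventtype=egnyte_incidents` stop matching. The support address here (`splunk@egnyte.com`) also differs from the one in `src/Egnyte_Protect/README.md` (`splunk.support@egnyte.com`), which the same patch edits without reconciling the two. Finally, "Egnyte App by default works on `default` index" deserves a check: Splunk ships no index named `default` (the built-in default index is `main`), so either quote the macro's real default or correct the wording.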
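Review bot: the `src/TA-egnyte-protect/app.manifest` hunk removes and re-adds every line of the file, which buries the few real changes (schemaVersion 1.0.0 to 2.0.0, author and description filled in, `releaseNotes.text` pointing at `./README.md`, and the new `supportedDeployments` and `targetWorkloads` keys) under what looks like a whitespace or line-ending normalisation; committing the normalisation separately would make the content change reviewable. On the content itself, `supportedDeployments` lists only `_standalone` and `_distributed`; if the add-on is expected to run on a search head cluster (the companion app's README in this patch says it is installed on a search head), `_search_head_clustering` should be declared, and if it is not supported the README should say so.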
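Review bot: in the `src/TA-egnyte-protect/default/app.conf` hunk, `show_in_nav = false` removes the add-on from the app navigation dropdown, yet the README setup steps in this same patch begin with "Go to Egnyte Secure & Govern" and "Click on Create New Input", which assumes the user can navigate to the add-on from the app menu; either leave it in the nav or change the README to reach the Inputs page through Manage Apps and its Launch app link. The `is_configured = 0` to `false` and `is_visible = 1` to `true` changes are equivalent under Splunk's boolean parsing and are fine as a consistency clean-up.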
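Review bot: in the `src/TA-egnyte-protect/default/eventtypes.conf` hunk, the `tags = ...` attribute inside an eventtypes.conf stanza is deprecated in favour of tags.conf, and this patch already adds the same tags in tags.conf, so the four `tags =` lines here are redundant and should be dropped to keep one source of truth. The `[egnyte-disclosure]` search `sourcetype="egnyte:protect:incidents" category="* access" OR category="public *" OR category="* sharing"` works only because Splunk evaluates OR before the implicit AND; writing it as `sourcetype="egnyte:protect:incidents" (category="* access" OR category="public *" OR category="* sharing")` makes the intent explicit and survives later edits. Note also that all four searches match wildcards against `category`, which props.conf builds with a search-time `EVAL-category`, so every event type scans the full sourcetype rather than using indexed terms; acceptable for incident volumes, but worth a comment in the file.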
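Review bot: in the `src/TA-egnyte-protect/default/props.conf` hunk, `FIELDALIAS-dest = case(\` is not valid FIELDALIAS syntax (FIELDALIAS takes `<orig> AS|ASNEW <new>` pairs, not an eval expression), so the alias is ignored and `dest` is never populated; it should be `EVAL-dest = case(...)`, exactly like the `EVAL-object` block further down that uses the same expression. Two more defects in the same stanza: in `EVAL-object_category`, `'folder'` is a single-quoted field reference, not the string literal `"folder"`, so folder events get a null category; and the timestamp handling is inconsistent, because `TIMESTAMP_FIELDS = detected` only takes effect with `INDEXED_EXTRACTIONS`, which this stanza does not set (it relies on search-time `KV_MODE = json`), while `EVAL-_time = strptime(detected, "%s%3N")` only rewrites `_time` at search time and the indexed `_time` (now whatever auto-detection picks from the raw JSON, since `DATETIME_CONFIG = CURRENT` is commented out) still drives the time picker and data-model acceleration. Since `EVAL-date` already treats `detected` as epoch milliseconds, the consistent search-time expression is `detected/1000`; the robust fix is for the modular input to set the event time, or to restore a `TIME_PREFIX`/`TIME_FORMAT` pair the indexer can apply. Smaller points: `EVAL-action = "deferred"` hard-codes one value for every event, including malware detections, with only `# TODO!!!` marking it; and `FIELDALIAS-file_path` single-quotes its source field while `FIELDALIAS-dest_path` and `FIELDALIAS-dest_url` leave the same kind of `{}` name unquoted, so one of the two styles should be verified and the other removed.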
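Review bot: in the `src/TA-egnyte-protect/default/tags.conf` hunk, the tag sets do not satisfy the CIM data-model constraints that the props.conf comments are targeting: the Malware model requires `malware` and `attack` (met by `egnyte-malware`), the Intrusion Detection model requires `ids` and `attack`, and the Data Loss Prevention model requires `dlp` and `incident`. As written, `egnyte-anomaly` (`ids`, `dlp`) matches neither IDS nor DLP, `egnyte-compromise` (`attack` alone) matches no model, and `egnyte-disclosure` (`dlp` alone) misses DLP. Add `attack = enabled` to `egnyte-anomaly`, `incident = enabled` to both DLP-tagged event types, and pair `attack` in `egnyte-compromise` with either `ids` or `malware`. Dropping the `alert` tag that the removed `[eventtype=egnyte_incidents]` stanza carried also takes these events out of the Alerts data model, which the release notes should state.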