better CIM compliance and proper formatted config

README.md

@@ -15,7 +15,7 @@ This repo is for integrating Egnyte Protect with Splunk. There are mainly two mo
 
 - run `./start.sh` to start splunk in docker
 - open localhost:8000
-- load app files from build 
+- load app files from build
 ![sideloading apps](./sideloading.png)
 
 # App Specification Document (For Installing & Setting up Apps in Splunk)
@@ -32,7 +32,7 @@ This repo is for integrating Egnyte Protect with Splunk. There are mainly two mo
     - static : this folder consists default icons of the App.
 - **Egnyte Add-on for Splunk**
     - appserver : All the UI specific assets are generated in this folder.
-    - bin : All the binary files(python files) related to API calls are defined in this folder. 
+    - bin : All the binary files(python files) related to API calls are defined in this folder.
     - default : All the default configurations of the App.
         - app.conf --> default App configuration file, for example Application version
         - inputs.conf --> For storing Add-on input details once it's created
@@ -115,7 +115,7 @@ We can create the Package of the Splunk using the Splunk CLi.
     ```
     $ cd <<Git Folder>>/src/
     $ docker cp . <<Docker ID>>:/opt/splunk/etc/apps/
-    ```    
+    ```
 - Change the ownership of the Apps
     ```
     $ chown -R splunk:splunk /opt/splunk/etc/apps/TA-egnyte-protect
@@ -152,4 +152,4 @@ OCI runtime exec failed: exec failed: container_linux.go:344: starting container
 ERROR: Couldn't read "/opt/splunk/etc/splunk-launch.conf" -- maybe $SPLUNK_HOME or $SPLUNK_ETC is set wrong?
 ```
 ### ***---ACTUAL VERSION---***
-As ```.spl``` files are technically ```.tar.gz``` files there is no need to use Splunk binary to create them. It's enough to use just ```tar``` and ```gzip```. However we need to make sure that all files/folders in archive have proper permissions required by Splunkbase. 
+As ```.spl``` files are technically ```.tar.gz``` files there is no need to use Splunk binary to create them. It's enough to use just ```tar``` and ```gzip```. However we need to make sure that all files/folders in archive have proper permissions required by Splunkbase.

src/Egnyte_Protect/README.md

@@ -11,7 +11,7 @@ Egnyte Secure & Govern delivers content classification, identifies issues, sends
 # REQUIREMENTS
 
 * Egnyte Secure & Govern Add-on For Splunk
-* Splunk version 7.2.x, 7.3.x , 8.x.x 
+* Splunk version 7.2.x, 7.3.x , 8.x.x
 * This application should be installed on Search Head.
 
 # Release Notes
@@ -37,4 +37,3 @@ If you don't see these sourcetypes, run following query to find out if any alert
 
 # Support
 Customers can file issues by sending emails to : [email protected]
-

src/Egnyte_Protect/default/app.conf

@@ -3,8 +3,14 @@
 #
 [ui]
 is_visible = 1
+show_in_nav = true
 label = Egnyte Secure & Govern App for Splunk
 
+[install]
+state_change_requires_restart = true
+is_configured = false
+state = enabled
+
 [launcher]
 author = Egnyte Inc
 description = This application provides dashboards for tracking Splunk to Egnyte Secure & Govern integration.

src/Egnyte_Protect/metadata/default.meta

@@ -3,4 +3,4 @@
 
 []
 access = read : [ * ], write : [ admin ]
-export = none
+export = none

src/TA-egnyte-protect/README.md

@@ -1,48 +1,54 @@
 # OVERVIEW
 
-Egnyte Secure & Govern Add-on For Splunk integrates with Egnyte Secure & Govern platform and ingest events from Egnyte Secure & Govern into Splunk.
-
+Egnyte Secure & Govern Add-on For Splunk integrates with Egnyte Secure & Govern platform and ingest
+events from Egnyte Secure & Govern into Splunk.
 
 # REQUIREMENTS
 
-* Splunk version 7.2.x, 7.3.x, 8.x.x
-* This application should be installed on Forwarder in case of cluster.
+- Splunk version 7.2.x, 7.3.x, 8.x.x
+- This application should be installed on Forwarder in case of cluster.
 
 # Release Notes
 
 ## Version: 1.0.4
+
 - Added support of Splunk v8
 - Fixed Appcert issue and moved Authorization Code and ClientID to Configuration page
 
 ## Version: 1.0.6
-- Update Add-on name.
 
+- Update Add-on name.
 
 # RECOMMENDED SYSTEM CONFIGURATION
 
-* Standard Splunk configuration of Forwarder.
+- Standard Splunk configuration of Forwarder.
 
 # Application Setup
 
 - Go to Egnyte Secure & Govern
 - Click on “Create New Input”.
-- Egnyte Secure & Govern supports OAuth 2.0. To begin the Authorization process, Click on “Click here to generate token”.  This would open up a new browser window for you to authorize Splunk  to ingest the events.
-- It would be asking for your Email ID and Password to connect to Egnyte Account. Click on “Allow” to authorize the Splunk App.
-- Upon clicking on “Allow”, it would display a code which we would then have to supply back to the Splunk App. Click on “Copy”.
+- Egnyte Secure & Govern supports OAuth 2.0. To begin the Authorization process, Click on “Click
+  here to generate token”. This would open up a new browser window for you to authorize Splunk to
+  ingest the events.
+- It would be asking for your Email ID and Password to connect to Egnyte Account. Click on “Allow”
+  to authorize the Splunk App.
+- Upon clicking on “Allow”, it would display a code which we would then have to supply back to the
+  Splunk App. Click on “Copy”.
 - Go back to Splunk Add-on configuration page and fill up all the details and then click on “Add”.
 
 # Updating Macro configuration
 
-Egnyte App by default works on ```default``` index. In case during Add-on setup new index have been created then follow below steps to updte
-Macro configuration.
+Egnyte App by default works on `default` index. In case during Add-on setup new index have been
+created then follow below steps to updte Macro configuration.
 
 - Go to Settings → Advanced Search
 - Click on “Search Macros”
-- Set App Context to “Egnyte App for Splunk”, The macro name “egnyte_get_index” should be displayed and click on the name of the macro.
-- Macro is now in Edit Mode, Update Index value as per the Index created while setting up Add-on input. Click on “Save”.
->The Update to Macro is required only in case the events are pushed into a separate Index.
-
+- Set App Context to “Egnyte App for Splunk”, The macro name “egnyte_get_index” should be displayed
+  and click on the name of the macro.
+- Macro is now in Edit Mode, Update Index value as per the Index created while setting up Add-on
+  input. Click on “Save”.
+  > The Update to Macro is required only in case the events are pushed into a separate Index.
 
 # Support
-Customers can file issues by sending emails to : [email protected]
 
+Customers can file issues by sending emails to : [email protected]

src/TA-egnyte-protect/app.manifest

@@ -1,53 +1,51 @@
-{
-  "schemaVersion": "1.0.0",
-  "info": {
-    "title": "Egnyte Secure & Govern",
-    "id": {
-      "group": null,
-      "name": "TA-egnyte-protect",
-      "version": "1.0.6"
-    },
-    "author": [
-      {
-        "name": "",
-        "email": null,
-        "company": null
-      }
-    ],
-    "releaseDate": null,
-    "description": "",
-    "classification": {
-      "intendedAudience": null,
-      "categories": [],
-      "developmentStatus": null
-    },
-    "commonInformationModels": null,
-    "license": {
-      "name": null,
-      "text": null,
-      "uri": null
-    },
-    "privacyPolicy": {
-      "name": null,
-      "text": null,
-      "uri": null
-    },
-    "releaseNotes": {
-      "name": null,
-      "text": null,
-      "uri": null
-    }
-  },
-  "dependencies": {
-  },
-  "tasks": [],
-  "inputGroups": {
-  },
-  "incompatibleApps": {
-  },
-  "platformRequirements": {
-    "splunk": {
-      "Enterprise": "*"
-    }
-  }
-}
+{
+  "schemaVersion": "2.0.0",
+  "info": {
+    "title": "Egnyte Secure & Govern",
+    "id": {
+      "group": null,
+      "name": "TA-egnyte-protect",
+      "version": "1.0.6"
+    },
+    "author": [
+      {
+        "name": "Egnyte Inc",
+        "email": null,
+        "company": null
+      }
+    ],
+    "releaseDate": null,
+    "description": "This TA provides interface to ingest incidents from Egnyte Secure & Govern into Splunk.",
+    "classification": {
+      "intendedAudience": null,
+      "categories": [],
+      "developmentStatus": null
+    },
+    "commonInformationModels": null,
+    "license": {
+      "name": null,
+      "text": null,
+      "uri": null
+    },
+    "privacyPolicy": {
+      "name": null,
+      "text": null,
+      "uri": null
+    },
+    "releaseNotes": {
+      "name": null,
+      "text": "./README.md",
+      "uri": null
+    }
+  },
+  "dependencies": null,
+  "tasks": null,
+  "inputGroups": null,
+  "incompatibleApps": null,
+  "platformRequirements": null,
+  "supportedDeployments": [
+    "_standalone",
+    "_distributed"
+  ],
+  "targetWorkloads": null
+}

src/TA-egnyte-protect/default/app.conf

@@ -1,7 +1,8 @@
 # this add-on is powered by splunk Add-on builder
+
 [install]
 state_change_requires_restart = true
-is_configured = 0
+is_configured = false
 state = enabled
 build = 1
 
@@ -11,7 +12,8 @@ author = Egnyte Inc
 description = This TA provides interface to ingest incidents from Egnyte Secure & Govern into Splunk.
 
 [ui]
-is_visible = 1
+is_visible = true
+show_in_nav = false
 label = Egnyte Secure & Govern
 docs_section_override = AddOns:released
 
@@ -23,4 +25,3 @@ reload.addon_builder = simple
 reload.ta_egnyte_protect_account = simple
 reload.ta_egnyte_protect_settings = simple
 reload.passwords = simple
-

src/TA-egnyte-protect/default/eventtypes.conf

@@ -1,3 +1,15 @@
-[egnyte_incidents]
-search = sourcetype=egnyte:protect:incidents
-# tags = alert
+[egnyte-malware]
+search = sourcetype="egnyte:protect:incidents" category="malware *"
+tags = malware attack
+
+[egnyte-anomaly]
+search = sourcetype="egnyte:protect:incidents" category="unusual *"
+tags = ids dlp
+
+[egnyte-compromise]
+search = sourcetype="egnyte:protect:incidents" category="compromised *"
+tags = attack
+
+[egnyte-disclosure]
+search = sourcetype="egnyte:protect:incidents" category="* access" OR category="public *" OR category="* sharing"
+tags = dlp