
Druva app for Splunk


Overview

The Splunk integration ingests Druva security and operational events into Splunk's SIEM and analytics platform, giving you centralized monitoring and correlation across your data protection and security environments. Backup telemetry adds context about data integrity and recovery readiness to threat detection, and security teams can run analytics and threat hunting on it from the Splunk dashboards. The integration shortens investigations, supports better-informed response decisions, and improves compliance reporting and audit readiness. Together, Druva and Splunk strengthen security operations and cyber resilience.

Druva has two apps published in the Splunk market today:

  1. Druva App for Splunk

  2. Druva Add-on for Splunk

Druva App for Splunk

This app provides the following:

  • All Events, Operational Overview, and Security Overview dashboards, which give you an overview of events, graphs, and telemetry

  • Capability to search for backup, restore, login, or Data Anomaly events

Druva Add-on for Splunk

This is a configuration app that helps with the following:

  • Add a tenant

  • Provide the API credentials generated from your Druva tenant

  • Provide indexing details


๐Ÿ“ Note
โ€‹Both apps must be installed to start using the dashboard.


Supported Workload events

Below is a list of different events captured and displayed on the Splunk App:

Endpoints and SaaS Apps events

  • Backup failure, success, interrupted

  • Restore failure, success, interrupted

  • Files missed from backup and restore

  • All types of alerts, notifications, and admin audit trails

  • Admin Login

  • WebDav admin login

  • Data Anomaly is supported for Endpoints, File Server, NAS, VMware, OneDrive, and SharePoint online events

  • AD Sync

  • Data Source

  • Client Upgrade

  • Device Replace

  • Additional Data Collection

  • User Event

VMware events

  • Backup Failure

  • Backup success

  • Restore Failure

  • Restore Success


๐Ÿ“ Note

To view the Access Events, you must have a Security Posture and Observability license.



All Events Dashboard

The All Events dashboard provides a consolidated list of platform events and complements the Operational Overview and Security Overview dashboards. Together, these dashboards give you a comprehensive view of all events and telemetry.

Filter the events as per your requirements:

Time Range: Select the range from the time or date range.

Event Type: Filter out the required events from the drop down.

Feature: Select the feature that raised the event, such as API, Admin Event, or Safemode.

Severity: Filter out the events as per the severity.

Operational Overview Dashboard

The dashboard has the following two tabs:

  • Endpoints and SaaS Apps

  • Enterprise Workloads

Endpoints and SaaS Apps tab

Backup or IT administrators can use this dashboard to:

Monitor the deployment health

You can filter the data display using the Time filter. It allows you to filter data based on Real-time, Relative, and so on. Select an option as per your requirement.

  • Unique number of users: View the unique number of users for Endpoints and SaaS Apps

  • Unique number of devices: View the unique number of Endpoint devices

  • Unique number of SaaS Apps devices: View the unique number of Exchange Online, OneDrive, Gmail, and Google Drive devices

  • Top 15 Users by number of devices: View the top 15 users by device count

  • Top 15 Users by number of SaaS Apps: View the top 15 users by SaaS Apps device count

  • Devices/Apps Added over time: Get a graphical summary of devices added over a period that provides information about:

    • If Druva app is successfully deployed on all user devices

    • If the data is protected for all users

    • If there is a backup of additional devices for users

    • Details of users consuming maximum storage

    • Details of the deployment rate and the performance of the device addition process

  • Event Details: View the backup and restore event details such as:

    • Event ID

    • Event Type

    • Event State

    • IP address

    • Profile Name

    • Client OS (Only for Endpoints)

    • Client Version (Only for Endpoints)

    • Workload Name

    • Event Description

    • Event Creation Date

    • Event Details

Use the Event Type filter to search and view details specific to backup, restore, and so on. For more information, see Supported Workload Events.

Monitor the backup failure trend

  • Backup failure trend by operating system (OS): View the backup failure trend by operating system platform. It helps you identify whether failures cluster on a specific operating system, which you can then analyze and resolve

Enterprise Workloads tab

Backup or IT administrators can use this dashboard to:

Monitor the deployment health

You can filter the data display using the Time filter. It allows you to filter data based on Real-time, Relative, and so on. Select an option as per your requirement.

  • Unique number of VMware Backupsets: View the unique number of VMware backupsets for the selected period.

  • Top 10 Admins by Restore Activity: View the top 10 administrators based on the number of restore activities initiated.

  • Event Details: View the backup and restore event details such as:

    • Resource ID

    • Event Type

    • Workload Name

    • Event Description

    • Event Creation Date

    • Event Details

Use the Event Type filter to search and view details specific to backup or restore. For more information, see Supported Workload Events.

Monitor the backup failure trend

  • Backup failure trend: View the backup failure trend for each month. It helps you identify whether failures cluster in a specific month, which you can then analyze and resolve

Security Overview dashboard

Security administrators can use this dashboard to:

Monitor anomalous backup activity or threats

  • Data Anomaly alerts

    • Get a view of all the Data Anomaly alerts generated, with their timestamps, to support an ongoing security incident investigation

    • Get a view of alert distribution based on the severity - Critical and Warning. Critical alerts help get a better understanding of the security incident

  • Failed login events: Get a view of failed administrator login and WebDav login events at a specific date and time. A run of failed logins for one administrator or from one source address can indicate password guessing or credential stuffing. You can block these unauthorized access attempts by deleting the administrator account from the Druva console. If an administrator has genuinely lost their credentials, you can restore their access with a password reset

Monitor anomalous restore activities-data exfiltration

  • Top 15 Users by Restore Activity: View the top 15 users performing restores. An unusually high number of restores by one user, compared with that user's normal activity, can indicate data exfiltration. You can disable the user or device to block unauthorized restores
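The panels above (the backup failure trend by OS and by month on the Operational Overview tabs, and the failed-login and restore-activity panels here) are counting and windowing logic. The following Python is an added example, not code from the Druva app or add-on: it runs that logic over constructed sample events so you can tune thresholds before turning a dashboard panel into a Splunk alert. The event field names (ts, event_type, event_state, admin, ip, user, client_os) are assumptions modelled on the Event Details columns, not the add-on's actual Splunk field names.

```python
"""Detection logic behind the Druva Splunk dashboard panels.

Added example, not code from the Druva app. The events are constructed
sample records; field names (ts, event_type, event_state, admin, ip,
user, client_os) are assumptions modelled on the Event Details columns,
not the add-on's real Splunk field names.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

LOGIN_EVENT_TYPES = {"Admin Login", "WebDav Admin Login"}


def build_sample_events():
    """Constructed sample telemetry covering the cases the panels must handle."""
    ev = []
    # Five failed admin logins from one IP within four minutes, then a success:
    # the shape of a password-guessing run that eventually lands.
    for m in range(5):
        ev.append({"ts": f"2024-05-01T09:0{m}:00", "event_type": "Admin Login",
                   "event_state": "Failed", "admin": "alice", "ip": "203.0.113.5"})
    ev.append({"ts": "2024-05-01T09:06:00", "event_type": "Admin Login",
               "event_state": "Success", "admin": "alice", "ip": "203.0.113.5"})
    # Two failures hours apart from another IP: a mistyped password, not a burst.
    for t in ("2024-05-01T09:00:00", "2024-05-01T11:30:00"):
        ev.append({"ts": t, "event_type": "Admin Login", "event_state": "Failed",
                   "admin": "bob", "ip": "198.51.100.7"})
    ev.append({"ts": "2024-05-01T10:00:00", "event_type": "WebDav Admin Login",
               "event_state": "Failed", "admin": "svc-webdav", "ip": "192.0.2.9"})
    # Restore volume per user; carol is far above everyone else.
    minute = 0
    for user, n in {"carol": 12, "dave": 2, "erin": 1, "frank": 3}.items():
        for _ in range(n):
            ev.append({"ts": f"2024-05-01T13:{minute:02d}:00", "event_type": "Restore",
                       "event_state": "Success", "user": user, "ip": "198.51.100.20"})
            minute += 1
    # Backup failures spread over two months and two client operating systems.
    for ts, os_name in (("2024-04-20T02:00:00", "Windows"), ("2024-05-02T02:00:00", "Windows"),
                        ("2024-05-03T02:00:00", "Windows"), ("2024-05-09T02:00:00", "Windows"),
                        ("2024-05-04T02:00:00", "macOS")):
        ev.append({"ts": ts, "event_type": "Backup", "event_state": "Failed",
                   "user": "dave", "client_os": os_name})
    return ev


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failed admin/WebDav logins
    inside any sliding `window`; successful logins are ignored. Returns the
    densest window per offending IP, most failures first."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_type"] in LOGIN_EVENT_TYPES and e["event_state"] == "Failed":
            by_ip[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["admin"]))
    findings = []
    for ip, attempts in by_ip.items():
        attempts.sort()
        best, start = None, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past stale attempts
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"ip": ip, "count": count,
                        "admins": sorted({a for _, a in attempts[start:end + 1]}),
                        "first": attempts[start][0].isoformat(),
                        "last": attempts[end][0].isoformat()}
        if best:
            findings.append(best)
    return sorted(findings, key=lambda f: -f["count"])


def restore_outliers(events, top_n=15, factor=3.0, min_count=5):
    """Top-N users by restore count, plus those whose count is both at least
    `min_count` and more than `factor` times the median user's count."""
    per_user = Counter(e["user"] for e in events if e["event_type"] == "Restore")
    top = per_user.most_common(top_n)
    if not per_user:
        return top, []
    baseline = median(per_user.values())
    flagged = [u for u, n in top if n >= min_count and n > factor * baseline]
    return top, flagged


def backup_failure_trend(events):
    """Failed backups counted by (YYYY-MM, client OS); missing OS becomes 'unknown'."""
    trend = Counter()
    for e in events:
        if e["event_type"] == "Backup" and e["event_state"] == "Failed":
            trend[(e["ts"][:7], e.get("client_os", "unknown"))] += 1
    return trend


if __name__ == "__main__":
    evs = build_sample_events()
    for f in failed_login_bursts(evs):
        print(f"login burst from {f['ip']}: {f['count']} failures "
              f"{f['first']}..{f['last']} admins={f['admins']}")
    top, flagged = restore_outliers(evs)
    print("top restorers:", top, "flagged:", flagged)
    for (month, os_name), n in sorted(backup_failure_trend(evs).items()):
        print(f"{month} {os_name}: {n} failed backups")
```

The login check groups by source IP rather than by administrator so that a spray across several admin accounts from one address is still caught, and it ignores successes so a single mistyped password followed by a valid login does not fire. The restore check compares each user against the median of all users rather than a fixed number, so the threshold follows the tenant's normal restore volume; lower `min_count` for small tenants where a handful of restores is already unusual.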

Install and Configure Druva Splunk App

Perform the following steps to install and configure Druva Splunk App.

Installation

  1. Login to the Splunk Console and navigate to Apps > Browse More Apps

  2. In the Browse More Apps search box, type the keyword Druva and press Enter. Two Druva Splunk apps are displayed.

  3. Click Install on each app one by one. Log in with your Splunk Console admin credentials to install each app.

  4. On either an on-premises or a Splunk Cloud setup, click Restart Now to restart the Splunk services, and then follow the installation instructions in the UI to complete the installation.

Configuration

Step 1: Generate Client id and Secret key from Druva console

  1. From the left navigation bar of the DCP dashboard, open the Druva Cloud Settings page and generate an API Client ID and Secret Key. Copy the Client ID and Secret Key; the Secret Key is shown only at creation time, so store it securely.

Step 2: Add Account from Splunk App

  1. After successful installation, click Druva Add-on for Splunk in the left pane of the Splunk console. To add an account you need the API credentials generated in Step 1.

  2. Select the Configuration tab and then the Account section.

  3. Click Add. The Add account window appears.

  4. If you have not yet generated credentials, go to the left navigation bar of the DCP dashboard, click Integration Center, select API Credentials, and click New Credentials. Copy the Client ID and Secret Key shown there.

  5. Populate the account details, enter the Client ID and Secret Key copied from the Druva console, and click Add.

Step 3: Add Data Inputs

After adding an account, configure the indexing details from the Inputs page.

  1. Go to Inputs > Create new inputs. The Add Druva window appears.

  2. Fill in the details and click Add.

  3. Click Druva App for Splunk to view the dashboards: All Events, Operational Overview, and Security Overview. You can also search for backup, restore, login, or Data Anomaly events.

Configure data imports via a proxy

If you do not want Splunk to connect to Druva directly, you can route the add-on's API requests through a proxy. You provide the proxy's hostname or IP address and, if it requires authentication, its credentials. Splunk then sends its requests to Druva through that proxy instead of using the direct connection the Druva app uses by default.

To configure the proxy in Splunk:

  1. In the Add-on Splunk App, click Configuration on the top menu.

  2. On the Configuration page, select the Proxy tab.

  3. On the Proxy tab, enable proxy for your Splunk setup, specify your server's details, and click Save.

Splunk will start routing its Druva API requests through the proxy server that you specify here. The proxy credentials are stored in the add-on's configuration, so restrict who can view and edit that configuration in Splunk.
