Varonis DatAdvantage

Varonis DatAdvantage gives you visibility and control over your data and hybrid IT infrastructure by mapping who accesses your data across file and email systems. If you’re a Varonis DatAdvantage customer, you can set up an integration to forward DatAdvantage alerts to InsightIDR. This third-party alerts integration saves you time spent reviewing alerts in 2 places, and allows you to leverage investigation features in IDR for DatAdvantage events.

To set up the Varonis DatAdvantage integration, you’ll need to:

  1. Set up the Varonis DatAdvantage Event Source in InsightIDR
  2. Configure Varonis DatAdvantage Alert Forwarding

Set Up the Varonis DatAdvantage Event Source in InsightIDR

First, set up the Varonis DatAdvantage event source in InsightIDR so you can receive forwarded alerts.

To set up the Varonis DatAdvantage event source:

  1. From the left menu, go to Data Collection.
  2. Click the Setup Event Source dropdown menu and choose Add Event Source.
  3. In the “Third Party Alerts” section, click the Varonis DatAdvantage icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. If you are sending additional events beyond alerts, select the unfiltered logs option.
  6. Specify an unused port on the collector that can receive forwarded Varonis alerts. We recommend you use TCP as your protocol.

Port Number and IP Address

Note the port number as well as the IP address associated with your IDR collector. You will need both to configure your Varonis syslog server address later.

  7. Click Save.

Configure Varonis DatAdvantage Alert Forwarding

After configuring the Varonis DatAdvantage event source in InsightIDR, you can configure DatAdvantage to forward alerts to IDR. There are 3 tasks in this configuration procedure:

Task 1: Configure the syslog server address in Varonis DatAdvantage

  1. Log in to Varonis DatAdvantage.
  2. Select Tools > DatAlert.
  3. From the left menu, select Configuration.
  4. Specify values for these fields in the “Syslog Message Forwarding” section:
    • Syslog server IP address: InsightIDR collector IP address
    • Port: Port number associated with the event source you set up in InsightIDR

Task 2: Create a CEF or LEEF syslog message forwarding template

  1. From the left menu in DatAlert, select Alert Templates.
  2. Click the green plus sign. The “Add Alert Template” dialog box appears.
  3. Enter a Template name.
  4. From the “Apply to alert methods” dropdown menu, select Syslog message.
  5. Create a new Alert Template Format using the example templates below.
    • Use this example to send alerts in CEF format.
CEF:0|Varonis|DatAdvantage|<DatAdvantage version>|<Event Op Code>|<Event Type>|<Severity>|rt=<Alert Time> cat=Alert cs2=<Rule Name> cs2Label=RuleName cn1=<Rule ID> cn1Label=RuleID end=<Event Time> duser=<Acting Object> dhost=<File Server/Domain> filePath=<Access Path> fname=<Affected Object> act=<Event Type> dvchost=<Device Name> dvc=<Device IP Address> outcome=<Event Status> msg=<Additional Data> cs3=<Attachment Name> cs3Label=AttachmentName cs4=http://<DLS_IP_ADDRESS>/DatAdvantage/#/app/analytics/entity/Alert/<Alert ID> cs4Label=AlertURL deviceCustomDate1=<Mail Date> fileType=<Mail Item Type> cs1=<Mail Recipients> cs1Label=MailRecipient suser=<Mail Source> cs5=<Mailbox Access Type> cs5Label=MailboxAccessType cnt=<Threshold> cs6=<Changed Permissions> cs6Label=ChangedPermissions oldFilePermission=<Permissions Before Change> filePermission=<Permissions After Change> dpriv=<Trustee> start=<First Event Time> externalId=<Alert ID>
    • Use this example to send alerts in LEEF format.
LEEF:9.1.0|Varonis|DatAdvantage|<DatAdvantage Version>|<file| cat=<Alert Category> devTime=<Alert time> devTimeFormat=MMM dd yyyy HH:mm:ss proto=Syslog sev=<Severity> src=<Device IP Address> Device_Name=<Device Name> Alert_Description=<Alert Description> usrName=<Acting Object> accountName=<Acting Object SAM Account Name> domain=<Acting Object Domain Name> Event_Type=<Event Type> Event_Type_ID=<Event Op Code> Event_Status=<Event Status> Affected_Object=<Affected Object> Event_File_Server_Domain=<File Server/Domain> Affected_Object_Path=<Path> Event_Additional_Data=<Additional data> Threshold_Value=<Threshold> Threshold_First_Timestamp=<First event time> Event_by_MailboxOwner=<Client Access Type> Email_Sender=<Mail Source> Email_Date=<Mail Date> Account_of_Changed_Permissions=<Trustee> Permissions_Changes=<Changed Permissions> Permissions_before_Change=<Permissions Before Change> Permissions_after_Change=<Permissions After Change> Alert_Page_URL=<Alert page URL> Alert_ID=<Alert ID>
  6. Click OK, and verify that the new template appears in the “Alert Templates” table.
  7. Click OK.

Task 3: Set up alerts for single or multiple rules

Rules in Varonis DatAdvantage define which behaviors cause alerts. To complete your integration, associate those rules with the syslog connection you configured in Task 1 by selecting the Syslog alert method for each rule.

To select the Syslog alert method for a single rule:

  1. From the DatAlert rules table, select the rule, then click Edit Rule. The rule editing menu appears.
  2. From the left menu, select Alerts Method. The “Alert Method” window appears.
  3. Select Syslog message.
  4. Click OK.

To select the Syslog alert method for multiple rules:

  1. From the DatAlert rules table, select the rules, then click Edit Rule. The rule editing menu appears.
  2. From the left menu, select Alerts Method. The “Alert Method” window appears and its contents are disabled for selection.
  3. Click the edit icon for the Syslog message option, then click the checkbox next to Syslog message.
  4. Click OK.

Verify the Configuration

After configuring the Varonis DatAdvantage event source and alert forwarding, you can perform a log search for Varonis alerts in InsightIDR to verify they are forwarding successfully.

When DatAdvantage alerts appear in InsightIDR, you’ll notice their associated severity rankings are converted to match InsightIDR conventions. Here’s what each alert severity means in InsightIDR.

  • Red - High severity
    These alerts have a DatAdvantage severity of Emergency, Alert, or Critical.
  • Orange - Medium severity
    These alerts have a DatAdvantage severity of Error or Warning.
  • Green - Low severity
    These alerts have a DatAdvantage severity of Notice, Informational, or Debug.
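
To check a forwarded message before you rely on it in log search, you can parse it yourself. The following is an added example, not code from Rapid7 or Varonis: it splits a message built from the CEF template above into its header and extension fields and applies the severity mapping listed here. The sample message is constructed, and the sketch assumes the `<Severity>` placeholder is rendered as the severity name.

```python
import re

# Severity mapping stated on this page (DatAdvantage name -> InsightIDR ranking).
IDR_SEVERITY = {
    "emergency": "High", "alert": "High", "critical": "High",
    "error": "Medium", "warning": "Medium",
    "notice": "Low", "informational": "Low", "debug": "Low",
}
HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "event_id", "name", "severity")

# Extension keys are bare words followed by "="; values may contain spaces, so a
# value runs until the next " key=" or the end of the line ("\=" is an escape).
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")

# Constructed sample (not real output): the page's CEF template with a few
# placeholders filled in, behind a constructed syslog header.
SAMPLE = (
    "<13>Jan 01 00:00:00 dls01 CEF:0|Varonis|DatAdvantage|0.0.0|1000|File opened|Alert|"
    "rt=Jan 01 2024 00:00:00 cat=Alert cs2=Abnormal access to sensitive files "
    "cs2Label=RuleName cn1=42 cn1Label=RuleID duser=jdoe@example.test "
    "dhost=fs01.example.test filePath=/share/finance/plans.docx "
    "outcome=Success externalId=CONSTRUCTED-ID-1"
)

def parse_cef(line):
    """Split one CEF message into (header dict, extension dict)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    parts = UNESCAPED_PIPE.split(line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    ext_text, ext = parts[7], {}
    keys = list(EXT_KEY.finditer(ext_text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = ext_text[m.end():end].strip().replace("\\=", "=")
    return header, ext

def idr_severity(header):
    """Return the InsightIDR ranking for the DatAdvantage severity name."""
    return IDR_SEVERITY.get(header["severity"].strip().lower(), "Unknown")
```

A rule name containing spaces (cs2 in the sample) is the case most likely to break a naive split on whitespace, which is why values are delimited by the next key rather than the next space.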