Page Comparison

Introduction

The tags beginning with uba.varonis identify events generated by Varonis Data Security Platform belonging to Varonis

.

You need to configure the Varonis rules to generate syslog messages-type alert method, create an alert template for sending to Devo, and set up syslog message forwarding to the Devo Relay. The messages should be sent to a dedicated port (of your choice) on the relay to be tagged and forwarded securely to the Devo Cloud.

Valid tags and data tables 

The full tag must have

3 levels. The first two are fixed as uba.varonis

and the third identifies the type of events sent.

Table structure

This is the set displayed by these tables.

• uba.varonis.

• alerts

• uba.varonis.

• audit

• uba.varonis.

• dataalert

uba.varonis.

alerts

uba.varonis.audit

uba.varonis.

dataalert

How is the data sent to Devo?

Varonis configuration

To set up message forwarding, you will need to take the following steps in the DatAlert area of the DatAdvantage management tool:

1. Set up Syslog Message Forwarding to your Devo Relay in the DatAlert Configuration settings. You'll need to specify the relay's IP address and the relay port to which you want to send DatAlert messages. 

2. Create a new alert template to apply to syslog message-type alert methods.

3. Edit the DatAlert rules to generate syslog messages. This means that the messages will get forwarded to the Devo Relay.

Configure Syslog message forwarding

1. In DatAdvantage, select Tools → DatAlert. DatAlert is displayed.

2. Select Configuration in the left menu.

3. In Syslog Message Forwarding, enter the following information:

   1. Syslog server IP address - The IP address of the Devo relay.

   2. Port - The port on which the Devo relay will be listening according to the rule defined in the previous step.

Image Added

Define a new template

Templates define the format of the alert messages sent from DatAlert, using Syslog, to Devo.

1. In DatAlert, click Alert Templates in the left menu.

1. Click the green plus sign to add a new alert template:

   1. Enter a template name.

   2. Open the Apply to alert methods dropdown list and select Syslog message.

   3. Select the parameters that you want to monitor.

Configure the rules to send the alerts to Devo

To send the events triggered by the rules to Devo, the alert must be transferred by creating a Syslog message. Go to the DatAlert rules table and:

1. Select the rule or rules and then click Edit Rule.

2. Click Alert Method.

3. Check the option Syslog message.

Image Added

Devo Relay rules

The rule should simply apply the uba.varonis.dataalert or uba.varonis.alerts tag to all events received on the selected port. Syslog tags contained in the messages received should also be ignored.

Rule 1 - datAlert events

• Source Port → 13076

• Target Tag → uba.varonis.dataalert

• Select both Stop Processing and Sent without syslog tag

Rule 2 - datAdvantage events

• Source Port → 13076

• Target Tag → uba.varonis.alerts

• Select both Stop Processing and Sent without syslog tag