
Introduction

The tags beginning with uba.varonis identify events generated by the Varonis Data Security Platform.

You need to configure the Varonis rules to use the syslog message alert method, create an alert template for the messages sent to Devo, and set up syslog message forwarding to the Devo Relay. The messages should be sent to a dedicated port (of your choice) on the relay, where they are tagged and forwarded securely to the Devo Cloud.

Valid tags and data tables

The full tag must have 3 levels. The first two are fixed as uba.varonis and the third identifies the type of events sent.

| Technology | Brand | Type |
|---|---|---|
| uba | varonis | dataalert, alerts, audit |

| Product / Service | Tags | Data tables |
|---|---|---|
| Varonis Data Security Platform | uba.varonis.alerts | uba.varonis.alerts |
| | uba.varonis.audit | uba.varonis.audit |
| | uba.varonis.dataalert | uba.varonis.dataalert |

Table structure

These are the fields displayed by each of these tables.

uba.varonis.alerts

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| hostchain | str | | |
| cefVersion | str | | |
| embDeviceVendor | str | | |
| embDeviceProduct | str | | |
| deviceVersion | str | | |
| signatureID | str | | |
| name | str | | |
| severity | str | | |
| _cefVer | str | | |
| act | str | | |
| cat | str | | |
| ruleID | int8 | | |
| mailRecipient | str | | |
| ruleName | str | | |
| attachmentName | str | | |
| clientAccessType | str | | |
| mailboxAccessType | str | | |
| changedPermissions | str | | |
| cnt | int4 | | |
| deviceCustomDate1Label | str | | |
| deviceCustomDate1 | timestamp | | |
| dhost | str | | |
| dpriv | str | | |
| duser | str | | |
| dvchost | str | | |
| end | timestamp | | |
| filePath | str | | |
| filePermission | str | | |
| fileType | str | | |
| fname | str | | |
| msg | str | | |
| oldFilePermission | str | | |
| outcome | str | | |
| rt | timestamp | | |
| start | timestamp | | |
| rawMessage | str | rawSource | |

uba.varonis.audit

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| rawMessage | str | rawSource | |
| RuleID | str | | |
| RuleName | str | | |
| AlertTime | str | | |
| EventTime | str | | |
| ActingObject | str | | |
| EventType | str | | |
| FileServerDomain | str | | |
| Path | str | | |
| AffectedObject | str | | |
| IPAddressHost | str | | |
| AdditionalData | str | | |
| Severity | str | | |
| Threshold | str | | |
| FirstEventTime | str | | |
| EventStatus | str | | |
| ActingObjectSAMAccountName | str | | |
| hostchain | str | | |
| tag | str | | |

uba.varonis.dataalert

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| RuleName | str | | |
| AlertTime | str | | |
| EventTime | str | | |
| ActingObject | str | | |
| EventType | str | | |
| FileServerDomain | str | | |
| Path | str | | |
| AffectedObject | str | | |
| IPAddressHost | ip4 | | |
| AdditionalData | str | | |
| AlertDescription | str | | |
| ChangedPermissions | str | | |
| PermissionsBeforeChange | str | | |
| PermissionsAfterChange | str | | |
| rawMessage | str | | |
| hostchain | str | | |
| tag | str | | |

How is the data sent to Devo?

Varonis configuration

To set up message forwarding, you will need to take the following steps in the DatAlert area of the DatAdvantage management tool:

  1. Set up Syslog Message Forwarding to your Devo Relay in the DatAlert Configuration settings. You'll need to specify the relay's IP address and the relay port to which you want to send DatAlert messages.

  2. Create a new alert template to apply to syslog message-type alert methods.

  3. Edit the DatAlert rules to generate syslog messages, so that the messages are forwarded to the Devo Relay.

Configure Syslog message forwarding

  1. In DatAdvantage, select Tools → DatAlert. DatAlert is displayed.

  2. Select Configuration in the left menu.

  3. In Syslog Message Forwarding, enter the following information:

    1. Syslog server IP address - The IP address of the Devo relay.

    2. Port - The port on which the Devo relay will be listening according to the rule defined in the previous step.


Define a new template

Templates define the format of the alert messages sent from DatAlert, using Syslog, to Devo.

  1. In DatAlert, click Alert Templates in the left menu.

  2. Click the green plus sign to add a new alert template:

    1. Enter a template name.

    2. Open the Apply to alert methods dropdown list and select Syslog message.

    3. Select the parameters that you want to monitor.

Configure the rules to send the alerts to Devo

To send the events triggered by the rules to Devo, each alert must be delivered as a Syslog message. Go to the DatAlert rules table and:

  1. Select the rule or rules and then click Edit Rule.

  2. Click Alert Method.

  3. Check the option Syslog message.


Devo Relay rules

The rule should simply apply the uba.varonis.dataalert or uba.varonis.alerts tag to all events received on the selected port. Any syslog tags contained in the received messages should also be ignored.

Rule 1 - datAlert events

  • Source Port → 13076

  • Target Tag → uba.varonis.dataalert

  • Select both Stop Processing and Sent without syslog tag


Rule 2 - datAdvantage events

  • Source Port → 13076

  • Target Tag → uba.varonis.alerts

  • Select both Stop Processing and Sent without syslog tag
