
uba.varonis

Introduction

The tags beginning with uba.varonis identify events generated by the Varonis Data Security Platform, a product of Varonis.

You need to configure the Varonis rules to use the Syslog message alert method, create an alert template for the messages sent to Devo, and set up syslog message forwarding to the Devo Relay. Send the messages to a dedicated port (of your choice) on the relay, where they are tagged and forwarded securely to the Devo Cloud.

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed as uba.varonis and the third identifies the type of events sent.

| Product / Service | Tags | Data tables |
|---|---|---|
| Varonis Data Security Platform | uba.varonis.alerts | uba.varonis.alerts |
| Varonis Data Security Platform | uba.varonis.audit | uba.varonis.audit |
| Varonis Data Security Platform | uba.varonis.dataalert | uba.varonis.dataalert |

Table structure

These are the fields displayed by each of these tables.

uba.varonis.alerts

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| hostchain | str | | ✓ |
| cefVersion | str | | |
| embDeviceVendor | str | | |
| embDeviceProduct | str | | |
| deviceVersion | str | | |
| signatureID | str | | |
| name | str | | |
| severity | str | | |
| _cefVer | str | | |
| act | str | | |
| cat | str | | |
| ruleID | int8 | | |
| mailRecipient | str | | |
| ruleName | str | | |
| attachmentName | str | | |
| clientAccessType | str | | |
| mailboxAccessType | str | | |
| changedPermissions | str | | |
| cnt | int4 | | |
| deviceCustomDate1Label | str | | |
| deviceCustomDate1 | timestamp | | |
| dhost | str | | |
| dpriv | str | | |
| duser | str | | |
| dvchost | str | | |
| end | timestamp | | |
| filePath | str | | |
| filePermission | str | | |
| fileType | str | | |
| fname | str | | |
| msg | str | | |
| oldFilePermission | str | | |
| outcome | str | | |
| rt | timestamp | | |
| start | timestamp | | |
| rawMessage | str | rawSource | ✓ |
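The field names of the uba.varonis.alerts table (cefVersion, embDeviceVendor, signatureID, name, severity, act, cat, cnt, duser, fname, ...) follow the ArcSight Common Event Format convention: the first seven pipe-separated header fields map to cefVersion through severity, and the trailing key=value extension supplies the rest. The parser below is an added example, not Devo's or Varonis's own code, and it assumes the forwarded messages really are CEF; the two sample syslog lines are constructed for illustration, and the `parse_varonis_cef` function name and the convention of storing only the version number in cefVersion are assumptions. It handles the CEF escapes (`\|` in the header, `\=` and `\\` in the extension) that a naive `split("|")` / `split("=")` would get wrong on paths and user names.

```python
"""Map a CEF-formatted Varonis DatAlert syslog line onto the uba.varonis.alerts field names.

Added example (not Devo's or Varonis's code). Assumes ArcSight CEF payloads;
the sample messages are constructed, not captured from a real installation.
"""
import json
import re
from typing import Dict, List, Tuple

# CEF header positions, named as the uba.varonis.alerts table names them.
HEADER_FIELDS = ("cefVersion", "embDeviceVendor", "embDeviceProduct",
                 "deviceVersion", "signatureID", "name", "severity")

# A key is a run of word characters at the start of the extension or after
# whitespace, followed by an UNESCAPED '='; an escaped '\=' inside a value
# is not preceded by whitespace+key, so it does not match.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

# Constructed sample: syslog priority/timestamp/host prefix, then a CEF record.
SAMPLE_MESSAGE = (
    r"<13>Jan 31 10:15:42 VARONIS01 CEF:0|Varonis Inc.|DatAdvantage|8.5|1001|"
    r"Abnormal access to sensitive files|7|"
    r"cat=Alert act=Read cnt=3 duser=CONTOSO\\jdoe dhost=FS01 "
    r"filePath=\\\\FS01\\Finance\\Q4 fname=budget.xlsx "
    r"msg=Mass read of files containing PII\=yes rt=Jan 31 2024 10:15:40 "
    r"deviceCustomDate1Label=Alert Time deviceCustomDate1=Jan 31 2024 10:15:41"
)

# Constructed sample with an escaped pipe inside the 'name' header field.
SAMPLE_ESCAPED_NAME = (
    r"CEF:0|Varonis Inc.|DatAdvantage|8.5|2002|"
    r"Permission change \| sensitive share|5|act=Modify cnt=1"
)


def _split_header(payload: str) -> Tuple[List[str], str]:
    """Split on the first seven unescaped '|' characters; return (header, extension)."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(payload) and len(fields) < 7:
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):   # \| or \\ inside a header field
            buf.append(payload[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 '|' separators")
    return fields, payload[i:]


def _unescape_ext(value: str) -> str:
    """Undo CEF extension escaping: \\= -> =, \\\\ -> \\, \\n and \\r -> line breaks."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v2 with spaces' into a dict; values may contain spaces."""
    keys = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        start = m.end()
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[start:end].strip())
    return out


def parse_varonis_cef(line: str) -> Dict[str, object]:
    """Return a record keyed by uba.varonis.alerts field names (rawMessage included)."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in message")
    header, ext = _split_header(line[idx:])
    record: Dict[str, object] = dict(zip(HEADER_FIELDS, header))
    # Assumption: the table stores the bare version ("0"), not the "CEF:0" token.
    record["cefVersion"] = str(record["cefVersion"]).split(":", 1)[1]
    record["rawMessage"] = line
    record.update(_parse_extension(ext))
    if "cnt" in record:                    # int4 in the table, text on the wire
        record["cnt"] = int(str(record["cnt"]))
    return record


if __name__ == "__main__":
    print(json.dumps(parse_varonis_cef(SAMPLE_MESSAGE), indent=2))
```

Running the module prints the parsed record for the first sample; `duser` comes out as `CONTOSO\jdoe`, `filePath` as `\\FS01\Finance\Q4` and `msg` as `Mass read of files containing PII=yes`, showing that escapes were removed rather than split on. Header fields such as `severity` are kept as strings because the table declares them `str`; only `cnt` is converted to match its `int4` type.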

uba.varonis.audit

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| rawMessage | str | rawSource | ✓ |
| RuleID | str | | |
| RuleName | str | | |
| AlertTime | str | | |
| EventTime | str | | |
| ActingObject | str | | |
| EventType | str | | |
| FileServerDomain | str | | |
| Path | str | | |
| AffectedObject | str | | |
| IPAddressHost | str | | |
| AdditionalData | str | | |
| Severity | str | | |
| Threshold | str | | |
| FirstEventTime | str | | |
| EventStatus | str | | |
| ActingObjectSAMAccountName | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |

uba.varonis.dataalert

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| host | str | vhost | |
| RuleName | str | | |
| AlertTime | str | | |
| EventTime | str | | |
| ActingObject | str | | |
| EventType | str | | |
| FileServerDomain | str | | |
| Path | str | | |
| AffectedObject | str | | |
| IPAddressHost | ip4 | | |
| AdditionalData | str | | |
| AlertDescription | str | | |
| ChangedPermissions | str | | |
| PermissionsBeforeChange | str | | |
| PermissionsAfterChange | str | | |
| rawMessage | str | | |
| hostchain | str | | ✓ |
| tag | str | | ✓ |

How is the data sent to Devo?

Varonis configuration

To set up message forwarding, you will need to take the following steps in the DatAlert area of the DatAdvantage management tool:

  1. Set up Syslog Message Forwarding to your Devo Relay in the DatAlert Configuration settings. You'll need to specify the relay's IP address and the relay port to which you want to send DatAlert messages. 

  2. Create a new alert template to apply to syslog message-type alert methods.

  3. Edit the DatAlert rules to generate syslog messages. This means that the messages will get forwarded to the Devo Relay.

Configure Syslog message forwarding

  1. In DatAdvantage, select Tools → DatAlert. DatAlert is displayed.

  2. Select Configuration in the left menu.

  3. In Syslog Message Forwarding, enter the following information:

    1. Syslog server IP address - The IP address of the Devo relay.

    2. Port - The port on which the Devo relay will be listening, matching the Source Port of the Devo Relay rule described below.

Define a new template

Templates define the format of the alert messages sent from DatAlert, using Syslog, to Devo.

  1. In DatAlert, click Alert Templates in the left menu.

  2. Click the green plus sign to add a new alert template:

    1. Enter a template name.

    2. Open the Apply to alert methods dropdown list and select Syslog message.

    3. Select the parameters that you want to monitor.

Configure the rules to send the alerts to Devo

To send the events triggered by the rules to Devo, each alert must be delivered as a Syslog message. Go to the DatAlert rules table and:

  1. Select the rule or rules and then click Edit Rule.

  2. Click Alert Method.

  3. Check the option Syslog message.

Devo Relay rules

The rule should simply apply the uba.varonis.dataalert or uba.varonis.alerts tag to all events received on the selected port. Syslog tags contained in the messages received should also be ignored.

Rule 1 - datAlert events

  • Source Port → 13076

  • Target Tag → uba.varonis.dataalert

  • Select both Stop Processing and Sent without syslog tag

Rule 2 - datAdvantage events

  • Source Port → 13076

  • Target Tag → uba.varonis.alerts

  • Select both Stop Processing and Sent without syslog tag
