
Sheriff CSM™

Varonis DatAdvantage

When you configure Varonis DatAdvantage to send log data to Sheriff CSM, you can use the Varonis DatAdvantage plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

| Device | Details |
|---|---|
| Vendor | Varonis |
| Device Type | Data Protection |
| Connection Type | Syslog |
| Data Source Name | varonis-datadvantage |
| Data Source ID | 2503 |

Integrating Varonis DatAdvantage

Before you configure the Varonis DatAdvantage integration, you must have the IP Address of the Sheriff CSM Sensor (Deputy).

To configure Varonis DatAdvantage to send Syslog messages to Sheriff CSM:
  1. Log in to Varonis DatAdvantage.
  2. Select Tools > DatAlert.

  3. Select the Configuration tab and specify values for fields in the Syslog Message Forwarding section:

    • Syslog server IP address: Enter the Sheriff CSM IP address
    • Port: 514
    • Facility name: Choose a value based on your environment
    • Identity: Use the default value
  4. Select the Alert Templates tab.

  5. Create a new alert template with the format below, replacing {{VARONIS_SERVER}} with the hostname of your Varonis Server.

    <Alert Time> VaronisDatAlert Varonis: CEF:0|Varonis Inc.|DatAdvantage|<DatAdvantage version>|<Event Op Code>|<Rule Name>|<Severity>|rt=<Alert Time> cat=Alert rep_device_rule_id=<Rule ID> event_action=<Event Type> event_outcome=<Event Status> event_receipt_time=<Event Time> needs_enrichment=https://{{VARONIS_SERVER}}/Datadvantage/#/app/analytics/entity/Alert/<Alert ID> source_username=<Acting Object> filePath=<Access Path> fname=<Affected Object> destination_hostname=<File Server/Domain> rep_device_hostname=<Device Name> rep_device_version=<Device IP Address>

    Important: Do not use the Varonis default template because the Syslog messages it generates are not compatible with Sheriff CSM's parser.

  6. In the Apply to alert methods field, select Syslog message.

  7. Click OK, then click Apply to save your changes.

  8. Create and configure rules based on your environment.
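To confirm that the alert template from step 5 was entered correctly, a syslog line captured on the sensor can be checked against the template's layout. The script below is an added example, not code from Sheriff CSM or Varonis; the function name `parse_alert`, the sample line and every value in it (timestamp format, version, host names) are constructed for illustration.

```python
import re

# Extension keys, in the order the alert template on this page emits them.
KEYS = ["rt", "cat", "rep_device_rule_id", "event_action", "event_outcome",
        "event_receipt_time", "needs_enrichment", "source_username",
        "filePath", "fname", "destination_hostname", "rep_device_hostname",
        "rep_device_version"]
HEADER = ["cef_version", "vendor", "product", "version", "op_code",
          "rule_name", "severity"]
# Split only in front of a known key, so values with spaces or '=' stay whole.
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(KEYS) + r")=")
MARKER = " VaronisDatAlert Varonis: CEF:"

# Constructed sample line; all values are made up for this example.
SAMPLE = (r"01/15/2024 10:22:31 VaronisDatAlert Varonis: CEF:0|Varonis Inc.|"
          r"DatAdvantage|8.6|4000|Abnormal access to finance share|High|"
          r"rt=01/15/2024 10:22:31 cat=Alert rep_device_rule_id=112 "
          r"event_action=File opened event_outcome=Success "
          r"event_receipt_time=01/15/2024 10:22:05 needs_enrichment="
          r"https://varonis.example.test/Datadvantage/#/app/analytics/entity/Alert/ABC123 "
          r"source_username=EXAMPLE\jdoe filePath=\\fs01\Finance\Q4 plan.xlsx "
          r"fname=Q4 plan.xlsx destination_hostname=fs01 "
          r"rep_device_hostname=WS-042 rep_device_version=192.0.2.10")

def parse_alert(line):
    """Return (event, problems) for one syslog line built from the template."""
    event, problems = {}, []
    prefix, sep, cef = line.partition(MARKER)
    if not sep:
        return event, ["marker 'VaronisDatAlert Varonis: CEF:' not found"]
    event["alert_time"] = prefix.strip()
    # CEF header fields end at unescaped pipes; the 8th part is the extension.
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8:
        return event, [f"expected 7 CEF header fields, got {len(parts) - 1}"]
    event.update(zip(HEADER, (p.replace("\\|", "|") for p in parts[:7])))
    ext = parts[7]
    hits = list(KEY_RE.finditer(ext))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        event[m.group(1)] = ext[m.end():end].strip()
    problems += [f"missing extension key: {k}" for k in KEYS if k not in event]
    if event.get("cat") != "Alert":
        problems.append("cat is not 'Alert'")
    return event, problems

if __name__ == "__main__":
    ev, probs = parse_alert(SAMPLE)
    print(probs or "OK", ev["filePath"])
```

A non-empty problem list for a line captured from your own deployment points to a template that differs from the one in step 5, for example the Varonis default template.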

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

https://www.varonis.com/products/datadvantage/

For troubleshooting, see the vendor documentation.
Topic revision: r8 - 26 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.