Varonis¶
About¶
Varonis focuses on protecting enterprise data on premises and in the cloud: sensitive files and emails; confidential customer, patient and employee data; financial records; strategic and product plans; and other intellectual property. The Varonis Data Security Platform detects insider threats and cyberattacks by analyzing data, account activity, perimeter telemetry and user behavior; prevents and limits damage by discovering, classifying and locking down sensitive, regulated and stale data; and sustains that secure state through automation. Its use cases include data protection, threat detection and response, and compliance.
Product Details¶
Vendor URL: Varonis
Product Type: Data Protection
Product Tier: Tier II
Integration Method: Syslog
Parser Details¶
Log Format: CEF
Expected Normalization Rate: 90%
Data Label: VARONIS
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
act | security_result.summary |
cef_name | metadata.description |
cef_product | metadata.product_name |
cef_severity | security_result.severity |
cef_vendor | metadata.vendor_name |
cef_version | metadata.product_version |
cn1 | security_result.rule_id |
cs1 | network.email.to |
cs2 | security_result.rule_name |
cs3 | target.file.names |
cs4 | security_result.url_back_to_product |
cs6 | additional.asset.attribute.permissions |
dhost | principal.hostname |
duser | target.user.userid |
dvc | principal.asset.ip |
dvchost | target.hostname |
externalId | additional.external_id |
filePath | target.file.full_path |
filePermission | additional.permission |
fname | security_result.description |
oldFilePermission | additional.previous_permissions |
outcome | security_result.action |
rt | metadata.event_timestamp |
start | additional.first_event_time |
suser | target.user.userid |
Product Event Types¶
Event | UDM Event Classification |
---|---|
"File opened" | FILE_OPEN |
"File deleted" | FILE_DELETION |
"File/Folder permissions added" | USER_CHANGE_PERMISSIONS |
"User password reset" | USER_CHANGE_PASSWORD |
"User locked out" | USER_UNCATEGORIZED |
"LOGIN" | USER_LOGIN |
"File renamed/Modified" | FILE_MODIFICATION |
All Others | GENERIC_EVENT |
Log Sample¶
<14>Oct 18 08:18:20 HOSTNAME1 CEF:0|Varonis Inc.|DatAdvantage|8.6.22|1|File opened|3|rt=Oct 18 2022 03:15:00 cat=Alert cs2=Abnormal service behavior: access to atypical folders cs2Label=RuleName cn1=1 cn1Label=RuleID end=Oct 18 2022 03:15:00 duser=corp.example.org\\User1 dhost=HOSTNAME3 filePath= fname=\\ifs\\cifs\\example.file act=File opened dvchost=HOSTNAME2 msg= cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6= cs6Label=ChangedPermissions oldFilePermission= filePermission= dpriv= start=
Sample Parsing¶
metadata.product_log_id: "1"
metadata.event_type: FILE_OPEN
metadata.event_timestamp: Oct 18 2022 03:15:00
metadata.vendor_name: "Varonis Inc."
metadata.product_name: "DatAdvantage"
metadata.product_version: "8.6.22"
metadata.description: "File opened"
principal.hostname: "HOSTNAME3"
target.hostname: "HOSTNAME2"
target.domain.name: "corp.example.org"
target.user.userid: "User1"
target.file.full_path: "\ifs\cifs\example.file"
intermediary.hostname: "HOSTNAME1"
security_result.rule_id: "1"
security_result.rule_name: "Abnormal service behavior: access to atypical folders"
security_result.summary: "File opened"
security_result.action: ALLOW
security_result.severity: MEDIUM
security_result.severity_details: "3"
Parser Alerting¶
This product currently does not have any parser-based alerting.