Varonis

About
Varonis focuses on protecting enterprise data on premises and in the cloud: sensitive files and emails; confidential customer, patient and employee data; financial records; strategic and product plans; and other intellectual property. The Varonis Data Security Platform detects insider threats and cyberattacks by analyzing data, account activity, perimeter telemetry, and user behavior; prevents and limits disaster by discovering, classifying and locking down sensitive, regulated and stale data; and efficiently sustains a secure state with automation. With a focus on data security, Varonis serves a variety of use cases including data protection, threat detection and response, and compliance.
Product Details
Vendor URL: Varonis
Product Type: Data Protection
Product Tier: Tier II
Integration Method: Syslog
Parser Details
Log Format: CEF
Expected Normalization Rate: 90%
Data Label: VARONIS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| act | security_result.summary |
| cef_name | metadata.description |
| cef_product | metadata.product_name |
| cef_severity | security_result.severity |
| cef_vendor | metadata.vendor_name |
| cef_version | metadata.product_version |
| cn1 | security_result.rule_id |
| cs1 | network.email.to |
| cs2 | security_result.rule_name |
| cs3 | target.file.names |
| cs4 | security_result.url_back_to_product |
| cs6 | additional.asset.attribute.permissions |
| dhost | principal.hostname |
| duser | target.user.userid |
| dvc | principal.asset.ip |
| dvchost | target.hostname |
| externalid | additional.external_id |
| filepath | target.file.full_path |
| filePermission | additional.permission |
| fname | security_result.description |
| oldFilePermission | additional.previous_permissions |
| outcome | security_result.action |
| rt | metadata.event_timestamp |
| start | additional.first_event_time |
| suser | target.user.userid |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| "File opened" | FILE_OPEN |
| "File deleted" | FILE_DELETION |
| "File/Folder permissions added" | USER_CHANGE_PERMISSIONS |
| "User password reset" | USER_CHANGE_PASSWORD |
| "User locked out" | USER_UNCATEGORIZED |
| "LOGIN" | USER_LOGIN |
| "File renamed/Modified" | FILE_MODIFICATION |
| All Others | GENERIC_EVENT |
Log Sample
<14>Oct 18 08:18:20 HOSTNAME1 CEF:0|Varonis Inc.|DatAdvantage|8.6.22|1|File opened|3|rt=Oct 18 2022 03:15:00 cat=Alert cs2=Abnormal service behavior: access to atypical folders cs2Label=RuleName cn1=1 cn1Label=RuleID end=Oct 18 2022 03:15:00 duser=corp.example.org\\User1 dhost=HOSTNAME3 filePath= fname=\\ifs\\cifs\\example.file act=File opened dvchost=HOSTNAME2 msg= cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6= cs6Label=ChangedPermissions oldFilePermission= filePermission= dpriv= start=
Sample Parsing
metadata.product_log_id: "1"
metadata.event_type: FILE_OPEN
metadata.event_timestamp: Oct 18 2022 03:15:00
metadata.vendor_name: "Varonis Inc."
metadata.product_name: "DatAdvantage"
metadata.product_version: "8.6.22"
metadata.description: "File opened"
principal.hostname: "HOSTNAME3"
target.hostname: "HOSTNAME2"
target.domain.name: "corp.example.org"
target.user.userid: "User1"
target.file.full_path: "\ifs\cifs\example.file"
intermediary.hostname: "HOSTNAME1"
security_result.rule_id: "1"
security_result.rule_name: "Abnormal service behavior: access to atypical folders"
security_result.summary: "File opened"
security_result.action: ALLOW
security_result.severity: MEDIUM
security_result.severity_details: "3"
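The following is an added example, not the vendor's parser or Chronicle's own code: it splits the syslog-wrapped CEF line from the Log Sample above into its header fields and key=value extension, then applies the field mapping and event-type table from this page to produce the UDM values shown in Sample Parsing. The sample line is a constructed copy with placeholder hostnames; the severity buckets (3 maps to MEDIUM as on the page) and the ALLOW default for an empty outcome are assumptions.

```python
import re

# Constructed copy of the page's sample line (hostnames and domain are placeholders).
SAMPLE = (
    r"<14>Oct 18 08:18:20 HOSTNAME1 CEF:0|Varonis Inc.|DatAdvantage|8.6.22|1|File opened|3|"
    r"rt=Oct 18 2022 03:15:00 cat=Alert cs2=Abnormal service behavior: access to atypical folders "
    r"cs2Label=RuleName cn1=1 cn1Label=RuleID duser=corp.example.org\\User1 dhost=HOSTNAME3 "
    r"filePath= fname=\\ifs\\cifs\\example.file act=File opened dvchost=HOSTNAME2 outcome= start="
)
# Event name -> UDM event_type, from this page's table; anything else is GENERIC_EVENT.
EVENT_TYPES = {
    "File opened": "FILE_OPEN", "File deleted": "FILE_DELETION", "LOGIN": "USER_LOGIN",
    "File/Folder permissions added": "USER_CHANGE_PERMISSIONS", "User locked out": "USER_UNCATEGORIZED",
    "User password reset": "USER_CHANGE_PASSWORD", "File renamed/Modified": "FILE_MODIFICATION",
}
SYSLOG_RE = re.compile(r"^<\d+>\w{3} +\d+ [\d:]+ (\S+) (CEF:0\|.*)$")


def parse_cef(line):
    """Return (syslog relay host, 6 CEF header fields, extension dict) for one line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF:0 line")
    relay, cef = m.groups()
    header = cef.split("|", 7)  # CEF:0, vendor, product, version, signature id, name, severity, ext
    ext = {}
    for pair in re.split(r" (?=\w+=)", header[7]):  # values may contain spaces, keys may not
        key, _, value = pair.partition("=")
        ext[key] = value.replace("\\\\", "\\")  # CEF escapes a literal backslash as \\
    return relay, header[1:7], ext


def to_udm(line):
    """Apply this page's mapping; severity buckets and the ALLOW default are assumptions."""
    relay, (vendor, product, version, sig_id, name, sev), e = parse_cef(line)
    domain, _, user = e.get("duser", "").rpartition("\\")  # DOMAIN\user -> domain, userid
    severity = "LOW" if int(sev) < 3 else "MEDIUM" if int(sev) < 7 else "HIGH"
    return {
        "metadata.product_log_id": sig_id, "metadata.event_type": EVENT_TYPES.get(name, "GENERIC_EVENT"),
        "metadata.event_timestamp": e.get("rt"), "metadata.description": name,
        "metadata.vendor_name": vendor, "metadata.product_name": product, "metadata.product_version": version,
        "principal.hostname": e.get("dhost"), "target.hostname": e.get("dvchost"), "intermediary.hostname": relay,
        "target.domain.name": domain, "target.user.userid": user,
        "target.file.full_path": e.get("filePath") or e.get("fname"),  # sample falls back to fname
        "security_result.rule_id": e.get("cn1"), "security_result.rule_name": e.get("cs2"),
        "security_result.summary": e.get("act"), "security_result.action": "ALLOW",  # outcome empty
        "security_result.severity": severity, "security_result.severity_details": sev,
    }
```

Empty extension keys such as `filePath=` and `start=` parse to empty strings, which is why the file path falls back to `fname` exactly as the Sample Parsing section shows.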
Parser Alerting
This product currently does not have any Parser-based Alerting.