Skip to content

Varonis

Varonis

About

Varonis focuses on protecting enterprise data on premises and in the cloud: sensitive files and emails; confidential customer, patient and employee data; financial records; strategic and product plans; and other intellectual property.The Varonis Data Security Platform detects insider threats and cyberattacks by analyzing data, account activity, perimeter telemetry, and user behavior; prevents and limits disaster by discovering, classifying and locking down sensitive, regulated and stale data; and efficiently sustains a secure state with automation. With a focus on data security, Varonis serves a variety of use cases including data protection, threat detection and response, and compliance.

Product Details

Vendor URL: Varonis

Product Type: Data Protection

Product Tier: Tier II

Integration Method: Syslog

Parser Details

Log Format: CEF

Expected Normalization Rate: 90%

Data Label: VARONIS

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
act sec_result.summary
cef_name metadata.descriton
cef_product metadata.product_name
cef_severity security_result.severity
cef_vendor metadata.vendor_name
cef_version metadata.product_version
cn1 sec_result.rule_id
cs1 network.email.to
cs2 sec_result.rule_name
cs3 target.file.names
cs4 security_result.url_back_to_product
cs6 additional.asset.attribute.permissions
dhost principal.hostname
duser target.user.userid
dvc principal.asset.ip
dvchost target.hostname
externalid additional.external_id
filepath target.file.full_path
filePermission additional.permission
fname security.result.description
oldFilePermission additional.previous_permissions
outcome security_action
rt event_timestamp
start additional.first_event_time
Suser target.user.userid

Product Event Types

Event UDM Event Classification
"File opened" FILE_OPEN
"File deleted" FILE_DELETION
"File/Folder permissions added" USER_CHANGE_PERMISSIONS
"User password reset" USER_CHANGE_PASSWORD
"User locked out" USER_UNCATEGORIZED
"LOGIN" USER_LOGIN
"File renamed/Modified" FILE_MODIFICATION
All Others GENERIC EVENT

Log Sample

<14>Oct 18 08:18:20 HOSTNAME1 CEF:0|Varonis Inc.|DatAdvantage|8.6.22|1|File opened|3|rt=Oct 18 2022 03:15:00 cat=Alert cs2=Abnormal service behavior: access to atypical folders cs2Label=RuleName cn1=1 cn1Label=RuleID end=Oct 18 2022 03:15:00 duser=corp.example.org\\User1 dhost=HOSTNAME3 filePath= fname=\\ifs\\cifs\\example.file act=File opened dvchost=HOSTNAME2 msg= cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6= cs6Label=ChangedPermissions oldFilePermission= filePermission= dpriv= start=

Sample Parsing

metadata.product_log_id: "1"
metadata.event_type: FILE_OPEN
metadata.event_timestamp: Oct 18 2022 03:15:00
metadata.vendor_name: "Varonis Inc."
metadata.product_name: "DatAdvantage"
metadata.product_version: "8.6.22"
metadata.description: "File opened"
principal.hostname: "HOSTNAME3"
target.hostname: "HOSTNAME2"
target.domain.name: "corp.example.com"
target.userid: "User1"
target.full_path: "\ifs\cifs\example.file"
intermediary.hostname: "HOSTNAME1"
security_result.rule_id: "1"
security_result.rule_name: "Abnormal service behavior: access to atypical folders""
security_result.summary: "File opened"
security_result.action: ALLOW
security_result.severity: MEDIUM
security_result.severity_details: "3"

Parser Alerting

This product currently does not have any Parser-based Alerting