Varonis DatAdvantage

When you configure Varonis DatAdvantage to send log data to USM Appliance, you can use the Varonis DatAdvantage plugin to translate the raw log data into normalized events for analysis. The table below provides basic information about the plugin.

Plugin Information

Device Details
  Vendor: Varonis
  Device Type: Data Protection
  Connection Type: Syslog
  Data Source Name: varonis-datadvantage
  Data Source ID: 2503

Integrating Varonis DatAdvantage

Before you configure the Varonis DatAdvantage integration, you must have the IP address of the USM Appliance Sensor.

To configure Varonis DatAdvantage to send Syslog messages to USM Appliance

  1. Log in to Varonis DatAdvantage.
  2. Select Tools > DatAlert.
  3. Select the Configuration tab and specify values for fields in the Syslog Message Forwarding section:
    • Syslog server IP address: Enter the USM Appliance IP address
    • Port: 514
    • Facility name: Choose a value based on your environment
    • Identity: Use the default value
  4. Select the Alert Templates tab.
  5. Create a new alert template with the format below, replacing {{VARONIS_SERVER}} with the hostname of your Varonis Server.

    <Alert Time> VaronisDatAlert Varonis: CEF:0|Varonis Inc.|DatAdvantage|<DatAdvantage version>|<Event Op Code>|<Rule Name>|<Severity>|rt=<Alert Time> cat=Alert rep_device_rule_id=<Rule ID> event_action=<Event Type> event_outcome=<Event Status> event_receipt_time=<Event Time> needs_enrichment=https://{{VARONIS_SERVER}}/Datadvantage/#/app/analytics/entity/Alert/<Alert ID> source_username=<Acting Object> filePath=<Access Path> fname=<Affected Object> destination_hostname=<File Server/Domain> rep_device_hostname=<Device Name> rep_device_version=<Device IP Address>

    Important: Do not use the Varonis default template because the Syslog messages it generates are not compatible with USM Appliance's parser.

  6. In the Apply to alert methods field, select Syslog message.
  7. Click OK, then click Apply to save your changes.
  8. Create and configure rules based on your environment.
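
To confirm that a saved alert template produces the format shown in step 5, the following added example (not code from Varonis or from the USM Appliance plugin) parses one received Syslog line and reports any template key that is missing. It checks the line against the template on this page, not against the plugin's own parsing rules; the function names and every value in the sample line are constructed for illustration.

```python
import re

# Extension keys, in the order the alert template on this page emits them.
EXPECTED_KEYS = [
    "rt", "cat", "rep_device_rule_id", "event_action", "event_outcome",
    "event_receipt_time", "needs_enrichment", "source_username", "filePath",
    "fname", "destination_hostname", "rep_device_hostname", "rep_device_version",
]
# Only template keys act as boundaries, so values may contain spaces and "=".
KEY = re.compile(r"(?:^| )(" + "|".join(EXPECTED_KEYS) + r")=")
HEADER = ["vendor", "product", "version", "op_code", "rule_name", "severity"]
# Constructed sample line (all values are made up for this example).
SAMPLE = (
    r"2024-01-15 10:32:07 VaronisDatAlert Varonis: CEF:0|Varonis Inc.|DatAdvantage"
    r"|0.0.0|1001|Example rule|High|rt=2024-01-15 10:32:07 cat=Alert"
    r" rep_device_rule_id=42 event_action=File opened event_outcome=Success"
    r" event_receipt_time=2024-01-15 10:31:55 needs_enrichment="
    r"https://varonis.example.test/Datadvantage/#/app/analytics/entity/Alert/A1"
    r" source_username=EXAMPLE\jdoe filePath=C:\Share\Finance Reports\q1 budget.xlsx"
    r" fname=q1 budget.xlsx destination_hostname=fs01 rep_device_hostname=ws-17"
    r" rep_device_version=192.0.2.10"
)

def parse_alert(line):
    """Split one forwarded alert into CEF header fields and extension pairs."""
    m = re.search(r"VaronisDatAlert Varonis: (CEF:0\|.*)$", line.strip())
    if not m:
        raise ValueError("missing 'VaronisDatAlert Varonis: CEF:0|' prefix")
    # Seven header fields, then the extension; "\|" is an escaped pipe in CEF.
    parts = re.split(r"(?<!\\)\|", m.group(1), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("expected 7 CEF header fields before the extension")
    hits, ext = list(KEY.finditer(parts[7])), {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(parts[7])
        ext[hit.group(1)] = parts[7][hit.end():end].strip()
    return dict(zip(HEADER, parts[1:7])), ext

def check_alert(line):
    """Return a list of problems; an empty list means the line fits the template."""
    try:
        header, ext = parse_alert(line)
    except ValueError as exc:
        return [str(exc)]
    problems = ["missing key: " + k for k in EXPECTED_KEYS if k not in ext]
    if (header["vendor"], header["product"]) != ("Varonis Inc.", "DatAdvantage"):
        problems.append("unexpected vendor/product in CEF header")
    return problems
```

Run `check_alert` on a line captured at the Sensor after triggering a test alert; a line that lacks the `VaronisDatAlert Varonis: CEF:0|` prefix is rejected with a single prefix error.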

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

For troubleshooting, see the vendor documentation.