Varonis integration


Version	0.2.0 beta:[] (View all)
Compatible Kibana version(s)	8.15.3 or higher 9.0.0 or higher
Supported Serverless project types What's this?	Security Observability
Subscription level What's this?	Basic
Level of support What's this?	Elastic

Varonis is a data security platform that helps organizations protect their sensitive data from insider threats and cyberattacks. This integration collects and analyzes security alerts from Varonis, enabling real-time threat monitoring, compliance reporting, and incident response.

Data Streams

logs: Provides alert data from Varonis syslog. This data stream includes information about alerts generated by Varonis, such as the alert type, severity, file permission changes, and more.

Requirements

Configure Varonis DatAlert for Syslog forwarding:

Users can configure the syslog server address in DatAlert so that alerts can be sent to elasticsearch integration.

Login to the Varonis UI using admin credentials.
In Data Advantage, select Tools > DatAlert > Select DatAlert.
From the left menu, select Configuration.
In syslog message forwarding, do the following:
- Syslog server IP address: Enter the IP address of the machine where the Elasticsearch integration agent is running.
- Port: Enter the UDP port on which this integration will be configured (e.g., 9035).
Click Apply.

Create Alert Template in Varonis DatAlert:

In DatAlert, select Alert Templates.
Click the Green Plus sign to add a new alert template.
Template name: Select External system default template (CEF).
Apply to alert methods: Select Syslog message.
Click OK.

This integration expects to use External system default template (CEF) for alert forwarding in Varonis DatAlert tool. In case any custom template is used, all the fields in External system default template (CEF) should also be present in custom template along with the other additional fields. Additional fields will be part of varonis.logs object and such fields will be indexed only if dynamic mapping is enabled in Elasticsearch.

Pre-Processors

There are cases where incoming CEF messages do not follow the CEF specification exactly, and this can cause errors with message decoding. To work around this, there is an option for pre-processors, which are run before the CEF message is decoded. These can be used modify the message to follow the CEF specification correctly, which will allow proper decoding.

The pre-processors will modify the message field before CEF decoding is done on the agent, but the original, non-preprocessed, message will still be preserved in the event.original field when the agent sends the event.

Logs reference

varonis.logs

Logs documents can be found by setting the following filter: event.dataset : "varonis.logs"

		{
    "@timestamp": "2024-11-22T16:19:09.000Z",
    "agent": {
        "ephemeral_id": "97d1a7b2-9413-428f-8969-4f5f62d5432f",
        "id": "d1133e80-f6c0-4944-b3c2-426cddf483b7",
        "name": "elastic-agent-18048",
        "type": "filebeat",
        "version": "8.15.3"
    },
    "data_stream": {
        "dataset": "varonis.logs",
        "namespace": "72531",
        "type": "logs"
    },
    "destination": {
        "domain": "10.100.20.12",
        "user": {
            "group": {
                "name": "Everyone"
            },
            "name": "zta.local\\Dani Lulli (ADMIN)"
        }
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d1133e80-f6c0-4944-b3c2-426cddf483b7",
        "snapshot": false,
        "version": "8.15.3"
    },
    "event": {
        "action": "Folder permissions added",
        "agent_id_status": "verified",
        "category": [
            "configuration"
        ],
        "code": "6000",
        "dataset": "varonis.logs",
        "end": "2024-11-22T16:19:05.000Z",
        "ingested": "2025-03-28T17:00:05Z",
        "kind": "event",
        "module": "varonis",
        "original": "CEF:0|Varonis Inc.|DatAdvantage|8.6.51|6000|Folder permissions added|3|rt=Nov 22 2024 16:19:09 cat=Alert cs2=Permissions granted to Global Access Groups cs2Label=RuleName cn1=132 cn1Label=RuleID end=Nov 22 2024 16:19:05 duser=zta.local\\\\Dani Lulli (ADMIN) dhost=10.100.20.12 filePath=E:\\\\Share\\\\Share\\\\Finance fname=Finance act=Folder permissions added dvchost= outcome=Success msg=Read & Execute permissions for This folder, subfolders and files (not inherited) was added to  Everyone on E:\\\\Share\\\\Share\\\\Finance cs3= cs3Label=AttachmentName cs4=test cs4Label=ClientAccessType deviceCustomDate1= fileType=csv cs1=admin@test.com cs1Label=MailRecipient suser=Admin cs5=test cs5Label=MailboxAccessType cnt=10 cs6=Read & Execute cs6Label=ChangedPermissions oldFilePermission=Read filePermission=Read & Execute dpriv=Everyone start=",
        "outcome": "success",
        "severity": 3,
        "severity_label": "error",
        "type": [
            "info"
        ]
    },
    "file": {
        "group": "Read & Execute",
        "name": "Finance",
        "path": "E:\\Share\\Share\\Finance",
        "type": "csv"
    },
    "input": {
        "type": "udp"
    },
    "message": "Read & Execute permissions for This folder, subfolders and files (not inherited) was added to  Everyone on E:\\Share\\Share\\Finance",
    "observer": {
        "product": "DatAdvantage",
        "vendor": "Varonis Inc.",
        "version": "8.6.51"
    },
    "source": {
        "user": {
            "name": "Admin"
        }
    },
    "tags": [
        "preserve_original_event",
        "forwarded"
    ],
    "varonis": {
        "logs": {
            "base_event_count": 10,
            "changed_permissions": "Read & Execute",
            "client_access_type": "test",
            "device_event_category": "Alert",
            "mail_recipient": "admin@test.com",
            "mailbox_access_type": "test",
            "old_file_permission": "Read",
            "rule_id": 132,
            "rule_name": "Permissions granted to Global Access Groups"
        }
    }
}

	

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

The following non-ECS fields are used in events documents:

Field	Description	Type
@timestamp	Event timestamp.	date
data_stream.dataset	Data stream dataset.	constant_keyword
data_stream.namespace	Data stream namespace.	constant_keyword
data_stream.type	Data stream type.	constant_keyword
event.dataset		constant_keyword
event.module		constant_keyword
event.severity_label		keyword
input.type	Input type	keyword
varonis.logs.attachment_name	The name of the attachment involved in the event.	keyword
varonis.logs.base_event_count	The threshold value for number of events.
varonis.logs.changed_permissions	The permissions that were changed.	keyword
varonis.logs.client_access_type	The type of client access involved in the event.	keyword
varonis.logs.device_custom_date1	A custom date field from varonis syslog.
varonis.logs.device_event_category	The category of the device event.	keyword
varonis.logs.device_host_name	The host name of the device.	keyword
varonis.logs.device_receipt_time	The time the device received the event.
varonis.logs.event_category	The category of the event.	keyword
varonis.logs.mail_recipient	The mail recipient involved in the event.	keyword
varonis.logs.mailbox_access_type	The type of mailbox access involved in the event.	keyword
varonis.logs.old_file_permission	The file permissions before the change.	keyword
varonis.logs.rule_id	The ID of the rule that triggered the event.	integer
varonis.logs.rule_name	The name of the rule that triggered the event.	keyword

Changelog

Version	Details	Kibana version(s)
0.2.0	Enhancement (View pull request) Add preprocessors config option, to allow running processors before CEF messages are decoded.	—
0.1.0	Enhancement (View pull request) Initial release.	—