Varonis Data Security
Overview
Varonis offers solutions to track and protect data.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Varonis Data Security. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x Varonis Data Security on ATT&CK Navigator
Cookies Deletion
Detects when cookies are deleted by a suspicious process.
- Effort: master
Cron Files Alteration
Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.
- Effort: advanced
Cryptomining
Detection of domain names potentially related to cryptomining activities.
- Effort: master
Dynamic DNS Contacted
Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.
- Effort: master
Exfiltration Domain
Detects traffic toward a domain flagged as a possible exfiltration vector.
- Effort: master
NTDS.dit File In Suspicious Directory
The file NTDS.dit is supposed to be located mainly in C:\Windows\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes.
- Effort: advanced
OneNote Embedded File
Detects creation or uses of OneNote embedded files with unusual extensions.
- Effort: intermediate
Package Manager Alteration
Package manager (eg: apt, yum) can be altered to install malicious software
- Effort: advanced
RTLO Character
Detects RTLO (Right-To-Left character) in file and process names.
- Effort: elementary
Remote Access Tool Domain
Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).
- Effort: master
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
SSH Authorized Key Alteration
The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision.
- Effort: advanced
Sekoia.io EICAR Detection
Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.
- Effort: master
Suspicious Email Attachment Received
Detects email containing an .exe|.dll|.ps1|.bat|.hta attachment. Most of the time files send by mail like this are malware.
- Effort: elementary
TOR Usage Generic Rule
Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
- Effort: master
Varonis Data Security Email Alert
Varonis Data Security has raised an alert related to a supervised email account.
- Effort: master
Varonis Data Security Network Alert
Varonis Data Security has raised an alert related to a network rule
- Effort: master
WCE wceaux.dll Creation
Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.
- Effort: intermediate
Webshell Creation
Detects possible webshell file creation. It requires File Creation monitoring, which can be done using Sysmon's Event ID 11. However the recommended SwiftOnSecurity configuration does not fully cover the needs for this rule, it needs to be updated with the proper file names extensions.
- Effort: master
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Data loss prevention |
Varonis detects data exportation |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | alert |
| Category | `` |
| Type | info |
Event Samples
Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "CEF:0|Varonis|DatAdvantage|0.0.1|666|Alert|Medium|cat=Alert cs1=joh.doe@gmail.com cs3=runme.exe cs5=Mon Aug 1 06:40:30 2022 deviceCustomDate1=Mon Aug 1 06:40:35 2022 suser=fool rt=2023-06-09T14:16:15.212418 cs2=Abnormal admin behavior: access to atypical mailboxes cn1=Rule Name end=2023-06-09T14:16:15.212435 duser=root dhost=127.0.0.1 filePath=~/pub.key act=Alert dvchost=HOSTNAME dvc=192.168.0.1 outcome=failure msg=Hello externalId=172ae7a0-e2c6-4b0d-a48e-b2cb8ead2481",
"event": {
"action": "Alert",
"category": [
"email"
],
"dataset": "Alert",
"end": "2023-06-09T14:16:15.212435Z",
"kind": "alert",
"reason": "Hello",
"type": [
"info"
]
},
"@timestamp": "2023-06-09T14:16:15.212418Z",
"email": {
"attachments": [
{
"file": {
"mime_type": "",
"name": "runme.exe"
}
}
],
"delivery_timestamp": "2022-08-01T06:40:35Z",
"from": {
"address": "fool"
},
"to": {
"address": "joh.doe@gmail.com"
}
},
"file": {
"directory": "~",
"name": "pub.key",
"path": "~/pub.key"
},
"host": {
"name": "127.0.0.1"
},
"observer": {
"product": "DatAdvantage",
"vendor": "Varonis",
"version": "0.0.1"
},
"related": {
"ip": [
"192.168.0.1"
],
"user": [
"root"
]
},
"rule": {
"description": "Abnormal admin behavior: access to atypical mailboxes",
"id": "666",
"name": "Rule Name"
},
"source": {
"address": "192.168.0.1",
"ip": "192.168.0.1"
},
"user": {
"name": "root"
},
"varonis": {
"datalert": {
"id": "172ae7a0-e2c6-4b0d-a48e-b2cb8ead2481",
"outcome": "failure"
}
}
}
{
"message": "CEF:0|Varonis|DatAdvantage|0.0.1|666|Alert|Medium|cat=Alert cs2=SomeRule cs2Label=RuleName cn1=Some rule description cn1Label=RuleID end= duser= dhost=1.2.3.4 filePath= fname= act= dvchost= outcome= msg= cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6= cs6Label=ChangedPermissions oldFilePermission=555 filePermission=777 dpriv= start=",
"event": {
"category": [
"network"
],
"dataset": "Alert",
"kind": "alert",
"type": [
"info"
]
},
"host": {
"name": "1.2.3.4"
},
"observer": {
"product": "DatAdvantage",
"vendor": "Varonis",
"version": "0.0.1"
},
"rule": {
"description": "SomeRule",
"id": "666",
"name": "Some rule description"
},
"varonis": {
"datalert": {
"file": {
"old_permission": "555",
"permission": "777"
}
}
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
email.attachments |
nested |
List of objects describing the attachments. |
email.delivery_timestamp |
date |
Date and time when message was delivered. |
email.from.address |
keyword |
The sender's email address. |
email.to.address |
keyword |
Email address of recipient |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.dataset |
keyword |
Name of the dataset. |
event.end |
date |
event.end contains the date when the event ended or when the activity was last observed. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
event.url |
keyword |
Event investigation URL |
file.name |
keyword |
Name of the file including the extension, without the directory. |
file.path |
keyword |
Full path to the file, including the file name. |
host.name |
keyword |
Name of the host. |
observer.product |
keyword |
The product name of the observer. |
observer.vendor |
keyword |
Vendor name of the observer. |
observer.version |
keyword |
Observer version. |
rule.description |
keyword |
Rule description |
rule.id |
keyword |
Rule ID |
rule.name |
keyword |
Rule name |
source.ip |
ip |
IP address of the source. |
user.name |
keyword |
Short name or login of the user. |
varonis.datalert.file.old_permission |
keyword |
The permissions before the change. Data is not collected for all event types. |
varonis.datalert.file.permission |
keyword |
The permissions after the change. Data is not collected for all event types. |
varonis.datalert.file.permissions_change |
keyword |
The specified changes in permissions. Data is not collected for all event types. |
varonis.datalert.id |
keyword |
The ID of the triggered alert within DatAlert. |
varonis.datalert.num_events |
number |
The number of events which triggered the alert. |
varonis.datalert.outcome |
keyword |
Whether the event which triggered the alert succeeded or failed. |
Configure
This setup guide will show you how to forward your Varonis Data Security logs to Sekoia.io by means of a syslog transport channel.
Prerequisites
- Have an internal log concentrator (Rsyslog)
Enable Syslog forwarding for Varonis Data Security
You can configure the Syslog server address in DatAlert so that alerts are sent to SEKOIA. To configure the Syslog server address in DatAlert:
- In DatAdvantage, select
Tools>DatAlert. DatAlert is displayed. - From the left menu, select
Configuration. - In the
Syslog Message Forwardingsection, fill the Syslog server IP address and the Port with the ip address and the port of the log concentrator. - Click OK
Create a message forwarding template
- In DatAlert, select
Alert Templates - Select
External system default template (CEF)and clickEdit Alert Template - In
Apply to alert methods, selectSyslog message - Click OK
Create the intake
Go to the intake page and create a new intake from the format Varonis Data Security
Forward logs to Sekoia.io
Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.
Currently, the syslog format generated by Varonis does not comply with RFC standards. As a result, the transmitted data is not inherently compatible with the Sekoia forwarder. Therefore, it is necessary to refer to this documentation in order to extend the default configuration of the forwarder (available since version 2.4) and add this specific configuration for Varonis logs:
input(type="im$PROTOCOL" port="$PORT" ruleset="remoteVaronis")
template(name="SEKOIAIO_Varonis_Template" type="string" string="<%pri%>1 %timegenerated:::date-rfc3339% %hostname% $APP-NAME - LOG [SEKOIA@53288 intake_key=\"$INTAKE-KEY\"] %msg:R,ERE,1,FIELD:.*(CEF.*)$--end%\n")
ruleset(name="remoteVaronis"){
action(
name="varonis"
type="omfwd"
protocol="tcp"
target="intake.sekoia.io"
port="10514"
TCP_Framing="octet-counted"
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="x509/name"
StreamDriverPermittedPeers="intake.sekoia.io"
Template="SEKOIAIO_Varonis_Template"
)
}
Note
Don't forget to replace the variables $PROTOCOL (tcp or udp) to choose the protocol by which Varonis logs are received, the $PORT of entry, your $APP-NAME syslog, and your $INTAKE-KEY Sekoia.