Varonis Data Security
Overview
Varonis offers solutions to track and protect data.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Varonis Data Security. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x Varonis Data Security on ATT&CK Navigator
Cron Files Alteration
Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.
- Effort: advanced
NTDS.dit File In Suspicious Directory
The file NTDS.dit is supposed to be located mainly in C:\Windows\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes.
- Effort: advanced
OneNote Embedded File
Detects creation or uses of OneNote embedded files with unusual extensions.
- Effort: intermediate
Package Manager Alteration
Package manager (eg: apt, yum) can be altered to install malicious software
- Effort: advanced
RTLO Character
Detects RTLO (Right-To-Left character) in file and process names.
- Effort: elementary
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
SSH Authorized Key Alteration
The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision.
- Effort: advanced
Suspicious Email Attachment Received
Detects email containing an .exe|.dll|.ps1|.bat|.hta attachment. Most of the time files send by mail like this are malware.
- Effort: elementary
Varonis Data Security Email Alert
Varonis Data Security has raised an alert related to a supervised email account.
- Effort: master
WCE wceaux.dll Creation
Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.
- Effort: intermediate
Webshell Creation
Detects possible webshell file creation. It requires File Creation monitoring, which can be done using Sysmon's Event ID 11. However the recommended SwiftOnSecurity configuration does not fully cover the needs for this rule, it needs to be updated with the proper file names extensions.
- Effort: master
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Data loss prevention |
Varonis detects data exportation |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | alert |
| Category | `` |
| Type | info |
Event Samples
Find below few samples of events and how they are normalized by Sekoia.io.
{
"message": "CEF:0|Varonis|DatAdvantage|0.0.1|666|Alert|Medium|cat=Alert cs1=joh.doe@gmail.com cs3=runme.exe cs5=Mon Aug 1 06:40:30 2022 deviceCustomDate1=Mon Aug 1 06:40:35 2022 suser=fool rt=2023-06-09T14:16:15.212418 cs2=Abnormal admin behavior: access to atypical mailboxes cn1=Rule Name end=2023-06-09T14:16:15.212435 duser=root dhost=127.0.0.1 filePath=~/pub.key act=Alert dvchost=HOSTNAME dvc=192.168.0.1 outcome=failure msg=Hello externalId=172ae7a0-e2c6-4b0d-a48e-b2cb8ead2481",
"event": {
"action": "Alert",
"category": [
"email"
],
"dataset": "Alert",
"end": "2023-06-09T14:16:15.212435Z",
"kind": "alert",
"reason": "Hello",
"type": [
"info"
]
},
"@timestamp": "2023-06-09T14:16:15.212418Z",
"email": {
"attachments": [
{
"file": {
"mime_type": "",
"name": "runme.exe"
}
}
],
"delivery_timestamp": "2022-08-01T06:40:35Z",
"from": {
"address": "fool"
},
"to": {
"address": "joh.doe@gmail.com"
}
},
"file": {
"directory": "~",
"name": "pub.key",
"path": "~/pub.key"
},
"host": {
"name": "127.0.0.1"
},
"observer": {
"product": "DatAdvantage",
"vendor": "Varonis",
"version": "0.0.1"
},
"related": {
"ip": [
"192.168.0.1"
],
"user": [
"root"
]
},
"rule": {
"description": "Abnormal admin behavior: access to atypical mailboxes",
"id": "666",
"name": "Rule Name"
},
"source": {
"address": "192.168.0.1",
"ip": "192.168.0.1"
},
"user": {
"name": "root"
},
"varonis": {
"datalert": {
"id": "172ae7a0-e2c6-4b0d-a48e-b2cb8ead2481",
"outcome": "failure"
}
}
}
{
"message": "CEF:0|Varonis|DatAdvantage|0.0.1|666|Alert|Medium|cat=Alert cs2=SomeRule cs2Label=RuleName cn1=Some rule description cn1Label=RuleID end= duser= dhost=1.2.3.4 filePath= fname= act= dvchost= outcome= msg= cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6= cs6Label=ChangedPermissions oldFilePermission=555 filePermission=777 dpriv= start=",
"event": {
"category": [
"network"
],
"dataset": "Alert",
"kind": "alert",
"type": [
"info"
]
},
"host": {
"name": "1.2.3.4"
},
"observer": {
"product": "DatAdvantage",
"vendor": "Varonis",
"version": "0.0.1"
},
"rule": {
"description": "SomeRule",
"id": "666",
"name": "Some rule description"
},
"varonis": {
"datalert": {
"file": {
"old_permission": "555",
"permission": "777"
}
}
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
email.attachments |
nested |
List of objects describing the attachments. |
email.delivery_timestamp |
date |
Date and time when message was delivered. |
email.from.address |
keyword |
The sender's email address. |
email.to.address |
keyword |
Email address of recipient |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.dataset |
keyword |
Name of the dataset. |
event.end |
date |
event.end contains the date when the event ended or when the activity was last observed. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
event.url |
keyword |
Event investigation URL |
file.name |
keyword |
Name of the file including the extension, without the directory. |
file.path |
keyword |
Full path to the file, including the file name. |
host.name |
keyword |
Name of the host. |
observer.product |
keyword |
The product name of the observer. |
observer.vendor |
keyword |
Vendor name of the observer. |
observer.version |
keyword |
Observer version. |
rule.description |
keyword |
Rule description |
rule.id |
keyword |
Rule ID |
rule.name |
keyword |
Rule name |
source.ip |
ip |
IP address of the source. |
user.name |
keyword |
Short name or login of the user. |
varonis.datalert.file.old_permission |
keyword |
The permissions before the change. Data is not collected for all event types. |
varonis.datalert.file.permission |
keyword |
The permissions after the change. Data is not collected for all event types. |
varonis.datalert.file.permissions_change |
keyword |
The specified changes in permissions. Data is not collected for all event types. |
varonis.datalert.id |
keyword |
The ID of the triggered alert within DatAlert. |
varonis.datalert.num_events |
number |
The number of events which triggered the alert. |
varonis.datalert.outcome |
keyword |
Whether the event which triggered the alert succeeded or failed. |
Configure
This setup guide will show you how to forward your Varonis Data Security logs to Sekoia.io by means of a syslog transport channel.
Prerequisites
- Have an internal log concentrator (Rsyslog)
Enable Syslog forwarding for Varonis Data Security
You can configure the Syslog server address in DatAlert so that alerts are sent to SEKOIA. To configure the Syslog server address in DatAlert:
- In DatAdvantage, select Tools > DatAlert. DatAlert is displayed.
- From the left menu, select Configuration.
- In Syslog Message Forwarding fill the Syslog server IP address and the Port with the ip address and the port of the log concentrator.
- Click OK
Create the intake
Go to the intake page and create a new intake from the format Varonis Data Security
Forward logs to Sekoia.io
Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.
Currently, the syslog format generated by Varonis does not comply with RFC standards. As a result, the transmitted data is not inherently compatible with the Sekoia forwarder. Therefore, it is necessary to refer to this documentation in order to extend the default configuration of the forwarder (available since version 2.4) and add this specific configuration for Varonis logs:
input(type="im$PROTOCOL" port="$PORT" ruleset="remoteVaronis")
template(name="SEKOIAIO_Varonis_Template" type="string" string="<%pri%>1 %timegenerated:::date-rfc3339% %hostname% $APP-NAME - LOG [SEKOIA@53288 intake_key=\"$INTAKE-KEY\"] %msg:R,ERE,1,FIELD:.*(CEF.*)$--end%\n")
ruleset(name="remoteVaronis"){
action(
name="varonis"
type="omfwd"
protocol="tcp"
target="intake.sekoia.io"
port="10514"
TCP_Framing="octet-counted"
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="x509/name"
StreamDriverPermittedPeers="intake.sekoia.io"
Template="SEKOIAIO_Varonis_Template"
)
}
Note
Don't forget to replace the variables $PROTOCOL (tcp or udp) to choose the protocol by which Varonis logs are received, the $PORT of entry, your $APP-NAME syslog, and your $INTAKE-KEY Sekoia.