Skip to content

Varonis Data Security

Overview

Varonis offers solutions to track and protect data.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Benefit from SEKOIA.IO built-in rules and upgrade Varonis Data Security [BETA] with the following detection capabilities out-of-the-box.

SEKOIA.IO x Varonis Data Security [BETA] on ATT&CK Navigator

Cron Files Alteration

Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation.

  • Effort: advanced
NTDS.dit File In Suspicious Directory

The file NTDS.dit is supposed to be located mainly in C:\Windows\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes.

  • Effort: advanced
OneNote Embedded File

Detects creation or uses of OneNote embedded files with unusual extensions.

  • Effort: intermediate
Package Manager Alteration

Package manager (eg: apt, yum) can be altered to install malicious software

  • Effort: advanced
RTLO Character

Detects RTLO (Right-To-Left character) in file and process names.

  • Effort: elementary
RYUK Ransomeware - martinstevens Username

Detects user name "martinstevens". Wizard Spider is used to add the user name "martinstevens" to the AD of its victims. It was observed in several campaigns; in 2019 and 2020.

  • Effort: elementary
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
SSH Authorized Key Alteration

The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision

  • Effort: advanced
WCE wceaux.dll Creation

Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.

  • Effort: intermediate
Webshell Creation

Detects possible webshell file creation. It requires File Creation monitoring, which can be done using Sysmon's Event ID 11. However the recommended SwiftOnSecurity configuration does not fully cover the needs for this rule, it needs to be updated with the proper file names extensions.

  • Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Data loss prevention Varonis detects data exportation

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind alert
Category ``
Type info

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "CEF:0|Varonis|DatAdvantage|0.0.1|666|Alert|Medium|cat=Alert cs1=joh.doe@gmail.com cs3=runme.exe cs5=Mon Aug  1 06:40:30 2022 deviceCustomDate1=Mon Aug  1 06:40:35 2022 suser=fool rt=2023-06-09T14:16:15.212418 cs2=Abnormal admin behavior: access to atypical mailboxes cn1=Rule Name end=2023-06-09T14:16:15.212435 duser=root dhost=127.0.0.1 filePath=~/pub.key act=Alert dvchost=HOSTNAME dvc=192.168.0.1 outcome=failure msg=Hello externalId=172ae7a0-e2c6-4b0d-a48e-b2cb8ead2481",
    "event": {
        "kind": "alert",
        "category": [
            "email"
        ],
        "type": [
            "info"
        ],
        "dataset": "Alert",
        "action": "Alert",
        "end": "2023-06-09T14:16:15.212435Z",
        "reason": "Hello"
    },
    "@timestamp": "2023-06-09T14:16:15.212418Z",
    "observer": {
        "vendor": "Varonis",
        "product": "DatAdvantage",
        "version": "0.0.1"
    },
    "rule": {
        "id": "666",
        "name": "Rule Name",
        "description": "Abnormal admin behavior: access to atypical mailboxes"
    },
    "user": {
        "name": "root"
    },
    "host": {
        "name": "127.0.0.1"
    },
    "file": {
        "path": "~/pub.key",
        "name": "pub.key",
        "directory": "~"
    },
    "source": {
        "ip": "192.168.0.1",
        "address": "192.168.0.1"
    },
    "email": {
        "attachments": [
            {
                "file": {
                    "name": "runme.exe",
                    "mime_type": ""
                }
            }
        ],
        "delivery_timestamp": "2022-08-01T06:40:35Z",
        "to": {
            "address": "joh.doe@gmail.com"
        },
        "from": {
            "address": "fool"
        }
    },
    "varonis": {
        "datalert": {
            "outcome": "failure",
            "id": "172ae7a0-e2c6-4b0d-a48e-b2cb8ead2481"
        }
    },
    "related": {
        "ip": [
            "192.168.0.1"
        ],
        "user": [
            "root"
        ]
    }
}
{
    "message": "CEF:0|Varonis|DatAdvantage|0.0.1|666|Alert|Medium|cat=Alert cs2=SomeRule cs2Label=RuleName cn1=Some rule description cn1Label=RuleID end= duser= dhost=1.2.3.4 filePath= fname= act= dvchost= outcome= msg= cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6= cs6Label=ChangedPermissions oldFilePermission=555 filePermission=777 dpriv= start=",
    "event": {
        "kind": "alert",
        "category": [
            "network"
        ],
        "type": [
            "info"
        ],
        "dataset": "Alert"
    },
    "observer": {
        "vendor": "Varonis",
        "product": "DatAdvantage",
        "version": "0.0.1"
    },
    "rule": {
        "id": "666",
        "name": "Some rule description",
        "description": "SomeRule"
    },
    "host": {
        "name": "1.2.3.4"
    },
    "varonis": {
        "datalert": {
            "file": {
                "old_permission": "555",
                "permission": "777"
            }
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
email.attachments nested List of objects describing the attachments.
email.delivery_timestamp date Date and time when message was delivered.
email.from.address keyword The sender's email address.
email.to.address keyword Email address of recipient
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.dataset keyword Name of the dataset.
event.end date event.end contains the date when the event ended or when the activity was last observed.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
event.url keyword Event investigation URL
file.name keyword Name of the file including the extension, without the directory.
file.path keyword Full path to the file, including the file name.
host.name keyword Name of the host.
observer.product keyword The product name of the observer.
observer.vendor keyword Vendor name of the observer.
observer.version keyword Observer version.
rule.description keyword Rule description
rule.id keyword Rule ID
rule.name keyword Rule name
source.ip ip IP address of the source.
user.name keyword Short name or login of the user.
varonis.datalert.file.old_permission keyword The permissions before the change. Data is not collected for all event types.
varonis.datalert.file.permission keyword The permissions after the change. Data is not collected for all event types.
varonis.datalert.file.permissions_change keyword The specified changes in permissions. Data is not collected for all event types.
varonis.datalert.id keyword The ID of the triggered alert within DatAlert.
varonis.datalert.num_events number The number of events which triggered the alert.
varonis.datalert.outcome keyword Whether the event which triggered the alert succeeded or failed.

Configure

This setup guide will show you how to forward your Varonis Data Security logs to Sekoia.io by means of a syslog transport channel.

Prerequisites

  • Have an internal log concentrator (Rsyslog)

Enable Syslog forwarding for Varonis Data Security

You can configure the Syslog server address in DatAlert so that alerts are sent to SEKOIA. To configure the Syslog server address in DatAlert:

  1. In DatAdvantage, select Tools > DatAlert. DatAlert is displayed.
  2. From the left menu, select Configuration.
  3. In Syslog Message Forwarding fill the Syslog server IP address and the Port with the ip address and the port of the log concentrator.
  4. Click OK

Create the intake

Go to the intake page and create a new intake from the format Varonis Data Security

Forward logs to Sekoia.io

Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.