Configure Varonis to send logs to Arctic Wolf

You can configure Varonis® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • An activated Arctic Wolf Sensor
  • Admin access to Varonis DatAdvantage

Configure syslog message forwarding

  1. Sign in to Varonis DatAdvantage using admin credentials.
  2. Click Tools > DatAlert.
  3. In the menu, click Configuration.
  4. In the Syslog Message Forwarding section, configure these settings:
    • Syslog server IP address — Enter your Arctic Wolf Sensor IP address.
    • Port — Enter 514.
  5. Click Apply.

Configure the alert template format

  1. Sign in to Varonis DatAdvantage using admin credentials.
  2. Click Tools > DatAlert.
  3. In the menu, click Configuration.
  4. In the Alert Templates section, click to add a new alert template.
    The Add Alert Template dialog opens.
  5. In the Add Alert Template dialog, configure these settings:
    • Template name — Enter a template name, such as EventTracker syslog (CEF).
    • Apply to alert methods — Select Syslog message.
    • Alert template format — Manually edit the text in the field, where DLS_IP_ADDRESS is the IP address or hostname of the server running Varonis.
    Template text is similar to:
    CEF:0|Varonis|DatAdvantage|<DatAdvantage version>|<Event Op Code>|<Event Type>|<Severity>|rt=<Alert Time> cat=Alert cs2=<Rule Name> cs2Label=RuleName cn1=<Rule ID> cn1Label=RuleID end=<Event Time> duser=<Acting Object> dhost=<File Server/Domain> filePath=<Access Path> fname=<Affected Object> act=<Event Type> dvchost=<Device Name> dvc=<Device IP Address> outcome=<Event Status> msg=<Additional Data> cs3=<Attachment Name> cs3Label=AttachmentName cs4=http://<DLS_IP_ADDRESS>/DatAdvantage/#/app/analytics/entity/Alert/<Alert ID> cs4Label=AlertURL deviceCustomDate1=<Mail Date> fileType=<Mail Item Type> cs1=<Mail Recipients> cs1Label=MailRecipient suser=<Mail Source> cs5=<Mailbox Access Type> cs5Label=MailboxAccessType cnt=<Threshold> cs6=<Changed Permissions> cs6Label=ChangedPermissions oldFilePermission=<Permissions Before Change> filePermission=<Permissions After Change> dpriv=<Trustee> start=<First Event Time> externalId=<Alert ID>
  6. Click OK.
  7. Verify that the new alert template appears in the Alert Templates table.
  8. Click Apply.
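To see what the Sensor will receive from this template, here is an added example (not Varonis or Arctic Wolf code) that parses a constructed CEF alert shaped like the template above, resolves the csN/cnN slots through their *Label keys, and lists any promised template fields that an alert lacks; all host names, IDs and times in the sample are made up.

```python
import re
from typing import Dict, List

# Constructed sample alert shaped like the DatAlert template above; host names,
# IP address, IDs and times are made up, not real Varonis output.
SAMPLE = (
    "CEF:0|Varonis|DatAdvantage|8.5|1001|File Delete|7|"
    "rt=Jan 15 2024 10:21:07 cat=Alert cs2=Mass delete cs2Label=RuleName "
    "cn1=42 cn1Label=RuleID duser=CORP\\jdoe dhost=fs01 "
    "filePath=\\\\fs01\\finance fname=budget.xlsx act=Delete dvc=10.0.0.5 "
    "outcome=Success cs4=http://dls.example/DatAdvantage/#/app/analytics/"
    "entity/Alert/9001 cs4Label=AlertURL externalId=9001"
)

# Fields the template promises; a collector can flag alerts that lack them.
EXPECTED_FIELDS = ["rt", "RuleName", "RuleID", "AlertURL", "externalId"]

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")   # a '|' that is not escaped as '\|'
_KEY = re.compile(r"(?:^|\s)(\w+)=")        # extension key at the start of a token

def parse_cef(line: str) -> Dict[str, Dict[str, str]]:
    """Split a CEF line into its seven header fields and its extension pairs."""
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line with a version and seven header fields")
    names = ["version", "vendor", "product", "product_version",
             "signature_id", "name", "severity"]
    values = [parts[0][4:]] + [p.replace("\\|", "|") for p in parts[1:7]]
    ext: Dict[str, str] = {}
    keys = list(_KEY.finditer(parts[7]))
    for i, m in enumerate(keys):  # a value runs until the next key token
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m.group(1)] = parts[7][m.end():end].strip()
    return {"header": dict(zip(names, values)), "extension": ext}

def resolve_custom_fields(ext: Dict[str, str]) -> Dict[str, str]:
    """Rename csN/cnN slots using their *Label keys (cs2 + cs2Label=RuleName -> RuleName)."""
    out: Dict[str, str] = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue
        out[ext.get(key + "Label", key)] = value
    return out

def missing_template_fields(fields: Dict[str, str]) -> List[str]:
    """Return the expected template fields that this alert did not carry."""
    return [f for f in EXPECTED_FIELDS if not fields.get(f)]
```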

Configure alerts for a single rule or multiple rules

You must configure a syslog message to forward the events triggered by the rules to EventTracker.

  1. Sign in to Varonis DatAdvantage using admin credentials.
  2. Click Tools > DatAlert.
  3. In the menu, click Configuration.
  4. In the Rules section, select one or more rules to edit, and then click Edit Rule.
    The rule editing dialog opens.
  5. In the menu, click Alert Method.
  6. If you selected multiple rules, you must first enable the setting before it can be changed: next to Syslog message, select the checkbox.
  7. Select Syslog message.
  8. Click OK.

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.