Collect Varonis logs

Supported in:

This document explains how to ingest Varonis logs to Google Security Operations using Bindplane. The parser extracts fields from the logs (SYSLOG + KV (CEF), LEEF) using grok patterns, specifically handling CEF, LEEF, and other Varonis-specific formats. It then maps the extracted fields to the Unified Data Model (UDM), handling various data formats and edge cases to ensure consistent representation.

Before you begin

Ensure that you have the following prerequisites:

  • Google SecOps instance
  • Windows 2016 or later or Linux host with systemd
  • If running behind a proxy, firewall ports are open
  • Privileged access to Varonis

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.

  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Linux installation

  1. Open a terminal with root or sudo privileges.

  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Additional installation resources

For additional installation options, consult the installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:
    • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    • Open the file using a text editor (for example, "nano", "vi", or Notepad).

  2. Edit the config.yaml file as follows:

    receivers:
    udplog:
        # Replace the port and IP address as required
        listen_address: "0.0.0.0:514"

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the path to the credentials file you downloaded in Step 1
        creds: '/path/to/ingestion-authentication-file.json'
        # Replace with your actual customer ID from Step 2
        customer_id: <customer_id>
        endpoint: malachiteingestion-pa.googleapis.com
        # Add optional ingestion labels for better organization
        ingestion_labels:
            log_type: 'VARONIS'
            raw_log_field: body

service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - udplog
            exporters:
                - chronicle/chronicle_w_labels

  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart bindplane-agent

  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop BindPlaneAgent && net start BindPlaneAgent

Configure Syslog export in Varonis

  1. Sign in to the Varonis web UI.
  2. Go to Tools > DatAlert > Select DatAlert.
  3. Select Configuration.
  4. Provide the following configuration details:
    • Syslog Message IP Address: Enter the Bindplane Agent IP address.
    • Port: Enter the Bindplane agent port number (for example, 514 for UDP).
    • Facility name: Select a facility.
  5. Click Apply.

Configure Syslog format in Varonis

  1. Go to Tools > DatAlert > Alert Templates.
  2. Click Edit Alert Template and select External system default template.
  3. In Apply to alert methods, select Syslog message from the list.
  4. Select Rules > Alert Method from the menu.
  5. Select Syslog message.
  6. Click OK.

UDM mapping table

Log Field UDM Mapping Logic
act security_result.summary Value from the act field in the CEF message.
cn1 security_result.rule_id Value from the cn1 field in the CEF message.
cs1 network.email.to Value from the cs1 field in the CEF message, specifically the email recipient.
cs2 security_result.rule_name Value from the cs2 field in the CEF message.
device_version metadata.product_version Value from the device_version field in the CEF message.
dhost principal.hostname Value from the dhost field in the CEF message, representing the principal hostname. If file_server is present and not "DirectoryServices", it overwrites this value.
duser target.user.userid Value from the duser field in the CEF message. Undergoes gsub transformation to remove backslashes and split into target.user.userid and target.administrative_domain.
dvchost target.hostname Value from the dvchost field in the CEF message.
filePath target.file.full_path Value from the filePath field in the CEF message.
rt metadata.event_timestamp Value from the rt field in the CEF message, parsed as a timestamp.
severity security_result.severity Value from the severity field in the CEF message or LEEF message. Converted to uppercase. Mapped to UDM severity values (LOW, INFORMATIONAL, MEDIUM, HIGH, CRITICAL) based on numeric value or keyword.
Acting Object target.user.user_display_name Value from the Acting Object field in the key-value data. Split by "\" to extract the display name.
Acting Object SAM Account Name target.user.userid Value from the Acting Object SAM Account Name field in the key-value data.
Device hostname target.hostname Value from the Device hostname field in the key-value data.
Device IP address target.ip Value from the Device IP address field in the key-value data.
Event Time metadata.event_timestamp Value from the Event Time field in the key-value data, parsed as a timestamp.
Event Type target.application, metadata.event_type Value from the Event Type field in the key-value data. Used to derive metadata.event_type (FILE_OPEN, USER_CHANGE_PERMISSIONS, USER_CHANGE_PASSWORD, USER_UNCATEGORIZED).
File Server/Domain principal.hostname Value from the File Server/Domain field in the key-value data. If not "DirectoryServices", it overwrites the principal.hostname derived from dhost.
Path target.file.full_path Value from the Path field in the key-value data.
Rule Description metadata.description Value from the Rule Description field in the key-value data.
Rule ID security_result.rule_id Value from the Rule ID field in the key-value data.
Rule Name security_result.rule_name Value from the Rule Name field in the key-value data.
intermediary_host intermediary.hostname Value extracted by grok, representing the intermediary hostname.
log_type metadata.log_type Hardcoded to VARONIS.
metadata.event_type metadata.event_type Derived based on the values of evt_typ, act, and filepath. Defaults to STATUS_UPDATE if event_type is GENERIC_EVENT and principal_hostname is present.
metadata.product_name metadata.product_name Hardcoded to VARONIS, but can be overwritten by the product_name field from the LEEF message.
metadata.vendor_name metadata.vendor_name Hardcoded to VARONIS, but can be overwritten by the vendor field from the LEEF message.
prin_host principal.hostname Value extracted by grok, representing the principal hostname.
product_name metadata.product_name Value from the LEEF message.
security_result.action security_result.action Derived from the result or Event Status field. Set to "ALLOW" if the result is Success, otherwise set to BLOCK.
timestamp timestamp, metadata.event_timestamp The event timestamp is derived from various fields (datetime1, event_time, start_datetime, datetime2) based on availability. The create_time from the raw log is used as a fallback and mapped to both timestamp and metadata.event_timestamp if no other timestamp fields are available.
vendor metadata.vendor_name Value from the LEEF message.

Changes

2025-02-06

Enhancement:

  • Added a new Grok pattern for LEEF log type.
  • Mapped description to metadata.description.
  • Mapped usrName to principal.user.userid.
  • Mapped Event_Type to metadata.product_event_type.
  • Mapped domain to prinicipal.administrative_domain.
  • Mapped proto, cat, Event_Additional_Data, Event_Status, Email_Attachment_Name, Email_Date, Account_of_Changed_Permissions, Permissions_Changes, Permissions_before_Change, and Permissions_after_Change to additional.fields.
  • Mapped Affected_Object_Path to taregt.file.full_path.
  • Mapped Affected_Object to security_result.detection_fields.
  • Mapped src to principal.ip and principal.assest.ip.
  • Mapped Alert_ID to security_result.rule_id.
  • Mapped Email_Recipients to network.email.to.
  • Mapped Email_Item, Mailbox_Access_by_Owner, Threshold_Value, Threshold_First_Timestamp, Event_by_MailboxOwner, and Email_Sender to additional.fields.
  • Mapped Email_Sender to network.email.from.
  • Mapped accountName to target.user.userid.
  • Mapped Device_Name to taregt.hostname and taregt.asset.hostname`.
  • Mapped Event_Type_ID to metadata.product_log_id.
  • Mapped Event_File_Server_Domain to target.administrative_domain.
  • Mapped Alert_Page_URL to taregt.url.
  • Mapped devTime to metadata.event_timestamp.
  • Mapped sev to security_result.severity.

2022-10-08

Enhancement:

  • Added grok pattern for LEEF log type.
  • Mapped severity to security_result.severity.
  • Mapped device_version to metadata.product_version.
  • Mapped administrative_domain to target.administrative_domain
  • Added conditional check for intermediary_host.

2022-10-07

Bug fix:

  • Mapped rt to metadata.event_timestamp if rt is not null.

Need more help? Get answers from Community members and Google SecOps professionals.