Documentation Center
AlienVault® USM Anywhere™

Varonis DatAdvantage

When you configure Varonis DatAdvantage to send log data to USM Anywhere, you can use the Varonis DatAdvantage plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Varonis
Device Type Data Protection
Connection Type Syslog

Integrating Varonis DatAdvantage

Before you configure the Varonis DatAdvantage integration, you must have the IP Address of the USM Anywhere Sensor.

To configure Varonis DatAdvantage to send Syslog messages to USM Anywhere

  1. Log into Varonis DatAdvantage.
  2. Select Tools > DatAlert.
  3. Select the Configuration tab and specify values for fields in the Syslog Message Forwarding section:
    • Syslog server IP address: Enter the USM Anywhere IP address
    • Port: 514
    • Facility name: Choose a value based on your environment
    • Identity: Use the default value
  4. Select the Alert Templates tab, and choose the Varonis default template.
  5. In the Apply to alert methods field, select Syslog message.
  6. Click OK, then click Apply to save your changes.
  7. Create and configure rules based on your environment.

Plugin Enablement

The Varonis DatAdvantage plugin will automatically process all messages when the raw message contains "DatAdvantage".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customfield_1
  • customfield_2
  • customfield_3
  • customfield_4
  • customfield_5
  • customheader_1
  • customheader_2
  • customheader_3
  • customheader_4
  • customheader_5
  • destination_hostname
  • destination_ntdomain
  • destination_user_privileges
  • destination_username
  • device_event_category
  • email_recipient
  • event_action
  • event_name
  • event_outcome
  • event_receipt_time
  • event_severity
  • file_name
  • file_old_permission
  • file_path
  • file_permission
  • highlight_fields
  • needs_enrichment
  • plugin_device
  • plugin_device_type
  • rep_device_hostname
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_ntdomain
  • source_username
  • time_end
  • transient

Additional Resources and Troubleshooting

For troubleshooting, see the vendor documentation.