AQUILA - Varonis (DLP) Integration

Purpose

This document outlines the procedure to integrate Varonis DatAlert or DatAdvantage with a SIEM platform using Syslog (CEF). The integration provides visibility into sensitive data access, permissions changes, and threat alerts.

Prerequisites

• Admin access to Varonis DatAlert Console

• IP address and port of your SIEM/syslog collector

• Network/firewall access from Varonis to SIEM (UDP or TCP port open)

• (Optional) CEF parsing support in your SIEM

Step 1: Configure Varonis DatAlert for Syslog forwarding

1. Log in to the Varonis DatAlert Console.

2. Navigate to:
   Tools → DatAlert → Configuration → Syslog
   

3. Click Add Syslog Server.

4. Input the following:

   • Server Name: Descriptive name (e.g., AquilaSyslog)

   • IP Address:  AQUILA log collector IP

   • Port: Common options: 514 or 10514

   • Protocol: Choose UDP or TCP (enable encryption if needed)

   • Message Format: Choose CEF

5. Click Apply.

Step 2: Create Alert Template in Varonis DatAlert

1. Go to:
   Tools → DatAlert → Templates
   

2. Click New Template.

3. Enter:

   • Template Name: e.g., “AQUILA Syslog CEF Export”

   • Description: Template for sending alerts to AQUILA

4. In the Alert Outputs section:

   • Check Syslog Message

   • Choose the syslog server created in Step 1

5. Set the Message Format to External system default template (CEF)

6. Click OK.

Step 3: Enable Alerts to Send via Syslog

1. Navigate to:
   DatAlert → Rules
   

2. Select a rule (e.g., “Mass file access” or “Sensitive File Access”)

3. Click Edit on the rule.

4. Go to the Outputs section:

   • Check Syslog Message

   • Assign your custom template (e.g., “Syslog CEF Export”)

5. Click Save.

6. Repeat for each alert rule you want to forward to AQUILA.

---

Please provide the following information to CyTech Support: 

 

 

If you need further assistance, kindly contact our support at support@cytechint.com for prompt assistance and guidance.