
AQUILA - Varonis (DLP) Integration

Purpose

This document outlines the procedure to integrate Varonis DatAlert or DatAdvantage with a SIEM platform using Syslog (CEF). The integration provides visibility into sensitive data access, permissions changes, and threat alerts.

Prerequisites
  • Admin access to Varonis DatAlert Console

  • IP address and port of your SIEM/syslog collector

  • Network/firewall access from Varonis to SIEM (UDP or TCP port open)

  • (Optional) CEF parsing support in your SIEM

Step 1: Configure Varonis DatAlert for Syslog forwarding
  1. Log in to your Varonis DatAlert UI Console using admin credentials.

  2. In DatAdvantage, select DatAlert (Tools → DatAlert).

  3. Select Configuration.

  4. Under Syslog Message Forwarding, input the following:

    • Name: a descriptive name (e.g., AquilaSyslog)

    • IP Address: AQUILA log collector IP

    • Port: 9035 (if the port has already been used, you can set another one; common options are 514 or 10514)

    • Transport protocol: choose UDP or TCP (enable encryption if needed)

    • Message Format: choose CEF (if not already an option; some Varonis versions infer it)

    • Facility name: choose a different facility.

  5. Click Apply.

Step 2: Create Alert Template in Varonis DatAlert
  1. In DatAlert, go to Tools → Alert Templates.

  2. Click the green plus sign to add a new Alert Template.

  3. Enter:

    • Template Name: e.g., "AQUILA Syslog CEF Export"

    • Description: Template for sending alerts to AQUILA

  4. In the Alert Outputs section:

    • Check Syslog Message

    • Choose the syslog server created in Step 1

  5. Set the Message Format to 'External system default template (CEF)'.

  6. Under Apply to alert methods, select 'Syslog message'.

  7. Click OK.

Step 3: Configuring alerts for single or multiple rules

To select the Syslog alert method for a single rule:

  1. From the DatAlert rules table, select the rule, then click Edit Rule. The rule editing menu appears.
  2. From the left menu, select Alerts Method. The "Alert Method" window appears.
  3. Select Syslog message.
  4. Click OK.

To select the Syslog alert method for multiple rules:

  1. From the DatAlert rules table, select the rules (e.g., "Mass file access" or "Sensitive File Access"), then click Edit Rule. The rule editing menu appears.
  2. From the left menu, select Alerts Method. The "Alert Method" window appears, and its contents are disabled for selection.
  3. Click the edit icon for the Syslog message option, then click the checkbox next to Syslog message.
  4. Click OK.
  5. Go to the Outputs section:

    • Check Syslog Message

    • Assign your custom template (e.g., "Syslog CEF Export")

  6. Click Save.
  7. Repeat for each alert rule you want to forward to AQUILA.
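To confirm on the collector side that the forwarding configured above actually arrives in usable form, here is an added Python checker (not Varonis or AQUILA code): it parses a CEF record out of a syslog line, honouring the CEF escaping of "|" in the header and of "=" and "\" in the extension, and can read datagrams directly on the UDP port 9035 chosen in Step 1. The sample line, hostname and all field values are constructed, not captured output.

```python
import re
import socket

# Constructed sample (not captured from a real Varonis deployment): RFC 3164 syslog
# prefix plus a CEF record of the shape DatAlert forwards. The header escapes "|"
# as "\|"; extension values escape "=" as "\=" and "\" as "\\".
SAMPLE_CEF = (
    r"<13>Jun 12 10:15:32 varonis-host CEF:0|Varonis Inc.|DatAlert|8.6|"
    r"Mass file access|Mass file access \| HR share|7|"
    r"rt=1718187332000 suser=jdoe "
    r"fname=\\\\fs01\\HR\\payroll.xlsx msg=Files opened\=250 (threshold 100)"
)
HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # start of a key=value pair

def _split_unescaped(text, sep, limit):
    """Split on unescaped `sep` at most `limit` times; decode escapes in the split parts."""
    parts, buf, i = [], [], 0
    while i < len(text) and len(parts) < limit:
        c = text[i]
        if c == "\\" and i + 1 < len(text):      # "\x" -> literal x
            buf.append(text[i + 1]); i += 2
        elif c == sep:
            parts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    parts.append("".join(buf) + text[i:])        # remainder kept raw for the extension parser
    return parts

def parse_cef(line):
    """Return {'header': {...}, 'extension': {...}}; raise ValueError if the header is short."""
    start = line.find("CEF:")
    if start < 0: raise ValueError("no CEF record in line")
    parts = _split_unescaped(line[start + 4:], "|", 7)
    if len(parts) != 8: raise ValueError("truncated CEF header (expected 7 pipes)")
    header = dict(zip(HEADER_KEYS, parts[:7]))
    ext, extension = parts[7], {}
    keys = list(EXT_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):               # a value runs up to the next key
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        extension[m.group(1)] = re.sub(
            r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return {"header": header, "extension": extension}

def listen(port=9035, count=1):
    """Receive `count` UDP syslog datagrams on the collector port and parse them."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        return [parse_cef(s.recv(65535).decode("utf-8", "replace")) for _ in range(count)]
```

Run `listen()` on the collector host while firing a test alert in DatAlert; a ValueError on the header usually means the Message Format in Step 1 is not CEF.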


Please provide the following information to CyTech Support:

  • IP Address

  • Port Address

  • Protocol (TCP or UDP)

If you need further assistance, kindly contact our support at support@cytechint.com for prompt assistance and guidance.