Monday, December 21, 2015

Can Varonis Capture "Copy" Events?

I get asked regularly whether Varonis DatAdvantage can identify when a user copies a file.

It depends. 

  • If the user opens a file on a server and copies it to his desktop, Varonis DOES NOT record the copy to the desktop, only that the file on the server was opened.  
  • If the user copies a file from one folder to another on the same server, you will see a rename event.
  • If the user copies a file from one server to another server, you will see a File Open on the first server and a File Create on the second server.

Based on how most people ask the question, the answer is no.  To really know what the user did with the file you need a Data Loss Prevention solution like Digital Guardian (our choice) or Symantec DLP.

Friday, November 13, 2015

Identifying Distribution Groups within Security Groups

It is important to identify Active Directory distribution groups that are embedded in AD security groups, since it is not best practice to use distro groups for file server permissions.  Unfortunately, within Varonis DatAdvantage the 3a Group Members report does not have a filter to sort by Group Type.  Here is a workaround that I have used: identifying group types by their email properties.

There are several caveats here.  It is possible that a Security group has an email address and it is possible that a distribution list does not have an email address assigned.  To get a truly comprehensive picture we would have to create a CSV file from the 3d report of all distribution groups, create a CSV file from the 3a report just looking for Groups embedded in groups, and then use Excel or PowerShell to merge the data to identify the distribution group members.
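The merge step described above, as an added PowerShell example (not from this blog or from Varonis): it joins a 3d export of distribution groups with a 3a export of group-in-group memberships and lists the distribution groups nested inside security groups. The column headers and the sample rows are assumptions constructed for the example; adjust the headers to match your actual report exports.

```powershell
# Added example: find distribution groups nested in security groups by joining
# a 3d report export (all distribution groups) with a 3a report export
# (group members, filtered to groups embedded in groups).
# Column names are assumptions; check them against your real CSV headers.

# Constructed sample of a 3d export: one row per distribution group.
$distroCsv = @'
"Group Name","Email"
"All-Staff","all-staff@example.com"
"Marketing-News",""
'@

# Constructed sample of a 3a export: one row per membership.
$membersCsv = @'
"Group Name","Member Name","Member Type"
"FS-Finance-RW","All-Staff","Group"
"FS-Finance-RW","Finance-Admins","Group"
"FS-Marketing-RO","Marketing-News","Group"
"FS-HR-RW","jsmith","User"
'@

# For the real exports replace the two here-strings with Import-Csv, e.g.
# $distro = Import-Csv .\3d-distribution-groups.csv
$distro  = $distroCsv  | ConvertFrom-Csv
$members = $membersCsv | ConvertFrom-Csv

# Case-insensitive set of distribution group names (AD names are not case-sensitive).
$distroNames = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]($distro | ForEach-Object { $_.'Group Name' }),
    [System.StringComparer]::OrdinalIgnoreCase)

# Keep only group-in-group rows whose member is a known distribution group.
$findings = $members |
    Where-Object { $_.'Member Type' -eq 'Group' -and $distroNames.Contains($_.'Member Name') } |
    Select-Object @{ n = 'SecurityGroup';            e = { $_.'Group Name' } },
                  @{ n = 'NestedDistributionGroup';  e = { $_.'Member Name' } }

$findings | Format-Table -AutoSize
# To hand the result to the group owners:
# $findings | Export-Csv -NoTypeInformation .\nested-distribution-groups.csv
```

Because the join keys on the 3d report rather than on the email attribute, it is not fooled by security groups that happen to be mail-enabled or by distribution groups without an address.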

Wednesday, August 19, 2015

Varonis Connection lost to a server

If Varonis DatAdvantage is no longer collecting events from a server, the Varonis probe will send out error messages on a regular basis that look something like this:

Subject: [VARONISPROBE] Varonis: Connection lost between SERVER (48) and XXXXXXXXX (IDU Probe) (code 13002)

They generally are caused in one of several ways:

1) The server no longer exists. (Then you should disable it in, or remove it from, Varonis.)
2) Someone has upgraded or rebuilt the server, so the agent no longer exists on the box. (Then you should manually install the agent.)
3) Someone has disabled or removed the Varonis services. (After uncovering the reason for the change, you can manually reinstall the agent.)
4) There are connectivity problems getting to the server. (This needs to be fixed outside of the Varonis infrastructure.)

If you have administrative credentials to the monitored server, it is helpful to run Computer Management on the probe and connect to the monitored server from there.  The results may provide additional clues to the problem.  Looking through the Varonis event logs on the monitored server via the Event Viewer on the probe can also be helpful.
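A scripted version of that first-pass check, as an added example (not from this blog or from Varonis), run from the probe against one monitored server. The checks map to the causes listed above: name resolution and reachability (cause 4), a missing agent (causes 1 and 2) and stopped services (cause 3). The `'*Varonis*'` service-name pattern and the `Application` log as the place the agent writes errors are assumptions; adjust them to your agent version.

```powershell
# Added example: triage a "Connection lost" alert from the probe.
# Requires admin rights on the monitored server. Get-Service -ComputerName
# exists in Windows PowerShell 5.1 but was removed in PowerShell 7+.
param([Parameter(Mandatory)][string]$Server)

$result = [ordered]@{ Server = $Server }

# Cause 4: does the name resolve, and is SMB (445) reachable from the probe?
$result.Resolves = [bool](Resolve-DnsName -Name $Server -ErrorAction SilentlyContinue)
$result.Port445  = (Test-NetConnection -ComputerName $Server -Port 445 `
                        -WarningAction SilentlyContinue).TcpTestSucceeded

# Causes 1-3: is an agent service installed at all, and is it running?
# '*Varonis*' is an assumed name pattern; replace with the real service names.
$svc = Get-Service -ComputerName $Server -Name '*Varonis*' -ErrorAction SilentlyContinue
if (-not $svc) {
    $result.AgentStatus = 'no Varonis service found (server rebuilt or agent removed?)'
} else {
    $result.AgentStatus = ($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join '; '
}

# Last day of error-level events from the agent, the scripted equivalent of
# opening Event Viewer from the probe. Log name is an assumption.
$result.RecentErrors = Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName = 'Application'; Level = 2; StartTime = (Get-Date).AddDays(-1)
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Varonis*' } |
    ForEach-Object { "$($_.TimeCreated): $(($_.Message -split "`n")[0])" }

[pscustomobject]$result | Format-List
```

A server that resolves and answers on 445 but shows no agent service points at causes 1 to 3; one that fails the connectivity checks is a network problem to fix before touching Varonis.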

Friday, August 14, 2015

DatAlert Alert Template for Syslog

Within Varonis DatAlert, the default Alert Template for syslog messages contains line feeds and carriage returns.  Most syslog parsers have a much easier time dealing with single-line messages.  If you are going to send Varonis alerts to syslog, you should create a template specifically for that.  Here is a sample that I work with.

Saturday, April 4, 2015

Correct Share Settings for Adding a Server in Varonis

When adding servers to Varonis, under the Shares tab select the highest level shares that Varonis has access to.  In addition, there is an option to Automatically detect shares.  This should be set to “Detect and Notify” and the “Notify” option should be set to once.  That way, whenever a share is added to a server an email will go out indicating that fact.  At that point, if it is a new volume or new top-level share, you can go back into the Management Console and add that volume.  Do not automatically monitor shares, as this may pick up devices such as CD drives or shares that should not be monitored, such as backup shares.

Friday, February 6, 2015

Removing Disabled Users from the Varonis Permissions Report

One of the most commonly used reports in Varonis DatAdvantage is the “4b - Effective Permissions for User or Group” report.  This is used to list all of the groups and users that have access to a particular folder.  One of the challenges that we faced at a particular customer was that the business people did not want to see the disabled users who had access to the folder.  There is a filter, “Disabled Accounts,” that lets you exclude them.  However, if you just add that filter it removes all of the groups that have access to the folder.  Thanks to Kevin Cyr for asking me if there is a way around this.  Indeed, there is!  Here is a screenshot of the filter combination that handles the problem.  The root cause is that groups do not have the “Disabled Account” property in Active Directory, so they are excluded by the standalone “Disabled Accounts” filter.