
Varonis Edge Configuration Training Lab

Installation and Configuration of the following products:

• Varonis Edge for DNS
• Varonis Edge for VPN
• Configuring DatAdvantage to connect to Splunk
• Varonis Edge for Web Proxy

For assistance, please contact partner-certification@varonis.com


Table of Contents
How to Access the Virtual Training Environment .......................................................................................... 3
Lab Overview............................................................................................................................................... 6
Varonis Edge – Overview ............................................................................................................................. 7
Lab 1 – Configuring a Collector to Enable Varonis Edge ................................................................................ 8
Lab 2 – Begin Configuring DNS Monitoring in DatAdvantage ...................................................................... 11
Lab 3 – Confirming DNS Event Collection .................................................................................................... 17
Lab 4 – Configuring Pulse Secure for Monitoring with Syslog ...................................................................... 19
Lab 5 – Adding Pulse Secure Monitoring with Syslog to DatAdvantage ....................................................... 21
Lab 6 – Generating an Event with Pulse Secure and Verify Event Collection ................................................ 26
Lab 7 – Configuring Pulse Secure for Monitoring with Splunk ..................................................................... 29
Lab 8 – Adding Pulse Secure Monitoring with Splunk to DatAdvantage ...................................................... 32
Lab 9 – Configuring Squid Web Proxy for Monitoring with Syslog ............................................................... 38
Lab 10 – Confirming Event Collection for Squid Proxy ................................................................................. 45

How to Access the Virtual Training Environment
1. Navigate to https://certification-labs.varonis.com
*Note: Varonis employees cannot use this link to access the virtual training environment. Varonis
Sales Engineers should use https://se-labs.varonis.com/ to access the labs while PS engineers should use
https://ps-labs.varonis.com/.
2. Sign in using your employee/partner login credentials. These are the same credentials you use to
log in to https://partneredu.varonis.com

3. On the left-hand side, select “New Environment”

4. Choose a name for your environment. In this case, I have named it “Varonis Edge Install and Configuration”
a. Select a template that you want to deploy. The template name is identical to the course that you signed
up for. In this case, I am deploying the “Varonis Edge Install and Configuration” template.
b. Select a region that you would like to deploy the template in. Please select the region that is closest to
your location. I am in the United States, so I will be deploying the template in “East US 2”.
c. Choose a window that the lab will be available for. Make sure that you select the appropriate time
zone for your location. I would like my lab to be available from 9 AM – 5 PM EST.
d. Click “Create” once you have filled all the sections out.

5. Click the check button to confirm your selection.

6. Once your environment has been deployed, you will see your environment if you click “Environments” on the
left-hand side. The status of the environment will show a green arrow pointing up when it is ready to be used.
Please allow 5-10 minutes for the lab to deploy successfully.

7. Click on the recently deployed environment. A panel will appear on the right-hand side. For this specific
template, there are 7 different machines that will be used. Each machine is designated by name.

8. Each machine has four action buttons: Info, Connect, Stop and Restart.
a. Info – Displays information for the selected server, such as its IP address.
b. Connect – Opens a new tab in your browser with an RDP connection to the selected server.
c. Stop – Turns off the virtual machine.
d. Restart – Restarts the virtual machine.
*Note: The connect button functions differently for Varonis employees. Clicking “Connect” will download a
link to an RDP session for the machine you selected. You will then have to enter the username/password for
the machine to connect. The username for all machines is “vrnslab\itadmin” and the password is
“p@ssword1”.

9. If you do not finish the lab in the time period that you selected when deploying the environment, the
environment will shut down. You have the option to restart the lab the next day and pick up from the previous
spot you stopped at by selecting the “Start” option.

Lab Overview
This certification lab will guide the Engineer through installing and monitoring Edge data sources such as a VPN, DNS and
Web Proxy.

EDUCATIONAL PREREQUISITES – The person completing these labs must have successfully completed both the DA
Installation and the Operational Use of DA certifications.

TRAINING ENVIRONMENT SUPPORT:

If problems occur while using the Virtual Training Environment, please send an email, with any relevant screenshots, to
partner-certification@varonis.com.

Varonis Edge – Overview
With DatAdvantage and DatAlert, Varonis protects a customer's core data stores from insider threats
and cyberattacks. With Varonis Edge, Varonis can also collect perimeter logs from sources such as VPNs, DNS servers and web
proxies. By monitoring perimeter devices, Varonis can detect threats before they get in and can accelerate incident
response by adding context to DatAlert threat models.

Lab 1 – Configuring a Collector to Enable Varonis Edge
1. To prepare the environment for use, first connect to the HUB-DC machine in your environment. HUB-DC is
designated in your environment by dcxxxxx.

2. Once you log in, a Command Prompt window will open and scripts will run in the background. This process
takes about 5 minutes and opens Chrome to perform some automatic configuration. Let the scripts run
uninterrupted. Once all the windows have closed automatically, the lab is ready for use.

3. Open the Varonis Management Console on HUB-DSP. HUB-DSP is designated in your environment by dspxxxxx.

4. Click “Collectors” on the left-hand side of the Management Console.

5. Select “HUB-COLL” and click “Edit”.

6. All the configuration info for the collector will show. Click “Edge” on the left-hand side.

7. This is where Edge is configured. When you are installing the collector, you must check the box for “Install Edge
data source event collection components”. The collector and Edge are already installed in our environment, so this
has already been done. Don’t forget to check this box when installing a collector if you are looking to install
Edge. Click “Cancel” to close this window.

You have successfully finished configuring a Collector to monitor Varonis Edge.


Lab 2 – Begin Configuring DNS Monitoring in DatAdvantage
1. Click “File Servers” on the left-hand side of the Management Console.

2. Click “Add” next to resources.

3. Configure the DNS data source in the following order:
a. Collector: Click the dropdown arrow and select “HUB-COLL” as the Collector. You may be
prompted for credentials to authenticate to the Collector. Use “VRNSLAB\itadmin” for the
username and “p@ssword1” as the password.
b. Resource Type: Click the dropdown arrow and select “DNS” as the resource type.
c. Resource/Server Name: Use “DNS” for the resource name. Click “Configuration” on the left-hand side once completed.

Note: You can choose whatever name you would like when adding Edge data sources. The name
you enter in this field does not need to match the server hosting the resource.

4. Scroll down to the section labeled “Source Device”. Under product select “Microsoft DNS Server”. Select “(UTC
+00:00) Africa/Abidjan” for the time zone. It is important to remember that our specific lab uses UTC time for all
devices in the environment. In a production environment, make sure to select the appropriate time zone.

5. Under “Interface Configuration” an interface must be selected. Click the dropdown arrow and select “Filebeat”.
We will use all the default settings for our configuration. Filebeat is the recommended interface to use for DNS
monitoring.

6. Previously, Filebeat had to be installed manually on every DC that we wanted to collect DNS logs from. In
DatAdvantage 7.5 and above, a new tab is available during configuration to automatically deploy the agent to any
DC that will forward DNS logs to Edge. Click “Filebeat deployment” on the left-hand side and click “Rescan DCs”.

7. All DCs in the environment should automatically be detected. You’ll see “hub-dc.vrnslab.se” show up in the list
with a status of “Never run”. Highlight “hub-dc.vrnslab.se” and click “Deploy”.

Note: If a customer already has DNS logging settings configured, it is best to check the box for “Override DNS
logging settings” so that all the appropriate DNS logging settings can be configured for Varonis to collect all DNS
events.

8. Enter “VRNSLAB\itadmin” as the username and “p@ssword1” as the password. Click “OK”.

Note: The account that you use to deploy the agent must be either a Domain Admin or a built-in Administrator
(that has permissions to deploy software on Domain Controllers).

9. The status will switch to “Running” meaning the agent is being deployed.

10. In 1-2 minutes, the installation should finish and show a status of “Succeeded”. Now that the Filebeat agent is
installed on the DC we want to gather logs from, we can finish the install. Click “Install”.

11. After checking prerequisites, the DNS resource will start installing. Wait until the progress bar has reached 100%
before proceeding. It should take no more than 5-10 minutes to install.

You have successfully added DNS monitoring to DatAdvantage.

Lab 3 – Confirming DNS Event Collection
1. Open “Chrome” from the Windows taskbar.

2. Type https://hub-dsp/DatAdvantage into the address bar. A security warning will appear as we do not have a
certificate tied to the Web UI in our lab. Click “Advanced” and then “Proceed to hub-dsp (unsafe)”.

3. Click “Analytics” at the top of the screen.

4. Select the dropdown box for “All Servers” and uncheck everything but “DNS”. Click “Apply”.

5. A search will automatically run and events will appear related to DNS if everything is configured correctly.

Note: DNS events can take 15-30 minutes to appear in the Web UI in the lab environment. Please feel free to
move onto the next lab and return to this section once the required time has passed.

You have successfully confirmed event collection from Microsoft DNS into Varonis Edge.

Lab 4 – Configuring Pulse Secure for Monitoring with Syslog
1. Open Chrome from the taskbar.

2. Enter https://hub-hyperv/dana-na/auth/url_admin/welcome.cgi into the address bar. The same warning message
will appear due to an invalid certificate. Continue through that screen until you get to the login page. The
username is “itadmin” and the password is “p@ssword1”. Click “Sign In”.

3. Click “System” then click “Log/Monitoring > Settings” under User Access.

4. Confirm that all the “Events to Log” are selected and then scroll down to “Syslog Servers”. In the Server name
field, enter the IP address of the collector in your environment. You also need to add the port that the syslog will
be sent to. This port should be identical to the port that you will configure the listener for in the next section. In
our lab, my collector’s IP address is 10.20.1.212 and I will be using port 516 for my listener. The format should be
10.20.1.212:516. Click “Add”.

Note: In production you do not need all the events checked. Varonis Edge does not collect client certificate
events. If this is already configured in a production environment, you can leave it checked as Varonis Edge will
ignore these events.

You have successfully configured Pulse Secure for monitoring with Syslog.

Lab 5 – Adding Pulse Secure Monitoring with Syslog to
DatAdvantage
1. On HUB-DSP, open the Varonis Management Console.

2. Click “File Servers” on the left-hand side of the Management Console.

3. Click “Add” next to resources.

4. Configure the Pulse Secure data source in the following order:
a. Collector: Click the dropdown arrow and select “HUB-COLL” as the Collector.
b. Resource Type: Click the dropdown arrow and select “VPN” as the resource type.
c. Resource/Server Name: Use “VPN” for the resource name. Click “Configuration” on the left-hand side once completed.

5. Scroll down to the section labeled “Source Device”. Under product select “Pulse Secure”. Select “(UTC +00:00)
Africa/Abidjan” for the time zone. It’s important to remember that our specific lab uses UTC time for all devices
in the environment. In a production environment, make sure to select the appropriate time zone. Select
“Syslog” under interface configuration and then click “Manage”.

6. A new listener needs to be added to monitor Pulse Secure. Click “+”.

7. Configure the listener:
a. Name: Name the listener according to what it will monitor. I will use “Pulse-VPN” in this
example.
b. Protocol: Select the appropriate protocol for what you will be monitoring. We used UDP when
setting up the Syslog Server in Pulse Secure, so I will use UDP here as well.
c. Port: The port we set up earlier was port 516, so I need to set that value here as well.
d. Click “OK”.

Note: TCP is the recommended protocol to use to avoid packet loss. Although you are not obligated to use
TCP, it is highly recommended to use in production environments.

8. Click “Save” and then click “Close”.

9. Select “Pulse-VPN” as the listener and then click “Install”.

10. After checking prerequisites, the VPN syslog monitoring will start installing. Wait until the progress bar has
reached 100% before proceeding. It should take no more than 5 minutes to install.

You have successfully added VPN syslog monitoring to DatAdvantage.

Lab 6 – Generating an Event with Pulse Secure and Verify Event
Collection
1. On HUB-DSP, open Internet Explorer and navigate to https://hub-hyperv.vrnslab.se/.

2. Click “More Information” and then “Go on to the webpage (not recommended)”.

3. You’ll be brought to the Pulse Connect Secure webpage. Type “vrnslab\itadmin” for the username and
“p@ssword1” for the password. Click “Sign In”.

Note: If you want to generate some failed events as well, type the wrong password and click sign in a few times.

4. You will be prompted with an install window. Do not click anything on this page. It will redirect you momentarily.

5. You have now generated a logon event within Pulse Secure. Open Chrome on the taskbar and navigate to
https://hub-dsp/datadvantage/.

6. Click “Analytics” at the top of the screen.

7. Select the dropdown box for “DNS” and uncheck everything but “VPN”. Click “Apply”.

8. A search will automatically run and events will appear related to Pulse Secure if everything is configured correctly.

Note: VPN events can take 15-30 minutes to appear in the Web UI in the lab environment. Please feel free to
move onto the next lab and return to this section once the required time has passed.

You have successfully confirmed event collection from Pulse Secure VPN into Varonis Edge.

Lab 7 – Configuring Pulse Secure for Monitoring with Splunk
1. Return to https://hub-hyperv/dana-na/auth/url_admin/welcome.cgi and sign in.

2. Click “System” then click “Log/Monitoring > Settings”.

3. Confirm that all the “Events to Log” are selected and then scroll down to “Syslog Servers”. Splunk should already
be configured as one of the Syslog Servers. You should not be setting this up in a customer environment; it
should already be configured, as it is in our lab. HUB-DC is hosting Splunk, and we can see that Pulse Secure is
sending syslog to Splunk over UDP on port 515. Note this information down and close Pulse Secure.

4. We need to confirm that events are being sent to Splunk from Pulse Secure. Open a new tab in Chrome and type
“hub-dc:8000”. You will automatically be redirected to the Splunk home page.

5. Click “Search & Reporting”.

6. Type “pulsevpn” into the search box. Events will appear that show the syslogs from Pulse Secure. You want to note
down the “sourcetype” string as it will be needed to add VPN monitoring with Splunk in Varonis Edge.

You have successfully configured Pulse Secure for Monitoring with Splunk.

Lab 8 – Adding Pulse Secure Monitoring with Splunk to
DatAdvantage
1. Before adding Pulse Secure, it’s important to ask the customer if they want all historical data from Splunk to be
imported into Varonis once Pulse Secure is added. In this scenario, we do want to collect all historical data from
Splunk that was captured before Varonis Edge was implemented. Open the Varonis Management Console and
navigate to “Varonis Web Server” under Root > DSP Server > Service Components.

2. Scroll down to “Solr Events”. By default, the number of historical events collected by Edge is set to “0”, which
means that no historical events will be collected from Splunk. Estimate how many historical events will be
collected by Edge. In our lab, we don’t have more than 1 million events, so enter “1” in the box. Scroll up and click
“Save”.

3. Click “HUB-SOLR” and click “Edit Credentials”.

4. Type “VRNSLAB\itadmin” as the username and “p@ssword1” as the password. Click “OK” and then click
“Continue”.

5. The prerequisites will be checked. In the lab environment, the amount of RAM on the SOLR machine is lower than
recommended as is the storage, but it will not affect the lab. Click “Continue”.

6. The configuration will be saved. Wait until the progress bar reaches 100% before proceeding to the next step. This
should only take 5 minutes at most.

7. Navigate to the “File Servers” tab. Click “Add” next to resources.

8. Configure the Pulse Secure data source in the following order:
a. Collector: Click the dropdown arrow and select “HUB-COLL” as the Collector.
b. Resource Type: Click the dropdown arrow and select “VPN” as the resource type.
c. Resource/Server Name: Use “VPN_Splunk” for the resource name. Click “Configuration” on the
left-hand side once completed.

9. Scroll down to the section labeled “Source Device”. Under product select “Pulse Secure”. Select “(UTC +00:00)
Africa/Abidjan” for the time zone. It’s important to remember that our specific lab uses UTC time for all
devices in the environment. In a production environment, make sure to select the appropriate time zone.
Select “Splunk” under interface configuration.
a. The Splunk Username is “admin”. The Splunk password is “admin”.
b. The Splunk host is https://hub-dc.vrnslab.se:8089 (the default port Splunk uses is 8089)
c. In the case the customer wants to import historical events, change the number of days to how
far back you want to import events from. In this case, I want to import the last 30 days of
events, so set the days to “30”.
d. The default sourcetype string is the one the Pulse Secure app for Splunk uses when it is installed directly
through Splunk. That is not the case in our environment: as seen in Lab 7, the sourcetype
string in our environment is “generic_single_line”. You must change this to the correct
sourcetype string for the environment you are installing in.

10. Click “Test Connection”. If all the information above has been entered correctly you will see the following
message:

Note: For the lab, this is expected. Click “OK”.

11. Before clicking “Install”, we must set a Custom Date & Time Format. In this example, I want the date format to
reflect 04-13-2021 03:32:21 pm. Enter “MM-dd-yyyy hh:mm:ss a” into the “Custom Date & Time Format” field.

12. Click “Install”.

13. After checking prerequisites, the VPN Splunk monitoring will start installing. Wait until the progress bar has
reached 100% before proceeding. It should take no more than 5 minutes to install.

You have successfully added Pulse Secure Monitoring with Splunk to DatAdvantage.

Lab 9 – Configuring Squid Web Proxy for Monitoring with Syslog
1. Before adding Squid to Varonis Edge, the configuration file for Squid needs to be modified. The configuration file
can be found on the server that is hosting the web proxy. In the lab, the web proxy is hosted on the HUB-SHAREPOINT
server. Open Windows Explorer and type \\hub-sharepoint\c$\Squid\etc\squid into the address bar.

2. Here you’ll find the configuration file “squid.conf”. Right click on “squid.conf” and click “Edit with Notepad++”.

3. On an empty line, add the following (make sure access_log starts on its own line):
logformat combined %>a %[un %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %>st %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %mt %<tt
access_log tcp://hub-coll.vrnslab.se:5166 combined

Note: “hub-coll.vrnslab.se” is the host where events will be sent. “5166” is the port we will use when
configuring the listener.
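As an added check that is not part of the lab, the Python script below parses proxy lines in the exact logformat added to squid.conf above, so you can confirm which fields will reach the Varonis listener and spot lines that no longer match the format (for example after a later edit to squid.conf). The sample log lines, the client IP and the 407 threshold are constructed assumptions, not captures from the lab.

```python
import re
from collections import Counter
from datetime import datetime

# Regex mirroring the 'combined' logformat added to squid.conf in step 3:
#   %>a %[un %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %>st %<st
#   "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %mt %<tt
# (the format lists %[un twice, so the user name field appears twice)
LINE_RE = re.compile(
    r'^(?P<client_ip>\S+) (?P<user>\S+) (?P<user_again>\S+) '
    r'\[(?P<local_time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<http_version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<request_bytes>\d+) (?P<reply_bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'(?P<squid_status>[^:\s]+):(?P<hierarchy>\S+) (?P<mime_type>\S+) '
    r'(?P<total_ms>\d+)$'
)

# Constructed sample lines (not captured from the lab): the Lab 10 browsing
# test as Squid would log it with the format above. The first request carries
# no credentials yet, so the proxy answers 407 and Squid logs the user as "-".
SAMPLE_LINES = [
    '10.20.1.60 - - [13/Apr/2021:15:32:21 +0000] "GET http://yahoo.com/ HTTP/1.1" '
    '407 312 3647 "-" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0)" '
    'TCP_DENIED:HIER_NONE text/html 0',
    '10.20.1.60 itadmin itadmin [13/Apr/2021:15:32:24 +0000] "GET http://yahoo.com/ HTTP/1.1" '
    '301 398 512 "-" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0)" '
    'TCP_MISS:HIER_DIRECT text/html 154',
    'not a squid line at all',
]


def parse_squid_combined(line):
    """Parse one access_log line in the Lab 9 format; return a dict or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # a mismatch usually means the squid.conf format drifted
    ev = m.groupdict()
    del ev["user_again"]
    # %tl is Squid's local time, e.g. 13/Apr/2021:15:32:24 +0000 (UTC in the lab)
    ev["local_time"] = datetime.strptime(ev["local_time"], "%d/%b/%Y:%H:%M:%S %z")
    for key in ("status", "request_bytes", "reply_bytes", "total_ms"):
        ev[key] = int(ev[key])
    ev["user"] = None if ev["user"] == "-" else ev["user"]  # "-" = unauthenticated
    return ev


def check_lines(lines):
    """Split lines into parsed events and raw lines the format does not match."""
    parsed, rejected = [], []
    for line in lines:
        ev = parse_squid_combined(line)
        (parsed if ev else rejected).append(ev if ev else line)
    return parsed, rejected


def proxy_auth_failures(lines, threshold=3):
    """Client IPs with at least `threshold` 407 responses (repeated proxy-auth
    failures), a simple review signal on top of what Edge collects."""
    counts = Counter(
        ev["client_ip"] for ev in check_lines(lines)[0] if ev["status"] == 407
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events, bad = check_lines(SAMPLE_LINES)
    for ev in events:
        print(ev["local_time"].isoformat(), ev["client_ip"], ev["user"],
              ev["method"], ev["url"], ev["status"], ev["squid_status"])
    print("unparsed lines:", len(bad))
```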

4. Click “Save” and close Notepad++.

5. Return to the Management Console. Click “File Servers” on the left-hand side and then click “Add”.

6. Configure the Squid web proxy in the following order:
a. Collector: Click the dropdown arrow and select “HUB-COLL” as the Collector.
b. Resource Type: Click the dropdown arrow and select “Proxy” as the resource type.
c. Resource/Server Name: Use “Proxy” for the resource name. Click “Configuration” on the left-hand side once completed.

7. Scroll down to the section labeled “Source Device”. Under product select “Squid WSA”. Select “(UTC +00:00)
Africa/Abidjan” for the time zone. It’s important to remember that our specific lab uses UTC time for all devices
in the environment. In a production environment, make sure to select the appropriate time zone. Select
“Syslog” under interface configuration and then click “Manage”.

8. A new listener needs to be added to monitor Squid. Click “+”.

9. Configure the listener:
a. Name: Name the listener according to what it will monitor. I will use “SquidProxy” in this
example.
b. Protocol: Select the appropriate protocol for what you will be monitoring. TCP is the
recommended setting for web proxy.
c. Port: The port we set up earlier was port 5166, so I need to set that value here as well.
d. Click “OK”.

10. Click “Save” and then click “Close”.

11. Select “SquidProxy” as the listener and then click “Install”.

12. The install of the web proxy will start. Wait until it has reached 100% and then close the Management Console.

13. The last step is to restart the Squid service since we modified the configuration file. We can do this remotely
from the server we are logged into. Open a “run” window and type “services.msc” into the dialog box and click
“OK”.

14. Right click on “Services (Local)” on the left-hand side and select “Connect to another computer…”.

15. Type “hub-sharepoint” into the dialog box and click “OK”.

16. The services on HUB-SHAREPOINT will appear. Scroll down until you find “Squid for Windows”. Right click on the
service and click “Restart”.

You have successfully configured Squid web proxy for monitoring.

Lab 10 – Confirming Event Collection for Squid Proxy
1. Right click the Windows start button on HUB-DSP and click “Run”.

2. Type “inetcpl.cpl” into the box and click “OK”.

3. Click “Connections” at the top and click “LAN Settings”.

4. Uncheck “Automatically detect settings” and check “Use a proxy server for your LAN”. Set the Address to
“hub-sharepoint” and the port to “3128”. Check “Bypass proxy server for local addresses” and click “OK”.

5. Click “OK” to close the dialog box.

6. Open Internet Explorer and type “yahoo.com” into the address bar. A dialog box will pop up asking to authenticate
to the proxy server. Type “itadmin” as the username and “p@ssword1” as the password. Click “OK”.

7. The webpage will load in the background. This is our first proxy event. Once the web page has loaded, close
Internet Explorer.

8. Open Chrome and return to the Web Dashboard. Go to the “Analytics” tab. Uncheck everything but “Proxy” and
click “Apply”.

9. You will see events from the Web Proxy. Remember to wait up to 20 minutes for the events to show up.

You have successfully confirmed event collection from the Squid web proxy.

