Varonis DatAdvantage – Verify continuous communication with all domain controllers

Posted in : Powershell, Security, Varonis By Rickard Carlsson Translate with Google ⟶

4 years ago

When you are using Varonis to monitor your environment it’s important to make sure that you don’t miss any critical events. One weakness in the current version of Varonis that I found out about is that you won’t get any notification if the event collection from one domain controller stops to work and you will only get notifications if the event collection stops working on all domain controllers (DC) at the same time.

I consider this very critical because there is a risk that there will be a loss of critical events for a long time before the issue is detected so I decided to build a Powershell script that runs on the collector to help with this issue. The script controls that the event collection works and if its not working a few services will be restarted. If that doesn’t solve the issue an email will be sent to me so I quickly can investigate the underlying issue to why the event collection doesn’t work.
Please read the comments in the code for a better understanding of the script

<#
.Synopsis
    Verifies communication with DC's.
.DESCRIPTION
    Verifies a continuous communication with all domain controllers.
.NOTES
    Name: check_dc_status.ps1
    Author: Rickard Carlsson
    Date Created: 2019-09-30
    Version History:
        2019-09-30 - Rickard Carlsson
            Initial Creation
    Xenit AB
#>
[cmdletbinding()]
Param(
    #Saves the current time to a variable,
    $datenow=(Get-Date),
    $eventid=900,
    #Time to check = the amount of hours back in time we want filter the eventlog.
    $ttc=3,
    #Times to fail = we just want to take action if this error has been consistent for at least three hours, therefor two times is ok.
    $ttf=2,
    #The services that we want to restart if the event collection doesn't work.
    $services="VrnsProbeSvc","Varonis.Forwarder.Ad","VaronisServer",
    #Define the path to where you want to store the log.
    $logpath="D:\Log\check_dc_status.log",
    #Create the eventlog filter. The interesting event we are looking for uses ID 900 and providername is VrnsForwarderSvc.
    $fltr=@{Logname='*';
            ProviderName="VrnsForwarderSvc";
            Level=4;
            ID=$eventid;
		    StartTime=(($datenow).AddHours(-$ttc))
    },
    #We are looking for events where a DC has the status "Connecting". Modify this based on you name standard on domain controllers.
    $matchfilter="*DC-*","*Connecting*",
)
Begin{
    #Collect the eventlogs based on the filter
    $gevnt=Get-WinEvent -FilterHashtable $fltr 2>$null
    #Filter out the eventlogs that match the $matchfilter.
    $gevntmes=($gevnt.Message -Like $matchfilter)
    #Save the amount of events that matched the filter to $aoe.
    $aoe=$gevntmes.Count
}
Process {
    #If there are event logs that matches the filters and the amount is greater than $ttf then restart the services.
    if ($aoe -gt $ttf) {
        Foreach ($service in $services) {
            Get-Service -Name $service  | Stop-Service
            Get-Service -Name $service  | Start-Service
        }
    }
    else {
        #If no matching events can be found update the log with that info and then exit the script.
        $datenow=(Get-Date)
        Write-Output "$datenow - Nothing needs to be done. No error messages." | Out-file $logpath -Append
        Exit
    }
    #After restarting services, wait for an hour to make sure that another event have been created. These events are created every hour.
    Start-Sleep -Seconds 3600
    #Update the variables to check if the connected event has been generated.
    $ttc=1
    $ttf=1
    $datenow=(Get-Date)
    #Collecting the eventlogs again
    $gevnt=Get-WinEvent -FilterHashtable $fltr 2>$null
    #Filtering the eventlog again
    $gevntmes=($gevnt.Message -Like $matchfilter)
    $aoe=$gevntmes.Count
}
End {
    #Check if the "Connected" event has been generated, if not send an email to X.
    if ($aoe -lt $ttf -and $aoe -ne $null) {
        $datenow=(Get-Date)
        Write-Output "$datenow - There was a problem, but a restart fixed it." | Out-file $logpath -Append
        Exit
    }
    else{
        Try{
            Send-MailMessage -From 'Varonis <varonis@yourcompany.com>' -To 'John Doe <john.doe@yourcompany.com>' -Subject 'Alert - Varonis is unable to communicate with a DC' -Body "At least one of the domain controllers is unable to send events to the collector, investigate!" -SmtpServer "yoursmtpserver.yourcompany.com"
            $datenow=(Get-Date)
            Write-Output "$datenow - Not working, email sent to John Doe" | Out-file $logpath -Append
        }
        Catch{
            $datenow=(Get-Date)
            Write-Output "$datenow - Not possible to send email, investigate!" | Out-file $logpath -Append
        }
    }
}

After you have modified the script to fit your environment and verified that it works you can configure it to run as a scheduled task on your collector. I have configured it to run once every two hours.
To summarize it, if you are using this script you will get notified when event collection doesn’t work and the script tries to solve potential issues by restarting the affected services and if that doesn’t solve the issue you will get notified and you get the opportunity to solve the issue just after a few hours instead of days or maybe months.You will also get some traceability with the log function.

This script is by no means the best or optimal solution but it will help you improve the monitoring of your Varonis environment.
If you found this script helpful or have any thoughts feel free to leave a comment below or send me an email rickard.carlsson@xenit.se

Tags : collector, datadvantage, dc, event, monitoring, notification, PowerShell, Varonis