Varonis DatAdvantage – Verify continuous communication with all domain controllers

When you use Varonis to monitor your environment it is important to make sure that you do not miss any critical events. One weakness in the current version of Varonis that I found out about is that you will not get any notification if event collection from a single domain controller (DC) stops working; you only get a notification if event collection stops working on all domain controllers at the same time.

To mitigate the risk of this happening without your knowledge there is a daily job called “AutoDetectResources” that verifies that all resources are reachable. The job is meant to make sure that all resources that are supposed to be connected really are connected. I have seen in a customer’s environment that this job completes successfully while event collection from a specific domain controller still does not work. There is no easy way to find out about this other than manually checking the event logs. I have discussed this problem with Varonis but there is no solution to it right now. Hopefully we will see one in a future release.

I consider this very critical because there is a risk of losing critical events for a long time before the issue is detected, so I decided to build a PowerShell script that runs on the collector to help with this issue. The script checks that event collection works and, if it does not, restarts a few services. If that does not solve the issue an email is sent to me so I can quickly investigate why event collection does not work.

Please read the comments in the code for a better understanding of the script.

After you have modified the script to fit your environment and verified that it works, you can configure it to run as a scheduled task on your collector. I have configured it to run once every two hours.
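The script described above is not reproduced on this page. The following PowerShell is an added example of the same check-restart-notify loop, written for this page and not the author's original script. Everything environment-specific is an assumption to be replaced: the DC names, the collector log that is searched for per-DC activity ($CollectorLogName), the service names in $ServicesToRestart (the post does not name the services it restarts), the log-file path and the mail settings. The check itself is one possible implementation: it looks in the chosen log on the collector for any event in the last $WindowMinutes minutes whose message mentions each DC, which is the automated form of "manually checking the event logs".

```powershell
# Added example: per-DC event-collection check for a Varonis collector.
# Not the original post's script. All names below are placeholders (assumptions), adapt them.
param(
    [string[]] $DomainControllers = @('DC01.corp.example', 'DC02.corp.example'),  # assumption: your DCs
    [string]   $CollectorLogName  = 'Application',   # assumption: collector log that records per-DC collection
    [string[]] $ServicesToRestart = @('ServiceA', 'ServiceB'),  # assumption: collector services to restart
    [int]      $WindowMinutes     = 120,             # task runs every two hours, so look back that far
    [string]   $LogFile           = 'C:\Scripts\Check-VaronisCollection.log',  # assumption
    [string]   $MailFrom          = 'collector@corp.example',   # assumption
    [string]   $MailTo            = 'secops@corp.example',      # assumption
    [string]   $SmtpServer        = 'smtp.corp.example'         # assumption
)

# Timestamped trace line to the log file (gives the traceability the post mentions).
function Write-Log {
    param([string] $Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line   # Write-Host, not Write-Output, so callers' return values stay clean
}

# $true when the collector log holds at least one event mentioning $Dc inside the window.
function Test-DcCollection {
    param([string] $Dc, [string] $LogName, [int] $Minutes)
    $since = (Get-Date).AddMinutes(-$Minutes)
    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when the filter matches nothing; treat that as "no collection".
        if ($_.Exception.Message -match 'No events were found') { return $false }
        throw
    }
    $hit = $events | Where-Object { $_.Message -match [regex]::Escape($Dc) } | Select-Object -First 1
    return [bool] $hit
}

# Runs the check for every DC, logs the result and returns the DCs without recent events.
function Get-FailedDcs {
    $failed = @()
    foreach ($dc in $DomainControllers) {
        if (Test-DcCollection -Dc $dc -LogName $CollectorLogName -Minutes $WindowMinutes) {
            Write-Log "OK    $dc : events collected in the last $WindowMinutes minutes"
        } else {
            Write-Log "FAIL  $dc : no collected events in the last $WindowMinutes minutes"
            $failed += $dc
        }
    }
    return $failed
}

$failed = Get-FailedDcs
if (-not $failed) { Write-Log 'All domain controllers OK'; exit 0 }

# First remediation attempt: restart the collector services, then re-check.
foreach ($svc in $ServicesToRestart) {
    try {
        Restart-Service -Name $svc -Force -ErrorAction Stop
        Write-Log "Restarted service $svc"
    } catch {
        Write-Log "Could not restart $svc : $($_.Exception.Message)"
    }
}
Start-Sleep -Seconds 300   # give the collector time to reconnect and write new events
$stillFailed = Get-FailedDcs

if ($stillFailed) {
    $body = "Event collection is still failing after a service restart for:`n" + ($stillFailed -join "`n")
    Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpServer `
        -Subject 'Varonis event collection failure' -Body $body
    Write-Log "Notification sent for: $($stillFailed -join ', ')"
    exit 1
}
Write-Log 'Collection recovered after service restart'
```

Run it once by hand on the collector with a DC you know is healthy and one you have deliberately disconnected, confirm the log file shows OK and FAIL lines respectively, then register it with Register-ScheduledTask (a trigger of `New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 2)` matches the two-hour interval used in the post). The task account needs rights to read the collector log, restart the chosen services and relay mail through the SMTP server.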

To summarize: if you use this script you will get notified when event collection does not work. The script first tries to solve the issue by restarting the affected services; if that does not help you are notified and get the opportunity to fix the issue within a few hours instead of days or maybe months. You also get some traceability through the log function.

Logfile from script

This script is by no means the best or optimal solution, but it will help you improve the monitoring of your Varonis environment.

If you found this script helpful or have any thoughts feel free to leave a comment below or send me an email rickard.carlsson@xenit.se

Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.