Skip to main content

Varonis Data Security Platform

This Integration is part of the Varonis Data Security Platform Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Streamline alerts and related forensic information from Varonis DSP This integration was integrated and tested with version 1.0 of VaronisDataSecurityPlatform

Configure Varonis Data Security Platform in Cortex#

ParameterDescriptionRequired
Fetch incidentsFalse
Incident typeFalse
The FQDN/IP the integration should connect toTrue
Name of Varonis userTrue
PasswordTrue
Use system proxy settingsFalse
Trust any certificate (not secure)False
Maximum number of incidents per fetchMaximum value is 100False
First fetch timeFalse
Minimum severity of alerts to fetchFalse
Varonis threat model nameComma-separated list of threat model names of alerts to fetchFalse
Varonis alert statusFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

varonis-get-alerts#


Get alerts from Varonis DA

Base Command#

varonis-get-alerts

Input#

Argument NameDescriptionRequired
threat_model_nameList of requested threat models to retrieve.Optional
max_resultsThe max number of alerts to retrieve (up to 50). Default is 50.Optional
start_timeStart time of alert range.Optional
end_timeEnd time of alert range.Optional
alert_statusList of required alerts status.Optional
alert_severityList of required alerts severity.Optional
device_nameList of required alerts device name.Optional
user_nameList of users (up to 5).Optional
user_domain_nameUser domain name (cannot be provided without user_name).Optional
sam_account_nameList of sam account names (up to 5).Optional
emailList of emails (up to 5).Optional
last_daysNumber of days you want the search to go back to.Optional
descending_orderIndicates whether alerts should be ordered in newest to oldest order.Optional
pagePage number. Default is 1.Optional

Context Output#

PathTypeDescription
Varonis.Alert.IDNumberVaronis ID for alert
Varonis.Alert.NameStringName of retrieved alert
Varonis.Alert.TimeDateWhen was the alert triggered
Varonis.Alert.SeverityStringAlert severity
Varonis.Alert.CategoryStringAlert category.
Options are:
- Reconnaissance
- Intrusion
- Exploitation
- Privilege Escalation
- Lateral Movement
Varonis.Alert.CountryStringName of the country from which the event occurred
Varonis.Alert.StateStringName of the state or regional subdivision from which the event occurred
Varonis.Alert.StatusStringAlert state. Options are:
- Open
- Under investigation
- Closed
Varonis.Alert.CloseReasonStringReason the alert was closed. Options are:
- Resolved
- Misconfiguration
- Threat model disabled or deleted
- Account misclassification
- Legitimate activity
- Other
Varonis.Alert.BlacklistLocationBooleanWhether any of the geographical locations from which an alerted activity originated was on the blacklist at the time the activity occurred
Varonis.Alert.AbnormalLocationBooleanWhether any of the geographical locations from which an alerted activity originated is new or abnormal to the organization, the user and peers, or only the user
Varonis.Alert.NumOfAlertedEventsNumberNumber of events with alerts
Varonis.Alert.UserNameStringName of the users triggered alerts
Varonis.Alert.By.SamAccountNameStringLogon name used to support clients and servers running earlier versions of Windows operating system, such as Windows NT 4.0. In the dashboards (other than the Alert dashboard), this is the SAM account name of the user or group
Varonis.Alert.By.PrivilegedAccountTypeStringPrivileged account. Options are:
- Service accounts
- Admin accounts
- Executive accounts
Varonis.Alert.By.DepartmentStringUser`s department
Varonis.Alert.On.ContainsFlaggedDataBooleanWhether the data affected by the alerted events has global flags
Varonis.Alert.On.ContainsSensitiveDataBooleanFilters according to whether the resource on which the event was performed is sensitive (including subfolders)
Varonis.Alert.On.PlatformStringType of platform on which the server resides. For example, Windows, Exchange, or SharePoint
Varonis.Alert.On.AssetStringPath of the alerted asset
Varonis.Alert.On.FileServerOrDomainStringAssociated file server/domain
Varonis.Alert.Device.NameStringName of the device from which the user generated the event
Varonis.Alert.Device.ContainMaliciousExternalIPBooleanWhether the alert contains IPs known to be malicious
Varonis.Alert.Device.IPThreatTypesStringWhether the alert contains IPs known to be malicious
Varonis.Pagination.PageNumberCurrent page number requested by user
Varonis.Pagination.PageSizeNumberNumber of records on the page

Command example#

!varonis-get-alerts page=1 alert_status=Open max_results=1 start_time=2022-02-16T13:00:00+02:00

Context Example#

{
"Varonis": {
"Alert": [
{
"AbnormalLocation": "",
"BlacklistLocation": "",
"By": {
"Department": "",
"PrivilegedAccountType": "",
"SamAccountName": ""
},
"Category": "Privilege Escalation",
"CloseReason": "",
"Country": "",
"Device": {
"ContainMaliciousExternalIP": "No",
"IPThreatTypes": "",
"Name": "l1839-zkpr1"
},
"ID": "D366A9C5-EF82-413D-BABB-7F04AB358D11",
"Name": "dns aaaaaalert",
"NumOfAlertedEvents": "1",
"On": {
"Asset": "",
"ContainsFlaggedData": "",
"ContainsSensitiveData": "",
"FileServerOrDomain": "DNS",
"Platform": "DNS"
},
"Severity": "Medium",
"State": "",
"Status": "Open",
"Time": "2022-02-15T16:02:00",
"UserName": ""
}
],
"Pagination": {
"Page": 1,
"PageSize": 1
}
}
}

Human Readable Output#

Varonis Alerts#

NameSeverityTimeCategoryUserNameStatus
dns aaaaaalertMedium2022-02-15T16:02:00Privilege EscalationOpen

varonis-update-alert-status#


Update alert status

Base Command#

varonis-update-alert-status

Input#

Argument NameDescriptionRequired
alert_idRequested alerts.Required
statusAlert new status. Possible values are: Open, Under Investigation.Required

Context Output#

There is no context output for this command.

Command example#

!varonis-update-alert-status alert_id=72D0D925-0937-4111-AB4A-FFFD4A529A3C status="Under Investigation"

Human Readable Output#

True

varonis-close-alert#


Close the alert

Base Command#

varonis-close-alert

Input#

Argument NameDescriptionRequired
alert_idRequested alerts.Required
close_reasonThe reason the alert was closed. Possible values are: Resolved, Misconfiguration, Threat model disabled or deleted, Account misclassification, Legitimate activity, Other.Required

Context Output#

There is no context output for this command.

Command example#

!varonis-close-alert alert_id=72D0D925-0937-4111-AB4A-FFFD4A529A3C,0D9D657A-A51F-4674-B49A-FFB1EDD35D51 close_reason=Resolved

Human Readable Output#

True

varonis-get-alerted-events#


Get events applied to specific alerts

Base Command#

varonis-get-alerted-events

Input#

Argument NameDescriptionRequired
alert_idList of alert IDs.Required
max_resultsMaximum number of alerts to retrieve (up to 5k).Optional
pagePage number. Default is 1.Optional
descending_orderIndicates whether events should be ordered in newest to oldest order.Optional

Context Output#

PathTypeDescription
Varonis.Event.TypeStringEvent type
Varonis.Event.UTCTimeDateEvent time UTC format
Varonis.Event.StatusStringFilters according to the status of the event. Options are:
- Fail
- Success
Varonis.Event.DescriptionStringDescription of the activity
Varonis.Event.CountryStringName of the country from which the event occurred
Varonis.Event.StateStringName of the state or regional subdivision from which the event occurred
Varonis.Event.ExternalIPStringDevice external IP
Varonis.Event.Details.IsBlacklistBooleanWhether any of the geographical locations from which an alerted activity originated was on the blacklist at the time the activity occurred
Varonis.Event.Details.OperationStringType of operation that occurred during the event. Options are:
- Accessed
- Added
- Changed
- Removed
- Sent
- Received
- Requested
Varonis.Event.ByUser.NameStringName of the user that triggered the event
Varonis.Event.ByUser.UserTypeStringType of account, i.e., user or computer
Varonis.Event.ByUser.UserAccountTypeStringLogon name used to support clients and servers running earlier versions of the Windows operating system, such as Windows NT 4.0. In the dashboards (other than the Alert dashboard), this is the SAM account name of the user or group
Varonis.Event.ByUser.DomainStringDomain of the user that triggered the event
Varonis.Event. ByUser.DisabledAccountBooleanWhether the account is disabled
Varonis.Event.ByUser.StaleAccountBooleanWhether the account is stale
Varonis.Event.ByUser.LockoutAccountsBooleanWhether the account is lockout
Varonis.Event.SourceIPStringSource IP of the device triggered the event
Varonis.Event. IsMaliciousIPBooleanWhether the IP is known to be malicious
Varonis.Event. IPReputationNumberReputation score of the IP. The score is a numeric value from 1-100
Varonis.Event.IPThreatTypeStringList of threat types associated with the IP
Varonis.Event.OnObject.NameStringName of object on which the event was performed
Varonis.Event.OnObject.ObjectTypeStringType of object on which the event was performed
Varonis.Event.OnObject.PlatformStringType of platform on which the server resides. For example, Windows, Exchange, or SharePoint
Varonis.Event.OnObject.IsSensitiveBooleanIndicates whether the resource on which the event was performed is sensitive
Varonis.Event.OnObject.FileServerOrDomainStringFile server of object on which the event was performed
Varonis.Event.OnObject.IsDisabledAccountBooleanWhether the account is disabled
Varonis.Event.OnObject.IsLockOutAccountBooleanWhether the account is lockout
Varonis.Event.OnObject.SAMAccountNameStringLogon name used to support clients and servers running earlier versions of the Windows operating system, such as Windows NT 4.0. In the dashboards (other than the Alert dashboard), this is the SAM account name of the user or group
Varonis.Event.OnObject.UserAccountTypeStringSpecified type of privileged account.
Options are:
- Service accounts
- Admin accounts
- Executive accounts
- Test accounts
Varonis.Event.OnObject.DestinationIPStringDestination IP address within the organization
Varonis.Event.OnObject.DestinationDeviceStringDestination host name for relevant services
Varonis.Event.OnObject.PathStringPath of asset
Varonis.Pagination.PageNumberCurrent page number requested by user
Varonis.Pagination.PageSizeNumberNumber of records on the page

Command example#

!varonis-get-alerted-events page=1 alert_id=72D0D925-0937-4111-AB4A-FFFD4A529A3C max_results=1

Context Example#

{
"Varonis": {
"Event": [
{
"ByUser": {
"DisabledAccount": "",
"Domain": "",
"LockoutAccounts": "",
"Name": "",
"SAMAccountName": "",
"StaleAccount": "",
"UserAccountType": "",
"UserType": ""
},
"Country": "",
"Description": "The DNS Server has resolved successfully ",
"Details": {
"IsBlacklist": "",
"Operation": "Request"
},
"ID": "22D3EFC0-E758-4BA0-92C4-EB9566C830AD",
"IPReputation": "",
"IPThreatType": "",
"IsMaliciousIP": "",
"OnObject": {
"DestinationDevice": "",
"DestinationIP": "",
"FileServerOrDomain": "DNS",
"IsDisabledAccount": "",
"IsLockOutAccount": "",
"IsSensitive": "",
"Name": "dns.msftncsi.com",
"ObjectType": "Dns",
"Platform": "DNS",
"SAMAccountName": "",
"UserAccountType": ""
},
"SourceIP": "10.10.10.10",
"State": "",
"Status": "Success",
"Type": "Client DNS request",
"UTCTime": "2022-03-17T17:52:14Z"
}
],
"Pagination": {
"Page": 1,
"PageSize": 1
}
}
}

Human Readable Output#

Varonis Alerted Events#

ByUserCountryDescriptionDetailsIDIPReputationIPThreatTypeIsMaliciousIPOnObjectSourceIPStateStatusTypeUTCTime
Name:
UserType:
UserAccountType:
SAMAccountName:
Domain:
DisabledAccount:
StaleAccount:
LockoutAccounts:
The DNS Server has resolved successfullyIsBlacklist:
Operation: Request
22D3EFC0-E758-4BA0-92C4-EB9566C830ADName: dns.msftncsi.com
ObjectType: Dns
Platform: DNS
IsSensitive:
FileServerOrDomain: DNS
IsDisabledAccount:
IsLockOutAccount:
SAMAccountName:
UserAccountType:
DestinationIP:
DestinationDevice:
10.10.10.10SuccessClient DNS request2022-03-17T17:52:14Z