
Varonis SaaS

This Integration is part of the Varonis SaaS Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Streamline alerts and related forensic information from Varonis SaaS

Configure Varonis SaaS in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Fetch incidents | | False |
| Incident type | | False |
| The FQDN/IP the integration should connect to | | True |
| X-API-Key | | True |
| Use system proxy settings | | False |
| Trust any certificate (not secure) | | False |
| First fetch time | | False |
| Minimum severity of alerts to fetch | | False |
| Varonis threat model name | Comma-separated list of threat model names of alerts to fetch | False |
| Varonis alert status | | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

varonis-get-threat-models

Get Varonis threat models

Base Command

varonis-get-threat-models

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | List of requested threat model names. Pipe (\|) separated and wildcards (*) supported. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ID | Number | ID of the threat model |
| Name | String | Name of the threat model |

Command example

!varonis-get-threat-models
!varonis-get-threat-models name="*access to*|Domain controller*"

Context Example

[
{
"ThreatModel.Name": "Abnormal service behavior: access to atypical folders",
"ThreatModel.Category": "Exfiltration",
"ThreatModel.Severity": "3 - Error",
"ThreatModel.Source": "Predefined",
"ThreatModel.ID": 1
},
{
"ThreatModel.Name": "Abnormal service behavior: access to atypical files",
"ThreatModel.Category": "Exfiltration",
"ThreatModel.Severity": "3 - Error",
"ThreatModel.Source": "Predefined",
"ThreatModel.ID": 2
}
]

Human Readable Output

Varonis Alerts

| ID | Name | Category | Severity | Source |
| --- | --- | --- | --- | --- |
| 1 | Abnormal service behavior: access to atypical folders | Exfiltration | 3 - Error | Predefined |

varonis-get-alerts

Get alerts from Varonis DA

Base Command

varonis-get-alerts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_model_name | List of requested threat models to retrieve. | Optional |
| start_time | Start time (UTC) of alert range. | Optional |
| end_time | End time (UTC) of alert range. | Optional |
| alert_status | List of required alerts status. | Optional |
| alert_severity | List of required alerts severity. | Optional |
| device_name | List of required alerts device name. | Optional |
| user_name | User domain name (cannot be provided without user_name). | Optional |
| last_days | Number of days you want the search to go back to. | Optional |
| extra_fields | Extra fields. | Optional |
| descending_order | Indicates whether alerts should be ordered in newest to oldest order. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Varonis.Alert.ID | Number | Varonis ID for alert |
| Varonis.Alert.Rule.Name | String | Name of retrieved alert |
| Varonis.Alert.TimeUTC | Date | When the alert was triggered |
| Varonis.Alert.Rule.Severity.Name | String | Alert severity |
| Varonis.Alert.Rule.Category.Name | String | Alert category. Options are: Reconnaissance, Intrusion, Exploitation, Privilege Escalation, Lateral Movement |
| Varonis.Alert.Location.CountryName | String | Name of the country from which the event occurred |
| Varonis.Alert.Location.SubdivisionName | String | Name of the state or regional subdivision from which the event occurred |
| Varonis.Alert.Status.Name | String | Alert state. Options are: New, Under investigation, Closed, Action Required, Auto-Resolved |
| Varonis.Alert.CloseReason.Name | String | Reason the alert was closed. Options are: Other, Benign activity, True positive, Environment misconfiguration, Alert recently customized, Inaccurate alert logic, Authorized activity |
| Varonis.Alert.Location.BlacklistedLocation | Boolean | Whether any of the geographical locations from which an alerted activity originated was on the blacklist at the time the activity occurred |
| Varonis.Alert.Location.AbnormalLocation | Boolean | Whether any of the geographical locations from which an alerted activity originated is new or abnormal to the organization, the user and peers, or only the user |
| Varonis.Alert.EventsCount | Number | Number of events with alerts |
| Varonis.Alert.User.Name | String | Name of the users who triggered the alerts |
| Varonis.Alert.User.SamAccountName | String | Logon name used to support clients and servers running earlier versions of the Windows operating system, such as Windows NT 4.0. In the dashboards (other than the Alert dashboard), this is the SAM account name of the user or group |
| Varonis.Alert.User.AccountType.Name | String | Privileged account associated with the user in the alert. Options are: Service accounts, Admin accounts, Executive accounts |
| Varonis.Alert.Data.IsFlagged | Boolean | Whether the data affected by the alerted events has global flags |
| Varonis.Alert.Data.IsSensitive | Boolean | Filters according to whether the resource on which the event was performed is sensitive (including subfolders) |
| Varonis.Alert.Filer.Platform.Name | String | Type of platform on which the server resides. For example, Windows, Exchange, or SharePoint |
| Varonis.Alert.Asset.Path | String | Path of the alerted asset |
| Varonis.Alert.Filer.Name | String | Associated file server/domain |
| Varonis.Alert.Device.HostName | String | Name of the device from which the user generated the event |
| Varonis.Alert.Device.IsMaliciousExternalIP | Boolean | Whether the alert contains IPs known to be malicious |
| Varonis.Alert.Device.ExternalIPThreatTypesName | String | Whether the alert contains IPs known to be malicious |
| Varonis.Alert.Status.ID | String | ID for the status of the alert |
| Varonis.Alert.Rule.ID | String | ID for the rule that triggered the alert |
| Varonis.Alert.Rule.Severity.ID | String | Severity level identifier |
| Varonis.Alert.Initial.Event.TimeUTC | Date | UTC time of the initial event that triggered the alert |
| Varonis.Alert.User.SidID | String | Security Identifier (SID) of the user associated with the alert |
| Varonis.Alert.IngestTime | Date | Time when the alert was ingested into the system |

Command example

!varonis-get-alerts start_time="2023-12-01T09:58:00" end_time="2023-12-07T04:16:00" alert_status="New" alert_severity="High" device_name="intfc35adh" threat_model_name="Deletion: Active Directory containers, Foreign Security Principal, or GPO" extra_fields="Alert.MitreTactic.*"

Context Example

[
{
"Alert.Rule.Name": "Deletion: Multiple directory service objects",
"Alert.Rule.Severity.Name": "Medium",
"Alert.TimeUTC": "2023-12-11T03:50:00",
"Alert.Rule.Category.Name": "Denial of Service",
"Alert.User.Name": "varadm (intaf6fb.com)",
"Alert.Status.Name": "New",
"Alert.ID": "A5F4B69A-F5C0-494F-B5B4-185185BC3FBE",
"Alert.Rule.ID": "140",
"Alert.Rule.Severity.ID": "1",
"Alert.Location.CountryName": "",
"Alert.Location.SubdivisionName": "",
"Alert.Status.ID": "1",
"Alert.EventsCount": "14",
"Alert.Initial.Event.TimeUTC": "2023-12-11T03:41:00",
"Alert.User.SamAccountName": "varadm",
"Alert.User.AccountType.Name": "Admin,Executive",
"Alert.Device.HostName": "intaf6fbdh",
"Alert.Device.IsMaliciousExternalIP": "",
"Alert.Device.ExternalIPThreatTypesName": "",
"Alert.Data.IsFlagged": "0",
"Alert.Data.IsSensitive": "0",
"Alert.Filer.Platform.Name": "Active Directory",
"Alert.Asset.Path": "intaf6fb.com(AD-intaf6fb.com)",
"Alert.Filer.Name": "AD-intaf6fb.com",
"Alert.CloseReason.Name": "",
"Alert.Location.BlacklistedLocation": "",
"Alert.Location.AbnormalLocation": "",
"Alert.User.SidID": "971",
"Alert.IngestTime": "2023-12-11T03:52:46",
"Url": "/#/app/analytics/entity/Alert/A5F4B69A-F5C0-494F-B5B4-185185BC3FBE"
}
]

Human Readable Output

Varonis Alerts

| Alert.Rule.Name | Alert.Rule.Severity.Name | Alert.TimeUTC | Alert.Rule.Category.Name | Alert.User.Name | Alert.Status.Name | Alert.ID |
| --- | --- | --- | --- | --- | --- | --- |
| Deletion: Multiple directory service objects | Medium | 2023-12-11T03:50:00 | Denial of Service | varadm (intaf6fb.com) | New | A5F4B69A-F5C0-494F-B5B4-185185BC3FBE |

varonis-get-alerted-events

Get events applied to specific alerts

Base Command

varonis-get-alerted-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | List of alert IDs. | Required |
| start_time | Start UTC time of alert range. | Optional |
| end_time | End UTC time of alert range. | Optional |
| last_days | Number of days you want the search to go back to. | Optional |
| extra_fields | Extra fields. | Optional |
| descending_order | Indicates whether events should be ordered in newest to oldest order. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Varonis.Event.ID | String | Event ID |
| Varonis.Event.Alert.ID | String | Alert ID |
| Varonis.Event.Type.Name | String | Event type |
| Varonis.Event.TimeUTC | Date | Event time in UTC format |
| Varonis.Event.Status.Name | String | Filters according to the status of the event. Options are: Fail, Success |
| Varonis.Event.Description | String | Description of the activity |
| Varonis.Event.Location.Country.Name | String | Name of the country from which the event occurred |
| Varonis.Event.Location.Subdivision.Name | String | Name of the state or regional subdivision from which the event occurred |
| Varonis.Event.Device.ExternalIP.IP | String | Device external IP address |
| Varonis.Event.Location.BlacklistedLocation | Boolean | Indicates whether the geographical location from which the event originated was blacklisted |
| Varonis.Event.Operation.Name | String | Type of operation that occurred during the event. Options are: Accessed, Added, Changed, Removed, Sent, Received, Requested |
| Varonis.Event.ByAccount.Identity.Name | String | Name of the user that triggered the event |
| Varonis.Event.ByAccount.Type.Name | String | Type of account, i.e., user or computer |
| Varonis.Event.ByAccount.SamAccountName | String | SAM account name of the user or group for clients and servers running earlier versions of Windows |
| Varonis.Event.ByAccount.Domain.Name | String | Domain of the user that triggered the event |
| Varonis.Event.ByAccount.IsDisabled | Boolean | Indicates whether the account is disabled |
| Varonis.Event.ByAccount.IsStale | Boolean | Indicates whether the account is stale |
| Varonis.Event.ByAccount.IsLockout | Boolean | Indicates whether the account is locked out |
| Varonis.Event.IP | String | Source IP address of the device that triggered the event |
| Varonis.Event.Device.ExternalIP.IsMalicious | Boolean | Indicates whether the external IP is known to be malicious |
| Varonis.Event.Device.ExternalIP.Reputation.Name | Number | Reputation score of the external IP, a numeric value from 1-100 |
| Varonis.Event.Device.ExternalIP.ThreatTypes.Name | String | List of threat types associated with the external IP |
| Varonis.Event.OnObjectName | String | Name of the object on which the event was performed |
| Varonis.Event.OnResource.ObjectType.Name | String | Type of the object on which the event was performed |
| Varonis.Event.Filer.Platform.Name | String | Type of platform on which the server resides, like Windows, Exchange, SharePoint |
| Varonis.Event.OnResource.IsSensitive | Boolean | Indicates whether the resource on which the event was performed is sensitive |
| Varonis.Event.Filer.Name | String | File server of the object on which the event was performed |
| Varonis.Event.OnAccount.IsDisabled | Boolean | Indicates whether the account is disabled |
| Varonis.Event.OnAccount.IsLockout | Boolean | Indicates whether the account is locked out |
| Varonis.Event.OnAccount.SamAccountName | Boolean | SAM account name of the user or group for clients and servers running earlier versions of Windows |
| Varonis.Event.Destination.IP | String | Destination IP address within the organization |
| Varonis.Event.Device.Name | String | Name of the device that triggered the event |
| Varonis.Event.Destination.DeviceName | String | Destination host name for relevant services |
| Varonis.Event.OnResource.Path | String | Path of the resource |

Command example

!varonis-get-alerted-events alert_id="C98A3E72-99E9-4E5C-A560-7D04FA60686E,C83D55F0-EC63-41FC-B8C6-A5A66CB51372" last_days=7 extra_fields="Event.ByAccount.DistinguishedName"

Context Example

[
{
"Event.Type.Name": "DS object deleted",
"Event.Description": "Organizational Unit \"CommitOu_a9c42\" was deleted",
"Event.Filer.Platform.Name": "Active Directory",
"Event.Filer.Name": "AD-intaf6fb.com",
"Event.ByAccount.SamAccountName": "varadm",
"Event.OnObjectName": "CommitOu_a9c42",
"Event.Alert.ID": "A5F4B69A-F5C0-494F-B5B4-185185BC3FBE",
"Event.ID": "7D87B6A2-C9C2-4859-A076-DD4D0EFC8276",
"Event.TimeUTC": "2023-12-11T03:41:08.000Z",
"Event.Status.Name": "Success",
"Event.Location.Country.Name": "",
"Event.Location.Subdivision.Name": "",
"Event.Location.BlacklistedLocation": "",
"Event.Operation.Name": "Deleted",
"Event.ByAccount.Type.Name": "User",
"Event.ByAccount.Domain.Name": "intaf6fb.com",
"Event.ByAccount.Identity.Name": "varadm",
"Event.IP": "",
"Event.Device.ExternalIP.IP": "",
"Event.Destination.IP": "",
"Event.Device.Name": "intaf6fbdh",
"Event.Destination.DeviceName": "",
"Event.ByAccount.IsDisabled": "No",
"Event.ByAccount.IsStale": "No",
"Event.ByAccount.IsLockout": "No",
"Event.Device.ExternalIP.ThreatTypes.Name": "",
"Event.Device.ExternalIP.IsMalicious": "",
"Event.Device.ExternalIP.Reputation.Name": "",
"Event.OnResource.ObjectType.Name": "Organizational unit",
"Event.OnAccount.SamAccountName": "51d4ee86-db4a-4d4a-baaa-1b84e02afd59",
"Event.OnResource.IsSensitive": "",
"Event.OnAccount.IsDisabled": "",
"Event.OnAccount.IsLockout": "",
"Event.OnResource.Path": "intaf6fb.com\\CommitOu_a9c42"
}
]

Human Readable Output

Varonis Alerted Events

| Event.Type.Name | Event.Description | Event.Filer.Platform.Name | Event.Filer.Name | Event.ByAccount.SamAccountName | Event.OnObjectName | Event.Alert.ID | Event.ID | Event.TimeUTC | Event.Status.Name | Event.Location.Country.Name | Event.Location.Subdivision.Name | Event.Location.BlacklistedLocation | Event.Operation.Name | Event.ByAccount.Type.Name | Event.ByAccount.Domain.Name | Event.ByAccount.Identity.Name | Event.IP | Event.Device.ExternalIP.IP | Event.Destination.IP | Event.Device.Name | Event.Destination.DeviceName | Event.ByAccount.IsDisabled | Event.ByAccount.IsStale | Event.ByAccount.IsLockout | Event.Device.ExternalIP.ThreatTypes.Name | Event.Device.ExternalIP.IsMalicious | Event.Device.ExternalIP.Reputation.Name | Event.OnResource.ObjectType.Name | Event.OnAccount.SamAccountName | Event.OnResource.IsSensitive | Event.OnAccount.IsDisabled | Event.OnAccount.IsLockout | Event.OnResource.Path |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| DS object deleted | Organizational Unit "CommitOu_a9c42" was deleted | Active Directory | AD-intaf6fb.com | varadm | CommitOu_a9c42 | A5F4B69A-F5C0-494F-B5B4-185185BC3FBE | 7D87B6A2-C9C2-4859-A076-DD4D0EFC8276 | 2023-12-11T03:41:08.000Z | Success | | | | Deleted | User | intaf6fb.com | varadm | | | | intaf6fbdh | | No | No | No | | | | Organizational unit | 51d4ee86-db4a-4d4a-baaa-1b84e02afd59 | | | | intaf6fb.com\CommitOu_a9c42 |
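Both context examples above show the Boolean-typed fields (Alert.Data.IsSensitive, Event.ByAccount.IsDisabled and the rest) arriving as strings: "0"/"1" on alerts, "No"/"Yes" on events, and "" when the field is not populated. The following added example, not part of this integration's code, normalises those values and derives triage flags from the Varonis.Alert and Varonis.Event records; the flag names, thresholds and the two sample records are assumptions constructed from the examples on this page.

```python
from typing import Optional

# Boolean fields arrive as strings in the context examples above: alerts use
# "0"/"1", events use "No"/"Yes", and "" means the field was not populated.
_TRUE, _FALSE = {"1", "yes", "true"}, {"0", "no", "false"}

def to_bool(value) -> Optional[bool]:
    """Map a Varonis Boolean field to True/False, or None when empty or unknown."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    return True if text in _TRUE else False if text in _FALSE else None

def alert_triage_flags(alert: dict) -> dict:
    """Triage signals for a Varonis.Alert record keyed by its flat 'Alert.*' names."""
    acct = alert.get("Alert.User.AccountType.Name") or ""
    flags = {
        "privileged_user": any(t.strip().startswith(("Admin", "Service", "Executive"))
                               for t in acct.split(",")),
        "sensitive_data": to_bool(alert.get("Alert.Data.IsSensitive")) is True,
        "malicious_ip": to_bool(alert.get("Alert.Device.IsMaliciousExternalIP")) is True,
        "unusual_location": (to_bool(alert.get("Alert.Location.AbnormalLocation")) is True
                             or to_bool(alert.get("Alert.Location.BlacklistedLocation")) is True),
        "high_severity": alert.get("Alert.Rule.Severity.Name") == "High",
    }
    # Escalate on any strong indicator, or a privileged account touching sensitive data.
    flags["escalate"] = (flags["malicious_ip"] or flags["unusual_location"]
                         or flags["high_severity"]
                         or (flags["privileged_user"] and flags["sensitive_data"]))
    return flags

def event_is_suspicious(event: dict) -> bool:
    """Flag a Varonis.Event record for a disabled/stale/locked-out actor, a malicious
    source IP, or a removal performed on a sensitive resource."""
    bad_actor = any(to_bool(event.get(f"Event.ByAccount.{k}")) is True
                    for k in ("IsDisabled", "IsStale", "IsLockout"))
    malicious_ip = to_bool(event.get("Event.Device.ExternalIP.IsMalicious")) is True
    sensitive_removal = (to_bool(event.get("Event.OnResource.IsSensitive")) is True
                         and event.get("Event.Operation.Name") in ("Removed", "Deleted"))
    return bad_actor or malicious_ip or sensitive_removal

# Constructed samples, trimmed from the two context examples above.
SAMPLE_ALERT = {"Alert.Rule.Severity.Name": "Medium", "Alert.User.AccountType.Name": "Admin,Executive",
                "Alert.Data.IsSensitive": "0", "Alert.Device.IsMaliciousExternalIP": "",
                "Alert.Location.AbnormalLocation": "", "Alert.Location.BlacklistedLocation": ""}
SAMPLE_EVENT = {"Event.Operation.Name": "Deleted", "Event.ByAccount.IsDisabled": "No",
                "Event.ByAccount.IsStale": "No", "Event.ByAccount.IsLockout": "No",
                "Event.Device.ExternalIP.IsMalicious": "", "Event.OnResource.IsSensitive": ""}
```

Treating "" as unknown rather than false matters: the sample alert has no location or IP data at all, so an escalation rule that tested `== "1"` would silently pass it and one that tested `!= "0"` would fire on every alert.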

varonis-alert-add-note

Add note to alerts

Base Command

varonis-alert-add-note

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Requested alerts. | Required |
| note | Note. | Required |

Context Output

There is no context output for this command.

Command example

!varonis-alert-add-note alert_id=C98A3E72-99E9-4E5C-A560-7D04FA60686E note="This needs to be investigated ASAP"

varonis-update-alert-status

Update alert status

Base Command

varonis-update-alert-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Requested alerts. | Required |
| status | Alert new status. Possible values are: New, Under Investigation, Action Required, Auto-Resolved. | Required |
| note | Note. | Optional |

Context Output

There is no context output for this command.

Command example

!varonis-update-alert-status alert_id=C98A3E72-99E9-4E5C-A560-7D04FA60686E status="Action Required" note="Waiting for feedback from security team"

varonis-close-alert

Close the alert

Base Command

varonis-close-alert

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Requested alerts. | Required |
| close_reason | The reason the alert was closed. Possible values are: Other, Benign activity, True positive, Environment misconfiguration, Alert recently customized, Inaccurate alert logic, Authorized activity. | Required |
| note | Note. | Optional |

Context Output

There is no context output for this command.

Command example

!varonis-close-alert alert_id=C98A3E72-99E9-4E5C-A560-7D04FA60686E close_reason="Inaccurate alert logic" note="Alert is irrelevant. Closed"

get-mapping-fields

Returns the list of fields to map in outgoing mirroring. This command is only used for debugging purposes.

Base Command

get-mapping-fields

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Incident Mirroring

You can enable outgoing incident mirroring between Cortex XSOAR incidents and Varonis alerts (available from Cortex XSOAR version 6.0.0). To set up the mirroring:

  1. Enable Fetching incidents in your instance configuration.

  2. In the Mirroring Direction integration parameter, select in which direction the incidents should be mirrored (currently only outgoing mirroring is available):

     | Option | Description |
     | --- | --- |
     | None | Turns off incident mirroring. |
     | Outgoing | Any changes in Cortex XSOAR incidents will be reflected in the Varonis SaaS service (outgoing mirrored fields). |

Newly fetched incidents will be mirrored in the chosen direction. However, this selection does not affect existing incidents.

Mirroring Out Notes

The supported fields in the mirroring out process are:

  • Varonis Alert Status
  • Varonis Close Reason
  • Incident Close Notes

Important Note: There are two ways to close a Varonis Alert:

  • The first option is to change the Varonis Alert Status field in the XSOAR incident. In this case, the status of the alert in the Varonis SaaS service will be changed by the mirroring functionality, but the incident in XSOAR won't be closed.
  • The second option is to close the incident in XSOAR. In this case, the Varonis Alert will be closed on the Varonis side by the post-processing script.