Varonis SaaS
This Integration is part of the Varonis SaaS Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
Streamline alerts and related forensic information from Varonis SaaS
Configure Varonis SaaS on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for Varonis SaaS.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Fetch incidents False Incident type False The FQDN/IP the integration should connect to True X-API-Key True Use system proxy settings False Trust any certificate (not secure) False First fetch time False Minimum severity of alerts to fetch False Varonis threat model name Comma-separated list of threat model names of alerts to fetch False Varonis alert status False Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
varonis-get-threat-models#
Get Varonis threat models
Base Command#
varonis-get-threat-models
Input#
| Argument Name | Description | Required |
|---|---|---|
| name | List of requested threat model names. Pipe (\|) separated and wildcards (*) supported. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| ID | Number | ID of the threat model |
| Name | String | Name of the threat model |
Command example#
!varonis-get-threat-models
!varonis-get-threat-models name="*access to*|Domain controller*"
Context Example#
Human Readable Output#
Varonis Alerts#
ID Name Category Severity Source 1 Abnormal service behavior: access to atypical folders Exfiltration 3 - Error Predefined
varonis-get-alerts#
Get alerts from Varonis DA
Base Command#
varonis-get-alerts
Input#
| Argument Name | Description | Required |
|---|---|---|
| threat_model_name | List of requested threat models to retrieve. | Optional |
| start_time | Start time (UTC) of alert range. | Optional |
| end_time | End time (UTC) of alert range. | Optional |
| alert_status | List of required alerts status. | Optional |
| alert_severity | List of required alerts severity. | Optional |
| device_name | List of required alerts device name. | Optional |
| user_name | User domain name (cannot be provided without user_name). | Optional |
| last_days | Number of days you want the search to go back to. | Optional |
| extra_fields | Extra fields. | Optional |
| descending_order | Indicates whether alerts should be ordered in newest to oldest order. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Varonis.Alert.ID | Number | Varonis ID for alert |
| Varonis.Alert.Rule.Name | String | Name of retrieved alert |
| Varonis.Alert.TimeUTC | Date | When was the alert triggered |
| Varonis.Alert.Rule.Severity.Name | String | Alert severity |
| Varonis.Alert.Rule.Category.Name | String | Alert category. Options are: - Reconnaissance - Intrusion - Exploitation - Privilege Escalation - Lateral Movement |
| Varonis.Alert.Location.CountryName | String | Name of the country from which the event occurred |
| Varonis.Alert.Location.SubdivisionName | String | Name of the state or regional subdivision from which the event occurred |
| Varonis.Alert.Status.Name | String | Alert state. Options are: - New - Under investigation - Closed - Action Required - Auto-Resolved |
| Varonis.Alert.CloseReason.Name | String | Reason the alert was closed. Options are: - Other - Benign activity - True positive - Environment misconfiguration - Alert recently customized - Inaccurate alert logic - Authorized activity |
| Varonis.Alert.Location.BlacklistedLocation | Boolean | Whether any of the geographical locations from which an alerted activity originated was on the blacklist at the time the activity occurred |
| Varonis.Alert.Location.AbnormalLocation | Boolean | Whether any of the geographical locations from which an alerted activity originated is new or abnormal to the organization, the user and peers, or only the user |
| Varonis.Alert.EventsCount | Number | Number of events with alerts |
| Varonis.Alert.User.Name | String | Name of the users triggered alerts |
| Varonis.Alert.User.SamAccountName | String | Logon name used to support clients and servers running earlier versions of Windows operating system, such as Windows NT 4.0. In the dashboards (other than the Alert dashboard), this is the SAM account name of the user or group |
| Varonis.Alert.User.AccountType.Name | String | Privileged account associated with the user in the alert. Options are: - Service accounts - Admin accounts - Executive accounts |
| Varonis.Alert.Data.IsFlagged | Boolean | Whether the data affected by the alerted events has global flags |
| Varonis.Alert.Data.IsSensitive | Boolean | Filters according to whether the resource on which the event was performed is sensitive (including subfolders) |
| Varonis.Alert.Filer.Platform.Name | String | Type of platform on which the server resides. For example, Windows, Exchange, or SharePoint |
| Varonis.Alert.Asset.Path | String | Path of the alerted asset |
| Varonis.Alert.Filer.Name | String | Associated file server/domain |
| Varonis.Alert.Device.HostName | String | Name of the device from which the user generated the event |
| Varonis.Alert.Device.IsMaliciousExternalIP | Boolean | Whether the alert contains IPs known to be malicious |
| Varonis.Alert.Device.ExternalIPThreatTypesName | String | Whether the alert contains IPs known to be malicious |
| Varonis.Alert.Status.ID | String | Id for the status of the alert |
| Varonis.Alert.Rule.ID | String | Id for the rule that triggered the alert |
| Varonis.Alert.Rule.Severity.ID | String | Severity level identifier |
| Varonis.Alert.Initial.Event.TimeUTC | Date | UTC time of the initial event that triggered the alert |
| Varonis.Alert.User.SidID | String | Security Identifier (SID) of the user associated with the alert |
| Varonis.Alert.IngestTime | Date | Time when the alert was ingested into the system |
Command example#
!varonis-get-alerts start_time="2023-12-01T09:58:00" end_time="2023-12-07T04:16:00" alert_status="New" alert_severity="High" device_name="intfc35adh" threat_model_name="Deletion: Active Directory containers, Foreign Security Principal, or GPO" extra_fields="Alert.MitreTactic.*"
Context Example#
Human Readable Output#
Varonis Alerts#
Alert.Rule.Name Alert.Rule.Severity.Name Alert.TimeUTC Alert.Rule.Category.Name Alert.User.Name Alert.Status.Name Alert.ID Deletion: Multiple directory service objects Medium 2023-12-11T03:50:00 Denial of Service varadm (intaf6fb.com) New A5F4B69A-F5C0-494F-B5B4-185185BC3FBE
varonis-get-alerted-events#
Get events applied to specific alerts
Base Command#
varonis-get-alerted-events
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert_id | List of alert IDs. | Required |
| start_time | Start UTC time of alert range. | Optional |
| end_time | End UTC time of alert range. | Optional |
| last_days | Number of days you want the search to go back to. | Optional |
| extra_fields | Extra fields. | Optional |
| descending_order | Indicates whether events should be ordered in newest to oldest order. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Varonis.Event.ID | String | Event ID |
| Varonis.Event.Alert.ID | String | Alert ID |
| Varonis.Event.Type.Name | String | Event type |
| Varonis.Event.TimeUTC | Date | Event time in UTC format |
| Varonis.Event.Status.Name | String | Filters according to the status of the event. Options are: - Fail - Success |
| Varonis.Event.Description | String | Description of the activity |
| Varonis.Event.Location.Country.Name | String | Name of the country from which the event occurred |
| Varonis.Event.Location.Subdivision.Name | String | Name of the state or regional subdivision from which the event occurred |
| Varonis.Event.Device.ExternalIP.IP | String | Device external IP address |
| Varonis.Event.Location.BlacklistedLocation | Boolean | Indicates whether the geographical location from which the event originated was blacklisted |
| Varonis.Event.Operation.Name | String | Type of operation that occurred during the event. Options are: - Accessed - Added - Changed - Removed - Sent - Received - Requested |
| Varonis.Event.ByAccount.Identity.Name | String | Name of the user that triggered the event |
| Varonis.Event.ByAccount.Type.Name | String | Type of account, i.e., user or computer |
| Varonis.Event.ByAccount.SamAccountName | String | SAM account name of the user or group for clients and servers running earlier versions of Windows |
| Varonis.Event.ByAccount.Domain.Name | String | Domain of the user that triggered the event |
| Varonis.Event.ByAccount.IsDisabled | Boolean | Indicates whether the account is disabled |
| Varonis.Event.ByAccount.IsStale | Boolean | Indicates whether the account is stale |
| Varonis.Event.ByAccount.IsLockout | Boolean | Indicates whether the account is locked out |
| Varonis.Event.IP | String | Source IP address of the device that triggered the event |
| Varonis.Event.Device.ExternalIP.IsMalicious | Boolean | Indicates whether the external IP is known to be malicious |
| Varonis.Event.Device.ExternalIP.Reputation.Name | Number | Reputation score of the external IP, a numeric value from 1-100 |
| Varonis.Event.Device.ExternalIP.ThreatTypes.Name | String | List of threat types associated with the external IP |
| Varonis.Event.OnObjectName | String | Name of the object on which the event was performed |
| Varonis.Event.OnResource.ObjectType.Name | String | Type of the object on which the event was performed |
| Varonis.Event.Filer.Platform.Name | String | Type of platform on which the server resides, like Windows, Exchange, SharePoint |
| Varonis.Event.OnResource.IsSensitive | Boolean | Indicates whether the resource on which the event was performed is sensitive |
| Varonis.Event.Filer.Name | String | File server of the object on which the event was performed |
| Varonis.Event.OnAccount.IsDisabled | Boolean | Indicates whether the account is disabled |
| Varonis.Event.OnAccount.IsLockout | Boolean | Indicates whether the account is locked out |
| Varonis.Event.OnAccount.SamAccountName | Boolean | SAM account name of the user or group for clients and servers running earlier versions of Windows |
| Varonis.Event.Destination.IP | String | Destination IP address within the organization |
| Varonis.Event.Device.Name | String | Name of the device that triggered the event |
| Varonis.Event.Destination.DeviceName | String | Destination host name for relevant services |
| Varonis.Event.OnResource.Path | String | Path of the resource |
Command example#
varonis-get-alerted-events alert_id="C98A3E72-99E9-4E5C-A560-7D04FA60686E,C83D55F0-EC63-41FC-B8C6-A5A66CB51372" last_days=7 extra_fields="Event.ByAccount.DistinguishedName"
Context Example#
Human Readable Output#
Varonis Alerted Events#
Event.Type.Name Event.Description Event.Filer.Platform.Name Event.Filer.Name Event.ByAccount.SamAccountName Event.OnObjectName Event.Alert.ID Event.ID Event.TimeUTC Event.Status.Name Event.Location.Country.Name Event.Location.Subdivision.Name Event.Location.BlacklistedLocation Event.Operation.Name Event.ByAccount.Type.Name Event.ByAccount.Domain.Name Event.ByAccount.Identity.Name Event.IP Event.Device.ExternalIP.IP Event.Destination.IP Event.Device.Name Event.Destination.DeviceName Event.ByAccount.IsDisabled Event.ByAccount.IsStale Event.ByAccount.IsLockout Event.Device.ExternalIP.ThreatTypes.Name Event.Device.ExternalIP.IsMalicious Event.Device.ExternalIP.Reputation.Name Event.OnResource.ObjectType.Name Event.OnAccount.SamAccountName Event.OnResource.IsSensitive Event.OnAccount.IsDisabled Event.OnAccount.IsLockout Event.OnResource.Path DS object deleted Organizational Unit "CommitOu_a9c42" was deleted Active Directory AD-intaf6fb.com varadm CommitOu_a9c42 A5F4B69A-F5C0-494F-B5B4-185185BC3FBE 7D87B6A2-C9C2-4859-A076-DD4D0EFC8276 2023-12-11T03:41:08.000Z Success Deleted User intaf6fb.com varadm intaf6fbdh No No No Organizational unit 51d4ee86-db4a-4d4a-baaa-1b84e02afd59 intaf6fb.com\CommitOu_a9c42
varonis-alert-add-note#
Add note to alerts
Base Command#
varonis-alert-add-note
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert_id | Requested alerts. | Required |
| note | Note. | Required |
Context Output#
There is no context output for this command.
Command example#
!varonis-alert-add-note alert_id=C98A3E72-99E9-4E5C-A560-7D04FA60686E note="This needs to be invested ASAP"
varonis-update-alert-status#
Update alert status
Base Command#
varonis-update-alert-status
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert_id | Requested alerts. | Required |
| status | Alert new status. Possible values are: New, Under Investigation, Action Required, Auto-Resolved. | Required |
| note | Note. | Optional |
Context Output#
There is no context output for this command.
Command example#
!varonis-update-alert-status alert_id=C98A3E72-99E9-4E5C-A560-7D04FA60686E status="Action Required" note="Waiting for feedback from security team"
varonis-close-alert#
Close the alert
Base Command#
varonis-close-alert
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert_id | Requested alerts. | Required |
| close_reason | The reason the alert was closed. Possible values are: Other, Benign activity, True positive, Environment misconfiguration, Alert recently customized, Inaccurate alert logic, Authorized activity. | Required |
| note | Note. | Optional |
Context Output#
There is no context output for this command.
Command example#
!varonis-close-alert alert_id=C98A3E72-99E9-4E5C-A560-7D04FA60686E close_reason="Inaccurate alert logic" note="Alert is irrelevant. Closed"