Varonis SaaS
Varonis SaaS Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
Streamline alerts and related forensic information from Varonis SaaS
#
Configure Varonis SaaS in CortexParameter | Description | Required |
---|---|---|
Fetch incidents | False | |
Incident type | False | |
The FQDN/IP the integration should connect to | True | |
X-API-Key | True | |
Use system proxy settings | False | |
Trust any certificate (not secure) | False | |
First fetch time | False | |
Minimum severity of alerts to fetch | False | |
Varonis threat model name | Comma-separated list of threat model names of alerts to fetch | False |
Varonis alert status | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
varonis-get-threat-modelsGet Varonis threat models
#
Base Commandvaronis-get-threat-models
#
InputArgument Name | Description | Required |
---|---|---|
name | List of requested threat model names. Pipe (\| ) separated and wildcards (* ) supported. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
ID | Number | ID of the threat model |
Name | String | Name of the threat model |
#
Command example!varonis-get-threat-models
!varonis-get-threat-models name="*access to*|Domain controller*"
#
Context Example#
Human Readable Output#
Varonis Alerts
ID Name Category Severity Source 1 Abnormal service behavior: access to atypical folders Exfiltration 3 - Error Predefined
#
varonis-get-alertsGet alerts from Varonis DA
#
Base Commandvaronis-get-alerts
#
InputArgument Name | Description | Required |
---|---|---|
threat_model_name | List of requested threat models to retrieve. | Optional |
start_time | Start time (UTC) of alert range. | Optional |
end_time | End time (UTC) of alert range. | Optional |
alert_status | List of required alerts status. | Optional |
alert_severity | List of required alerts severity. | Optional |
device_name | List of required alerts device name. | Optional |
user_name | User domain name (cannot be provided without user_name). | Optional |
last_days | Number of days you want the search to go back to. | Optional |
extra_fields | Extra fields. | Optional |
descending_order | Indicates whether alerts should be ordered in newest to oldest order. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Varonis.Alert.ID | Number | Varonis ID for alert |
Varonis.Alert.Rule.Name | String | Name of retrieved alert |
Varonis.Alert.TimeUTC | Date | When was the alert triggered |
Varonis.Alert.Rule.Severity.Name | String | Alert severity |
Varonis.Alert.Rule.Category.Name | String | Alert category. Options are: - Reconnaissance - Intrusion - Exploitation - Privilege Escalation - Lateral Movement |
Varonis.Alert.Location.CountryName | String | Name of the country from which the event occurred |
Varonis.Alert.Location.SubdivisionName | String | Name of the state or regional subdivision from which the event occurred |
Varonis.Alert.Status.Name | String | Alert state. Options are: - New - Under investigation - Closed - Action Required - Auto-Resolved |
Varonis.Alert.CloseReason.Name | String | Reason the alert was closed. Options are: - Other - Benign activity - True positive - Environment misconfiguration - Alert recently customized - Inaccurate alert logic - Authorized activity |
Varonis.Alert.Location.BlacklistedLocation | Boolean | Whether any of the geographical locations from which an alerted activity originated was on the blacklist at the time the activity occurred |
Varonis.Alert.Location.AbnormalLocation | Boolean | Whether any of the geographical locations from which an alerted activity originated is new or abnormal to the organization, the user and peers, or only the user |
Varonis.Alert.EventsCount | Number | Number of events with alerts |
Varonis.Alert.User.Name | String | Name of the users triggered alerts |
Varonis.Alert.User.SamAccountName | String | Logon name used to support clients and servers running earlier versions of Windows operating system, such as Windows NT 4.0. In the dashboards (other than the Alert dashboard), this is the SAM account name of the user or group |
Varonis.Alert.User.AccountType.Name | String | Privileged account associated with the user in the alert. Options are: - Service accounts - Admin accounts - Executive accounts |
Varonis.Alert.Data.IsFlagged | Boolean | Whether the data affected by the alerted events has global flags |
Varonis.Alert.Data.IsSensitive | Boolean | Filters according to whether the resource on which the event was performed is sensitive (including subfolders) |
Varonis.Alert.Filer.Platform.Name | String | Type of platform on which the server resides. For example, Windows, Exchange, or SharePoint |
Varonis.Alert.Asset.Path | String | Path of the alerted asset |
Varonis.Alert.Filer.Name | String | Associated file server/domain |
Varonis.Alert.Device.HostName | String | Name of the device from which the user generated the event |
Varonis.Alert.Device.IsMaliciousExternalIP | Boolean | Whether the alert contains IPs known to be malicious |
Varonis.Alert.Device.ExternalIPThreatTypesName | String | Whether the alert contains IPs known to be malicious |
Varonis.Alert.Status.ID | String | Id for the status of the alert |
Varonis.Alert.Rule.ID | String | Id for the rule that triggered the alert |
Varonis.Alert.Rule.Severity.ID | String | Severity level identifier |
Varonis.Alert.Initial.Event.TimeUTC | Date | UTC time of the initial event that triggered the alert |
Varonis.Alert.User.SidID | String | Security Identifier (SID) of the user associated with the alert |
Varonis.Alert.IngestTime | Date | Time when the alert was ingested into the system |
#
Command example!varonis-get-alerts start_time="2023-12-01T09:58:00" end_time="2023-12-07T04:16:00" alert_status="New" alert_severity="High" device_name="intfc35adh" threat_model_name="Deletion: Active Directory containers, Foreign Security Principal, or GPO" extra_fields="Alert.MitreTactic.*"
#
Context Example#
Human Readable Output#
Varonis Alerts
Alert.Rule.Name Alert.Rule.Severity.Name Alert.TimeUTC Alert.Rule.Category.Name Alert.User.Name Alert.Status.Name Alert.ID Deletion: Multiple directory service objects Medium 2023-12-11T03:50:00 Denial of Service varadm (intaf6fb.com) New A5F4B69A-F5C0-494F-B5B4-185185BC3FBE
#
varonis-get-alerted-eventsGet events applied to specific alerts
#
Base Commandvaronis-get-alerted-events
#
InputArgument Name | Description | Required |
---|---|---|
alert_id | List of alert IDs. | Required |
start_time | Start UTC time of alert range. | Optional |
end_time | End UTC time of alert range. | Optional |
last_days | Number of days you want the search to go back to. | Optional |
extra_fields | Extra fields. | Optional |
descending_order | Indicates whether events should be ordered in newest to oldest order. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Varonis.Event.ID | String | Event ID |
Varonis.Event.Alert.ID | String | Alert ID |
Varonis.Event.Type.Name | String | Event type |
Varonis.Event.TimeUTC | Date | Event time in UTC format |
Varonis.Event.Status.Name | String | Filters according to the status of the event. Options are: - Fail - Success |
Varonis.Event.Description | String | Description of the activity |
Varonis.Event.Location.Country.Name | String | Name of the country from which the event occurred |
Varonis.Event.Location.Subdivision.Name | String | Name of the state or regional subdivision from which the event occurred |
Varonis.Event.Device.ExternalIP.IP | String | Device external IP address |
Varonis.Event.Location.BlacklistedLocation | Boolean | Indicates whether the geographical location from which the event originated was blacklisted |
Varonis.Event.Operation.Name | String | Type of operation that occurred during the event. Options are: - Accessed - Added - Changed - Removed - Sent - Received - Requested |
Varonis.Event.ByAccount.Identity.Name | String | Name of the user that triggered the event |
Varonis.Event.ByAccount.Type.Name | String | Type of account, i.e., user or computer |
Varonis.Event.ByAccount.SamAccountName | String | SAM account name of the user or group for clients and servers running earlier versions of Windows |
Varonis.Event.ByAccount.Domain.Name | String | Domain of the user that triggered the event |
Varonis.Event.ByAccount.IsDisabled | Boolean | Indicates whether the account is disabled |
Varonis.Event.ByAccount.IsStale | Boolean | Indicates whether the account is stale |
Varonis.Event.ByAccount.IsLockout | Boolean | Indicates whether the account is locked out |
Varonis.Event.IP | String | Source IP address of the device that triggered the event |
Varonis.Event.Device.ExternalIP.IsMalicious | Boolean | Indicates whether the external IP is known to be malicious |
Varonis.Event.Device.ExternalIP.Reputation.Name | Number | Reputation score of the external IP, a numeric value from 1-100 |
Varonis.Event.Device.ExternalIP.ThreatTypes.Name | String | List of threat types associated with the external IP |
Varonis.Event.OnObjectName | String | Name of the object on which the event was performed |
Varonis.Event.OnResource.ObjectType.Name | String | Type of the object on which the event was performed |
Varonis.Event.Filer.Platform.Name | String | Type of platform on which the server resides, like Windows, Exchange, SharePoint |
Varonis.Event.OnResource.IsSensitive | Boolean | Indicates whether the resource on which the event was performed is sensitive |
Varonis.Event.Filer.Name | String | File server of the object on which the event was performed |
Varonis.Event.OnAccount.IsDisabled | Boolean | Indicates whether the account is disabled |
Varonis.Event.OnAccount.IsLockout | Boolean | Indicates whether the account is locked out |
Varonis.Event.OnAccount.SamAccountName | Boolean | SAM account name of the user or group for clients and servers running earlier versions of Windows |
Varonis.Event.Destination.IP | String | Destination IP address within the organization |
Varonis.Event.Device.Name | String | Name of the device that triggered the event |
Varonis.Event.Destination.DeviceName | String | Destination host name for relevant services |
Varonis.Event.OnResource.Path | String | Path of the resource |
#
Command examplevaronis-get-alerted-events alert_id="C98A3E72-99E9-4E5C-A560-7D04FA60686E,C83D55F0-EC63-41FC-B8C6-A5A66CB51372" last_days=7 extra_fields="Event.ByAccount.DistinguishedName"
#
Context Example#
Human Readable Output#
Varonis Alerted Events
Event.Type.Name Event.Description Event.Filer.Platform.Name Event.Filer.Name Event.ByAccount.SamAccountName Event.OnObjectName Event.Alert.ID Event.ID Event.TimeUTC Event.Status.Name Event.Location.Country.Name Event.Location.Subdivision.Name Event.Location.BlacklistedLocation Event.Operation.Name Event.ByAccount.Type.Name Event.ByAccount.Domain.Name Event.ByAccount.Identity.Name Event.IP Event.Device.ExternalIP.IP Event.Destination.IP Event.Device.Name Event.Destination.DeviceName Event.ByAccount.IsDisabled Event.ByAccount.IsStale Event.ByAccount.IsLockout Event.Device.ExternalIP.ThreatTypes.Name Event.Device.ExternalIP.IsMalicious Event.Device.ExternalIP.Reputation.Name Event.OnResource.ObjectType.Name Event.OnAccount.SamAccountName Event.OnResource.IsSensitive Event.OnAccount.IsDisabled Event.OnAccount.IsLockout Event.OnResource.Path DS object deleted Organizational Unit "CommitOu_a9c42" was deleted Active Directory AD-intaf6fb.com varadm CommitOu_a9c42 A5F4B69A-F5C0-494F-B5B4-185185BC3FBE 7D87B6A2-C9C2-4859-A076-DD4D0EFC8276 2023-12-11T03:41:08.000Z Success Deleted User intaf6fb.com varadm intaf6fbdh No No No Organizational unit 51d4ee86-db4a-4d4a-baaa-1b84e02afd59 intaf6fb.com\CommitOu_a9c42
#
varonis-alert-add-noteAdd note to alerts
#
Base Commandvaronis-alert-add-note
#
InputArgument Name | Description | Required |
---|---|---|
alert_id | Requested alerts. | Required |
note | Note. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!varonis-alert-add-note alert_id=C98A3E72-99E9-4E5C-A560-7D04FA60686E note="This needs to be invested ASAP"
#
varonis-update-alert-statusUpdate alert status
#
Base Commandvaronis-update-alert-status
#
InputArgument Name | Description | Required |
---|---|---|
alert_id | Requested alerts. | Required |
status | Alert new status. Possible values are: New, Under Investigation, Action Required, Auto-Resolved. | Required |
note | Note. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!varonis-update-alert-status alert_id=C98A3E72-99E9-4E5C-A560-7D04FA60686E status="Action Required" note="Waiting for feedback from security team"
#
varonis-close-alertClose the alert
#
Base Commandvaronis-close-alert
#
InputArgument Name | Description | Required |
---|---|---|
alert_id | Requested alerts. | Required |
close_reason | The reason the alert was closed. Possible values are: Other, Benign activity, True positive, Environment misconfiguration, Alert recently customized, Inaccurate alert logic, Authorized activity. | Required |
note | Note. | Optional |
#
Context OutputThere is no context output for this command.
#
Command example!varonis-close-alert alert_id=C98A3E72-99E9-4E5C-A560-7D04FA60686E close_reason="Inaccurate alert logic" note="Alert is irrelevant. Closed"
#
get-mapping-fieldsReturns the list of fields to map in outgoing mirroring. This command is only used for debugging purposes.
#
Base Commandget-mapping-fields
#
InputThere are no input arguments for this command.
#
Context OutputThere is no context output for this command.
#
Incident MirroringYou can enable outgoing incident mirroring between Cortex XSOAR incidents and Varonis alerts (available from Cortex XSOAR version 6.0.0). To set up the mirroring:
Enable Fetching incidents in your instance configuration.
In the Mirroring Direction integration parameter, select in which direction the incidents should be mirrored (currently only outgoing mirroring is available):
Option Description None Turns off incident mirroring. Outgoing Any changes in Cortex XSOAR incidents will be reflected in Varonis SaaS service (outgoing mirrored fields).
Newly fetched incidents will be mirrored in the chosen direction. However, this selection does not affect existing incidents.
#
Mirroring Out NotesThe supported fields in the mirroring out process are:
- Varonis Alert Status.
- Varonis Close Reason
- Incident Close Notes
Important Note: You have two options how to close Varonis Alert:
- The first option is to change the Varonis Alert Status field in the XSOAR incident. In this case, the status of the alert in Varonis SaaS service will be change by the mirroring functionality, but the Incident in XSOAR won't be closed.
- The second one is to close the incident in XSOAR. In this case, the Varonis Alert will be closed on the Varonis side by the post-processing script.