vkorenkov-varonis/varonisdsp


Varonis DSP

Publisher: Varonis
Connector Version: 1.0.1
Product Vendor: Varonis
Product Name: Data Security Platform
Product Version Supported (regex): ".*"
Minimum Product Version: 5.4.0

Varonis DSP for Splunk SOAR

Configuration Variables

The following configuration variables are used by this connector (those marked required must be set). They are specified when configuring a Data Security Platform asset in SOAR.

| Variable | Required | Type | Description |
|---|---|---|---|
| username | required | string | Name of the Varonis user |
| password | required | password | Password |
| base_url | required | string | Base URL of the Varonis Search service |
| ingest_artifacts | required | boolean | Should artifacts be ingested? |
| ingest_period | required | string | First fetch time |
| severity | optional | string | Minimum severity of alerts to fetch |
| threat_model | optional | string | Varonis threat model name |
| alert_status | optional | string | Varonis alert status |

Supported Actions

test connectivity - Validate the asset configuration for connectivity using supplied configuration
get alerts - Get alerts from Varonis DA
update alert status - Update Varonis alert status command
close alert - Close Varonis alert command
get alerted events - Get alerted events from Varonis DA
on poll - Callback action for the on_poll ingest functionality

action: 'test connectivity'

Validate the asset configuration for connectivity using supplied configuration

Type: test
Read only: True

Action Parameters

No parameters are required for this action

Action Output

No Output

action: 'get alerts'

Get alerts from Varonis DA

Type: investigate
Read only: True

Action Parameters

| Parameter | Required | Description | Type | Contains |
|---|---|---|---|---|
| threat_model_name | optional | List of threat models to retrieve | string | |
| page | optional | Page number (default 1) | numeric | |
| max_results | optional | Maximum number of alerts to retrieve (up to 50) | numeric | |
| start_time | optional | Start of the alert time range | string | |
| end_time | optional | End of the alert time range | string | |
| alert_status | optional | List of alert statuses | string | |
| alert_severity | optional | List of alert severities | string | |
| device_name | optional | List of device names | string | |
| user_domain_name | optional | User domain name | string | |
| user_name | optional | List of user names | string | user name |
| sam_account_name | optional | List of SAM account names | string | |
| email | optional | List of emails | string | email |
| last_days | optional | Number of days back to search | numeric | |
| descending_order | optional | Order alerts newest to oldest | boolean | |

Action Output

| Data path | Type | Contains | Example values |
|---|---|---|---|
| action_result.status | string | | success, failed |
| action_result.parameter.alert_severity | string | | |
| action_result.parameter.alert_status | string | | |
| action_result.parameter.descending_order | boolean | | |
| action_result.parameter.device_name | string | | |
| action_result.parameter.email | string | email | |
| action_result.parameter.end_time | string | | |
| action_result.parameter.last_days | numeric | | |
| action_result.parameter.max_results | numeric | | |
| action_result.parameter.page | numeric | | |
| action_result.parameter.sam_account_name | string | | |
| action_result.parameter.start_time | string | | |
| action_result.parameter.threat_model_name | string | | |
| action_result.parameter.user_domain_name | string | | |
| action_result.parameter.user_name | string | user name | |
| action_result.data.*.AbnormalLocation | string | | |
| action_result.data.*.BlacklistLocation | boolean | | |
| action_result.data.*.By.Department | string | | |
| action_result.data.*.By.PrivilegedAccountType | string | | |
| action_result.data.*.By.SamAccountName | string | | |
| action_result.data.*.Category | string | | |
| action_result.data.*.CloseReason | string | | |
| action_result.data.*.Country | string | | |
| action_result.data.*.Device.ContainMaliciousExternalIP | boolean | | |
| action_result.data.*.Device.IPThreatTypes | string | | |
| action_result.data.*.Device.Name | string | | |
| action_result.data.*.EventUTC | string | | |
| action_result.data.*.ID | string | varonis alert id | |
| action_result.data.*.Name | string | | |
| action_result.data.*.NumOfAlertedEvents | numeric | | |
| action_result.data.*.On.Asset | string | | DNS |
| action_result.data.*.On.ContainsFlaggedData | boolean | | |
| action_result.data.*.On.ContainsSensitiveData | boolean | | |
| action_result.data.*.On.FileServerOrDomain | string | | DNS |
| action_result.data.*.On.Platform | string | | DNS |
| action_result.data.*.Severity | string | | High |
| action_result.data.*.State | string | | |
| action_result.data.*.Status | string | | Open |
| action_result.data.*.Time | string | | 2022-11-11T19:35:00 |
| action_result.data.*.UserName | string | user name | |
| action_result.summary | string | | |
| action_result.message | string | | |
| summary.total_objects | numeric | | |
| summary.total_objects_successful | numeric | | |

action: 'update alert status'

Update Varonis alert status command

Type: generic
Read only: False

Action Parameters

| Parameter | Required | Description | Type | Contains |
|---|---|---|---|---|
| status | required | New status for the alert(s) | string | |
| alert_id | required | Array of alert IDs to be updated | string | varonis alert id |

Action Output

| Data path | Type | Contains | Example values |
|---|---|---|---|
| action_result.status | string | | success, failed |
| action_result.parameter.alert_id | string | varonis alert id | |
| action_result.parameter.status | string | | |
| action_result.data | string | | |
| action_result.summary | string | | |
| action_result.message | string | | |
| summary.total_objects | numeric | | |
| summary.total_objects_successful | numeric | | |

action: 'close alert'

Close Varonis alert command

Type: generic
Read only: False

Action Parameters

| Parameter | Required | Description | Type | Contains |
|---|---|---|---|---|
| close_reason | required | Close reason for the alert(s) | string | |
| alert_id | required | Array of alert IDs to be closed | string | varonis alert id |

Action Output

| Data path | Type | Contains | Example values |
|---|---|---|---|
| action_result.status | string | | success, failed |
| action_result.parameter.alert_id | string | varonis alert id | |
| action_result.parameter.close_reason | string | | |
| action_result.data | string | | |
| action_result.summary | string | | |
| action_result.message | string | | |
| summary.total_objects | numeric | | |
| summary.total_objects_successful | numeric | | |

action: 'get alerted events'

Get alerted events from Varonis DA

Type: investigate
Read only: True

Action Parameters

| Parameter | Required | Description | Type | Contains |
|---|---|---|---|---|
| alert_id | required | List of alert IDs | string | varonis alert id |
| page | optional | Page number (default 1) | numeric | |
| max_results | optional | Maximum number of events to retrieve (up to 5000) | numeric | |
| descending_order | optional | Order events newest to oldest | boolean | |

Action Output

| Data path | Type | Contains | Example values |
|---|---|---|---|
| action_result.status | string | | success, failed |
| action_result.parameter.alert_id | string | varonis alert id | |
| action_result.parameter.descending_order | boolean | | |
| action_result.parameter.max_results | numeric | | |
| action_result.parameter.page | numeric | | |
| action_result.data.*.ByUser.DisabledAccount | boolean | | |
| action_result.data.*.ByUser.Domain | string | domain | |
| action_result.data.*.ByUser.LockoutAccounts | boolean | | |
| action_result.data.*.ByUser.Name | string | user name | |
| action_result.data.*.ByUser.SAMAccountName | string | | |
| action_result.data.*.ByUser.StaleAccount | boolean | | |
| action_result.data.*.ByUser.UserAccountType | string | | |
| action_result.data.*.ByUser.UserType | string | | |
| action_result.data.*.Country | string | | |
| action_result.data.*.Description | string | | |
| action_result.data.*.Details.IsBlacklist | boolean | | |
| action_result.data.*.Details.Operation | string | | |
| action_result.data.*.ExternalIP | string | ip | |
| action_result.data.*.ID | string | | |
| action_result.data.*.IPReputation | string | | |
| action_result.data.*.IPThreatType | string | | |
| action_result.data.*.IsMaliciousIP | boolean | | |
| action_result.data.*.OnObject.DestinationDevice | string | | |
| action_result.data.*.OnObject.DestinationIP | string | ip | |
| action_result.data.*.OnObject.FileServerOrDomain | string | | |
| action_result.data.*.OnObject.IsDisabledAccount | boolean | | |
| action_result.data.*.OnObject.IsLockOutAccount | boolean | | |
| action_result.data.*.OnObject.IsSensitive | boolean | | |
| action_result.data.*.OnObject.Name | string | | |
| action_result.data.*.OnObject.ObjectType | string | | |
| action_result.data.*.OnObject.Path | string | | |
| action_result.data.*.OnObject.Platform | string | | |
| action_result.data.*.OnObject.SAMAccountName | string | | |
| action_result.data.*.OnObject.UserAccountType | string | | |
| action_result.data.*.SourceIP | string | ip | |
| action_result.data.*.State | string | | |
| action_result.data.*.Status | string | | |
| action_result.data.*.Type | string | | |
| action_result.data.*.UTCTime | string | | |
| action_result.summary | string | | |
| action_result.message | string | | |
| summary.total_objects | numeric | | |
| summary.total_objects_successful | numeric | | |

action: 'on poll'

Callback action for the on_poll ingest functionality

Type: ingest
Read only: True

By default a poll covers the past 5 days up to the current time; the start_time and end_time action parameters are ignored by this app, so the window is governed by the asset configuration (ingest_period) and the app's own state rather than by the poll request.

Action Parameters

| Parameter | Required | Description | Type | Contains |
|---|---|---|---|---|
| container_id | optional | Parameter ignored for this app | string | |
| start_time | optional | Parameter ignored for this app | numeric | |
| end_time | optional | Parameter ignored for this app | numeric | |
| container_count | optional | Maximum number of containers to create | numeric | |
| artifact_count | optional | Maximum number of artifacts to create per container | numeric | |

Action Output

No Output
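The following is an example added here to illustrate how an on_poll ingest for this asset can be put together; it is not the connector's own code. It takes alerts shaped like the `get alerts` output data paths (constructed sample data, not real Varonis output), applies the asset's severity, threat_model and alert_status filters and the fetch window client-side, de-duplicates on the alert ID, and emits SOAR-style container and artifact dicts while honouring container_count, artifact_count and ingest_artifacts. The severity ordering Low < Medium < High, the reading of ingest_period as a number of days, and the comma-separated list form of the filter strings are assumptions; the connector itself may filter server-side.

```python
"""Editor-added illustration (not the connector's code) of an on_poll ingest that
filters, de-duplicates and packages Varonis alerts into SOAR containers/artifacts."""
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}  # assumed ordering behind "Minimum severity"

def _alert(id_, name, severity, status, time, sam, asset="fs01.corp.example"):
    """Constructed sample alert using the field names of the `get alerts` output table."""
    return {"ID": id_, "Name": name, "Category": "Sample", "Severity": severity, "Status": status,
            "State": "New", "Time": time, "EventUTC": time, "NumOfAlertedEvents": 3, "CloseReason": "",
            "By": {"SamAccountName": sam, "Department": "IT", "PrivilegedAccountType": ""},
            "On": {"Asset": asset, "Platform": "Windows", "FileServerOrDomain": asset,
                   "ContainsSensitiveData": True, "ContainsFlaggedData": False},
            "Device": {"Name": "WS-001", "ContainMaliciousExternalIP": False, "IPThreatTypes": ""},
            "Country": "", "AbnormalLocation": "", "BlacklistLocation": False, "UserName": sam}

SAMPLE_ALERTS = [  # constructed data, not real Varonis output
    _alert("a-0001", "Abnormal service behavior: access to atypical files", "High", "Open",
           "2022-11-11T19:35:00", "svc_backup"),
    _alert("a-0002", "Activity by a stale account", "Low", "Open", "2022-11-11T10:00:00", "jdoe"),
    _alert("a-0003", "Mass delete", "High", "Open", "2022-11-01T08:00:00", "mallory"),  # outside window
    _alert("a-0004", "Mass delete", "Medium", "Closed", "2022-11-11T22:10:00", "mallory"),
]

def parse_time(ts):
    """Alert times are naive ISO-8601 strings (e.g. 2022-11-11T19:35:00); treat them as UTC."""
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def _as_set(value):
    """List-valued filters are taken as comma-separated strings (an assumption about the asset fields)."""
    return {v.strip() for v in value.split(",") if v.strip()} if value else set()

def select_alerts(alerts, min_severity=None, threat_model=None, alert_status=None, since=None, until=None):
    """Apply the asset filters; an unrecognised severity string is kept rather than silently dropped."""
    min_rank, models, statuses = SEVERITY_RANK.get(min_severity), _as_set(threat_model), _as_set(alert_status)
    chosen = []
    for a in alerts:
        rank = SEVERITY_RANK.get(a.get("Severity"))
        if min_rank is not None and rank is not None and rank < min_rank:
            continue
        if (models and a.get("Name") not in models) or (statuses and a.get("Status") not in statuses):
            continue
        t = parse_time(a["Time"])
        if (since and t < since) or (until and t > until):
            continue
        chosen.append(a)
    return chosen

def alert_to_container(a):
    return {"name": f"Varonis: {a['Name']}", "source_data_identifier": a["ID"],  # SOAR's dedup key
            "severity": a.get("Severity", "Medium").lower(),                     # SOAR uses low/medium/high
            "description": f"{a['By']['SamAccountName']} on {a['On']['Asset']} ({a['NumOfAlertedEvents']} events)"}

def alert_to_artifact(a):
    cef = {"alertId": a["ID"], "alertName": a["Name"], "severity": a["Severity"], "status": a["Status"],
           "sourceUserName": a["By"]["SamAccountName"], "deviceHostname": a["Device"]["Name"],
           "asset": a["On"]["Asset"], "eventTime": a["Time"],
           "containsSensitiveData": a["On"]["ContainsSensitiveData"],
           "maliciousExternalIp": a["Device"]["ContainMaliciousExternalIP"]}
    # cef_types mirror the CONTAINS column so 'update alert status' / 'close alert' can pick alertId up
    return {"name": "Varonis alert", "label": "alert", "source_data_identifier": a["ID"], "cef": cef,
            "cef_types": {"alertId": ["varonis alert id"], "sourceUserName": ["user name"]}}

def on_poll(alerts, config, state, container_count=None, artifact_count=None, now=None):
    """Return ([(container, artifacts), ...], new_state). First run looks back config['ingest_period']
    days (assumed reading of 'First fetch time'; the page's default is 5); later runs resume from state."""
    now = now or datetime.now(timezone.utc)
    since = (datetime.fromisoformat(state["last_fetch"]) if state.get("last_fetch")
             else now - timedelta(days=int(config.get("ingest_period") or 5)))
    picked = select_alerts(alerts, config.get("severity"), config.get("threat_model"),
                           config.get("alert_status"), since, now)
    seen, out, truncated, last_time = set(state.get("ingested_ids", [])), [], False, since
    for a in sorted(picked, key=lambda x: parse_time(x["Time"])):  # oldest first, so a cut-off resumes cleanly
        if a["ID"] in seen:
            continue
        if container_count is not None and len(out) >= container_count:
            truncated = True
            break
        artifacts = [alert_to_artifact(a)] if config.get("ingest_artifacts", True) else []
        out.append((alert_to_container(a), artifacts[:artifact_count] if artifact_count is not None else artifacts))
        seen.add(a["ID"])
        last_time = parse_time(a["Time"])
    # Advance the window to now only when nothing was left behind; otherwise resume from the last alert taken
    new_state = {"ingested_ids": sorted(seen), "last_fetch": (now if not truncated else last_time).isoformat()}
    return out, new_state

FIXED_NOW = datetime(2022, 11, 12, tzinfo=timezone.utc)
CONFIG = {"ingest_artifacts": True, "ingest_period": "5", "severity": "Medium", "threat_model": "", "alert_status": ""}

def run_demo():
    """Normal poll, a poll capped by container_count=1, and the resume that follows it."""
    first, _ = on_poll(SAMPLE_ALERTS, CONFIG, {}, now=FIXED_NOW)
    capped, state = on_poll(SAMPLE_ALERTS, CONFIG, {}, container_count=1, now=FIXED_NOW)
    resumed, _ = on_poll(SAMPLE_ALERTS, CONFIG, state, now=FIXED_NOW)
    ids = lambda rows: [c["source_data_identifier"] for c, _ in rows]
    return {"first": ids(first), "artifacts_first": [len(arts) for _, arts in first],
            "capped": ids(capped), "capped_last_fetch": state["last_fetch"], "resumed": ids(resumed)}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two details matter operationally: the alerts are processed oldest-first and the stored window is only advanced to "now" when the poll was not cut short by container_count, so a capped poll resumes from the last alert it actually ingested instead of dropping the remainder; and de-duplication keys on the Varonis alert ID, which means a status change on an already-ingested alert is not re-ingested as a new container.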
