Varonis DSP

Publisher: Varonis
Connector Version: 1.0.1
Product Vendor: Varonis
Product Name: Data Security Platform
Product Version Supported (regex): ".*"
Minimum Product Version: 5.4.0

Varonis DSP for Splunk SOAR

Configuration Variables

The following configuration variables are used by this connector; those marked required must be set. They are specified when configuring a Data Security Platform asset in SOAR.

| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| username | required | string | Name of the Varonis user |
| password | required | password | Password |
| base_url | required | string | Base URL of the Varonis search service |
| ingest_artifacts | required | boolean | Whether artifacts should be ingested |
| ingest_period | required | string | First fetch time |
| severity | optional | string | Minimum severity of alerts to fetch |
| threat_model | optional | string | Varonis threat model name |
| alert_status | optional | string | Varonis alert status |

Supported Actions

test connectivity - Validate the asset configuration for connectivity using supplied configuration
get alerts - Get alerts from Varonis DA
update alert status - Update Varonis alert status command
close alert - Close Varonis alert command
get alerted events - Get alerted events from Varonis DA
on poll - Callback action for the on_poll ingest functionality

action: 'test connectivity'

Validate the asset configuration for connectivity using supplied configuration

Type: test
Read only: True

Action Parameters

No parameters are required for this action

Action Output

No Output

action: 'get alerts'

Get alerts from Varonis DA

Type: investigate
Read only: True

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| threat_model_name | optional | List of threat models whose alerts should be retrieved | string | |
| page | optional | Page number (default 1) | numeric | |
| max_results | optional | Maximum number of alerts to retrieve (up to 50) | numeric | |
| start_time | optional | Start of the alert time range | string | |
| end_time | optional | End of the alert time range | string | |
| alert_status | optional | List of alert statuses to match | string | |
| alert_severity | optional | List of alert severities to match | string | |
| device_name | optional | List of device names | string | |
| user_domain_name | optional | User domain name | string | |
| user_name | optional | List of user names | string | user name |
| sam_account_name | optional | List of SAM account names | string | |
| email | optional | List of email addresses | string | email |
| last_days | optional | Number of days back the search should cover | numeric | |
| descending_order | optional | Whether alerts are returned newest to oldest | boolean | |

Action Output

| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | | success, failed |
| action_result.parameter.alert_severity | string | | |
| action_result.parameter.alert_status | string | | |
| action_result.parameter.descending_order | boolean | | |
| action_result.parameter.device_name | string | | |
| action_result.parameter.email | string | email | |
| action_result.parameter.end_time | string | | |
| action_result.parameter.last_days | numeric | | |
| action_result.parameter.max_results | numeric | | |
| action_result.parameter.page | numeric | | |
| action_result.parameter.sam_account_name | string | | |
| action_result.parameter.start_time | string | | |
| action_result.parameter.threat_model_name | string | | |
| action_result.parameter.user_domain_name | string | | |
| action_result.parameter.user_name | string | user name | |
| action_result.data.*.AbnormalLocation | string | | |
| action_result.data.*.BlacklistLocation | boolean | | |
| action_result.data.*.By.Department | string | | |
| action_result.data.*.By.PrivilegedAccountType | string | | |
| action_result.data.*.By.SamAccountName | string | | |
| action_result.data.*.Category | string | | |
| action_result.data.*.CloseReason | string | | |
| action_result.data.*.Country | string | | |
| action_result.data.*.Device.ContainMaliciousExternalIP | boolean | | |
| action_result.data.*.Device.IPThreatTypes | string | | |
| action_result.data.*.Device.Name | string | | |
| action_result.data.*.EventUTC | string | | |
| action_result.data.*.ID | string | varonis alert id | |
| action_result.data.*.Name | string | | |
| action_result.data.*.NumOfAlertedEvents | numeric | | |
| action_result.data.*.On.Asset | string | | DNS |
| action_result.data.*.On.ContainsFlaggedData | boolean | | |
| action_result.data.*.On.ContainsSensitiveData | boolean | | |
| action_result.data.*.On.FileServerOrDomain | string | | DNS |
| action_result.data.*.On.Platform | string | | DNS |
| action_result.data.*.Severity | string | | High |
| action_result.data.*.State | string | | |
| action_result.data.*.Status | string | | Open |
| action_result.data.*.Time | string | | 2022-11-11T19:35:00 |
| action_result.data.*.UserName | string | user name | |
| action_result.summary | string | | |
| action_result.message | string | | |
| summary.total_objects | numeric | | |
| summary.total_objects_successful | numeric | | |

action: 'update alert status'

Update Varonis alert status command

Type: generic
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| status | required | Alert's new status | string | |
| alert_id | required | Array of alert IDs to be updated | string | varonis alert id |

Action Output

| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | | success, failed |
| action_result.parameter.alert_id | string | varonis alert id | |
| action_result.parameter.status | string | | |
| action_result.data | string | | |
| action_result.summary | string | | |
| action_result.message | string | | |
| summary.total_objects | numeric | | |
| summary.total_objects_successful | numeric | | |

action: 'close alert'

Close Varonis alert command

Type: generic
Read only: False

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| close_reason | required | Alert's close reason | string | |
| alert_id | required | Array of alert IDs to be closed | string | varonis alert id |

Action Output

| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | | success, failed |
| action_result.parameter.alert_id | string | varonis alert id | |
| action_result.parameter.close_reason | string | | |
| action_result.data | string | | |
| action_result.summary | string | | |
| action_result.message | string | | |
| summary.total_objects | numeric | | |
| summary.total_objects_successful | numeric | | |

action: 'get alerted events'

Get alerted events from Varonis DA

Type: investigate
Read only: True

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| alert_id | required | List of alert IDs | string | varonis alert id |
| page | optional | Page number (default 1) | numeric | |
| max_results | optional | Maximum number of events to retrieve (up to 5k) | numeric | |
| descending_order | optional | Whether events are returned newest to oldest | boolean | |

Action Output

| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | | success, failed |
| action_result.parameter.alert_id | string | varonis alert id | |
| action_result.parameter.descending_order | boolean | | |
| action_result.parameter.max_results | numeric | | |
| action_result.parameter.page | numeric | | |
| action_result.data.*.ByUser.DisabledAccount | boolean | | |
| action_result.data.*.ByUser.Domain | string | domain | |
| action_result.data.*.ByUser.LockoutAccounts | boolean | | |
| action_result.data.*.ByUser.Name | string | user name | |
| action_result.data.*.ByUser.SAMAccountName | string | | |
| action_result.data.*.ByUser.StaleAccount | boolean | | |
| action_result.data.*.ByUser.UserAccountType | string | | |
| action_result.data.*.ByUser.UserType | string | | |
| action_result.data.*.Country | string | | |
| action_result.data.*.Description | string | | |
| action_result.data.*.Details.IsBlacklist | boolean | | |
| action_result.data.*.Details.Operation | string | | |
| action_result.data.*.ExternalIP | string | ip | |
| action_result.data.*.ID | string | | |
| action_result.data.*.IPReputation | string | | |
| action_result.data.*.IPThreatType | string | | |
| action_result.data.*.IsMaliciousIP | boolean | | |
| action_result.data.*.OnObject.DestinationDevice | string | | |
| action_result.data.*.OnObject.DestinationIP | string | ip | |
| action_result.data.*.OnObject.FileServerOrDomain | string | | |
| action_result.data.*.OnObject.IsDisabledAccount | boolean | | |
| action_result.data.*.OnObject.IsLockOutAccount | boolean | | |
| action_result.data.*.OnObject.IsSensitive | boolean | | |
| action_result.data.*.OnObject.Name | string | | |
| action_result.data.*.OnObject.ObjectType | string | | |
| action_result.data.*.OnObject.Path | string | | |
| action_result.data.*.OnObject.Platform | string | | |
| action_result.data.*.OnObject.SAMAccountName | string | | |
| action_result.data.*.OnObject.UserAccountType | string | | |
| action_result.data.*.SourceIP | string | ip | |
| action_result.data.*.State | string | | |
| action_result.data.*.Status | string | | |
| action_result.data.*.Type | string | | |
| action_result.data.*.UTCTime | string | | |
| action_result.summary | string | | |
| action_result.message | string | | |
| summary.total_objects | numeric | | |
| summary.total_objects_successful | numeric | | |

action: 'on poll'

Callback action for the on_poll ingest functionality

Type: ingest
Read only: True

By default the poll covers the past 5 days (start_time) up to the current time (end_time).

Action Parameters

| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| container_id | optional | Parameter ignored for this app | string | |
| start_time | optional | Parameter ignored for this app | numeric | |
| end_time | optional | Parameter ignored for this app | numeric | |
| container_count | optional | Maximum number of containers to create | numeric | |
| artifact_count | optional | Maximum number of artifacts to create per container | numeric | |

Action Output

No Output