Varonis SaaS for SOAR

Publisher: Varonis
Connector Version: 1.0.2
Product Vendor: Varonis
Product Name: Varonis SaaS
Product Version Supported (regex): ".*"
Minimum Product Version: 6.2.1

Varonis SaaS for Splunk SOAR

Provide the following configuration settings for the integration setup to establish a successful connection:

Varonis FQDN - Enter the Varonis Web Interface address. This is the Fully Qualified Domain Name (FQDN) or IP address of the Varonis server to which you want to connect.
Varonis Api Key - API key generation.
Alert Retrieval Start Point - Enter the past number of days from which to start retrieving alerts. Up to 30 days and 1,000 alerts are supported.
Threat Detection Policies - To retrieve alerts related to specific threat detection policies, enter the relevant policy names. Recomended: Leave this blank to retrive all Alerts (default).
Alert Status - Specify the Varonis alert status.
Alert Severity - Specify the alert severity.

For additional information, please check: Our General documentation.
Have a general inquiry or want to contact Varonis? Contact us.

Configuration Variables

The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Varonis SaaS asset in SOAR.

VARIABLE	REQUIRED	TYPE	DESCRIPTION
base_url	required	string	Varonis FQDN/IP the integration should connect to
api_key	required	password	Varonis API Key
verify_server_cert	optional	boolean	Whether to verify the server certificate
ingest_artifacts	required	boolean	Should artifacts be ingested
ingest_period	required	string	Alert Retrieval Start (Days Ago)
severity	optional	string	Alert Severity
threat_model	optional	string	Threat Detection Policies
alert_status	optional	string	Alert Status

Supported Actions

test connectivity - Validate the asset configuration for connectivity using supplied configuration
get alerts - Get alerts from Varonis SaaS
update alert status - Update Varonis alert status command
close alert - Close Varonis alert command
get alerted events - Get alerted events from Varonis SaaS
on poll - Callback action for the on_poll ingest functionality

action: 'test connectivity'

Validate the asset configuration for connectivity using supplied configuration

Type: test
Read only: True

Action Parameters

No parameters are required for this action

Action Output

No Output

action: 'get alerts'

Get alerts from Varonis SaaS

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
threat_model_name	optional	List of requested threat models to retrieve	string
page	optional	Page number (default 1)	numeric
max_results	optional	The max number of alerts to retrieve (up to 50)	numeric
start_time	optional	Start time of the range of alerts	string
end_time	optional	End time of the range of alerts	string
alert_status	optional	List of required alerts status	string
alert_severity	optional	List of alerts severity	string
device_name	optional	List of device names	string
user_name	optional	List of user names	string	`user name`
last_days	optional	Number of days you want the search to go back to	numeric
descending_order	optional	Indicates whether alerts should be ordered in newest to oldest order	boolean

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.data.*.ID	string	`varonis alert id`
action_result.data.*.Name	string
action_result.data.*.Time	string		2022-11-11T19:35:00
action_result.data.*.Severity	string		High
action_result.data.*.Category	string
action_result.data.*.Country	string
action_result.data.*.State	string
action_result.data.*.Status	string		Open
action_result.data.*.CloseReason	string
action_result.data.*.BlacklistLocation	boolean
action_result.data.*.AbnormalLocation	string
action_result.data.*.NumOfAlertedEvents	numeric
action_result.data.*.UserName	string	`user name`
action_result.data.*.EventUTC	string
action_result.data.*.SamAccountName	string
action_result.data.*.PrivilegedAccountType	string
action_result.data.*.EventUTC	string		2022-11-11T19:35:00
action_result.data.*.DeviceName	string
action_result.data.*.ContainMaliciousExternalIP	string
action_result.data.*.IPThreatTypes	string
action_result.data.*.AssetContainsFlaggedData	string
action_result.data.*.AssetContainsSensitiveData	string
action_result.data.*.Platform	string		DNS
action_result.data.*.Asset	string		DNS
action_result.data.*.FileServerOrDomain	string		DNS
action_result.status	string		success failed
action_result.parameter.alert_severity	string
action_result.parameter.alert_status	string
action_result.parameter.descending_order	boolean
action_result.parameter.device_name	string
action_result.parameter.end_time	string
action_result.parameter.last_days	numeric
action_result.parameter.max_results	numeric
action_result.parameter.page	numeric
action_result.parameter.start_time	string
action_result.parameter.threat_model_name	string
action_result.parameter.user_name	string	`user name`
action_result.summary	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'update alert status'

Update Varonis alert status command

Type: generic
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
status	required	Alert's new status	string
alert_id	required	Array of alert IDs to be updated	string	`varonis alert id`

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.alert_id	string	`varonis alert id`
action_result.parameter.status	string
action_result.data	string
action_result.summary	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'close alert'

Close Varonis alert command

Type: generic
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
close_reason	required	Alert's close reason	string
alert_id	required	Array of alert IDs to be closed	string	`varonis alert id`

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.alert_id	string	`varonis alert id`
action_result.parameter.close_reason	string
action_result.data	string
action_result.summary	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'get alerted events'

Get alerted events from Varonis SaaS

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
alert_id	required	List of alert IDs	string	`varonis alert id`
page	optional	Page number (default 1)	numeric
max_results	optional	The max number of events to retrieve (up to 5k)	numeric
descending_order	optional	Indicates whether events should be ordered in newest to oldest order	boolean

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.alert_id	string	`varonis alert id`
action_result.parameter.descending_order	boolean
action_result.parameter.max_results	numeric
action_result.parameter.page	numeric
action_result.data.*.IsDisabledAccount	boolean
action_result.data.*.ByUserAccountDomain	string	`domain`
action_result.data.*.IsLockoutAccount	boolean
action_result.data.*.ByUserAccount	string	`user name`
action_result.data.*.BySamAccountName	string
action_result.data.*.IsStaleAccount	boolean
action_result.data.*.ByUserAccountType	string
action_result.data.*.AlertId	string
action_result.data.*.Country	string
action_result.data.*.Description	string
action_result.data.*.BlacklistedLocation	boolean
action_result.data.*.EventOperation	string
action_result.data.*.ExternalIP	string	`ip`
action_result.data.*.ID	string
action_result.data.*.ExternalIPReputation	string
action_result.data.*.ExternalIPThreatTypes	string
action_result.data.*.IsMaliciousIP	boolean
action_result.data.*.DestinationDevice	string
action_result.data.*.DestinationIP	string	`ip`
action_result.data.*.Filer	string
action_result.data.*.OnAccountIsDisabled	boolean
action_result.data.*.OnAccountIsLockout	boolean
action_result.data.*.IsSensitive	boolean
action_result.data.*.OnObjectName	string
action_result.data.*.OnObjectType	string
action_result.data.*.Path	string
action_result.data.*.Platform	string
action_result.data.*.OnSamAccountName	string
action_result.data.*.SourceDevice	string
action_result.data.*.SourceIP	string	`ip`
action_result.data.*.State	string
action_result.data.*.Status	string
action_result.data.*.Type	string
action_result.data.*.TimeUTC	string
action_result.summary	string
action_result.message	string
summary.total_objects	numeric
summary.total_objects_successful	numeric

action: 'on poll'

Callback action for the on_poll ingest functionality

Type: ingest
Read only: True

The default start_time is the past 5 days. The default end_time is now.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE
container_id	optional	Parameter ignored for this app	string
start_time	optional	Parameter ignored for this app	numeric
end_time	optional	Parameter ignored for this app	numeric
container_count	optional	Maximum number of containers to create	numeric
artifact_count	optional	Maximum number of artifacts to create per container	numeric

Action Output

No Output

Name		Name	Last commit message	Last commit date
Latest commit History 6 Commits
.github/workflows		.github/workflows
release_notes		release_notes
test_data		test_data
wheels		wheels
.gitignore		.gitignore
.pre-commit-config.yaml		.pre-commit-config.yaml
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
README.md		README.md
__init__.py		__init__.py
logo_varonissaas.svg		logo_varonissaas.svg
logo_varonissaas_dark.svg		logo_varonissaas_dark.svg
manual_readme_content.md		manual_readme_content.md
pyproject.toml		pyproject.toml
requirements.txt		requirements.txt
tox.ini		tox.ini
varonissaas.json		varonissaas.json
varonissaas_connector.py		varonissaas_connector.py
varonissaas_consts.py		varonissaas_consts.py
varonissaas_search.py		varonissaas_search.py
varonissaas_test.py		varonissaas_test.py
varonissaas_tools.py		varonissaas_tools.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Varonis SaaS for SOAR

Configuration Variables

Supported Actions

action: 'test connectivity'

Action Parameters

Action Output

action: 'get alerts'

Action Parameters

Action Output

action: 'update alert status'

Action Parameters

Action Output

action: 'close alert'

Action Parameters

Action Output

action: 'get alerted events'

Action Parameters

Action Output

action: 'on poll'

Action Parameters

Action Output

About

Releases 2

Packages

Contributors 3

Languages

License

splunk-soar-connectors/varonissaas

Folders and files

Latest commit

History

Repository files navigation

Varonis SaaS for SOAR

Configuration Variables

Supported Actions

action: 'test connectivity'

Action Parameters

Action Output

action: 'get alerts'

Action Parameters

Action Output

action: 'update alert status'

Action Parameters

Action Output

action: 'close alert'

Action Parameters

Action Output

action: 'get alerted events'

Action Parameters

Action Output

action: 'on poll'

Action Parameters

Action Output

About

Resources

License

Stars

Watchers

Forks

Releases 2

Packages 0

Contributors 3

Languages

Packages