Threat Detection & Response

Simplify security investigations: detect suspicious activity on your data, get insight into privileged account behavior, and investigate security incidents directly in your dashboard.

The ultimate correlation engine

Confidently answer the question “Is my data safe?” with continuous monitoring and alerting on your core data and systems. Varonis is the only solution that combines data classification, advanced security analytics, and access governance with UEBA, giving our threat models richer context and more accurate alerts.

Detect unusual file and email activity across cloud and on-premises data stores, suspicious account and computer behavior in Active Directory, and other indicators of compromise to protect your data before it’s too late. Automatically monitor privileged and executive account behavior, get deep insight on potential security incidents with threat intelligence and behavioral context, and reduce investigation time with security risk dashboards and incident response playbooks.

Protect your data wherever it lives

DatAlert gives you actionable intelligence and security analytics on your data: analyze behavioral patterns to see when a user is acting suspiciously - and compare their activity against their peers, their normal working hours, and their typical behavior.

Incident response playbooks

Get actionable steps to investigate and respond to cyberattacks before it’s too late: leverage incident response playbooks that cover everything from incident notification to containment to recovery, all directly in the web UI.

Investigations & forensics

Visualize security threats with an intuitive dashboard, investigate security incidents - even track alerts and assign them to team members for closure. Rewind to see incidents from the past, identify breaches that may have already occurred, and pre-emptively tune out false positives.

Out-of-the-box threat intelligence

Monitor and track malicious (or suspicious) connections with out-of-the-box threat intelligence – so you can get external IP and URL enrichment in context with suspicious behavior and unusual activity for deeper insight on potential security incidents. 

Don't rely on signatures

Our dedicated team of security experts and data scientists continually introduce new behavior-based threat models to monitor patterns, track the latest APTs, and keep your data safe.

Achieve regulatory compliance

Prove to auditors that you’re not just watching regulated data, but proactively protecting it. Track, monitor, and automatically alert on regulated data to pass audits for PCI-DSS, GDPR, HIPAA, SOX, GLBA, FISMA, and more.

Get the big picture

Knowing something’s amiss isn’t enough - so get the full picture with context: see how unusual behavior maps to incidents and activity across platforms.

Get a holistic view of what’s going on: see user actions, monitor their behavior, and automatically compare against peer behavior.

100+ threat models and growing

Unauthorized privilege escalations
Mass delete behaviors
Abnormal lockout behaviors
Attempts to damage and destroy operational files
Exploitation tools
Membership changes
Modifications to critical files and units
Modifications to critical GPOs
Suspicious access activity
Permission changes
Brute force attacks
Attempted data exfiltration
Ransomware behavior
Unusual file activity
Unusual mailbox and email activity
Access to sensitive data
Unauthorized access attempts
Unusual encryption activity
Accumulative analysis on idle and sensitive data
Unusual access to system files
Unauthorized data access
System intrusion

Sends alerts to your favorite apps

Take it a step further, and send alerts to your inbox, a SIEM, syslog, and more. Incorporate rich context and data security intelligence from DatAlert into your favorite SIEM for better breach detection.

In the last year, we’ve gone from averaging five ransomware attacks a month to now around 10-15 times a day – all because someone clicks on something they shouldn’t have.

Varonis DatAlert helps us to identify and stop these breaches.

Gary Hayslip, Chief Information Security Officer, City of San Diego

A week into our implementation we had a brush with ransomware. One of the employees remotely connected and went on a site that started downloading Locky. Luckily DatAlert immediately told me when the individual started encrypting the file, so we disabled the account and restored the files.

Lee Powe, CIO, Hugh Chatham Memorial Hospital

We have it installed on 19 file servers. [We use it for] monitoring for unusual file activity, PII information, and unusual user activity.

It’s like having an extra staff member that never sleeps, always watching over our data.

Jay Attiya, Director of IT, Tom's River Regional Schools

Frequently Asked Questions

General Information

  • Is it scalable? How much can I monitor?

    DatAlert is extremely scalable - it's engineered from the ground up to be scalable, responsive, and adaptable. It's set up to scale to as many servers as needed: we have customers monitoring over 20PB of data at once; others are running Varonis on over 40 servers.

  • Will it affect/slow down/impact my systems?

    Nope. Varonis leverages collectors to manage all of the data processing for DatAlert, so there is zero additional load on your data stores.

  • Can I create my own alerts?

    Creating your own alerts is one of the highlights of DatAlert: you can leverage out-of-the-box threat models as well as custom alerts that are specifically designed for your data and your environment.

    Creating your own alerts is a simple point-and-click process in the UI: it takes just a few minutes to create and deploy your custom alert.

  • How do I create my own alerts?

    To create a new alert:

    • Select the folder or files you want to monitor
    • Select who will trigger or not trigger the alert
    • Specify what kind of file actions will trigger an alert

  • Can I automate threat responses?

    DatAlert comes with a set of pre-configured threat responses, including integrations with Event logs, SIEMs, and email alerts. You can also automatically execute an exe or PowerShell script as part of the alert itself.

    Some of our customers, for example, use a basic PowerShell script to disable a user’s account and then power down their computer when DatAlert recognizes a malware attack in-progress.

  • How does geolocation affect alerts?

    Understanding the geographic details of where an event occurs has become an increasingly critical component in identifying and analyzing potential threats. The right information can reduce incident response times, enabling you to quickly detect and preempt attacks in real-time.

    Varonis maps the external IP address of supported platforms to the country and regional subdivision from which the alerts and events are generated. If geolocation is found, the geographic information is added to the event and alert data. This information can be used to trace back an attacker and prevent intrusions.

  • Does it integrate with X?

    DatAlert integrates with LogRhythm, Splunk, and QRadar, and supports other integrations via syslog or SNMP.

    You can also code your own integrated threat response using any exposed API. Not sure if your integration is supported? Get in touch and we'll work with you to find out.

  • How easy are threat models to deploy?

    With a few clicks, threat models are fully deployed and enabled in minutes.

  • Is the learning period different for different threat models?

    Absolutely. Many of our threat models work by building behavioral profiles. Each profile is a collection of metadata that Varonis gathers for all users and their activities in the computing environment over a number of days called the learning period.

    At the end of this period, user behavior analysis (UBA) can identify atypical user behavior, which may indicate malicious intent. Some behaviors warrant an immediate response, while others require a longer observation period to establish a baseline of what is normal and what is not.

    Different threat models look at different types of activities: for example, the learning period for establishing a user's working hours might be as little as 10 days; the learning period to establish what's normal for peer behavior is a minimum of 30 days; and to establish an accumulative increase in accessing stale data requires a minimum of 60 days.
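The two alert types described in these answers can be illustrated side by side: a custom point-and-click rule scoped to a folder, a set of users and a set of file actions (the "How do I create my own alerts?" answer), and a behavior-based threat model that learns a user's working hours over a learning period before it alerts (this answer). The simulation below is an added example, not Varonis code and not how DatAlert is implemented; the audit events, user names (`alice`, `svc_backup`), UNC paths and the 10-day working-hours learning period are constructed from the figures on this page.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def ev(ts, user, action, path):
    """One constructed file-audit event, in the shape a collector might emit."""
    return {"ts": ts, "user": user, "action": action, "path": path}


def build_events():
    """Constructed 11-day audit log (not real data): alice reads finance files
    during office hours, svc_backup deletes a temp file nightly at 02:00, and on
    day 11 alice's account deletes finance ledgers at 03:00."""
    events = []
    start = datetime(2024, 3, 4)  # day 1 of the constructed log
    for d in range(11):
        day = start + timedelta(days=d)
        events.append(ev(day.replace(hour=2), "svc_backup", "delete",
                         r"\\fs1\Finance\backup.tmp"))
        if d < 10:  # learning period: normal working-hours activity
            for hour in (9, 12, 16):
                events.append(ev(day.replace(hour=hour), "alice", "read",
                                 r"\\fs1\Finance\q1.xlsx"))
        else:  # day 11: off-hours mass delete under alice's account
            for n in range(3):
                events.append(ev(day.replace(hour=3, minute=n), "alice", "delete",
                                 rf"\\fs1\Finance\ledger{n}.xlsx"))
    return sorted(events, key=lambda e: e["ts"])


@dataclass
class CustomRule:
    """A point-and-click style alert: which folder, who is (not) in scope, which actions."""
    name: str
    folder: str                  # monitored folder (UNC path prefix)
    actions: set                 # file actions that trigger the alert
    exclude_users: set = field(default_factory=set)  # "who will not trigger"

    def matches(self, e):
        # Match on a whole path component so \\fs1\Finance2 does not match \\fs1\Finance.
        prefix = self.folder.rstrip("\\").lower() + "\\"
        return (e["user"] not in self.exclude_users
                and e["action"] in self.actions
                and e["path"].lower().startswith(prefix))


class WorkingHoursModel:
    """Behavior-based threat model: per user, learn the hours of day they are
    active over `learning_days` distinct active days (page: as little as 10 days
    for working hours), then flag activity in hours never seen during learning."""

    def __init__(self, learning_days=10):
        self.learning_days = learning_days
        self.hours = defaultdict(set)      # user -> hours of day seen as normal
        self.days_seen = defaultdict(set)  # user -> distinct dates with activity

    def is_learned(self, user):
        return len(self.days_seen[user]) >= self.learning_days

    def observe(self, e):
        """Feed one event in time order; return True if it is anomalous."""
        user, ts = e["user"], e["ts"]
        anomalous = self.is_learned(user) and ts.hour not in self.hours[user]
        if not anomalous:
            # Only normal activity extends the profile: an alerting event is not
            # allowed to teach the model that its hour is now acceptable.
            self.hours[user].add(ts.hour)
        self.days_seen[user].add(ts.date())
        return anomalous


def run_detection(events, rules, model):
    """Evaluate every event against the static rules and the behavior model;
    return (alert name, user, timestamp) tuples."""
    alerts = []
    for e in events:
        for rule in rules:
            if rule.matches(e):
                alerts.append((rule.name, e["user"], e["ts"].isoformat()))
        if model.observe(e):
            alerts.append(("Off-hours activity", e["user"], e["ts"].isoformat()))
    return alerts


def summarize(alerts):
    """Count alerts per (alert name, user), the view an analyst triages from."""
    return Counter((name, user) for name, user, _ in alerts)


if __name__ == "__main__":
    rules = [CustomRule("Finance deletes", r"\\fs1\Finance", {"delete"},
                        exclude_users={"svc_backup"})]
    summary = summarize(run_detection(build_events(), rules, WorkingHoursModel(10)))
    for name_user, count in summary.items():
        print(name_user, count)
```

Running it yields three "Finance deletes" alerts and three "Off-hours activity" alerts, all for `alice` on day 11: the static rule ignores `svc_backup` because it is excluded, and the behavior model ignores its 02:00 deletes because 02:00 is that account's learned norm. Two design points carry over to a real deployment: the model stays silent until the learning period has elapsed, so early activity produces profile data rather than alerts, and once learned, an alerting event does not extend the baseline, so off-hours activity cannot quietly become "normal" by repetition.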

Interested in seeing Varonis in action?

Request a demo or contact sales at 877-292-8767