Detect Threats at the Perimeter

Our best-in-class security analytics combines perimeter telemetry with data access activity to detect and stop malware, APT intrusions, and data exfiltration.

Get A Demo

Track suspicious activity from the core to the edge

Edge analyzes metadata from perimeter technologies like DNS, VPN, and web proxies to spot signs of attack at the perimeter. We put perimeter activity in context with a user’s core data access activity, geolocation, security group memberships and more -- giving your SOC analysts cleaner, more meaningful alerts.

Analyze activity on perimeter devices including DNS, VPN, and web proxies.
Apply geolocation and threat intelligence to your security telemetry.
Track potential data leaks at the edge and attacks at the point of entry.
Request Demo

Simplify security investigations

Edge takes the manual work out of investigations. Get everything you need for incident response in a single intuitive investigation screen.

Analysts can quickly see whether the user is accessing the network from a normal location (for them), if the account is privileged, if sensitive data was accessed, and if the event occurred during a user’s normal time window and more.

This context helps them determine whether an alert represents a real compromise or an insignificant anomaly.

Risk Assessment Insights

corp.local/ Disgruntled Dan

Is a privileged account: Dan is an admin.
Account was not changed
New Location to the user
User issued a geohopping alert

1 Additional Insights

1 device

First-time use of Dan-PC in the 90 days prior to the current alert.

0 Additional Insights

24 Files

100% data accessed for the first time by Disgruntled Dan in the past 90 days.

24 sensitive objects were affected.

0 Additional Insights

10/04/16 16:24
10/04/16 18:56

100% of events are outside Disgruntled Dan working hours

0 Additional Insights


Edge normalizes raw events so you don't have to

Perimeter devices are verbose, usually out of order, and each device type and vendor writes logs in their own way. Security analysts should be spending time hunting threats, not fighting with log data. Edge cuts away the noise, giving you clean, human-readable events.


Security analytics for the entire kill chain

Automated threat models with DatAlert help detect brute force attacks, privilege escalation, lateral movement, malware, APTs, and more.

Successful brute-force attack targeting a specific account
DNS cache poisoning
Data exfiltration via DNS tunneling
Unusual amount of data uploaded to an external website after accessing GDPR data
Atypical access to platform from geolocation
Abnormal behavior: activity from blacklisted geolocation
Abnormal service behavior: upload of data to external websites
Abnormal DNS reverse lookup requests to different IPs
Unusual number of failed DNS Queries
Unusual number of users attempted to connect from a single external IP
Credentials stuffing attack from an external source
Encryption downgrade attack
Rapid brute-force attack targeting a specific account
Potential brute-force attack targeting a specific account
Abnormal service behavior: upload of data to external websites
Abnormal behavior: activity from new geolocation to the organization
Abnormal behavior: unreasonable geo-hopping

Track potential data leaks at the edge and attacks at the point of entry

Edge can enrich abnormal data access alerts generated by DatAlert threat models by adding extra context from perimeter telemetry:

  • Helen is accessing an abnormal amount of sensitive data on a file server
  • She’s connected remotely from a device she’s never used before
  • Her IP address indicates a suspicious geolocation
  • Proxy events indicate she’s uploading large amounts of data to mega.co.nz
  • Active Directory events point to a privilege escalation attempt

Integrate Seamlessly with your SIEM

How it works
  • You send perimeter telemetry from your SIEM into Edge with one of our out-of-the-box connectors.
  • Edge sends context-rich alerts back into your SIEM when a threat model is triggered.
  • Your SIEM alert will have a deep link back to Varonis investigations screen.

No SIEM? No problem. Edge can collect perimeter activity directly via syslog. Analysts can leverage DatAlert’s security analytics dashboards and security investigations features.


5 Security Analytics Pitfalls And How To Avoid Them

Discover how security analytics can overcome common pitfalls to reduce false positives, accelerate investigations, and stop more attacks more quickly.

Read Now

FAQFrequently Asked Questions

General Information

  • What Proxies do you support?

    • Symantec (Bluecoat) ProxySG
    • McAfee Web Proxy
    • Forcepoint (Websense) Web Security
    • Palo Alto URL Filtering
    • Cisco (IronPort) Web Security Appliance AsyncOS
    • Squid version 3.x
    • Apache HTTP Server version 2.x
    • Zscaler Proxy version 5.x
  • What VPNs do you support?

    • F5 Access Policy Manager (APM)
    • Palo Alto GlobalProtect
    • Fortinet Forticlient
    • Cisco ASA
    • Pulse Secure
    • Checkpoint
  • What DNS do you support?

    • Microsoft DNS Server
  • Do you integrate with SIEM?

    Yes - Edge integrates directly with Splunk, or from your SIEM via one of our connectors.

  • How do you collect the events?

    Edge collects events directly from the source devices using Syslog, Splunk, or from your SIEM via one of our connectors.

    Those events can be searched and reported, and are used by new DatAlert Analytics threat models, alert page indicators, and in DatAlert threat models.

    Syslog is the most common protocol for sending log data to a central server. Uses either UDP, TCP or TLS (encrypted TCP) as the communication protocol. The Varonis collector serves as a Syslog Server listening to log messages from the devices.

  • What stages of the kill chain do you cover?

    Varonis Edge analyzes user activity that covers the entire kill chain, from early infiltration through lateral movement and privilege escalation to command and control and exfiltration. Our threat models analyze both the Varonis Edge data with the file and AD activity to build a full picture of exactly what attackers are doing.

Interested in seeing Varonis in action?

Request a demo or contact sales at 877-292-8767