How to use the Varonis App for Splunk

This app enables integrating the Varonis DatAlert functionality into Splunk Enterprise. Using the app’s dashboards, you can locate notable Varonis alerts directly from the Splunk user interface, and then drill down into Varonis DatAlert to get additional insights into the alert and the context in which it was generated. Additionally, the app includes field extractions that assist users in querying and visualizing Varonis alerts using Splunk Enterprise and that enable correlating the Varonis alerts with other events collected by Splunk Enterprise.

The following must be installed and running on your company’s server:

  • Splunk Enterprise 6.5
  • DatAlert 6.3.150 and up
  • DatAlert Web UI 6.3.150 and up (optional)
  • To configure DatAlert to send alerts to Splunk (see Configuring DatAlert to Send Alerts to Splunk), the user must have the DL configuration role.
  • To configure the Varonis App for Splunk (see Installing and Configuring the Varonis App for Splunk), the user must be the admin user.

Understanding the Alert Dashboard Window

The Alert Dashboard enables you to view “at a glance” the top alerted users, assets, devices and threat models that match the specified search criteria/timeframe. It enables you to quickly view and detect suspicious activity for further analysis. The Top Alerted Users, Top Alerted Assets, Top Alerted Devices and Top Alerted Threat Models areas of the dashboard each display entities, sorted by the number of alerts generated for that entity. The entity with the most alerts appears at the top of each list. The color represents the alert with the highest severity on this entity.

To view the Alert Dashboard window, ensure that you have accessed the Alerts Dashboard as described in the complete user guide.

The Alert Dashboard comprises the following elements:

  • Alerts Over Time – A stacked bar chart illustrating the dispersion of alerts matching the defined timeframe.
  • Top Alerted Users – A list of the top alerted users sorted by the number of alerts.
  • Top Alerted Assets – A list of the top alerted assets sorted by the number of alerts.
  • Top Alerted Threat Models – A list of the top alerted threat models sorted by the number of alerts.
  • Top Alerted Devices – A list of the top alerted devices sorted by the number of alerts.

Note: The elements are independent of one another. For instance, the top alerted user may not be associated with the top alerted asset or threat model.

Understanding the Time Filters

Use the time filters to set time boundaries on your searches. You can restrict a search with preset time ranges, create custom time ranges, specify time ranges based on date or date and time, or work with advanced features in the time filters.

  • Presets – Built-in time range options. You can select from a list of real-time windows, relative time ranges, or All Time (no time filtering).
  • Relative – Specify a custom time range for your search that is relative to the current time. You can select from the list of time range units, for example, seconds ago, minutes ago, etc.
  • Real Time – Specify the start time for your real-time time range window.
  • Date Range – Specify calendar dates in your search. You can choose among options to return events: Between a beginning and end date, Before a date, and Since a date.
  • Date and Time Range – Specify calendar dates and times for the beginning and ending of your search.

Viewing Alerts Over Time

You can view a stacked bar chart illustrating the dispersion of alerts over a specified period of time. Each bar in the chart displays up to three severities, divided into stacks. Each stack represents a different severity – high, medium or low. The color code represents the severity of the alert:

  • Red – High severity. Alerts with a severity of Emergency, Alert or Critical.
  • Orange – Medium severity. Alerts with a severity of Error or Warning.
  • Green – Low severity. Alerts with a severity of Notice, Informational and Debug.
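
The severity grouping above and the "sorted by number of alerts, colored by highest severity" rule of the Top Alerted lists, worked through in Python. This is an added example, not Varonis or Splunk code; the record keys (day, user, asset, severity) and the sample alerts are constructed assumptions.

```python
from collections import Counter, defaultdict

# Severity names grouped into the three stacks the page describes.
BUCKETS = {
    "High": {"Emergency", "Alert", "Critical"},
    "Medium": {"Error", "Warning"},
    "Low": {"Notice", "Informational", "Debug"},
}
COLOR = {"High": "Red", "Medium": "Orange", "Low": "Green"}
RANK = {"Low": 0, "Medium": 1, "High": 2}

# Constructed sample alerts (hypothetical field names and values).
ALERTS = [
    {"day": "2024-01-01", "user": "alice", "asset": "fs01", "severity": "Warning"},
    {"day": "2024-01-01", "user": "alice", "asset": "fs02", "severity": "Notice"},
    {"day": "2024-01-01", "user": "bob", "asset": "fs03", "severity": "Critical"},
    {"day": "2024-01-02", "user": "alice", "asset": "fs04", "severity": "Debug"},
    {"day": "2024-01-02", "user": "carol", "asset": "fs03", "severity": "Error"},
    {"day": "2024-01-02", "user": "dave", "asset": "fs03", "severity": "informational"},
]

def bucket(severity):
    """Map a severity name to High/Medium/Low, ignoring case."""
    name = severity.strip().capitalize()
    for label, names in BUCKETS.items():
        if name in names:
            return label
    raise ValueError(f"unknown severity: {severity!r}")

def top_alerted(alerts, field, limit=5):
    """Rank entities by alert count; color each by its highest-severity alert."""
    counts, worst = Counter(), {}
    for alert in alerts:
        entity, level = alert[field], bucket(alert["severity"])
        counts[entity] += 1
        if entity not in worst or RANK[level] > RANK[worst[entity]]:
            worst[entity] = level
    ranked = sorted(counts, key=lambda e: (-counts[e], e))
    return [(e, counts[e], COLOR[worst[e]]) for e in ranked[:limit]]

def alerts_over_time(alerts):
    """Per-day stacks for the stacked bar chart: {day: {bucket: count}}."""
    chart = defaultdict(lambda: dict.fromkeys(BUCKETS, 0))
    for alert in alerts:
        chart[alert["day"]][bucket(alert["severity"])] += 1
    return dict(chart)

if __name__ == "__main__":
    print(top_alerted(ALERTS, "user"))
    print(top_alerted(ALERTS, "asset"))
    print(alerts_over_time(ALERTS))
```

In the sample, the top user (alice) has no alerts on the top asset (fs03), which is the independence the note on the dashboard elements describes. Because the lists sort by count, bob's single Red alert ranks below alice's three lower-severity ones.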

Viewing the Drill-Down Dashboards

Access the Varonis App for Splunk, and the Alerts Dashboard window is displayed. Click the row of an entity for which you want a closer look.

The window comprises two areas:

  • An “alerts over time” graph for the selected entity and timeframe.
  • A list of all alerts for that entity, listed with the user, severity, and rule.

If needed, change the timeframe of the alerts. To open an alert in the Varonis DatAlert Web Interface Alerts page and view detailed information regarding the alert, click the relevant alert in the list.

Viewing Detailed Information About Alerts

The DatAlert Web Interface enables you to view relevant information regarding alerts. From the relevant drill-down dashboard, click the relevant alert.

The DatAlert Web Interface opens on the Alerts Info window. This window enables you to drill down and analyze the details of each alert that matches your search criteria. It enables you to streamline your investigation and make a quick and informed decision regarding whether the activity is malicious or legitimate.