Threat Detection and Investigation with Splunk & Varonis
Author: Charlotte Fletcher
Release Date: 21/05/2021
Ultimately, we want to reduce the mean time to detection and, more importantly, the mean time to response. We need human resources for other tasks, and that is why we rely on technologies like Splunk and Varonis to integrate and provide a holistic view of our security environment.
That holistic view provides a lens of your architecture through which you can quickly and easily pinpoint problems as they happen and have a single pane of glass view for investigations and remediations.
You can plug in your logs from the DatAdvantage, DatAlert and Edge functions of Varonis into Splunk and here’s what this can look like.
Out-of-the-box dashboards:
Splunk will knit together the data from Varonis with additional Splunk native data (host, source etc.) to provide insight and complete the bigger picture.
The out-of-the-box dashboards include:
- Alerts over time
  - Alerts can be searched across different time ranges to suit your needs. This dashboard gives a high-level overview of what is going on in your security environment over a selected time frame. Need to drill down into an incident you can see happening right now? You can search in real time. Looking to report back to the business on alerts over a specific date or time range? You can search across a date or a date and time range.
- Top alerted users
  - Built on Varonis' user behaviour analytics (UBA), this dashboard surfaces the users whose behaviour has been flagged as abnormal.
- Top alerted devices
  - Know exactly which devices are in use when suspicious activity occurs. Is it a known device, a personal device, or a device that has never been seen accessing the data before?
- Top alerted assets
  - Varonis' understanding of access, and of behaviour around access, to particular files and folders means you can be alerted on activity against your assets.
- Top alerted threat models
  - Threat models give context to what is happening in your security environment. By analysing behaviour, they alert you to activity that could be a threat to you.
Drill downs can work either way, so you can use Splunk to drill down into events found in Varonis or Varonis to drill down into events picked up in Splunk.
Ref.1 shows you a drill down of Varonis alerts within Splunk using the Varonis app for Splunk.
From the pre-built dashboards in Splunk, you can drill down into threats and alerts. From these you can then drill down further to understand the events that have triggered these. This is a seamless transition and linkup between the two technologies and you won’t even realise you are viewing a different alert screen.
Searching over time and providing visuals:
Quite often you may be asked to report back to the business on topics such as the level of global access on files and folders, to ascertain whether the problem is getting better and whether it is in fact being remediated. Users au fait with Splunk will know that there are a plethora of ways to present data. Taking the logs from Varonis and enriching them with additional data from Splunk, you can present detailed information on request over whatever time range you specify.
Not only can you search on request; the beauty of using Splunk to analyse Varonis alerts is that you can set up scheduled searches and reports to support regular business reporting for the relevant stakeholders. In addition, you can even leverage Splunk's new AR functionality to visualise this data in augmented reality or via the Apple TV app.
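As an added example of the scheduled reporting described above (this stanza is not from the original post and is not shipped with the Varonis app for Splunk), here is a `savedsearches.conf` entry that runs every Monday morning and emails a weekly breakdown of Varonis alerts by threat model, with the number of distinct users behind each. The index name `varonis`, the field names `threat_model` and `user`, and the recipient address are assumptions; check the index and field names against the field extractions the app actually provides before relying on the report.

```ini
# Added example, not part of the original post or the Varonis app for Splunk.
# Assumptions: Varonis alerts are indexed in "varonis" and carry the fields
# threat_model and user. Adjust both to the app's real extractions.
[Weekly Varonis alerts by threat model]
enableSched = 1
# Every Monday at 07:00, covering the previous seven whole days
cron_schedule = 0 7 * * 1
dispatch.earliest_time = -7d@d
dispatch.latest_time = @d
search = index=varonis \
| stats count AS alerts, dc(user) AS distinct_users BY threat_model \
| sort - alerts
# Deliver the results table inline to the reporting stakeholders
action.email = 1
action.email.to = secops-reports@example.com
action.email.sendresults = 1
action.email.inline = 1
action.email.subject = Weekly Varonis alert summary
```

Placing the stanza in an app's `local/savedsearches.conf` (rather than editing `default/`) keeps it safe across app upgrades, and the same search body can be run ad hoc in the search bar with a different time picker whenever a one-off request comes in.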
If you are already a Varonis and Splunk customer and do not already have the Varonis app for Splunk installed, it can be found here: https://splunkbase.splunk.com/app/3553/
Configuration within Varonis is done in the DatAdvantage interface and takes minutes to install. There is a Varonis app for Splunk alert template already set up to make things really simple and quick for you.