Level up your incident response with DatAlert and Varonis

Varonis offers a great product that can be used for threat detection and response. It will help you identify and handle security incidents faster and more effectively, and it’s called DatAlert. In this blog post I’m going to discuss some of its features.


With the DatAlert Suite added to your existing Varonis environment you can analyze the data that is being collected in almost real time, and you get many useful features, for example the 100+ built-in threat models. Some examples of behavior that can be identified:

  • Ransomware behavior
  • Brute-force attacks
  • Attempted data exfiltration
  • Exploit tools accessed
  • Abnormal lockout behaviors
  • Unauthorized privilege escalations

When Varonis finds events that correlate to these threat models you can configure DatAlert to notify you, and there are multiple notification methods to choose from:

  • Email
  • Send alert to SIEM
  • Syslog message
  • SNMP trap
  • Event log

Beyond notifying you, you can also configure DatAlert to act automatically when certain events occur. That means that you can configure the system to automatically execute scripts when an event occurs. You can build and customize your own scripts, so there are almost unlimited possibilities. The supported script types are .exe, .bat and .ps1. One popular use case for this is to run a script that disables a user’s account and shuts down their computer as soon as DatAlert recognizes that a malware attack is in progress.
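As an added example of the use case just described (my own illustration, not a script shipped by Varonis), here is a .ps1 response script that disables the offending AD account and shuts down the host where the activity was seen. It assumes DatAlert is configured to pass the user name and computer name as the two script arguments, and that the service account running DatAlert scripts has rights to disable accounts and shut down computers remotely.

```powershell
# Added example, not Varonis' own script: DatAlert response that disables the
# offending user's AD account and shuts down the originating computer.
# ASSUMPTION: DatAlert passes the user name and host name as two arguments;
# adjust the parameter order to match your alert template.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [string]$LogPath = 'C:\DatAlert\response.log'   # hypothetical log location
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-ResponseLog([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

# Refuse to act on built-in privileged accounts so a noisy alert cannot
# lock the whole admin team out; extend this list to your break-glass accounts.
$protected = @('Administrator', 'krbtgt')
if ($protected -contains $SamAccountName) {
    Write-ResponseLog "Skipped protected account ${SamAccountName}"
    exit 1
}

try {
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
    if ($user.Enabled) {
        Disable-ADAccount -Identity $user -ErrorAction Stop
        Write-ResponseLog "Disabled account ${SamAccountName}"
    } else {
        Write-ResponseLog "Account ${SamAccountName} was already disabled"
    }
} catch {
    Write-ResponseLog "Failed to disable ${SamAccountName}: $($_.Exception.Message)"
    exit 2
}

# Shut down the machine to stop in-progress encryption; -Force skips
# the "unsaved work" prompt that would otherwise block the shutdown.
try {
    Stop-Computer -ComputerName $ComputerName -Force -ErrorAction Stop
    Write-ResponseLog "Shutdown sent to ${ComputerName}"
} catch {
    Write-ResponseLog "Failed to shut down ${ComputerName}: $($_.Exception.Message)"
    exit 3
}
```

The non-zero exit codes let you see in the DatAlert script output which step failed, and the log file gives you a timeline for the incident report.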

In addition to these features Varonis also offers playbooks, which help you get a better understanding of threats and give you guidance on how to handle them. This feature is available from Varonis version 7, and if you are interested you can read more about the news in Varonis 7 in my previous blog post.


Another awesome feature that is included for all Varonis users is the help from Varonis’ in-house Incident Response Team. The IR team consists of a group of cyber security analysts who will help you respond to incidents reported by Varonis alerts. So if you need help, their help is included, and that can be invaluable in a real incident.

If you are interested in Varonis or have any other questions, feel free to contact me at rickard.carlsson@xenit.se


Disclaimer: All information on this blog is offered "as is" with no warranty. It is strongly recommended that you verify all information and validate all scripts in isolated test environments before using them in production environments.