
Execute a PowerShell script in Varonis DatAlert

thibault
Last updated: 30/03/2019
By thibault, published 14 December 2018

The Varonis platform is made up of several modules, such as DatAdvantage (the heart of the product), the Data Classification Engine (discovery and scanning of sensitive content) and DatAlert (security analytics to protect your assets).

One of the biggest advantages of DatAlert is that it lets you create custom alerts that you configure yourself, which is already great. But DatAlert can also analyze and learn the behavior of your users and warn you when someone deviates from their usual behavior (accessing old or unusual data, deleting more documents than usual, etc.).

Introduction

DatAlert covers many scenarios, such as ransomware detection, unusual user behavior, and much more. For each alert, you configure which type of notification you want to receive: writing to the Windows Event Log, forwarding the alert directly to your syslog tool, sending a standard email to the IT security team, but also taking actions! 😉

Yes, that means that when an alert is triggered you can ask DatAlert to perform specific actions through any custom script you provide to it. It can be an executable, a batch script or a PowerShell script.

Example

Let’s see how this works with a short example. Imagine you have a specific rule that monitors all activity in a specific, strategic folder. We will configure this alert to automatically launch a PowerShell script when the alert is triggered.

Configuring the alert

In the DatAdvantage application, go to the Tools menu, then DatAlert > DatAlert. Create a new rule or modify an existing one. Just make sure that you can at least trigger your rule manually, so you can test it at the end of the process. 🙂

If needed, choose a name, severity, category and description for your new rule, and set the parameters in the Who, What, Where and When tabs. Also note that you should definitely test your rule in a test environment, or at least on a reduced perimeter (not on your production environment, which could potentially involve ALL your end users…).

Now go to the Alert Method tab. Normally, this is the step where you configure the type of alert you want: receive an email, write to the Event Log, etc. But for this test, we want to take automatic actions! So also check the Executable Script option.

Be aware that you must store your script on the Varonis Collector that manages your monitored resource. If you don’t have any Collector, you can store the script on your IDU/DSP server. In my example, I saved my script at C:\Temp\Script.ps1 (very creative). 😉

And here is the interesting part: my script is only a few lines long (yes, it’s that easy):

# Import the Active Directory cmdlets
Import-Module ActiveDirectory

# Read the variable that Varonis DatAlert passes to the script
$ActingUser = $env:ActingObjectSAMAccountName

# Do nothing if DatAlert did not provide an account name
if ([string]::IsNullOrWhiteSpace($ActingUser)) { exit 1 }

# Take the action: disable the account that triggered the alert
Disable-ADAccount -Identity $ActingUser

In my scenario, I simply want to disable the Active Directory account of the person concerned, because it is something that can be checked visually after the alert has been triggered.

But as you can see, I’m using specific cmdlets provided by the Active Directory module. That means there is really no limit to the possibilities: I could choose to log the person off, shut down their computer remotely, combine these two steps, etc. 🙂

Testing our new Alert

A few minutes before creating my alert, I created plenty of test files in my monitored test folder. Let’s try to remove some of them and see what happens…

If I check the Event Viewer on my Collector (or IDU) server, I can see that my alert has been triggered several times (I deleted several documents in my secret test folder).

I can see the precise names of the documents that were deleted, the moment I deleted them, and so on, but more importantly I can see that the account responsible for this action is "itadmin".

That means that if my script worked correctly, this Active Directory account should now be disabled in AD. And indeed, the account was disabled immediately after the first alert. Do not forget that the credentials you configured in DatAlert to run the script must (obviously) be allowed to perform this action. 😉

Now, think for a few minutes about the possibilities. For any monitored action on which you set up an alert, you can set up a specific, automatic response. That means, for example, that if a ransomware attack is detected you could set up a PowerShell script to disconnect the person, shut down their laptop remotely, or maybe even shut down the affected file server completely.

But ransomware is not the only case. In fact, you can perform any action you want when an alert is detected, as long as a PowerShell cmdlet (or any other way of scripting the action) is available.
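As an added example (not code from the article or from Varonis), here is a more defensive version of the same response script, the kind of safeguards I would want in place before letting a rule disable accounts on its own: it validates the DatAlert variable, refuses to touch a list of protected accounts, writes an audit entry to the Application event log, and has a dry-run switch for testing. It assumes only the $env:ActingObjectSAMAccountName variable shown above; the event source name and the protected-account names are placeholders, and Write-EventLog requires Windows PowerShell 5.1 (it is not available in PowerShell 7).

```powershell
# Added example (not from the original article): hardened DatAlert response script.
# Assumptions: only $env:ActingObjectSAMAccountName (shown in the article) is used;
# the event source and the protected-account list below are placeholders.

param(
    [switch]$WhatIf   # dry run: log what would happen, do not disable anything
)

Import-Module ActiveDirectory -ErrorAction Stop

# Event-log source used as an audit trail of every automated response.
# Placeholder name; register it once (as an administrator) with:
#   New-EventLog -LogName Application -Source 'DatAlert-AutoResponse'
$Source = 'DatAlert-AutoResponse'

function Write-ResponseLog {
    param([string]$Message, [string]$EntryType = 'Information')
    # Fall back to standard output if the source has not been registered yet
    try {
        Write-EventLog -LogName Application -Source $Source -EntryType $EntryType `
            -EventId 1000 -Message $Message -ErrorAction Stop
    } catch {
        Write-Output "[$EntryType] $Message"
    }
}

# Accounts an automated rule must never lock out (break-glass admin, the
# Varonis service account, ...). Placeholder values: adapt to your environment.
$ProtectedAccounts = @('breakglass-admin', 'svc-varonis')

$ActingUser = $env:ActingObjectSAMAccountName

# 1. Reject empty or malformed input: a sAMAccountName is at most 20 characters
#    and never contains separators such as \ / [ ] : ; | = , + * ? < > " @
if ([string]::IsNullOrWhiteSpace($ActingUser) -or
    $ActingUser -notmatch '^[^\\/\[\]:;|=,+*?<>"@\s]{1,20}$') {
    Write-ResponseLog "Refusing to act: acting user is missing or malformed ('$ActingUser')" 'Warning'
    exit 1
}

# 2. Never touch protected accounts, even if the alert names them (-contains is case-insensitive)
if ($ProtectedAccounts -contains $ActingUser) {
    Write-ResponseLog "Refusing to disable protected account '$ActingUser'; manual review required" 'Warning'
    exit 2
}

# 3. Resolve the account explicitly so a deleted or mistyped object fails loudly
try {
    $Account = Get-ADUser -Identity $ActingUser -Properties Enabled -ErrorAction Stop
} catch {
    Write-ResponseLog "Acting user '$ActingUser' not found in AD: $($_.Exception.Message)" 'Error'
    exit 3
}

if (-not $Account.Enabled) {
    Write-ResponseLog "Account '$ActingUser' is already disabled; nothing to do"
    exit 0
}

# 4. Take the action, or only report it in dry-run mode
if ($WhatIf) {
    Write-ResponseLog "Dry run: would disable '$ActingUser' ($($Account.DistinguishedName))"
    exit 0
}

try {
    Disable-ADAccount -Identity $Account -ErrorAction Stop
    Write-ResponseLog "Disabled account '$ActingUser' ($($Account.DistinguishedName)) in response to a DatAlert rule"
} catch {
    Write-ResponseLog "Failed to disable '$ActingUser': $($_.Exception.Message)" 'Error'
    exit 4
}
```

To test the rule on a reduced perimeter, point DatAlert at the script with the -WhatIf switch first: every trigger then produces an Application event describing what would have happened, without any account being disabled. The protected-account list is what keeps an attacker who triggers the alert while impersonating, say, the Varonis service account from turning your own response into a denial of service against your administrators.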

Finally, please note that the example in this article is provided "as is", without warranty of any kind, express or implied. You should always test an automatic response before deploying it to your whole production environment.

Tags: DatAlert, PowerShell, Varonis
Author

Cloud Solution Architect – Engineering (aka Sr. Premier Field Engineer – PFE) @ Microsoft in the fields of infrastructure, cloud and security. I am also passionate about everything related to new technologies, as well as photography! Enjoy your visit! 🤓