Leveraging Varonis with Splunk to Create a Holistic Data Security State

Somerford Associates Limited
Nov 3, 2020

Author: Grace Maher


In these unprecedented times, many of our IT departments are having to respond rapidly to quickly changing business needs and the sudden increase in remote working. Whilst many businesses have focussed on increasing perimeter security, such as VPNs, remote working environments and SSO, data security and possible insider threats have received far less attention. This leaves a massive attack surface for potential threats, both internal and external, as targeted attacks on remote workers have increased exponentially since the advent of the Coronavirus.

Combating this increased threat takes not only security monitoring, but also an understanding of where the risk within your data lies. By classifying data by sensitivity, and also knowing what is contained within your data, such as names, addresses or banking information

Deploying Splunk & Varonis together

It is well known by now that Splunk can ingest any human-readable data, and in doing so can give you a full understanding of the different actions occurring inside your infrastructure, such as logins, what has been accessed, and when. However, it cannot tell you whether, say, Bob in HR should have access to the Legal folders. You can review events that show him accessing a legal document, but they do not tell you whether that access is legitimate for a project or similar, or whether it is rogue access and Bob is just having a good old nosy around in files he should never have been able to reach.

By leveraging Varonis DatAdvantage, you can enhance your Splunk unified monitoring with an understanding of the contents of files, of access granted through incorrectly inherited group permissions, and of which data is high risk. Once you can find your “Bob” — you can rectify permissions and access in real time using the DatAdvantage workspace and review how the changed permissions will affect all users, to ensure that tightening your data security does not impact any other users’ everyday tasks.

Maintaining data integrity and security can be a difficult task, but by utilising DatAdvantage you can easily ensure that permissions are correctly set and are appropriate for users and groups. What is even more important is that once this is done, we can utilise DatAlert to ensure this continues to be upheld and to alert us to any changes to users’ access, or to any moving, modification, or sharing of data. DatAlert can also alert on dangerous actions that processes might be running across the network, such as mass encryption signalling a ransomware attack, and can optionally log the user off to stop the process.

The Splunk Add-on and App for Varonis allows you to leverage Splunk’s real-time data architecture to receive alerts from Varonis and correlate them with any other issues within your infrastructure, such as a user deleting or moving a file followed by a sudden loss of reporting from a host. The app is available for free to Splunk customers, and provided you have DatAlert, you can immediately start getting Varonis insights within Splunk and correlate across all of your data stores, local files on users’ workstations, and cloud storage.

If you are a Varonis Edge customer, you can also enrich these events with context from analysing your VPN, DNS and firewall traffic. This adds to the DatAlert data by interpreting whether requests are internal or external and attaching usernames to the access. Suddenly, within Splunk, an event such as “89.250.1x5.8x read employeeguide.pdf” becomes: “Bob in Russia read employeeguide.pdf”.
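The enrichment described above, as an added illustration that is not code from Varonis, Splunk or the original post: constructed VPN session records and file-access events are joined on source IP and time window to turn an IP-only event into a user-and-country event. The sample data, the IP/user/country values and the session layout are all assumptions made for the example.

```python
from datetime import datetime

# Constructed sample VPN session records (not real Varonis Edge output):
# (username, assigned client IP, session start, session end, country from VPN/GeoIP context)
VPN_SESSIONS = [
    ("Bob", "89.250.105.80", "2020-11-03T08:00:00", "2020-11-03T12:00:00", "Russia"),
    ("Alice", "10.20.30.40", "2020-11-03T07:30:00", "2020-11-03T18:00:00", "United Kingdom"),
]

# Constructed sample file-access events as they would look before enrichment:
# (timestamp, source IP, action, file)
FILE_EVENTS = [
    ("2020-11-03T09:15:00", "89.250.105.80", "read", "employeeguide.pdf"),
    # Same IP, but after Bob's session ended: the IP may now belong to someone else,
    # so the event must NOT be attributed to Bob.
    ("2020-11-03T13:05:00", "89.250.105.80", "read", "salaries.xlsx"),
    ("2020-11-03T10:00:00", "10.20.30.40", "modify", "legal/contract.docx"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def resolve_user(src_ip, when):
    """Return (user, country) for the VPN session that held src_ip at time `when`.

    Matching on IP alone is not enough: VPN addresses are reused, so the event
    time must fall inside the session window. Returns None if no session matches.
    """
    t = parse(when)
    for user, ip, start, end, country in VPN_SESSIONS:
        if ip == src_ip and parse(start) <= t <= parse(end):
            return user, country
    return None


def enrich(event):
    """Rewrite one IP-based access event into a user-based one, or mark it unattributed."""
    ts, src_ip, action, path = event
    hit = resolve_user(src_ip, ts)
    if hit is None:
        return f"{src_ip} (unattributed) {action} {path}"
    user, country = hit
    return f"{user} in {country} {action} {path}"


def enrich_all(events=FILE_EVENTS):
    return [enrich(e) for e in events]


if __name__ == "__main__":
    for line in enrich_all():
        print(line)
```

Unattributed events are worth surfacing rather than dropping: an IP that no current session explains is exactly the kind of access a reviewer wants to look at.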

By ensuring that your data security is in a good shape, and allowing Varonis and Splunk to automate the upkeep of your policies, you can be sure you are doing your utmost to secure your users, your data, and your applications and infrastructure.

If you would like to test how strong your data security is, we offer a FREE Data Risk Assessment to visualise to you where your sensitive data is, who has access to it, and also if it has been shared or moved.

If you are a current Splunk or Varonis customer, and would like to see more about how Splunk and Varonis can create a holistic monitoring system for both your data and your infrastructure, please get in touch and we can schedule a demo with a Varonis and Splunk certified engineer, to show you how this may work inside of your own environment.

Note: No Bobs were harmed during the writing of this blog.
