Integration · dspm

Varonis Data Security Platform

Pulls global-access exposure, ransomware blast radius, UBA-flagged access anomalies, external-share events, dormant-account permissions, and data-threat alert posture from Varonis's Data Security Platform, driving ten DSPM KRIs across unstructured and SaaS data estates.

sourceType: dspm vendorId: varonis-dsp auth: api-key (bearer token) schedule: daily
Manual setup, not part of guided onboarding
This connector requires you to register an app or issue an API token in your own vendor console first, so it sits outside the guided onboarding chat. Follow the steps below in your vendor admin UI, then add the integration from Settings → Integrations in Draxis. The four connectors that are in guided onboarding (Microsoft Entra ID, Microsoft Defender for Endpoint, Google Workspace, GitHub Advanced Security) install via a one-click OAuth popup with no per-customer registration step.

At a glance

VendorVaronis, Data Security Platform (SaaS) and on-prem DSP (formerly DatAdvantage + DatAlert + DataPrivilege).
Source typedspm
Vendor ID (slug)varonis-dsp
Base URLPer-tenant. SaaS: https://<your-tenant>.varonis.io. On-prem: your DSP Management Server hostname.
Auth methodapi-key, Varonis API token via Authorization: Bearer <token>. Dispatcher's default for api-key auth does this; no override needed.
Schedule defaultdaily, Varonis's data-classification and permissions analysis update overnight; hourly adds cost without new signal.
ReachabilitySaaS (*.varonis.io): works out of the box. On-prem DSP on RFC1918 / private IPs: blocked by Draxis's SSRF guard, front with a public-TLS reverse proxy, or switch to SaaS.
LicensingCore KRIs (exposure, blast radius, permissions, alerts) need the base DSP license. The SaaS external-shared KRI specifically requires the Varonis SaaS connector deployed on M365 / Google Workspace. UBA anomalies need the DatAlert module. Tenants without those modules get 0 + warn log.
AvailabilityNew in 2026.04.

Required scopes & roles

Varonis API tokens are scoped by the Varonis admin role assigned to the token. Create a dedicated service role with read-only access to:

  • Alerts, Read-only (data-threat alerts KRI).
  • Data Classification, Read-only (exposure, stale-data, regulated-shares KRIs).
  • Permissions, Read-only (blast radius, privileged-excessive, dormant-accounts KRIs).
  • Events, Read-only (UBA anomalies, external-events KRIs).
  • Users, Read-only (privileged analysis, dormant accounts).
  • Shares / SaaS Sharing, Read-only (regulated-shares and SaaS-external-shared KRIs).

Do not grant any write / modify / classify-as / respond-to permissions. The connector never mutates Varonis state.

Setup steps

  1. Identify your Varonis deployment. SaaS customers log into https://<tenant>.varonis.io; on-prem customers have a DSP Management Server hostname. The API is served from the same host under /api/v1/.
  2. Create a service-account user in the Varonis admin console (Management → Users → Add). Name: draxis-connector. Role: the read-only service role you created with the scopes above (or use the built-in "Auditor" role if it matches).
  3. Generate an API token as that service account. Admin Console → API → Create Token. Varonis shows the token once at creation, copy into your password manager.
  4. (On-prem only) Verify public-TLS reachability. Draxis runs from public egress IPs; an on-prem DSP on a private IP is blocked by the SSRF guard. Front with a reverse proxy that terminates public TLS and allowlists Draxis's egress range.
  5. Verify connectivity before wiring Draxis: 
    curl -sk -H 'Authorization: Bearer <token>' \
  'https://<your-tenant>.varonis.io/api/v1/system/info' \
  | jq '.version, .deployment'
    Should print your DSP version and deployment descriptor. 401 = wrong token; 404 = wrong base URL (path differs on some older on-prem DSP versions, check your Varonis Public API Guide).

Wire it into Draxis

  1. Open Settings → Integrations in your tenant.
  2. Click Add integration and pick Data Security Posture (DSPM) as the source type.
  3. Pick Varonis Data Security Platform from the vendor dropdown. Draxis pre-fills the auth method and daily schedule.
  4. In API Base URL, paste your Varonis tenant URL (SaaS) or on-prem Management Server URL. No trailing slash or path.
  5. In API Key / Token, paste the Varonis API token from step 3. Draxis encrypts it server-side with encryption.key before storage.
  6. Click Test. Green means Draxis called /api/v1/system/info successfully, the message includes your DSP version.
  7. Under KRIs to import, tick the KRIs you want Draxis to manage. All ten varonis_* KRIs are checked by default; uncheck the SaaS-external-shared KRI if you don't have Varonis SaaS connectors on M365 / Google Workspace, and uncheck the UBA KRI if you don't license DatAlert. Selected rows are created on save.
  8. Save. The connector runs daily by default.

KRIs produced

SlugMeaningDerivation
varonis_global_access_exposure Sensitive files / folders accessible to "Everyone" / "All Employees" / "Domain Users" GET /api/v1/exposure/global-access?sensitive=true, read count from the envelope.
varonis_blast_radius_max Largest per-user blast radius, files that user could encrypt if compromised GET /api/v1/blast-radius/top-users?limit=1&sort=blast_radius:desc → take the top row's blast_radius (or files_at_risk depending on DSP version).
varonis_stale_sensitive_data_90d Sensitive files with no access activity in 90+ days GET /api/v1/files/count?sensitive=true&last_accessed_before=<now-90d>
varonis_open_shares_regulated Permissive shares containing PII / PHI / PCI data GET /api/v1/shares/count?permissive=true&classifications=PII,PHI,PCI
varonis_uba_anomalies_24h UBA-flagged abnormal data access events in 24h (requires DatAlert) GET /api/v1/events/anomalies/count?since=<now-24h>
varonis_privileged_excessive_access Privileged accounts with out-of-role data access GET /api/v1/users/count?privileged=true&access_anomaly=true
varonis_external_guest_events_7d External / guest user data access events (7d) GET /api/v1/events/count?user_type=external&since=<now-7d>
varonis_dormant_accounts_with_perms Dormant accounts retaining active data permissions GET /api/v1/users/count?dormant=true&has_active_perms=true
varonis_unresolved_alerts_4h_plus Data-threat alerts unresolved > 4h GET /api/v1/alerts/count?status=open&created_before=<now-4h>
varonis_saas_external_shared_sensitive M365 / Google Workspace sensitive files shared externally GET /api/v1/saas/shares/count?external=true&sensitive=true. Requires Varonis SaaS connector on those platforms.

Each row is a slug the connector writes to. Draxis creates the matching kri rows automatically when you check them in the KRIs to import section of the integration form, no manual API call or seed script needed. Thresholds shown in the table are the seeded defaults; you can edit them freely in the KRIs tab afterwards.

Vendor quirks

  • Endpoint paths vary across DSP versions. The connector uses the conventional paths from Varonis's Public API Guide, but SaaS DSP, on-prem DSP, and older DatAdvantage deployments have slight variations. The connector tolerates 404 per-KRI with warn logs so a path mismatch on one endpoint doesn't abort the run, but you'll see zeros on the affected KRIs. If multiple KRIs return 0 with 404 warns, check your Varonis Public API Guide and adapt the paths in the connector (one-line edits).
  • On-prem DSP on a private IP is blocked. Same story as Splunk, Palo Alto on-prem, and GHES: Draxis's SSRF guard rejects RFC1918 addresses. Front with a public-TLS reverse proxy, or switch to SaaS DSP where the hostname is public.
  • Module gating. UBA / DatAlert module is required for the anomalies KRI; Varonis SaaS connectors on M365 + Google Workspace are required for the SaaS-external-shared KRI. Unlicensed modules return 403/404, recorded as 0 + warn.
  • "Sensitive" means Varonis-classified. The exposure and stale-data KRIs filter on Varonis's own classification tags (PII / PHI / PCI / etc.). Data that isn't classified, either because classification hasn't run yet, or because your org uses custom classification labels, won't count. Review your Classification Policies before interpreting these KRIs.
  • Blast radius varies by Varonis version. Newer DSP returns blast radius directly; older DatAdvantage versions computed a similar metric under a different field name. If the KRI always reads 0, verify your DSP exposes the /blast-radius/top-users endpoint (or its equivalent).
  • Dormant threshold is Varonis-defined. The connector passes dormant=true to Varonis, which uses its own inactivity threshold (configurable in DatAdvantage policies, typically 30-90 days). Tune your Varonis policy if the threshold doesn't match your compliance requirement.
  • External-user classification depends on identity source. Varonis's user_type=external flag is accurate when the identity source (AD / Azure AD / Okta) distinguishes guests from members. Misconfigured tenants might show 0 or misclassify, verify in the Varonis console.
  • Privileged excess-access KRI can be noisy on first rollout. Varonis's role analysis needs baseline activity to establish "normal role behavior"; in the first 30 days, every privileged user might show as anomalous. Wait a month of data before thresholding aggressively.
  • Alert-severity tier is not split in this KRI. The user spec asked for "unresolved data threat alerts > 4h (by severity tier)", KRIs are single numbers so we aggregate across severities. For per-severity breakdowns, use Varonis's own dashboards, or edit the connector to split into multiple KRIs (one per severity).
  • Rate limits are lenient. Varonis DSP typically allows 100+ API calls per minute per token. The connector makes ~11 calls per run, well under the cap.
  • Token rotation is manual. Varonis API tokens don't auto-expire unless configured; rotate on a cadence that matches your data-access security policy (typically 90-180 days).

Troubleshooting

  • Test returns 401, token is wrong or the service account was disabled. Regenerate in the admin console.
  • Test returns 404 on /api/v1/system/info, your DSP version exposes system info under a different path. Check your Varonis Public API Guide for the canonical path; the other KRIs may also need path adjustments.
  • Save-time error "host resolves to a private address", on-prem DSP on a private IP. Front with a public-TLS reverse proxy.
  • All KRIs return 0 with 404 warns, endpoint paths don't match your DSP version. The connector is built against SaaS DSP's current API surface; older on-prem deployments may need path customization.
  • varonis_saas_external_shared_sensitive = 0, you don't have the Varonis SaaS connector deployed on M365 / Google Workspace. Deploy those connectors in the Varonis admin console to populate.
  • varonis_uba_anomalies_24h = 0 on a tenant with active UBA, either no anomalies fired in the last 24h (possible on a healthy org), or the DatAlert module isn't licensed for API access. Verify in the Varonis admin console that DatAlert events are queryable via API.
  • varonis_blast_radius_max is suspiciously high, likely a service account or shared administrative account with broad access. Investigate the top user in the Varonis blast-radius dashboard; the KRI surfaces what\'s already visible in Varonis's UI.
  • rowsSkipped > 0 and rowsWritten = 0, your tenant hasn't imported any KRIs for this integration yet. Open the integration in Settings → Integrations, tick the KRIs under KRIs to import, and save.
  • Still stuck? Open a support ticket with the run ID (from Run history) and we'll dig in.