Monthly Varonis Automation Policy Execution Process
Owner: Security Team
Frequency: First day of each month
Purpose: To ensure timely execution of approved Varonis Automation Policies and maintain a secure environment by removing stale access and permissions.
Step-by-Step Procedure
1. Automated Ticket Generated
- Ticket will be assigned to designated Security Analyst.
- Attach the run sheet to keep track of actions taken, and include the actions taken and any suggestions.
3. Execute Policies via Upload Files
- For each policy:
  - Generate or retrieve the execution upload file.
  - Review the execution file, then upload it for execution.
  - Record the number of items actioned in the run-sheet in the ticket details.
  - Attach the execution upload file to the ticket.
4. Policies to Action (all approved policies are marked as 'approved to run')
Disable Stale Users
Disables users who have not logged in for 120 days. Non-Priv and Admin accounts should be disabled if not logged in, but do not need to be fully off-boarded until advised.
Disable Guest Users
Disables guest user access if they have not been logged into for 120 days.
Remove Org-Wide Collaboration Links OneDrive
Breaks org-wide collaboration links from OneDrive.
Remove Org-Wide Collaboration Links SharePoint
Breaks org-wide collaboration links for SharePoint.
Remove direct permissions for disabled users
Removes permissions for disabled users, breaking SharePoint or OneDrive access.
Remove direct permissions for non-org users
Removes permissions of guest users in OneDrive or SharePoint.
Remove Org Wide Mailboxes
Changes the Default (org-wide) group permission to "None", thus removing the org-wide exposure from the mail folder.
Remove stale collaboration links – OneDrive
Removes stale collaboration links of all types – anyone on the internet, in the organisation, specific users – in SharePoint Online or OneDrive. Stale links are links that have not been used to access resources during the defined period (default is 120 days).
Remove stale collaboration links – SharePoint
Same as above, but for SharePoint.
Remove memberships of disabled users from "Specific people" collaboration links
Removes memberships of disabled users from "Specific people" collaboration links in SharePoint Online or OneDrive. Users whose membership was removed will no longer be able to use the link.
Remove direct permissions for org-wide groups - May not get used, keep an eye on it.
Removes direct permissions of groups that contain or represent the entire organisation in SharePoint Online or OneDrive. Please review and remove any personal OneDrives.
Remove AD Memberships From Disabled Users
Will remove AD memberships for disabled users.
⚠️ Requires thorough investigation before running as accounts may only be disabled due to being stale.
Remove Cloud memberships of disabled users
Will remove Azure/Cloud memberships for disabled users.
⚠️ Requires thorough investigation before running as accounts may only be disabled due to being stale.
Remove memberships of Stale non-org users
Removes non-org users from being members of a group or a link.
⚠️ Requires thorough investigation before running as accounts may only be disabled due to being stale.
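The ⚠️ policies above need investigation because an account may be disabled only for being stale. One way to pre-check a membership-removal execution file against earlier Disable Stale Users execution files kept on past tickets, as an added example that is not part of the original procedure or a Varonis tool. The CSV layout and the sAMAccountName column are assumptions, and the sample rows are constructed:

```python
import csv
import io

# Constructed sample data. The CSV layout and the "sAMAccountName" column are
# assumptions; adjust them to match the real execution upload files.
STALE_DISABLE_FILE = """sAMAccountName,Action
jsmith,Disable
svc-report,Disable
"""

MEMBERSHIP_REMOVAL_FILE = """sAMAccountName,Group,Action
jsmith,Finance-RW,RemoveMembership
mbrown,HR-RO,RemoveMembership
SVC-Report,Reporting-Admins,RemoveMembership
"""

def load_accounts(csv_text, column="sAMAccountName"):
    """Return the set of lower-cased account names listed in one execution file."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"column {column!r} not found in file")
    return {(row[column] or "").strip().lower() for row in reader} - {""}

def split_removals(removal_csv, stale_csvs, column="sAMAccountName"):
    """Split membership-removal rows into (held, unmatched).

    held: accounts that an earlier Disable Stale Users run disabled, so they
    may be disabled only for staleness and need investigation first.
    unmatched: rows with no match in the stale-disable history supplied.
    """
    stale = set()
    for text in stale_csvs:
        stale |= load_accounts(text, column)
    held, unmatched = [], []
    for row in csv.DictReader(io.StringIO(removal_csv)):
        name = (row.get(column) or "").strip().lower()
        # Rows with a blank account name cannot be verified, so hold them too.
        (held if not name or name in stale else unmatched).append(row)
    return held, unmatched

if __name__ == "__main__":
    held, unmatched = split_removals(MEMBERSHIP_REMOVAL_FILE, [STALE_DISABLE_FILE])
    print(f"{len(held)} rows held for investigation, {len(unmatched)} unmatched")
    for row in held:
        print("HOLD:", row["sAMAccountName"], row["Group"])
```

Unmatched rows are not automatically safe to run; they only have no match in the stale-disable files supplied, so the normal review of the execution file still applies.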
5. Complete Run-Sheet
- Tick off each policy once executed.
- Record the number of items actioned.
- Note any exceptions or issues encountered.
- Advise of any automation changes which can be included to assist with the process.
6. Close Ticket
- Ensure all execution files are attached.
- Upload the completed run-sheet.
- Add a summary comment with:
  - Total number of policies executed
  - Total items actioned
  - Any anomalies or follow-ups required