Administration Guides
If Major:

  1. Review the affected files, user name, and IP address to locate the user in AD and in your organization.
  2. Review the time-to-lockout timer in the Active Events tab, which shows the time remaining until the lockout is issued.
    1. If you determine this is a false alarm, by contacting the user and assessing the affected files, use the Action Menu to Stop the Lockout timer and then mark the security event as Resolved (see the Security Event Action State Descriptions section below).
  3. If you determine it is a malicious security event, you can accelerate the lockout timer by using the Action menu to select Lockout Now (see the Security Event Action State Descriptions section below).
  4. Recovery: Re-image the machine or follow other recovery procedures that your policies require. Determine which files are to be recovered on PowerScale by selecting the files option on the security event. From this screen, you can download a CSV file of trigger files AND files from the last 1 hour of activity.
  5. Restore User Access: Take this step after it has been determined that it is safe to restore access to the user. The Actions menu can be used to remove the user account lockout for all cluster shares to which that user had access. Use the Actions menu to restore user access (see the Security Event Action State Descriptions section below).
  6. The security event will now be in the Restored state and can be archived to the Event History tab. Using the Actions menu, submit a Mark As Resolved action (see the Security Event Action State Descriptions section below).
  7. If you need to flag the event as a false positive, see the instructions on Flag As False Positive.
  8. Done.
© Superna Inc