Once a user security event appears in Active Events, the following table describes each column and the possible states of the security event.

| Column Name | Description |
| --- | --- |
| State | Warning: threat rate threshold crossed. Delayed Lockout: Major threat rate threshold crossed. Locked Out: Critical threat rate threshold crossed. |
| Severity | Warning, Major or Critical: the threat detector peak rate threshold for that severity was crossed for this event. |
| Files | A count of files that tripped the threat detectors for this event. Click to browse the file system path and see the location on disk that the user was accessing. Two tabs are shown: All Files lists the files the user was accessing within the last hour as of when the event was detected; Affected Files lists the files that tripped the threat detectors. All files should be inspected to verify integrity. |
| Signal Strengths | The three numbers, read left to right, are the warning peak / major peak / critical peak threat rate file counts: the highest count per minute seen for each severity configured in the Settings tab. A higher number for a severity means more files were involved in the threat detection event and a higher security risk was detected in the user's behaviour. When comparing two security events, higher numbers mean more files tripped the threat detector. |
| User | The domain and user account of the affected user, or the NFS IP and user ID (UID). |
| Detected | Date and time of the beginning of the security event. The event remains listed until it is auto-archived or its status is updated to resolved or unresolved. |
| Protected Shares | Lists the cluster, share name, and access zone of each share that had a lockout applied. Expanding a row displays the deny permission and the existing ACL applied to the share. |
| Snapshots | Lists the snapshot name, time, and path protected by the data-protection and recovery snapshot. |
| Expires | The time remaining before the event is auto-archived as unresolved. Auto-archive applies only to events detected as Warning; the event is monitored for this period and then archived as unresolved. Or, if a timed lockout is active, the time remaining until the lockout occurs. |
| Clients | A pop-up link listing the source IP address of the client machine the user was logged into when the signal event was detected, which helps locate the client on routers and switches in the environment. Multiple IPs can be listed for a client if the user is logged into more than one machine. |
| Actions | Click to bring up the security event history, all previous actions taken, and a menu of the actions available in the event's current state. |
Security Event State Descriptions

A Ransomware event in Eyeglass can be in one of the following states:

| State | Description |
| --- | --- |
| WARNING | New Ransomware events with a WARNING severity initially have a WARNING state. |
| DELAYED_LOCKOUT | New Ransomware events with a MAJOR severity initially have a DELAYED_LOCKOUT state. The user has not yet been locked out, but will be if the event is not acknowledged. |
| LOCKED_OUT | New Ransomware events with a CRITICAL severity initially have a LOCKED_OUT state. MAJOR severity events that are not acknowledged before the grace period elapses also move to the LOCKED_OUT state. WARNING severity events have a LOCKED_OUT state if the Administrator explicitly locks out the user. |
| ACKNOWLEDGED | A WARNING severity event can be acknowledged to indicate that the admin has seen the event and is monitoring the situation. MAJOR severity events change to ACKNOWLEDGED when the admin intervenes before the grace period has elapsed. CRITICAL severity events can never be ACKNOWLEDGED. |
| ACCESS_RESTORED | An event is in ACCESS_RESTORED state when the Administrator has restored access to a locked-out user. |
| SELF_RECOVERY | An event is in SELF_RECOVERY state when the Administrator has initiated a workflow for the user to recover the affected files. See the Data Recovery section in this guide. |
| RECOVERED | An event is in RECOVERED state when the user file recovery process is complete. RECOVERED state events are not listed in the Active Events tab on Eyeglass; they are listed in the Event History tab. |
| UNRESOLVED | An event is in UNRESOLVED state when the Administrator has archived the event but not explicitly restored access to the user. UNRESOLVED state events are not listed in the Active Events tab on Eyeglass; they are listed in the Event History tab. |
| ERROR | An event is in ERROR state when Eyeglass has attempted to initiate an action on the Administrator's behalf, but that action has failed. |
Security Event Possible Action Descriptions

The following actions are available to the Administrator at different stages of the Ransomware event lifecycle. The Required States column lists the states the event must be in for the action to be available. Whenever an action is submitted, a new record is added to the event's history.

| Action | Required States | Result |
| --- | --- | --- |
| Comment | ANY | Adds a comment to the event history. |
| Acknowledge | WARNING | Changes the event to ACKNOWLEDGED state. |
| Stop Lockout Timer | DELAYED_LOCKOUT | Changes the event to ACKNOWLEDGED state and disables the grace-period countdown on MAJOR severity events. |
| Lockout | WARNING, DELAYED_LOCKOUT | Initiates the procedure on Eyeglass to revoke access to the user's shares. Changes the event to the LOCKED_OUT state. |
| Restore User Access | LOCKED_OUT | Initiates the procedure on Eyeglass to restore access to any shares where access was revoked in the lockout step. Changes the event to ACCESS_RESTORED state. |
| Initiate Self Recovery | ACKNOWLEDGED, ACCESS_RESTORED | Launches the Eyeglass workflow that allows the user to recover all files associated with this event. The event is put into the RECOVERED state when the workflow completes. See the Data Recovery section in this guide. |
| Mark as recovered | ACKNOWLEDGED, ACCESS_RESTORED, SELF_RECOVERY | Allows the admin to manually mark an event as recovered, for example when the administrator has restored files manually or the user decides they do not need the encrypted files. |
| Archive as Unresolved | WARNING, ACKNOWLEDGED, LOCKED_OUT, ACCESS_RESTORED, SELF_RECOVERY, ERROR | The administrator can archive an event in nearly any state. The event is moved to the event history and is no longer shown on the Active Events screen. |
| Create Snapshot | | Manually applies a snapshot to the shares in the security event. Run this action if auto snapshot was disabled; it allows snapshots to be applied to shares manually. |
| Delete Snapshot | | Manually deletes snapshots applied to the share paths of security events. Run this action if snapshots were applied and you want to delete them manually BEFORE the auto expiry set on the snapshot. |
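A small model of the event lifecycle described in the state and action tables above, added here as an example and not Eyeglass's own code: it encodes the initial state per severity, the required states and result of each admin action, the grace-period timer on MAJOR events, and the rule that every submitted action adds a history record, so a runbook or integration can check which actions are valid for an event before calling the product. Usernames, notes and the method names are constructed for the example.

```python
from dataclasses import dataclass, field

# Initial state by severity, from the state table.
INITIAL_STATE = {"WARNING": "WARNING", "MAJOR": "DELAYED_LOCKOUT",
                 "CRITICAL": "LOCKED_OUT"}

# action -> (states the action is available in, resulting state).
# None means "any state" / "no state change" (the Comment action).
ACTIONS = {
    "Comment": (None, None),
    "Acknowledge": ({"WARNING"}, "ACKNOWLEDGED"),
    "Stop Lockout Timer": ({"DELAYED_LOCKOUT"}, "ACKNOWLEDGED"),
    "Lockout": ({"WARNING", "DELAYED_LOCKOUT"}, "LOCKED_OUT"),
    "Restore User Access": ({"LOCKED_OUT"}, "ACCESS_RESTORED"),
    "Initiate Self Recovery": ({"ACKNOWLEDGED", "ACCESS_RESTORED"}, "SELF_RECOVERY"),
    "Mark as recovered": ({"ACKNOWLEDGED", "ACCESS_RESTORED", "SELF_RECOVERY"}, "RECOVERED"),
    "Archive as Unresolved": ({"WARNING", "ACKNOWLEDGED", "LOCKED_OUT",
                               "ACCESS_RESTORED", "SELF_RECOVERY", "ERROR"}, "UNRESOLVED"),
}
HISTORY_ONLY = {"RECOVERED", "UNRESOLVED"}  # listed in Event History, not Active Events


@dataclass
class SecurityEvent:
    user: str
    severity: str  # WARNING, MAJOR or CRITICAL
    state: str = ""
    history: list = field(default_factory=list)

    def __post_init__(self):
        self.state = INITIAL_STATE[self.severity]
        self.history.append(f"detected severity={self.severity} state={self.state}")

    def apply(self, action, note=""):
        """Submit an admin action; rejects it if the event is not in a required state."""
        required, result = ACTIONS[action]
        if required is not None and self.state not in required:
            raise ValueError(f"{action} is not available in state {self.state}")
        if result is not None:
            self.state = result
        self.history.append(f"{action} -> {self.state} {note}".rstrip())
        return self.state

    def grace_period_elapsed(self):
        """Timer, not an admin action: an unacknowledged MAJOR event is locked out."""
        if self.state == "DELAYED_LOCKOUT":
            self.state = "LOCKED_OUT"
            self.history.append("grace period elapsed -> LOCKED_OUT")
        return self.state

    def is_active(self):
        return self.state not in HISTORY_ONLY
```

Because a CRITICAL event starts in LOCKED_OUT and Acknowledge requires WARNING, the model reproduces the rule that CRITICAL events can never be acknowledged without a special case.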