Administration Guides

Security Event Descriptions

Home



Detected User Security Event Descriptions

Once a user security event appears in Active Events, the following table outlines the column definitions and descriptions of each state of the security event.

Column NameDescription
State

Warning - Threat rate threshold crossed.

Delayed Lockout - Major Threat rate threshold crossed.

Locked Out - Critical Threat rate threshold crossed.

Severity

Warning - Threat detector peak rate threshold for this event was crossed.

Major - Threat detector peak rate threshold for this event was crossed.

Critical - Threat detector peak rate threshold for this event was crossed.

Files

A count of files that tripped the threat detectors for this event.  Click to browse the file system path to see the location on the disk that the user was accessing.  

  • Two tabs are shown:
    • One is a list of files that the user was accessing within the last hour since the event was detected (All Files).
    • Affected Files is a list of files that tripped the threat detectors.
  • All files should be inspected to verify integrity
Signal StrengthsEach number from left to right is warning peak/ major peak / critical peak threat rate file count.  This indicates the highest count seen for each severity configured in the settings tab.  The metric is a count per minute.   The higher the number for each severity indicates a higher security risk detected for the user behavior.  It indicates more files were involved in the threat detection security event.  When comparing two different security events, higher numbers indicates more files tripped the threat detector.
UserThe domain and user account of the affected user or NFS ip and UI will be shown
DetectedDate and time representing the beginning of the security event.   This event will stay until it is auto-archived or is updated as resolved, or unresolved status.
Protected  SharesLists the cluster, share name, and access one of a share that had a lockout applied.  Expanding will display the deny permission and existing ACL applied to the share.
SnapshotsLists the snapshot name, time, and path that was protected by data-protection and recovery snapshot.  
Expires

This will show the time remaining before auto-archive as unresolved is applied to the event.  The auto-archive feature will only apply to events detected as warning, and will monitor the event for this time period before archiving the event as unresolved.

OR

If a timed lockout is active, the time remaining until a lockout will occur.

ClientsThis has a pop-up link to list the source ip address of the client machine the user was logged into when the signal event was detected.  This assists in finding the client on routers and switches in the environment.     Multiple ip’s can be listed for a client if they are logged into more than one machine.
ActionsClick to bring up the security event history of the event, all previous actions taken and menu to select available actions depending on the state of the security event.

Security Event State Descriptions

A Ransomware event in Eyeglass can be in one of the following states:  

StateDescription
WARNINGNew Ransomware events with a WARNING severity initially have a WARNING state.
DELAYED_LOCKOUTNew Ransomware events with a MAJOR severity initially have a DELAYED_LOCKOUT state. This implies that the user has not yet been locked out, but will be if the event is not acknowledged.
LOCKED_OUT

New Ransomware events with a CRITICAL severity initially have a LOCKED_OUT state.

MAJOR severity events that are not acknowledged before the grace period elapses also have a LOCKED_OUT state.  

WARNING severity events have a LOCKED_OUT state if the Administrator explicitly locks out the user.

ACKNOWLEDGED

A WARNING severity event can be acknowledged to indicate that the admin has seen the event and is monitoring the situation.

MAJOR severity events change to ACKNOWLEDGE when the admin intervenes before the grace period has elapsed.

CRITICAL severity events can never be ACKNOWLEDGED.

ACCESS_RESTOREDAn event is in RESOLVED state when the Administrator has restored access to a locked-out user.
SELF_RECOVERYAn event is in SELF_RECOVERY state when the Administrator has initiated a workflow for the user to recover the affected files.  See the Data Recovery section in this guide.
RECOVERED

An event is in RECOVERED state when the user file recovery process is complete.

RECOVERED state events are not listed in the Active Events tab on Eyeglass. They are listed in the Event History tab.

UNRESOLVED

An event is in UNRESOLVED state when the Administrator has archived the event, but not explicitly restored access to the user.  

UNRECOVERED state events will are not listed in the Active Events tab on Eyeglass. They are listed in the Event History tab.

ERRORAn event is in ERROR state when Eyeglass has attempted to initiate an action on the Administrator’s behalf, but that action has failed.

Security Event Possible Action Descriptions

The following actions are available to the Administrator at different stages of the Ransomware event lifecycle. The Required States column lists the state that the event must be in, for the action to be available. Whenever an action is submitted, a new record is added to the event’s history.

ActionRequired StatesResult
CommentANYAdds a comment to the event history.
AcknowledgeWARNINGChanges the event to ACKNOWLEDGED state.
Stop Lockout TimerDELAYED_LOCKOUTChanges the event to ACKNOWLEDGED state. Disables any countdown for the grace period on MAJOR severity events.
Lockout

WARNING,

DELAYED_LOCKOUT

Initiates the procedure on Eyeglass to revoke access to the user’s shares. Changes the event to the LOCKED_OUT state.
Restore User AccessLOCKED_OUTInitiates the procedure on Eyeglass to restore access to any shares where access was revoked in the lockout step. Changes the event to ACCESS_RESTORED state.
Initiate Self Recovery

ACKNOWLEDGED,

ACCESS_RESTORED

Launches the Eyeglass workflow to allow the user to recover all files associated with this event. This procedure will put the event into the RECOVERED state when it is complete.

Events in the RECOVERED state.  

See the Data Recovery section in this guide.

Mark as recovered

ACKNOWLEDGED,

ACCESS_RESTORED,

SELF_RECOVERY

Allows the admin to manually mark an event as having been recovered. This can happen if the administrator manually restores files, or the user decides that they do not need the encrypted files.
Archive as Unresolved

WARNING,

ACKNOWLEDGED,

LOCKED_OUT,

ACCESS_RESTORED,

SELF_RECOVERY,

ERROR

The administrator can archive an event in nearly any state. The event gets put into event history and is no longer shown on the active events screen.
Create SnapshotManually apply a snapshot to shares in the security eventRun this action if the auto snapshot was disabled.  It allows manual apply of snapshots to shares.
Delete  SnapshotManually delete snapshots applied to share path security events.Run this action if snapshots were applied and you want to manually delete BEFORE the auto expiry set on the snapshot.

 

© Superna LLC