
Analysis rules identify issues within your content sources. Each rule covers a different type of problem, and each has a default severity range that you can adjust.

 

Empty Group

Detects groups that contain no users. This rule helps you keep your data repositories clean so they are easier to manage. Removing empty groups also makes it less likely that an administrator grants folder permissions to the wrong group.

Default Severity Settings: 1


External Sharing

Detects files and folders accessible by people outside your organization. In the case of Egnyte Collaborate, this rule flags files and folders shared with Standard Users.

Default Severity Settings: 3 to 9

 

Inactive Users

Detects users that have not logged in or had any activity within a content source. This rule helps limit your exposure by identifying user accounts that should be deactivated or deleted, which reduces the risk of brute-force attacks against dormant accounts and the exposure of sensitive data through them.

Default Severity Settings: 6 to 9

 

Individual Permission

Detects folders that are permitted directly to individual users rather than to groups. Granting permissions to groups rather than to individuals is a general security best practice: membership changes then happen in one place, and who can reach a folder is easier to audit.

Default Severity Settings: 1 to 3

 

Malformed Permission

Detects folders where NTFS permissions are not working correctly because of ACL ordering issues (access control entries that are out of canonical order, so a Deny entry may no longer take precedence over an Allow entry) or orphaned inheritance. Malformed Permission is only supported for Windows File Servers (WFS) and Common Internet File System (CIFS) shares.

Default Severity Settings: 3

 

Open Access

Detects folders that are permitted to groups containing many users. In such situations, folders may be accessible by many more people than intended.

Default Severity Settings: 3 to 9

 

Certain groups, such as All Power Users, are automatically included in this rule. To add further groups, click on the rule and then on the setting under General Rule Settings.

Public Link

Detects files and folders accessible via public links. These are any links that do not require a password and are not limited to domain users (i.e. they are open to the public).

Default Severity Settings: 2 to 9

 

Unused Group

Detects groups not used to grant any folder permissions. The group may or may not have users in it, but it is not being used in any of the content repositories that Egnyte Secure and Govern is overseeing. This rule helps you keep your data repositories clean so they are easier to manage.

Default Severity Settings: 1

 

Probable Ransomware

Detects user accounts that are potentially compromised by ransomware. This rule allows you to detect ransomware infections early and stop them by disabling the impacted user accounts.

Default Severity Settings: 9

 

Detection Confidence is calculated based on:

Zero-day (Behavioral-based) Detections

  • The number of files detected with high entropy. Zero-day detections typically receive the highest detection confidence.

Artifact-based (Known Ransomware)

  • The number of known ransomware extensions and/or notes detected
  • The number of known ransomware extensions and/or notes detected with entropy
  • The probability of occurrence as calculated by a Bayesian network that models the dependencies between the presence of ransomware and the evidence found.

File entropy measures the randomness of the data in a file. Encrypted or compressed content has entropy close to the maximum, whereas documents, text, and most source code sit well below it, so a burst of high-entropy files written by one account is the signature of ransomware encrypting data.
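A worked version of the two confidence branches above, added here as an example (it is not Egnyte's code). It computes Shannon entropy over a batch of files written by one account and scores the batch the way the list describes. The extension list, ransom-note names, entropy threshold, zero-day file count, and additive weights are assumptions standing in for the product's signature set and Bayesian network; the sample files are constructed.

```python
import math
import random
from collections import Counter

# Artifact lists and thresholds are assumptions of this example; Egnyte's actual
# signature set and Bayesian weights are not on the page.
KNOWN_RANSOMWARE_EXTENSIONS = {".locked", ".crypt", ".enc"}
KNOWN_RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.html"}
HIGH_ENTROPY_THRESHOLD = 7.5   # bits per byte; 8.0 is the maximum for a byte stream
ZERO_DAY_MIN_FILES = 3         # high-entropy writes with no known artifact before we call it zero-day


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0).

    Plain text and office documents sit well below 6; encrypted or compressed
    output, which is what ransomware leaves behind, approaches 8.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(name: str, content: bytes) -> dict:
    """Tag one written file with the signals the rule text describes."""
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
    return {
        "name": name,
        "high_entropy": shannon_entropy(content) >= HIGH_ENTROPY_THRESHOLD,
        "known_extension": ext in KNOWN_RANSOMWARE_EXTENSIONS,
        "ransom_note": lower in KNOWN_RANSOM_NOTE_NAMES,
    }


def detection_confidence(files) -> tuple:
    """Score a batch of (name, content) files written by one account.

    Returns (detection_type, confidence_percent). The additive weights below
    stand in for the Bayesian network the page mentions.
    """
    tags = [classify_file(name, content) for name, content in files]
    artifacts = [t for t in tags if t["known_extension"] or t["ransom_note"]]
    if not artifacts:
        # Behavioral branch: encrypted output with no known signature, i.e. a zero-day.
        # Per the page, this branch gets the highest confidence.
        high_entropy = [t for t in tags if t["high_entropy"]]
        if len(high_entropy) >= ZERO_DAY_MIN_FILES:
            return ("zero-day", 100)
        return ("none", 0)
    # Artifact branch: each known extension or note adds weight; an encrypted
    # body behind a known extension adds more.
    encrypted_artifacts = [t for t in artifacts if t["high_entropy"]]
    score = 30 * len(artifacts) + 20 * len(encrypted_artifacts)
    return ("known-ransomware", min(100, score))


# Constructed sample data, seeded so the results are reproducible.
_rng = random.Random(1337)


def _random_bytes(n: int) -> bytes:
    """Stand-in for ciphertext: uniformly random bytes have entropy close to 8.0."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_CLEAN = [
    ("q3_report.docx", b"Quarterly report: revenue up 4%, costs flat.\n" * 50),
    ("notes.txt", b"Call Alice about the renewal on Monday.\n" * 40),
]
SAMPLE_KNOWN = [
    ("q3_report.docx.locked", _random_bytes(4096)),
    ("README_TO_DECRYPT.txt", b"Your files have been encrypted. Pay to recover them.\n"),
]
SAMPLE_ZERO_DAY = [
    ("q3_report.docx", _random_bytes(4096)),
    ("notes.txt", _random_bytes(4096)),
    ("budget.xlsx", _random_bytes(4096)),
]

if __name__ == "__main__":
    for label, batch in (("clean", SAMPLE_CLEAN), ("known", SAMPLE_KNOWN), ("zero-day", SAMPLE_ZERO_DAY)):
        print(label, detection_confidence(batch))
```

The zero-day batch keeps its original file names, so no extension or note matches, and only the entropy of the written bodies gives it away; the known batch scores below the maximum because only one of its two artifacts also carries an encrypted body.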

 

Unusual Access

Detects users who download or delete an unusually large number of files, which may indicate malicious activity. This rule helps you keep close tabs on the activity of all your users and reduce insider threats to your data.

Default Severity Settings: 7 to 9

 

Suspicious Login

Detects anomalous user login activity that may indicate a compromised account. The rule looks for concurrent logins that originate from two different locations and for logins from restricted countries. You can customize the rule to your needs by allowing a range of IP addresses from which you expect your users to log in, by flagging user accounts that you expect to have concurrent logins, or by removing countries from the restricted list.

Default Severity Settings: 7 to 9

 

Unsuccessful login detections will always receive the lowest severity setting.

Detection Confidence is calculated based on:

Impossible Travel Detections

  • The time span between logins.
  • The distance between the IP login locations minus the IP accuracy radius of both locations.
  • The risk scores of the IP addresses involved.
  • If one of the IP addresses is identified as malicious, the detection confidence is always 100%.

Restricted Country

  • The IP address location. The detection confidence will always be 100% for any IP detected from a restricted country.

All IP address and risk information is provided by a third-party IP reputation service provider.
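The confidence inputs above, carried through in code as an added example (not Egnyte's implementation). It groups a constructed login log by user, scores each consecutive pair of logins for impossible travel from the time span, the great-circle distance minus both accuracy radii, and the IP risk scores, short-circuits to 100% on a malicious IP or a restricted country, honours an allowed IP range and an expected-concurrent account list, and maps the result onto the rule's 7 to 9 severity band with failed logins pinned to the lowest value. The restricted-country list, allowed network, account list, speed limit, weights, and the severity mapping are assumptions; the geolocation and risk fields stand in for what the third-party reputation provider would return.

```python
import ipaddress
import math
from dataclasses import dataclass
from datetime import datetime, timezone

# Stand-ins for the rule's settings; every value here is an assumption of the example.
RESTRICTED_COUNTRIES = {"KP", "IR"}
ALLOWED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # ranges users are expected to log in from
EXPECTED_CONCURRENT_ACCOUNTS = {"svc-backup"}                 # accounts allowed to be in two places
MAX_PLAUSIBLE_SPEED_KMH = 900.0                               # roughly airline cruising speed


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    accuracy_km: float   # geolocation accuracy radius reported by the IP data provider
    country: str
    risk: int            # 0..100 IP risk score from the reputation provider
    malicious: bool      # provider flagged the IP as malicious
    success: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel_confidence(a: Login, b: Login) -> int:
    """Confidence (0..100) that logins a then b cannot both be the same person."""
    if a.malicious or b.malicious:
        return 100  # page: a malicious IP always gives 100%
    hours = max((b.ts - a.ts).total_seconds() / 3600, 1 / 60)  # floor at one minute
    # Subtract both accuracy radii so a coarse geolocation cannot manufacture distance.
    distance = haversine_km(a.lat, a.lon, b.lat, b.lon) - a.accuracy_km - b.accuracy_km
    if distance <= 0:
        return 0
    speed = distance / hours
    if speed <= MAX_PLAUSIBLE_SPEED_KMH:
        return 0
    confidence = 60                                   # base: travel is physically implausible
    if speed > 2 * MAX_PLAUSIBLE_SPEED_KMH:
        confidence += 20                              # not even close to plausible
    confidence += round(20 * max(a.risk, b.risk) / 100)  # weight in the IPs' risk scores
    return min(100, confidence)


def in_allowed_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def severity(confidence: int, success: bool) -> int:
    """Map onto the rule's 7..9 band; unsuccessful logins always get the lowest setting."""
    if not success:
        return 7
    return 9 if confidence >= 90 else 8 if confidence >= 70 else 7


def evaluate_logins(events):
    """Return findings as (user, detection, confidence, severity) tuples."""
    findings, by_user = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, logins in by_user.items():
        for login in logins:
            if login.country in RESTRICTED_COUNTRIES and not in_allowed_network(login.ip):
                findings.append((user, "restricted-country", 100, severity(100, login.success)))
        if user in EXPECTED_CONCURRENT_ACCOUNTS:
            continue
        for a, b in zip(logins, logins[1:]):
            if in_allowed_network(a.ip) or in_allowed_network(b.ip):
                continue  # an expected exit point (VPN, office) is not impossible travel
            conf = impossible_travel_confidence(a, b)
            if conf:
                findings.append((user, "impossible-travel", conf, severity(conf, a.success and b.success)))
    return findings


def _t(hhmm):
    return datetime(2024, 3, 4, *divmod(hhmm, 100), tzinfo=timezone.utc)


SAMPLE_LOGINS = [  # constructed sample data; documentation addresses, not real users
    Login("alice", _t(900), "203.0.113.10", 51.5074, -0.1278, 20, "GB", 5, False, True),      # London
    Login("alice", _t(945), "203.0.113.77", 40.7128, -74.0060, 50, "US", 10, False, True),    # New York, 45 min later
    Login("bob", _t(1000), "203.0.113.200", 39.0392, 125.7625, 100, "KP", 60, False, True),   # restricted country
    Login("carol", _t(1100), "198.51.100.20", 35.6892, 51.3890, 30, "IR", 0, False, True),    # restricted, but allowed range
    Login("dave", _t(1200), "203.0.113.30", 48.8566, 2.3522, 10, "FR", 0, False, True),       # Paris
    Login("dave", _t(1210), "203.0.113.31", 35.6762, 139.6503, 10, "JP", 0, True, False),     # Tokyo, malicious IP, failed login
    Login("svc-backup", _t(1300), "203.0.113.40", 48.8566, 2.3522, 10, "FR", 0, False, True),
    Login("svc-backup", _t(1301), "203.0.113.41", 35.6762, 139.6503, 10, "JP", 0, False, True),
]

if __name__ == "__main__":
    for finding in evaluate_logins(SAMPLE_LOGINS):
        print(finding)
```

Subtracting both accuracy radii matters more than it looks: mobile carrier and VPN geolocations routinely carry radii of hundreds of kilometres, and without the subtraction two logins from the same city through different carriers can score as impossible travel.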

 
