Analysis Rules Overview

Analysis rules identify issues within your content sources. Each rule targets a different type of problem. The sections below describe what each rule detects, its default severity range, and the factors that move an issue within that range.

Empty Group

Detects groups that do not contain any users. This rule helps keep your data repositories clean so they are easier to manage. Removing empty groups also makes it less likely that an administrator grants permissions to the wrong group.

Default Severity Settings: 1

Currently, nothing impacts issue severity. The severity for Empty Group detections will always be 1.

 

External Sharing

Detects files and folders accessible by people outside your organization. In the case of Egnyte Collaborate, this rule flags files and folders shared with Standard Users.

Default Severity Settings: 3 to 9

The following items increase the severity of an External Sharing detection.

  • Number of files.
  • Number of sensitive files.
  • The sensitivity risk score of the folder or files.

 

Inactive Users

Detects users that have not logged in or had any activity within a content source. This rule helps limit exposure by identifying user accounts that should be deactivated or deleted. Dormant accounts are attractive targets because nobody notices failed or unusual logins against them, so removing them reduces the risk of brute-force attacks and of exposure of sensitive data.

Default Severity Settings: 6 to 9

The following items increase the severity of an Inactive User detection.

  • User role or type within content source.
  • User role or type within Secure & Govern.
  • Number of days inactive.

 

Individual Permission

Detects folders whose permissions are granted directly to individual users rather than to groups. Granting permissions to groups rather than to individuals is a general security best practice: group membership is easier to review, and access is revoked by removing the user from the group instead of hunting for every folder they were added to.

Default Severity Settings: 1 to 3

The following items increase the severity of an Individual Permission detection.

  • Number of files.
  • Number of sensitive files.
  • The sensitivity risk score of the folder or files.

 

Malformed Permission

Detects folders whose NTFS permissions do not behave as intended, because the access control list (ACL) is not in canonical order or contains orphaned inherited entries. Malformed Permission is only supported for Windows File Servers (WFS) and Common Internet File System (CIFS) sources.

Default Severity Settings: 3

Currently, nothing impacts issue severity. The severity for Malformed Permission detections will always be 3.
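To make the two defect classes concrete, here is an added example (not Egnyte's code, and not how Secure & Govern implements the rule) that checks a constructed ACL for canonical-order violations and for inherited entries the parent folder does not carry. The `Ace` model, the folder names and the simplified orphan match (trustee, access and rights only, ignoring inheritance flags) are assumptions made for illustration; a real scan would read the DACL through the Windows security APIs or `Get-Acl`.

```python
from dataclasses import dataclass


# Hypothetical ACE model for illustration; a real scan would read the DACL with
# the Windows security APIs or Get-Acl and map the ACE flags onto these fields.
@dataclass(frozen=True)
class Ace:
    trustee: str      # user or group the entry applies to
    access: str       # "allow" or "deny"
    rights: str       # e.g. "Modify", "ReadAndExecute", "FullControl"
    inherited: bool   # True if the ACE was inherited from the parent folder


def canonical_rank(ace: Ace) -> int:
    """Position class in the NTFS canonical order:
    0 explicit deny, 1 explicit allow, 2 inherited deny, 3 inherited allow.
    Windows walks the ACEs in order and stops as soon as the requested rights are
    all granted or one is denied, so a deny placed after a matching allow is
    never reached."""
    return (2 if ace.inherited else 0) + (0 if ace.access == "deny" else 1)


def ordering_issues(acl: list) -> list:
    """Describe every ACE that sits behind an ACE of higher canonical rank."""
    issues = []
    for i in range(1, len(acl)):
        prev, cur = acl[i - 1], acl[i]
        if canonical_rank(cur) < canonical_rank(prev):
            issues.append(
                f"ACE {i} ({cur.access} {cur.rights} for {cur.trustee}) is ordered "
                f"after ACE {i - 1} ({prev.access} {prev.rights} for {prev.trustee})"
            )
    return issues


def orphaned_inherited(child_acl: list, parent_acl: list) -> list:
    """Inherited ACEs on the child with no matching ACE on the parent.
    Approximation: matches on trustee, access and rights only and ignores the
    container/object inheritance flags a full check would consult."""
    parent_keys = {(a.trustee, a.access, a.rights) for a in parent_acl}
    return [a for a in child_acl
            if a.inherited and (a.trustee, a.access, a.rights) not in parent_keys]


def is_malformed(child_acl: list, parent_acl: list) -> bool:
    return bool(ordering_issues(child_acl)) or bool(orphaned_inherited(child_acl, parent_acl))


# Constructed sample: the parent folder grants Modify to Finance and FullControl to admins.
PARENT_ACL = [
    Ace("CORP\\Finance", "allow", "Modify", inherited=False),
    Ace("CORP\\Domain Admins", "allow", "FullControl", inherited=False),
]

# Child folder with two defects: an explicit deny placed after an inherited allow
# (the deny never wins), and an inherited ACE the parent no longer carries.
BAD_CHILD_ACL = [
    Ace("CORP\\Finance", "allow", "Modify", inherited=True),            # rank 3
    Ace("CORP\\Contractors", "deny", "Modify", inherited=False),        # rank 0, misplaced
    Ace("CORP\\Interns", "allow", "ReadAndExecute", inherited=True),    # orphaned
]

# Well-formed version of the same child folder.
GOOD_CHILD_ACL = [
    Ace("CORP\\Contractors", "deny", "Modify", inherited=False),
    Ace("CORP\\Finance", "allow", "Modify", inherited=True),
    Ace("CORP\\Domain Admins", "allow", "FullControl", inherited=True),
]

if __name__ == "__main__":
    for issue in ordering_issues(BAD_CHILD_ACL):
        print("ordering:", issue)
    for ace in orphaned_inherited(BAD_CHILD_ACL, PARENT_ACL):
        print("orphaned:", ace)
    print("good child malformed?", is_malformed(GOOD_CHILD_ACL, PARENT_ACL))
```

The ordering check is the one that matters operationally: in the bad ACL above, Contractors appear to be denied Modify, but because their deny sits behind the inherited allow for Finance, a contractor who is also in Finance gets Modify anyway. Re-applying permissions from the Security dialog rewrites the ACL in canonical order, which is why Windows offers to "reorder" when it detects this state.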

 

Open Access

Detects folders whose permissions are granted to groups containing many users. In such situations, a folder may be accessible to many more people than intended.

Default Severity Settings: 3 to 9

The following items increase the severity of an Open Access detection.

  • Number of files.
  • Number of sensitive files.
  • The sensitivity risk score of the folder or files.

Certain groups, such as All Power Users, are automatically included in this rule. To add more groups, click the rule and then select the setting under General Rule Settings.


Public Link

Detects files and folders accessible via public links. These are any links that do not require a password and are not limited to domain users (i.e. they are open to the public).

Default Severity Settings: 2 to 9

The following items increase the severity of a Public Link detection.

  • File Links
    • Number of sensitive content matches in a file.
    • The sensitivity risk score of the folder or files.
  • Folder Links
    • Number of sensitive files.
    • The sensitivity risk score of the folder or files.

 

Unused Group

Detects groups that are not used to grant any folder permissions. The group may or may not have users in it, but it is not referenced in any of the content repositories that Egnyte Secure & Govern is overseeing. This rule helps you keep your data repositories clean so they are easier to manage.

Default Severity Settings: 1

Currently, nothing impacts issue severity. The severity for Unused Group detections will always be 1.

 

Probable Ransomware

Detects user accounts that are potentially compromised by ransomware. This rule allows you to detect ransomware infections early and contain them by disabling the affected user accounts.

Default Severity Settings: 9

Currently, nothing impacts issue severity. The severity for Probable Ransomware detections will always be 9. Probable Ransomware detections should always be treated as critical and addressed promptly.

Detection Confidence is calculated based on:

Zero-day (Behavioral-based) Detections

  • The number of files detected with high entropy. Zero-day detections receive the highest detection confidence.

Artifact-based (Known Ransomware)

  • The number of known ransomware extensions and/or notes detected.
  • The number of known ransomware extensions and/or notes detected with entropy.
  • The probability of occurrence as calculated by the Bayesian network defining the dependencies between the presence of the ransomware and the evidence found.

File entropy measures the randomness of the bytes in a file. Encrypted data is close to the maximum possible entropy (8 bits per byte), so a burst of files with abnormally high entropy written by one account is a strong sign that they have been encrypted. Legitimately compressed formats such as archives and images are also high-entropy, which is why the number of such files, rather than any single file, is what the detection weighs.
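The following is an added example, not Egnyte's implementation, that shows the two evidence paths described above working over constructed sample data: a Shannon-entropy test per file for the behavioral (zero-day) path, and a filename match against known extensions and ransom-note names for the artifact path. The extension and note lists, the 7.5 bits-per-byte threshold, the three-file trigger and the confidence tiers are all placeholder assumptions; a seeded PRNG stands in for ciphertext because, to an entropy test, encrypted output is indistinguishable from random bytes.

```python
import math
import random
from collections import Counter

# Placeholders for illustration only; a real rule uses a curated, regularly
# updated list of known ransomware extensions and ransom-note filenames.
KNOWN_EXTENSIONS = {".locked", ".crypt"}
KNOWN_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_restore_files.txt"}
HIGH_ENTROPY_BITS = 7.5      # bits per byte; encrypted output sits near the 8.0 ceiling
MIN_ENCRYPTED_FILES = 3      # behavioral trigger: this many high-entropy writes in one window


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_known_artifact(name: str) -> bool:
    """True when the filename matches a known ransomware extension or note name."""
    lower = name.lower()
    return lower in KNOWN_NOTE_NAMES or any(lower.endswith(ext) for ext in KNOWN_EXTENSIONS)


def assess(files: dict) -> dict:
    """Score the files one account wrote during a detection window.
    files maps filename -> content. The confidence tiers are illustrative but
    follow the ordering on the page: behavioral (zero-day) evidence ranks
    highest, then known artifacts confirmed by entropy, then artifacts alone."""
    encrypted = [n for n, d in files.items() if shannon_entropy(d) >= HIGH_ENTROPY_BITS]
    artifacts = [n for n in files if has_known_artifact(n)]
    confirmed = [n for n in artifacts if n in encrypted]
    if len(encrypted) >= MIN_ENCRYPTED_FILES:
        confidence = 100     # zero-day path: mass high-entropy writes, no signature needed
    elif confirmed:
        confidence = 90      # known extension/note and the content really is encrypted
    elif artifacts:
        confidence = 60      # renamed to a known extension but content still readable
    else:
        confidence = 0
    return {"flagged": confidence > 0, "confidence": confidence,
            "encrypted_files": encrypted, "artifact_files": artifacts}


# Constructed sample data (seeded so the run is reproducible).
_rng = random.Random(7)


def _pseudo_ciphertext(n: int) -> bytes:
    """Stand-in for encrypted content: uniformly random bytes from the seeded PRNG."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 64

INFECTED_ACCOUNT = {
    "q3_budget.xlsx.locked": _pseudo_ciphertext(4096),
    "board_deck.pptx.locked": _pseudo_ciphertext(4096),
    "payroll.csv.locked": _pseudo_ciphertext(4096),
    "contracts.docx.locked": _pseudo_ciphertext(4096),
    "README_TO_DECRYPT.txt": b"Your files have been encrypted ...",
}
HEALTHY_ACCOUNT = {
    "notes.txt": PLAINTEXT,
    "minutes.txt": PLAINTEXT,
    "agenda.txt": PLAINTEXT,
}
RENAMED_ONLY_ACCOUNT = {"draft.txt.locked": PLAINTEXT}   # artifact without entropy

if __name__ == "__main__":
    for label, account in [("infected", INFECTED_ACCOUNT), ("healthy", HEALTHY_ACCOUNT),
                           ("renamed only", RENAMED_ONLY_ACCOUNT)]:
        print(label, assess(account))
```

The infected account trips the behavioral path on its own (four high-entropy writes), so it would be flagged even if the extension list had never seen `.locked`. The renamed-only account shows why artifacts are weaker evidence in isolation: a rename to a known extension with still-readable content is consistent with ransomware that has not yet finished, but also with a false positive, so it gets a lower confidence than either entropy-backed tier.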

 

Unusual Access

Detects users who download or delete an unusually large number of files, which may indicate malicious activity. This rule helps you keep a close tab on the activity of all your users and reduce insider threats to your data.

Default Severity Settings: 7 to 9

The following items increase the severity of an Unusual Access detection.

  • Number of files.
  • Number of sensitive files.
  • The sensitivity risk score of the folder or files.

 

Suspicious Login

Detects anomalous user login activity that may indicate a compromised account. The rule looks for concurrent logins that originate from two different locations (impossible travel) and for logins from restricted countries. You can customize the rule to your environment by allowing a range of IP addresses from which you expect your users to log in, by marking user accounts that you expect to have concurrent logins (for example, shared service accounts), or by removing countries from the restricted list.

Default Severity Settings: 7 to 9

The following items increase the severity of a Suspicious Login detection.

  • Successful or Unsuccessful login attempt.
  • Restricted country.
  • Detection confidence.

Unsuccessful login detections will always receive the lowest severity setting.

Detection Confidence is calculated based on:

Impossible Travel Detections

  • The time span between logins.
  • The distance between the IP login locations minus the IP accuracy radius of both locations.
  • The risk scores of the IP addresses involved.
  • If one of the IP addresses is identified as a malicious IP, the detection confidence will always be 100%.

Restricted Country

  • The IP address location. The detection confidence will always be 100% for any IP detected from a restricted country.

All IP address and risk information is provided by a third-party IP reputation service provider.
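The factors listed above map directly onto a small detector, shown here as an added example rather than Egnyte's code. It computes the great-circle distance between two login geolocations, subtracts both accuracy radii before deriving a speed, pins confidence at 100% when either IP is marked malicious or the country is restricted, and applies the rule that unsuccessful attempts always take the lowest severity. The 900 km/h plausible-speed ceiling, the confidence weighting, the severity scaling within the 7 to 9 default range, the `ZZ` placeholder restricted country and the login records are all constructed assumptions; in production the coordinates, accuracy radius and risk scores would come from the IP reputation feed.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0          # roughly a commercial flight; assumed threshold
RESTRICTED_COUNTRIES = {"ZZ"}            # placeholder code standing in for the restricted list
LOWEST_SEVERITY, HIGHEST_SEVERITY = 7, 9   # the rule's default severity range


@dataclass(frozen=True)
class Login:
    user: str
    ts: float            # epoch seconds
    lat: float
    lon: float
    accuracy_km: float   # geolocation accuracy radius reported for the IP
    ip_risk: int         # 0-100 reputation score for the IP (constructed)
    country: str = "US"
    malicious_ip: bool = False
    success: bool = True


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def effective_distance_km(a: Login, b: Login) -> float:
    """Distance after subtracting both accuracy radii; 0 when the circles could overlap."""
    raw = haversine_km(a.lat, a.lon, b.lat, b.lon)
    return max(0.0, raw - a.accuracy_km - b.accuracy_km)


def impossible_travel(a: Login, b: Login) -> tuple:
    """(flagged, confidence 0-100) for two logins by the same user, a before b."""
    dist = effective_distance_km(a, b)
    if dist == 0.0:
        return False, 0
    hours = abs(b.ts - a.ts) / 3600.0
    speed = dist / hours if hours > 0 else math.inf
    if speed <= MAX_PLAUSIBLE_SPEED_KMH:
        return False, 0
    if a.malicious_ip or b.malicious_ip:
        return True, 100     # a malicious IP pins confidence at 100%
    # Illustrative weighting (not the product's formula): how far over the
    # plausible speed the trip is, plus the worse of the two IP risk scores.
    over = min(1.0, (speed - MAX_PLAUSIBLE_SPEED_KMH) / MAX_PLAUSIBLE_SPEED_KMH)
    confidence = 50 + 30 * over + 20 * (max(a.ip_risk, b.ip_risk) / 100)
    return True, min(100, round(confidence))


def restricted_country(login: Login) -> tuple:
    """Always 100% confidence when the IP geolocates to a restricted country."""
    return (True, 100) if login.country in RESTRICTED_COUNTRIES else (False, 0)


def severity(flagged: bool, confidence: int, success: bool) -> int:
    """Unsuccessful attempts always take the lowest severity; otherwise scale
    within the default range by confidence (the scaling is illustrative)."""
    if not flagged:
        return 0
    if not success:
        return LOWEST_SEVERITY
    return LOWEST_SEVERITY + round((HIGHEST_SEVERITY - LOWEST_SEVERITY) * confidence / 100)


# Constructed logins; coordinates are approximate city centres.
NYC = Login("alice", ts=0.0, lat=40.7128, lon=-74.0060, accuracy_km=20, ip_risk=10)
LONDON_1H_LATER = Login("alice", ts=3600.0, lat=51.5074, lon=-0.1278, accuracy_km=20, ip_risk=30)
PHILLY_1H_LATER = Login("alice", ts=3600.0, lat=39.9526, lon=-75.1652, accuracy_km=100, ip_risk=5)
LONDON_BAD_IP = Login("alice", ts=3600.0, lat=51.5074, lon=-0.1278, accuracy_km=20, ip_risk=95,
                      malicious_ip=True, success=False)

if __name__ == "__main__":
    print("NYC -> London in 1h:", impossible_travel(NYC, LONDON_1H_LATER))
    print("NYC -> Philadelphia in 1h:", impossible_travel(NYC, PHILLY_1H_LATER))
    print("NYC -> London, malicious IP, failed login:", impossible_travel(NYC, LONDON_BAD_IP),
          "severity", severity(True, 100, success=False))
```

Subtracting the accuracy radii is what keeps the rule quiet for a user on a mobile carrier whose IP geolocates to a wide area: two logins an hour apart that are 130 km apart on paper but carry 100 km accuracy radii collapse to a few kilometres of effective distance and are never flagged, while New York to London in the same hour remains impossible at any plausible radius.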

 
