Release Date: June 30, 2023
Secure & Govern 19.0 Release
New Analysis Rule - Inactive User Detection (Egnyte Sources Only)
Secure & Govern now detects inactive users within a content source. The new Analysis Rule detects users that have not logged in or had any activity within a content source. This rule helps limit your exposure by identifying user accounts that should be deactivated or deleted, reducing the risk of a brute force attack and exposure of sensitive data.
The rule can be customized to detect external users as well as non-admin users based on a period of inactivity.
For details on enabling the Inactive User Rule, refer to Enabling Inactive User Rule.
This rule will be enabled in the User Directory by default for new and existing customers. However, the rule will only be enabled in the Analysis Rules configuration for new customers. Existing customers will need to enable the Inactive User rule manually in the Analysis Rules configuration.
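For cross-checking the rule's findings against your own directory export, the following added example (not Egnyte code) approximates the logic described above: an account counts as inactive only when both its last login and its last activity are older than the threshold. The record field names, the `include_admins` switch, and the use of the creation date for never-used accounts are assumptions of this sketch.

```python
from datetime import datetime, timezone

# Constructed sample records; field names are assumptions, not an Egnyte export format.
USERS = [
    {"username": "alice", "role": "admin", "external": False,
     "created": "2021-01-10", "last_login": "2022-11-01", "last_activity": "2022-11-03"},
    {"username": "bob", "role": "standard", "external": False,
     "created": "2021-03-02", "last_login": "2023-06-20", "last_activity": "2023-06-20"},
    # No interactive login for months, but recent activity: not inactive.
    {"username": "carol", "role": "standard", "external": False,
     "created": "2021-05-11", "last_login": "2023-01-15", "last_activity": "2023-06-01"},
    {"username": "dave", "role": "standard", "external": True,
     "created": "2022-10-01", "last_login": "2022-12-31", "last_activity": None},
    # Recently invited, never signed in: too new to flag.
    {"username": "erin", "role": "standard", "external": True,
     "created": "2023-06-15", "last_login": None, "last_activity": None},
    # Old account that was never used.
    {"username": "frank", "role": "standard", "external": False,
     "created": "2022-09-01", "last_login": None, "last_activity": None},
]
NOW = datetime(2023, 6, 30, tzinfo=timezone.utc)  # fixed evaluation date for the sample


def _parse(day):
    """Parse YYYY-MM-DD as a UTC datetime; None stays None."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc) if day else None


def inactive_users(users, now, max_idle_days=90, include_external=True, include_admins=False):
    """Return [(username, idle_days)] for accounts idle longer than max_idle_days."""
    flagged = []
    for user in users:
        if user["external"] and not include_external:
            continue
        if user["role"] == "admin" and not include_admins:
            continue
        # A login or any other activity both count as a sign of life.
        seen = [t for t in (_parse(user.get("last_login")),
                            _parse(user.get("last_activity"))) if t]
        # Never-used accounts are measured from creation, so a fresh invite
        # is not flagged the day it is sent.
        reference = max(seen) if seen else _parse(user["created"])
        idle_days = (now - reference).days
        if idle_days > max_idle_days:
            flagged.append((user["username"], idle_days))
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for name, days in inactive_users(USERS, NOW):
        print(f"{name}: idle {days} days")
```
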
Unusual Access - Detect Public API Downloads and Deletes
Download and Delete actions via the Secure & Govern Public API will now be detected as part of the Unusual Access Analysis Rule. This expands our coverage of potential Insider Threat detections.
Unusual Access detections involving Public API downloads or deletes will not occur for the next 30 days. This allows our user-based ML model to adjust and prevents false-positive detections. All other types of Unusual Access detections will continue to be detected during the 30-day period.
Unusual Access - Add Detected User and Folder Information to Public API & SIEM
User information, as well as detected folder and file information, has been added to the Secure & Govern Issues API and SIEM integrations.
The following user information has been added.
- The following will be found under “violationDetails/unusualActivities”
  - Top 5 folders
  - Top 10 files
- The following will be found under “violationDetails/unusualActivities/machineDetails”
  - IP Address/Hostname
  - Entry Point (Web UI, Desktop App, etc.)
  - Operating System
Link to Public API (SIEM field format)
Configure M365 Groups to be Included/Excluded in Source Scanning
Administrators often want to govern only a limited set of their data. Until now, that capability has only been available for Egnyte sources. This feature adds the ability to specify which M365 Groups are scanned by Secure & Govern. The groups to scan can be defined during initial source configuration and adjusted later as new groups are added on the M365 source.