The Unusual Access analysis rule detects patterns of download activity that may indicate malicious usage by your users - such as theft of data by an employee before they leave your company. This rule also detects unusually large deletions of files - such as an accidental deletion or malicious sabotage. The rule is powered by a machine learning model that is continually trained on each user’s historical activity.
The model takes into consideration periodic variations in usage for each individual user, for example the fact that someone is usually most active on Wednesdays or the burst of activity at the end of each quarter by the finance team. A download count or large deletion on any given day that exceeds the model’s predicted range of activity for the user for that day will flag an issue.
The amount by which a user must exceed their predicted activity before an issue is flagged can be controlled by the Detection Threshold setting for the rule. The approximate number of issues you should expect to see generated in a month is shown for each threshold setting - this will help you choose a threshold that works for you.
For each Unusual Access issue, you can review the days with anomalous activity for the respective user. The list of folders that they accessed, along with an indication when the folders contain sensitive content, is shown. You can also export the full list of files that they downloaded or deleted. This should help you determine if the activity is routine or nefarious - in which case you can disable the user directly from the Egnyte Protect UI.