The Unusual Access rule detects patterns of download activity that may indicate malicious usage by your users - such as theft of data by an employee before they leave your company. This rule also detects unusually large deletions of files - such as an accidental deletion or malicious sabotage. The rule is powered by a machine learning model that is continually trained on each user’s historical activity.
The model takes into consideration periodic variations in usage for each individual user, for example the fact that someone is usually most active on Wednesdays or the burst of activity at the end of each quarter by the finance team. A download count or large deletion on any given day that exceeds the model’s predicted range of activity for the user for that day will flag an issue.
Adjust Detection Threshold
The amount by which a user must exceed their predicted activity before an issue is flagged can be controlled by the Detection Threshold setting for the rule.
- Click Settings, select Analysis Rules, and choose Unusual Access from the list.
- In the Detection Threshold section, choose the appropriate threshold level. The approximate number of issues you should expect to see generated in a month is shown for each threshold setting - this will help you choose a threshold that works for you.
Unusual Access Details
For each Unusual Access issue, you can review the days with anomalous activity for the respective user and details about what was downloaded or deleted. This should help you determine if the activity is routine or nefarious - in which case you can disable the user directly from the Egnyte Protect UI.
- From the homepage, select the Issues tab and check the box for Unusual Activity in the left Filters pane.
- Select an Unusual Access issue from the list and select the unusual activity from the right Issue Details pane.
- The list of folders and files the user downloaded or deleted, along with which folders contained sensitive content are shown. You can also click Export file list to get the full list of files that they downloaded or deleted.
- If you determine the activity was malicious and the user needs to be disabled, click the Fix drop-down and select Disable User Account.