Learn about the different issues Egnyte Secure & Govern will look for when scanning your supported content source and how to take action on those issues.
All of the dismissed issues can be reopened from the associated list if necessary.
Skip Ahead to...
Inactive Users
Public Links
External Sharing
Unusual Access
Suspicious Login (Formerly Compromised Account)
Probable Ransomware (Formerly Ransomware Infection)
Open Access
Individual Permissions
Empty Group
Unused Group
Issue Types

Inactive Users
Detects users that have not logged in or had any activity within a content source.
Issue Review Process:
  Focus on high severity issues involving external users first, then review issues involving Non-Admins.
  Contact the person who originally added the user to the content source (e.g. issue initiator).
  Contact the user to determine why they have not been active.
Issue Resolution Options:
  Fixes: Delete Links, Dismiss
Resolution Impact:
  Deactivate User Account: The user's account will be deactivated, and they will not be able to access any additional content from within the content source.
  Dismiss: This Inactive User issue will be dismissed and the user will be whitelisted. No new Inactive User issues will be created if the user.
  Note: Dismissed issues can be reviewed and re-opened using the “Dismissed” status filter within Secure & Govern issues view.

Public Links
The folder or file is accessible via a public link without a password. The public link may or may not have an expiration date.
Issue Review Process:
  Focus on high severity issues and issues with sensitive data.
  If a public link is older than six months to a year, delete the link.
  If it's a newer link, contact the user to discuss deleting the link or re-issuing it with password protection or as a private link.
Issue Resolution Options:
  Fixes: Delete Links, Dismiss
Resolution Impact:
  Delete Links: All Public links will be deleted for the folder/file, but users can create a new link with a password or as a private link (if the link is still needed). When the links are deleted, they'll be inaccessible immediately. A new Public issue will be created the next time a user generates a public link.
  Dismiss: The issue will be marked as dismissed and the folder/file will be whitelisted. No new issues will be created if the folder/file is shared through a public link again.
  Note: Dismissed issues can be reviewed and re-opened using the “Dismissed” status filter within Secure & Govern issues view.
Preventing the Issue:
  Egnyte Collaborate Controls
    Link Controls: Disable public links, public links without a password, or public links without an expiration date. Set default expiration date limits.
    Folder-based Controls: Disable public links from specific folders.
  Secure & Govern Controls
    Content Safeguards: Disable public links containing specific types of content.

External Sharing
A folder is shared with Standard Users (Egnyte) or External Users within a content source.
Issue Review Process:
  Focus on high severity issues and/or issues with sensitive data.
  Contact the user to assess the necessity of the access level and determine whether ongoing collaboration is necessary. Additionally, discuss the scope of the access and whether it should be narrowed to just what is necessary (e.g., a sub-folder instead of a main folder).
  Tip: Review audit reports in Egnyte Collaborate or other supported content sources to assess the level of external sharing.
Issue Resolution Options:
  Fixes: Remove Permissions, Dismiss
Resolution Impact:
  Remove Permissions: Permissions will be adjusted to comply with the least-privileged access.
  Dismiss: The issue will be dismissed, and additional issues will not be created if the item is externally shared again.
  Note: Dismissed issues can be reviewed and re-opened using the “Dismissed” status filter within Secure & Govern issues view.
Preventing the Issue:
  Remove/Adjust Permissions: If the level of access is not necessary, remove or adjust the permissions in the content source.
  Adjust External Sharing Allowed List: The External Sharing allowed list, found in Secure & Govern, should be reserved for long-term collaborators. If possible, leverage Groups to simplify control.

Unusual Access
Egnyte Secure & Govern builds a profile of how each user typically downloads and deletes data. When a large number of files are downloaded or deleted, the activity is compared to the profile. Variances from the pattern, which takes seasonality into account, will be flagged.
Please Note: For Unusual Access detections to occur, our ML model requires 60 days of history for each user. Waiting 60 days ensures our ML model is properly trained on a user's usage patterns and prevents a high number of false positives.
Issue Review Process:
  Focus on high issues with high variance and issues with sensitive data or involving very large numbers of files (e.g., >500, >1000, etc.).
  Contact the user for an explanation unless the behavior is clearly suspicious or the user is known to be disgruntled.
  Note: Egnyte Secure & Govern requires 60 days of user data collection to build a profile for user behavior; this includes events prior to Egnyte Secure & Govern being enabled.
Issue Resolution Options:
  Fixes: Deactivate User Account, Dismiss This Occurrence, Mark as Resolved
Resolution Impact:
  Deactivate User Account: The user's account will be deactivated, and they will not be able to access any additional content from within the content source.
  Dismiss This Occurrence: This instance of unusual access will be dismissed. Egnyte Secure & Govern will continue to monitor the user for unusual access.
  Mark as Resolved: This instance of unusual access will be resolved. Egnyte Secure & Govern will continue to monitor the user for unusual access.
Preventing the Issue:
  Adjust Threshold Settings: Unusual access threshold settings can be adjusted to reduce the number of issues created.
    Threshold: Low = most issues; High = fewest issues.
    Minimum number of files: Increasing the default setting of 10 will reduce the number of issues.
  Default Threshold Configuration Settings
Note: Initially, customers may see an increase in Unusual Access detections involving Windows Explorer (explorer.exe). This is due to a current limitation of Windows Explorer, which prevents differentiating between files accessed during a Windows search and actual user file downloads. The number of detections will reduce over time as our ML model adjusts to a user's behavior.
Learn more about detecting unusual access by watching a Quick Tip on Egnyte University: Detect Unusual Access of Content

Suspicious Login
Identifies unusual and impossible user login activity between two locations or from a restricted country.
Please Note: Only Public IP addresses can be used when whitelisting an IP address. Local IP addresses are not supported.
Issue Review Process:
  For Unusual or Impossible Login issues, contact the user to investigate the issue trigger.
Issue Resolution Options:
  Fixes: Reset User Password, Deactivate User Account, Add Exceptions, Edit IP Address Whitelist, Edit Restricted Country List, Dismiss This Occurrence, Mark as Resolved
Resolution Impact:
  Reset User Password: The user's password will be disabled, and they will be prompted to reset their password. The user can reset their password, thus re-enabling their access to the content source with updated credentials.
  Deactivate User Account: The user's account will be deactivated, and they will not be able to access any additional content from within the content source.
  Add Exceptions: Add a concurrent login exception for a user, which allows the user to log in from multiple locations, OR edit the restricted country list to allow access from a specific country.
  Edit IP Address Whitelist: When users must utilize a VPN, you can exempt their IP address range in Settings, under Analysis Rules, in the Suspicious section. Please note, both IP addresses must be whitelisted to prevent further detections for the user.
  Dismiss This Occurrence: Only this suspicious login instance will be dismissed. Egnyte Secure & Govern will continue to monitor this user for evidence of a suspicious login instance in the future.
  Mark as Resolved: This instance of suspicious login will be resolved. Egnyte Secure & Govern will continue to monitor the user for suspicious logins.
Preventing the Issue:
  Secure & Govern Controls
    User Exception and IP Address Allowed list: Determine users who share credentials and IP ranges of VPNs and proactively add them as exceptions.
Note: Impossible user login activity refers to logins that occur from distant locations within a time window that would be impossible for an individual to travel between the two points.
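The impossible-login definition and the allowlist rules above (public ranges only; both IP addresses must be allowlisted to suppress a detection) can be illustrated with a small check. This is an added example, not Egnyte's code or detection logic; the 900 km/h ceiling, the field names, the pre-resolved coordinates and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed plausibility ceiling (about airliner speed), not a product setting
LOCAL = [ipaddress.ip_network(n) for n in
         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def validate_allowlist(cidrs):
    """Parse allowlist ranges, rejecting local (non-public) IPv4 ranges."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    for net in nets:
        if any(net.overlaps(local) for local in LOCAL):
            raise ValueError(f"{net} is a local range; only public IPs can be allowlisted")
    return nets

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    (lat1, lon1), (lat2, lon2) = a, b
    p1, p2 = radians(lat1), radians(lat2)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_logins(events, allowlist):
    """Return (user, previous_ip, current_ip, km) for consecutive logins too far apart."""
    last, flagged = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        prev, last[ev["user"]] = last.get(ev["user"]), ev
        if prev is None:
            continue
        ips = [ipaddress.ip_address(e["ip"]) for e in (prev, ev)]
        # Suppress only when BOTH addresses fall inside an allowlisted range.
        if all(any(ip in net for net in allowlist) for ip in ips):
            continue
        km = haversine_km(prev["geo"], ev["geo"])
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        if km > 0 and (hours == 0 or km / hours > MAX_KMH):
            flagged.append((ev["user"], prev["ip"], ev["ip"], round(km)))
    return flagged

def login(user, hhmm, ip, geo):  # helper for the constructed sample events below
    return {"user": user, "time": datetime.fromisoformat(f"2024-01-15T{hhmm}"), "ip": ip, "geo": geo}

NY, LONDON, BOSTON = (40.71, -74.01), (51.51, -0.13), (42.36, -71.06)
ALLOW = validate_allowlist(["198.51.100.0/24", "192.0.2.0/24"])  # constructed VPN ranges
EVENTS = [  # constructed sample data using documentation IP ranges
    login("alice", "09:00", "203.0.113.5", NY), login("alice", "10:00", "203.0.113.77", LONDON),
    login("bob", "09:00", "198.51.100.20", NY), login("bob", "09:30", "203.0.113.9", LONDON),
    login("carol", "09:00", "198.51.100.30", NY), login("carol", "09:30", "192.0.2.44", LONDON),
    login("dave", "09:00", "203.0.113.50", NY), login("dave", "14:00", "203.0.113.51", BOSTON),
]
```

In the sample data, carol is suppressed because both of her addresses are allowlisted, while bob is still flagged because only one of his is.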

Probable Ransomware
Indicates the possibility of a ransomware infection due to the presence of known "ransom notes" or file extensions associated with ransomware.
Issue Review Process:
  Contact the user to confirm the ransomware infection (e.g., files encrypting, file extensions changing, file names becoming garbled) and disable the user account.
  The originating virus must be identified and removed as malware.
  Work with Egnyte to identify affected files and roll back to the last good version.
  If the user cannot confirm further evidence of ransomware, determine with the user whether the file detected as a ransom note is valid.
Issue Resolution Options:
  Fixes: Deactivate User Account, Restore Content, Whitelist File Extension, Dismiss This Occurrence, Mark as Resolved
Resolution Impact:
  Deactivate User Account: User's account will be disabled, and the ransomware virus will not be able to use the credentials to encrypt or change any more data.
  Restore Content: Restore your content to a specific point in time using snapshots. Please note, this action is only available for Egnyte content sources.
  Whitelist File Extension: Whitelist detected file extensions to prevent future probable ransomware detections for those file extension(s).
  Dismiss This Occurrence: The user will NOT be whitelisted. Egnyte Secure & Govern will continue to monitor this user for evidence of ransomware in the future.
  Mark as Resolved: This instance of Probable Ransomware will be resolved. Egnyte Secure & Govern will continue to monitor the user for probable ransomware.
  Note: Because entropy-based Probable Ransomware issues are event-based, if ignored, they will not appear under ignored status.

Open Access
A folder is shared with designated large groups (All Standard Users and/or All Power Users are the default groups).
Issue Review Process:
  Focus on issues involving sensitive data.
Issue Resolution Options:
  Fixes: Remove Permissions, Dismiss
Resolution Impact:
  Remove Permissions: Permissions for the group are removed for the selected folder.
  Dismiss: Sharing from that folder with the group(s) designated under Open Access will no longer trigger an issue.

Individual Permissions
The folder has been shared with an individual rather than a group. Best practices dictate that folders should be shared with groups.
Issue Review Process:
  Focus on issues involving sensitive data.
  Investigate with the folder owner whether group sharing can be enabled or whether individual permissions are required.
Issue Resolution Options:
  Fixes: Remove Permissions, Dismiss
Resolution Impact:
  Remove Permissions: Permissions for the individual user are removed for the selected folder.
  Dismiss: Sharing from that folder with the individual will no longer trigger an issue.

Empty Group
A group that doesn't contain any users.
Issue Review Process:
  Contact the group owner to determine if the group will be used in the future.
Issue Resolution Options:
  Fixes: Delete Group, Dismiss
Resolution Impact:
  Delete Group: The specified group is deleted from the content source. This action cannot be undone.
  Dismiss: The specific empty group will no longer trigger an issue.

Unused Group
A group isn't used to grant any folder permissions.
Issue Review Process:
  Contact the group owner to determine if the group will be used in the future.
Issue Resolution Options:
  Fixes: Delete Group, Dismiss
Resolution Impact:
  Delete Group: The specified group is deleted from the content source. This action cannot be undone.
  Dismiss: The specific unused group will no longer trigger an issue.