If you still have questions about the Secure and Govern Analysis Rules, check out the frequently asked questions below. 

Skip Ahead to...

General

What content sources are supported by Analysis Rules?

What Egnyte clients are supported by Analysis Rules?

What Analysis Rules are enabled during Installation of Secure & Govern?

What Analysis Rules can be enabled/disabled?

If I modify folder scanning to exclude folders for active Analysis Rules, what happens to the existing open issues?

How frequently does Secure & Govern scan content sources for new Analysis Rule Issues?

Do you have recommendations for addressing Analysis Rules violations?

Suspicious Login

What actions will create a Suspicious Login Anomaly?

How can I prevent Suspicious Login Anomalies for VPN Users?

Why don’t Suspicious Login & Unusual Access issues appear under Ignored Issues?

Unusual Access

Why don’t Suspicious Login & Unusual Access issues appear under Ignored Issues?

How long do I have to wait for Unusual Access detections to occur?

How does changing Sensitivity threshold impact Unusual Access detections?

What does "files accessed" mean for Unusual Access detections?

What does the date under "UPDATED" mean for Unusual Access detections?

Why are the total number of files accessed/downloaded by a user different when comparing the Unusual Access "File Export Report" and the Collaborate "User Action File Report"?

External Sharing

Can I stop generating External Sharing violations for approved folders?

Sensitive Content

Can I choose to only view Analysis Rule anomalies with sensitive content?

Can I choose to only view Analysis Rule anomalies without sensitive content?

What is the expected behavior of the sensitive content eye icon for Public Link anomalies?

Probable Ransomware

How is Probable Ransomware detected?

 

What content sources are supported by Analysis Rules?

Secure & Govern supports ALL Analysis Rules for the following content sources

  • Egnyte Collaborate
  • OneDrive
  • SharePoint Online
  • G-Drive

Secure & Govern supports the following Analysis Rules for SharePoint (on-prem)

  • Individual Permission
  • Empty Group
  • Unused Group
  • Public Link
  • Open Access

Secure & Govern supports the following Analysis Rules for Windows File Server (WFS) & Common Internet File System (CIFS)

  • Individual Permission
  • Empty Group
  • Unused Group
  • Open Access
  • Possible Ransomware
  • Malformed Permissions
  • Unusual Access (WFS Only)

What Egnyte clients are supported by Analysis Rules?

Secure & Govern Analysis Rules currently support following Egnyte clients

  • Web UI
  • Desktop App
  • Mobile
  • All Storage Sync Clients
  • Smart Cache (FKA Turbo)
  • WebEdit
  • Cloud Migration Manager
  • Egnyte Migration Toolkit
  • All WebDAV Clients
  • Outlook
  • SalesForce
  • SFTP
  • FTP

What Analysis Rules are enabled during Installation of Secure & Govern?

The following Secure & Govern Analysis Rules are enabled during initial installation/setup. For more information regarding Analysis Rules supported by content source, please see Analysis Rules by Content Source.

  • Unused Group
  • Empty Group
  • Public Link
  • External Sharing
  • Probable Ransomware
  • Open Access
  • Unusual Access
  • Suspicious Login
  • Malformed Permissions (WFS & CIFS only)

All Analysis Rules, except Individual Permission, are enabled by default.

What Analysis Rules can be enabled/disabled?

All Secure & Govern Analysis Rules can be enabled and disabled.

The following can be enabled under “Content Source”

  • External Sharing
  • Individual Permission
  • Open Access
  • Probable Ransomware
  • Public Link

The following can be enabled under “User Directory”

  • Empty Group
  • Suspicious Login
  • Unused Group
  • Unusual Access

What actions will create a Suspicious Login Anomaly?

The Suspicious Login rule detects anomalous user login activity that may indicate a compromised account.

There are 2 sub-types of Suspicious Logins:

  • Impossible Travel – Identifies unusual and impossible user login activity between two locations

Note: Impossible user login activity means logins that occur from distant locations within a time window in which an individual could not have travelled between the two points.

  • Restricted Country – Identifies an attempted login from a restricted country

Impossible Travel uses only successful login attempts to determine when a Suspicious Login Anomaly is created.

Restricted Country uses successful and failed login attempts to determine when a Suspicious Login Anomaly is created.

How can I prevent Suspicious Login Anomalies for VPN Users?

Suspicious Login anomalies can be prevented for VPN users by adding the IP address(es) those users log in from to the IP address whitelist found under the Suspicious Login configuration settings:

[Screenshot: Suspicious Login configuration settings showing the IP address whitelist]

Only Public IP addresses can be used when whitelisting an IP address. Local IP addresses are not supported.

Can I stop generating External Sharing violations for approved folders?

Yes. External Sharing anomalies can be prevented by adding the email domain to the External Sharing Allowed List.

The External Sharing Allowed List can be found under the “User Directory”, for a content source, in “Settings”.

[Screenshot: External Sharing Allowed List under User Directory settings]

Select “Configure”.

[Screenshot: Configure dialog for the External Sharing Allowed List]

Existing External Sharing issues will be auto-remediated for any group or domain added to the External Sharing Allowed List after the next User Directory scan. User Directory scans occur nightly.

Do you have recommendations for addressing Analysis Rules violations?

Yes. For more information, check out the Issue Types & Remediation article to learn how to prevent Analysis Rules violations.

Why don’t Suspicious Login & Unusual Access issues appear under Ignored Issues?

Unusual Access and Suspicious Login are considered event-based issues. When an event-based issue is ignored, Secure & Govern dismisses that instance of the issue only. A new Unusual Access or Suspicious Login issue can be generated for the same user in the future. If a new issue is created for the same user, the history of the previous issue(s), including whether or not each was ignored, can be seen in the detail section of the new issue.

How long do I have to wait for Unusual Access detections to occur?

For Unusual Access detections to occur, our ML model requires 60 days of history for each user. Waiting 60 days ensures our ML model is properly trained on a user's usage patterns and prevents a high number of false positives. For Unusual Access file deletion detections, an additional 30 days is required (90 days total) for each customer domain. This is to ensure enough data has been collected for each customer domain. Here are some scenarios:

  • For a new customer domain, the timeline is different for file delete anomaly detections and file download/access detections:
    • For file download/access events, no detections will occur for 60 days
    • For file delete events, no detections will occur for 90 days
  • For an existing customer domain (older than 90 days) where the Unusual Access rule had been disabled, detections will occur immediately when the Unusual Access rule is enabled
  • For an existing customer domain (older than 90 days) where a new user is added, no detections for the new user will occur for 60 days

How does changing the Sensitivity threshold impact Unusual Access detections?

The Sensitivity threshold controls how far a user needs to deviate from their normal usage pattern before an anomaly is detected. There are 3 threshold settings for Unusual Access: Low, Medium, and High.

Setting the threshold to Low will generate the most Unusual Access anomalies, while setting the threshold to High will generate the fewest.

Sensitivity settings, for files accessed/downloaded, are tied to multipliers for each user:

  • Low = Multiplier of 1
  • Medium = Multiplier of 3
  • High = Multiplier of 10

Example: If the normal usage pattern for a user is 100 files accessed/downloaded daily, the following will occur based on the threshold setting:

  • Threshold = Low - Unusual Access anomaly is created when the user accesses/downloads over 100 files
  • Threshold = Medium - Unusual Access anomaly is created when the user accesses/downloads over 300 files
  • Threshold = High - Unusual Access anomaly is created when the user accesses/downloads over 1000 files

Sensitivity settings, for files deleted, are tied to activity percentiles for each user:

  • Low = 90% or higher
  • Medium = 95% or higher
  • High = 99% or higher

For additional details, please review the Multivariate Anomaly Detection article.

We suggest setting the Unusual Access rule threshold to "Medium". You can change the threshold setting by going to Settings, selecting Analysis Rules and selecting Unusual Access.

[Screenshot: Unusual Access rule threshold setting]

The Minimum file threshold and the Sensitivity threshold work independently. Changing the Sensitivity threshold from Low to Medium does NOT change or impact the Minimum file threshold.

What does "files accessed" mean for Unusual Access detections?

Secure and Govern changed the language from "files downloaded" to "files accessed" when we started incorporating file open events from Storage Sync and the Desktop Application. Opening a file on a Storage Sync share or from the Desktop Application isn't technically a download, so we needed a more inclusive term. For Unusual Access detections, "files accessed" covers file reads, file downloads and file copies.

What does the date under "UPDATED" mean for Unusual Access detections?

Unusual Access detections are event-based by user. The "UPDATED" column date for Unusual Access can mean any of the following:

  1. Original Detection Date - The date the original anomaly detection occurred
  2. Content Reclassification Date - The sensitive content in the original detection was reclassified which could mean there's an increase in the number of sensitive files or an increase in sensitivity of the files originally detected
  3. New Detection Date - a new anomaly was detected for the same user on a later date

Why are the total number of files accessed/downloaded by a user different when comparing the Unusual Access "File Export Report" and the Collaborate "User Action File" Report?

For Unusual Access detections we look for "unique file" events. This means that each unique file is counted and recorded only once for an Unusual Access detection, even if the file was accessed/downloaded multiple times by the same user in a 24 hour period.

Unique file detection was needed to improve Unusual Access detection accuracy because of "noisy" system applications such as Windows Explorer (explorer.exe). Windows Explorer will often generate multiple file access events (e.g. file searches) for a file that are not real user actions.

Collaborate's "User File Action" report captures all of these non-user file access events, whereas Secure & Govern's Unusual Access "File Export Report" does not. When comparing these reports, customers will often see many more user file access/download events for the same file in Collaborate's report. This is expected.
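The following is an added illustrative example (not Egnyte's code) that ties together the Unusual Access points above: it collapses repeated access events into one count per unique file per user per day (which is why the two reports differ), then applies the Low/Medium/High sensitivity settings exactly as the FAQ states them, a 1/3/10 multiplier on the user's baseline for files accessed/downloaded and a 90/95/99 percentile for files deleted, with the Minimum file threshold kept as an independent floor. Everything not stated in the FAQ is an assumption: the baseline is the mean of the user's daily unique-file counts, the percentile uses the nearest-rank method, the "24 hour period" is treated as a calendar day, MIN_FILE_THRESHOLD is a placeholder value, and the log format is constructed.

```python
"""Added example, not Egnyte's own code. Values marked 'assumed' are not
from the FAQ; the FAQ supplies the multipliers and percentiles only."""
import math

ACCESS_MULTIPLIER = {"low": 1, "medium": 3, "high": 10}    # files accessed/downloaded
DELETE_PERCENTILE = {"low": 90, "medium": 95, "high": 99}  # files deleted
ACCESS_ACTIONS = {"read", "download", "copy"}  # what "files accessed" covers
MIN_FILE_THRESHOLD = 50                        # assumed placeholder value

# Constructed log: "<ISO timestamp> <user> <app> <action> <path>".
# The first three lines are explorer.exe noise for the same file.
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice explorer.exe read /Shared/Finance/q1.xlsx
2024-03-01T08:00:01 alice explorer.exe read /Shared/Finance/q1.xlsx
2024-03-01T08:00:02 alice explorer.exe read /Shared/Finance/q1.xlsx
2024-03-01T09:15:00 alice desktop_app download /Shared/Finance/q1.xlsx
2024-03-01T09:20:00 alice web copy /Shared/Finance/budget.docx
2024-03-01T09:25:00 alice web delete /Shared/Finance/old.docx
"""


def parse_log(log):
    events = []
    for line in log.splitlines():
        ts, user, app, action, path = line.split(" ", 4)
        events.append({"day": ts[:10], "user": user, "app": app,
                       "action": action, "path": path})
    return events


def raw_event_count(events, user, day):
    """Collaborate-style total: every event counts, including explorer.exe noise."""
    return sum(1 for e in events if e["user"] == user and e["day"] == day)


def unique_file_counts(events, user, day):
    """Unusual Access-style totals: (files accessed, files deleted),
    each file counted once per user per day (assumed: calendar day)."""
    accessed, deleted = set(), set()
    for e in events:
        if e["user"] != user or e["day"] != day:
            continue
        if e["action"] in ACCESS_ACTIONS:
            accessed.add(e["path"])
        elif e["action"] == "delete":
            deleted.add(e["path"])
    return len(accessed), len(deleted)


def nearest_rank_percentile(values, pct):
    """Assumed method: nearest-rank percentile of the user's daily counts."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def access_threshold(history, sensitivity):
    """Baseline (assumed: mean daily unique files accessed) times the multiplier."""
    return (sum(history) / len(history)) * ACCESS_MULTIPLIER[sensitivity]


def delete_threshold(history, sensitivity):
    """The user's own daily delete counts at the configured percentile."""
    return nearest_rank_percentile(history, DELETE_PERCENTILE[sensitivity])


def exceeds(count, threshold):
    """The Minimum file threshold is a separate floor; sensitivity does not move it."""
    return count > threshold and count > MIN_FILE_THRESHOLD


def evaluate(access_history, delete_history, today_access, today_delete, sensitivity):
    """Return which Unusual Access sub-detections fire for today's unique-file counts."""
    fired = []
    if exceeds(today_access, access_threshold(access_history, sensitivity)):
        fired.append("files accessed")
    if exceeds(today_delete, delete_threshold(delete_history, sensitivity)):
        fired.append("files deleted")
    return fired


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("raw events:", raw_event_count(events, "alice", "2024-03-01"))
    print("unique accessed/deleted:", unique_file_counts(events, "alice", "2024-03-01"))
    # 60 days of history at 100 files/day, as in the FAQ's example.
    print(evaluate([100] * 60, list(range(1, 61)), 350, 20, "medium"))
```

With the FAQ's example history of 100 files a day, the access thresholds come out at 100, 300 and 1000 for Low, Medium and High, and the constructed log shows six raw events but only two unique files accessed, which is the gap between the two reports.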

Can I choose to only view Analysis Rule anomalies with sensitive content?

Yes, Analysis Rule anomalies can be filtered to only show anomalies containing sensitive content. However, the default view will show all anomalies regardless of content type.

Sensitive content can be filtered by “Any sensitive content” or by “specific policy types”. 

When in the Issues view use the filter scroll bar, on the left, to scroll to the bottom of the filter window. The following filter selections can be configured:

[Screenshot: sensitive content filter selections at the bottom of the Issues filter window]

Can I choose to only view Analysis Rule anomalies without sensitive content?

No, Analysis Rule anomalies can’t be filtered to only show anomalies without sensitive content. For information regarding how to filter Analysis Rule anomalies containing sensitive content, check out Filtering by Sensitive Content.

What is the expected behavior of the sensitive content eye icon for Public Link anomalies?

When reviewing sensitive content Public Link anomalies, in Secure and Govern, you will notice the following eye icon (outlined in RED).

[Screenshot: sensitive content eye icon on a Public Link anomaly, outlined in red]

There are two different levels of Public links, file level and folder level. The eye icon behavior for each is explained below:

  • File level – the eye icon will open the file in a separate window within Issue Review tab displaying the sensitive content found in the file
  • Folder level – the eye icon will open the folder in the Sensitive Content tab so ALL files in the folder can be reviewed and remediated

If I modify folder scanning to exclude folders for active Analysis Rules, what happens to the existing open issues?

When modifying folder scanning, the Analysis Rule types listed below are moved to “Resolved” status during the next content source scan.

  • Public Link
  • Individual Permission
  • External Sharing
  • Open Access
  • Probable Ransomware

The following Analysis Rules are “User Directory” managed rules and are not subject to folder scanning.

  • Unusual Access
  • Suspicious Login
  • Empty Group
  • Unused Group
  • Malformed Permissions (WFS & CIFS only)

How frequently does Secure & Govern scan content sources for new Analysis Rule Issues?

Content sources or user directories are scanned every hour for the following Secure & Govern Analysis Rules.

  • Public Link
  • Individual Permission
  • External Sharing
  • Open Access
  • Probable Ransomware
  • Unusual Access
  • Suspicious Login
  • Malformed Permissions (WFS & CIFS only)

User directories are scanned nightly for the following Secure & Govern Analysis Rules

  • Unused Group
  • Empty Group

Unused Group and Empty Group Analysis Rules are scanned nightly to ensure an Admin has sufficient time to assign groups to content or add users to groups.

How is Probable Ransomware detected?

Probable Ransomware is detected by using two different methods. These methods are explained below.

Artifact-based Detections

Artifact detections look for known Ransomware file extensions and/or known Ransomware notes. If we find 3 or more files with known ransomware extensions or one ransomware note, a detection occurs and a Probable Ransomware issue is created.

Zero-day/Behavioral-based Detections

Zero-day/Behavioral-based detections look for anomalous file activity such as a mass encryption of files, a mass renaming of files or a large number of file uploads occurring at the same time. These anomalous file behaviors are typical of a Ransomware attack, but are not detected by traditional artifact-based or signature-based solutions since they are new and unidentified. 

If we detect a certain number of high-entropy files, a detection occurs and a Probable Ransomware issue is created.
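The following is an added illustrative example (not Egnyte's code) of the two detection methods described above: an artifact check that fires on one ransom note or on 3 or more files with a known ransomware extension, and a behavioral check that counts files whose content has high byte entropy, as encrypted data does. The extension and note-name lists, the sample files, the entropy cut-off (ENTROPY_BITS) and the number of high-entropy files that triggers a detection (HIGH_ENTROPY_COUNT) are all constructed placeholders and not values from the product; Shannon entropy over byte frequencies is the assumed measure of "high entropy".

```python
"""Added example, not Egnyte's own code. The lists and thresholds below are
constructed placeholders; only the '3 or more files / one note' rule is from the FAQ."""
import math
from collections import Counter

RANSOMWARE_EXTENSIONS = {".locked-placeholder", ".encrypted-placeholder"}  # constructed
RANSOM_NOTE_NAMES = {"HOW_TO_RECOVER_PLACEHOLDER.txt"}                     # constructed
ARTIFACT_FILE_COUNT = 3   # from the FAQ: 3 or more files with a known extension
ENTROPY_BITS = 7.5        # assumed: bits per byte above which content looks encrypted
HIGH_ENTROPY_COUNT = 5    # assumed: "a certain number" of high-entropy files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def artifact_detection(filenames):
    """Return a reason string if artifacts are present, otherwise None."""
    note = next((f for f in filenames if f.rsplit("/", 1)[-1] in RANSOM_NOTE_NAMES), None)
    if note is not None:
        return f"ransom note: {note}"
    ext_hits = [f for f in filenames
                if any(f.lower().endswith(ext) for ext in RANSOMWARE_EXTENSIONS)]
    if len(ext_hits) >= ARTIFACT_FILE_COUNT:
        return f"{len(ext_hits)} files with known ransomware extensions"
    return None


def behavioral_detection(files):
    """files: dict path -> bytes. Returns (fired, names of high-entropy files)."""
    high = [name for name, data in files.items() if shannon_entropy(data) >= ENTROPY_BITS]
    return len(high) >= HIGH_ENTROPY_COUNT, high


def probable_ransomware(files):
    """Combine both methods; each reason that fires becomes one entry."""
    reasons = []
    artifact = artifact_detection(list(files))
    if artifact:
        reasons.append("artifact: " + artifact)
    fired, names = behavioral_detection(files)
    if fired:
        reasons.append(f"behavioral: {len(names)} high-entropy files")
    return reasons


# Constructed sample content: a uniform byte sequence stands in for encrypted data.
ENCRYPTED_LIKE = bytes(range(256)) * 4
PLAINTEXT_LIKE = b"Quarterly budget summary, revised.\n" * 20

SAMPLE_FILES = {
    "/Shared/Finance/q1.xlsx.locked-placeholder": ENCRYPTED_LIKE,
    "/Shared/Finance/q2.xlsx.locked-placeholder": ENCRYPTED_LIKE,
    "/Shared/Finance/budget.docx.locked-placeholder": ENCRYPTED_LIKE,
    "/Shared/Finance/notes.txt": ENCRYPTED_LIKE,   # encrypted in place, name unchanged
    "/Shared/Finance/plan.pdf": ENCRYPTED_LIKE,
    "/Shared/Finance/HOW_TO_RECOVER_PLACEHOLDER.txt": PLAINTEXT_LIKE,
    "/Shared/Finance/readme.md": PLAINTEXT_LIKE,
}

if __name__ == "__main__":
    for reason in probable_ransomware(SAMPLE_FILES):
        print(reason)
```

The two files encrypted in place without a renamed extension are the case the FAQ's behavioral method exists for: the artifact check alone would not see them, but their byte entropy does.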

 
