If you still have questions about the Secure & Govern Analysis Rules, check out the frequently asked questions below.
What content sources are supported by Analysis Rules?
Content Source Type | Supported Analysis Rules |
Egnyte Collaborate | All |
SharePoint Online | All, except Inactive User |
OneDrive for Business | All, except Inactive User |
Office 365 | All, except Inactive User |
Google Drive | All, except Inactive User |
SharePoint (on-prem) | |
Windows File Server (WFS) | |
Common Internet File System (CIFS) | |
What Egnyte clients are supported by Analysis Rules?
Secure & Govern Analysis Rules currently support the following Egnyte clients:
- Web UI
- Desktop App
- Mobile
- All Storage Sync Clients
- Smart Cache
- WebEdit
- Cloud Migration Manager
- Egnyte Migration Toolkit
- All WebDAV Clients
- Outlook
- SalesForce
- SFTP
- FTP
What Analysis Rules are enabled during Installation of Secure & Govern?
The following Secure & Govern Analysis Rules are enabled during initial installation/setup. For more information regarding the Analysis Rules supported by each content source, please see Analysis Rules by Content Source.
- Inactive User
- Unused Group
- Empty Group
- Public Link
- External Sharing
- Probable Ransomware
- Open Access
- Unusual Access
- Suspicious Login
- Malformed Permissions (WFS & CIFS only)
All Analysis Rules, except Individual Permission, are enabled by default.
What Analysis Rules can be enabled/disabled?
All Secure & Govern Analysis Rules can be enabled and disabled.
The following can be enabled under “Content Source”:
- External Sharing
- Individual Permission
- Open Access
- Probable Ransomware
- Public Link
The following can be enabled under “User Directory”:
- Inactive User
- Empty Group
- Suspicious Login
- Unused Group
- Unusual Access
What actions will create a Suspicious Login Anomaly?
The Suspicious Login rule detects anomalous user login activity that may indicate a compromised account.
There are 2 sub-types of Suspicious Logins:
- Impossible Travel – Identifies unusual and impossible user login activity between two locations. Impossible user login activities are logins that occur from locations far enough apart that an individual could not have travelled between the two points within the time window between the logins.
- Restricted Country – Identifies an attempted login from a restricted country.
Impossible Travel uses only successful login attempts to determine when a Suspicious Login Anomaly is created.
Restricted Country uses both successful and failed login attempts to determine when a Suspicious Login Anomaly is created.
How can I prevent Suspicious Login Anomalies for VPN Users?
Suspicious Login anomalies can be prevented for VPN users by adding the user(s) to the IP address whitelist found under the Suspicious Login configuration settings.
When whitelisting a user, both IP addresses must be whitelisted to prevent future detections for that user.
Only public IP addresses can be used when whitelisting an IP address. Local IP addresses are not supported.
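The two sub-types and the whitelist rules above, as an added illustration that is not Egnyte's code: Impossible Travel is evaluated over successful logins only, Restricted Country over successful and failed attempts, and whitelist entries must be public IPs. The plausible travel speed, the restricted-country code and the sample addresses are constructed assumptions.

```python
import ipaddress
import math
from dataclasses import dataclass

# Constructed sample values, not Egnyte's configuration: the plausible travel
# speed, the restricted-country list and the whitelisted address are assumptions.
MAX_PLAUSIBLE_KMH = 900.0
RESTRICTED_COUNTRIES = {"XX"}
IP_WHITELIST = {"203.0.113.10"}

@dataclass
class Login:
    user: str
    ts_hours: float   # hours since an arbitrary epoch (constructed)
    ip: str
    country: str      # country code the source IP resolves to
    lat: float
    lon: float
    success: bool

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def add_to_whitelist(ip):
    """Whitelist entries must be public IPs; local/private addresses are rejected."""
    if not ipaddress.ip_address(ip).is_global:
        raise ValueError(f"{ip} is not a public IP address")
    IP_WHITELIST.add(ip)

def suspicious_logins(logins):
    """Return (user, sub-type) anomalies for one user's login stream.
    Whitelisted source IPs are exempt from both sub-types (assumption)."""
    logins = [l for l in logins if l.ip not in IP_WHITELIST]
    anomalies = []
    # Restricted Country: successful and failed attempts both count.
    for l in logins:
        if l.country in RESTRICTED_COUNTRIES:
            anomalies.append((l.user, "Restricted Country"))
    # Impossible Travel: only successful logins, compared in time order.
    ok = sorted((l for l in logins if l.success), key=lambda l: l.ts_hours)
    for prev, cur in zip(ok, ok[1:]):
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = cur.ts_hours - prev.ts_hours
        if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            anomalies.append((cur.user, "Impossible Travel"))
    return anomalies
```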
Can I stop generating External Sharing violations for approved folders?
Yes. External Sharing anomalies can be prevented by adding the email domain to the External Sharing Allowed List.
The External Sharing Allowed List can be found under the “User Directory”, for a content source, in “Settings”.
Select “Configure”.
Existing External Sharing issues will be auto-remediated, for any group or domain added to the External Sharing Allowed List, after the next User Directory scan. User Directory scans occur nightly.
Do you have recommendations for addressing Analysis Rules violations?
Yes. For more information, check out the Issue Types & Remediation article to learn how to prevent Analysis Rules violations.
How long do I have to wait for Unusual Access detections to occur?
For Unusual Access detections to occur, our ML model requires 60 days of history for each user. Waiting 60 days ensures our ML model is properly trained on a user's usage patterns and prevents a high number of false positives. For Unusual Access file deletion detections, an additional 30 days is required (90 days total) for each customer domain. This is to ensure enough data has been collected for each customer domain. Here are some scenarios:
- For a new customer domain, the timeline is different for file delete anomaly detections and file download/access detections:
  - For file download/access events, no detections will occur for 60 days.
  - For file delete events, no detections will occur for 90 days.
- For an existing customer domain (older than 90 days) where the Unusual Access rule had been disabled: when the Unusual Access rule is enabled, detections will occur immediately.
- For an existing customer domain (older than 90 days) where a new user is added: no detections for the new user will occur for 60 days.
How does changing the Sensitivity threshold impact Unusual Access detections?
The sensitivity threshold controls how far a user needs to deviate from their normal usage pattern before an anomaly is detected. There are 3 threshold settings for Unusual Access: Low, Medium, and High.
Setting the threshold to Low will generate the most Unusual Access anomalies, while setting the threshold to High will generate the fewest.
Sensitivity settings, for files accessed/downloaded, are tied to multipliers for each user:
- Low = Multiplier of 1
- Medium = Multiplier of 3
- High = Multiplier of 10
Example: If the normal usage pattern for a user is 100 files accessed/downloaded daily, the following will occur based on the threshold setting:
- Threshold = Low - Unusual Access anomaly is created when the user accesses/downloads over 100 files
- Threshold = Medium - Unusual Access anomaly is created when the user accesses/downloads over 300 files
- Threshold = High - Unusual Access anomaly is created when the user accesses/downloads over 1000 files
Sensitivity settings, for files deleted, are tied to activity percentiles for each user:
- Low = 90% or higher
- Medium = 95% or higher
- High = 99% or higher
For additional details, please review the Multivariate Anomaly Detection article.
We suggest setting the Unusual Access rule threshold to "Medium". You can change the threshold setting by going to Settings, selecting Analysis Rules and then selecting Unusual Access.
The Minimum file threshold and the Sensitivity threshold work independently. Changing the Sensitivity threshold from Low to Medium does NOT change or impact the Minimum file threshold.
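The history requirement, the multiplier and percentile thresholds, and the independent Minimum file threshold described above, worked through as an added example (not Egnyte's model). The nearest-rank percentile and the reading of "90% or higher" as the user's 90th activity percentile are assumptions; the multipliers, percentiles and 60/90-day figures are the ones quoted on this page.

```python
import math

# Values quoted in the FAQ: multipliers for files accessed/downloaded and
# percentiles for files deleted, per sensitivity setting.
MULTIPLIER = {"Low": 1, "Medium": 3, "High": 10}
PERCENTILE = {"Low": 90, "Medium": 95, "High": 99}
HISTORY_DAYS = {"access": 60, "delete": 90}   # training history required

def ready_for_detection(days_of_history, event_type):
    """No detections until the user/domain has the required history."""
    return days_of_history >= HISTORY_DAYS[event_type]

def nearest_rank_percentile(values, pct):
    """Nearest-rank percentile of a user's daily counts (assumed method)."""
    s = sorted(values)
    return s[max(0, math.ceil(pct / 100 * len(s)) - 1)]

def access_anomaly(baseline_daily, observed, sensitivity, min_files=0):
    """Files accessed/downloaded: anomaly when today's unique-file count exceeds
    baseline * multiplier; the Minimum file threshold is checked independently."""
    return (observed > baseline_daily * MULTIPLIER[sensitivity]
            and observed >= min_files)

def delete_anomaly(history_daily, observed, sensitivity, min_files=0):
    """Files deleted: anomaly when today's count reaches the user's activity
    percentile for the chosen sensitivity (assumed reading of "90% or higher")."""
    limit = nearest_rank_percentile(history_daily, PERCENTILE[sensitivity])
    return observed >= limit and observed >= min_files

def evaluate_user(days_of_history, baseline_daily, history_daily,
                  accessed_today, deleted_today, sensitivity, min_files=0):
    """Run both checks for one user, honouring the history requirement."""
    return {
        "access": ready_for_detection(days_of_history, "access")
                  and access_anomaly(baseline_daily, accessed_today, sensitivity, min_files),
        "delete": ready_for_detection(days_of_history, "delete")
                  and delete_anomaly(history_daily, deleted_today, sensitivity, min_files),
    }
```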
What does "files accessed" mean for Unusual Access detections?
Secure & Govern changed the language from "files downloaded" to "files accessed" when we started incorporating file open events from Smart Cache and the Desktop App. Opening a file on a Smart Cache share or from the Desktop App isn't technically a download, so we needed a more inclusive term. For Unusual Access detections, "files accessed" covers a file read, a file download or a file copy.
What does the date under "UPDATED" mean for Unusual Access detections?
Unusual Access detections are event-based per user. The "UPDATED" column date for Unusual Access can mean one of the following:
- Original Detection Date - The date the original anomaly detection occurred
- Content Reclassification Date - The sensitive content in the original detection was reclassified which could mean there's an increase in the number of sensitive files or an increase in sensitivity of the files originally detected
- New Detection Date - a new anomaly was detected for the same user on a later date
Why are the total numbers of files accessed/downloaded by a user different when comparing the Unusual Access "File Export Report" and the Collaborate "File Audit Report"?
For Unusual Access detections, we are looking for "unique file" events. This means that each unique file is counted and recorded only once for an Unusual Access detection, even if the file was accessed/downloaded multiple times by the same user in a 24-hour period.
Unique file detection was needed to improve Unusual Access detection accuracy because of "noisy" system applications such as Windows Explorer (explorer.exe). Windows Explorer will often generate multiple file access events (e.g. file searches) for a file that are not real user actions.
Collaborate's "File Audit Report" captures all of these non-user file access events, whereas Secure & Govern's Unusual Access "File Export Report" does not. When comparing these reports, customers will often see many more user file access/download events for the same file in Collaborate's File Audit Report. This is expected.
Can I choose to only view Analysis Rule anomalies with sensitive content?
Yes, Analysis Rule anomalies can be filtered to only show anomalies containing sensitive content. However, the default view will show all anomalies regardless of content type.
Sensitive content can be filtered by “Any sensitive content” or by “specific policy types”.
When in the Issues view, use the filter scroll bar on the left to scroll to the bottom of the filter window, where these filter selections can be configured.
Can I choose to only view Analysis Rule anomalies without sensitive content?
No, Analysis Rule anomalies can’t be filtered to only show anomalies without sensitive content. For information regarding how to filter Analysis Rule anomalies containing sensitive content, check out Filtering by Sensitive Content.
What is the expected behavior of the sensitive content eye icon for Public Link anomalies?
When reviewing sensitive content Public Link anomalies in Secure & Govern, you will notice the following eye icon (outlined in RED).
There are two different levels of Public links, file level and folder level. The eye icon behavior for each is explained below:
- File level – the eye icon opens the file in a separate window within the Issue Review tab, displaying the sensitive content found in the file
- Folder level – the eye icon opens the folder in the Sensitive Content tab so that ALL files in the folder can be reviewed and remediated
If I modify folder scanning to exclude folders for active Analysis Rules, what happens to the existing open issues?
When modifying folder scanning, the Analysis Rule types listed below are moved to “Resolved” status during the next content source scan.
- Public Link
- Individual Permission
- External Sharing
- Open Access
- Probable Ransomware
The following Analysis Rules are “User Directory” managed rules and are not subject to folder scanning:
- Inactive User
- Unusual Access
- Suspicious Login
- Empty Group
- Unused Group
- Malformed Permissions (WFS & CIFS only)
How frequently does Secure & Govern scan content sources for new Analysis Rule Issues?
Content sources or user directories are scanned every hour for the following Secure & Govern Analysis Rules:
- Inactive User
- Public Link
- Individual Permission
- External Sharing
- Open Access
- Probable Ransomware
- Unusual Access
- Suspicious Login
- Malformed Permissions (WFS & CIFS only)
User directories are scanned nightly for the following Secure & Govern Analysis Rules:
- Unused Group
- Empty Group
Unused Group and Empty Group Analysis Rules are scanned nightly to ensure an Admin has sufficient time to assign groups to content or add users to groups.
How is Probable Ransomware detected?
Probable Ransomware is detected by using two different methods. These methods are explained below.
Artifact-based Detections
Artifact detections look for known Ransomware file extensions and/or known Ransomware notes. If we find 3 or more files with known ransomware extensions or one ransomware note, a detection occurs and a Probable Ransomware issue is created.
Zero-day/Behavioral-based Detections
Zero-day/Behavioral-based detections look for anomalous file activity such as a mass encryption of files, a mass renaming of files or a large number of file uploads occurring at the same time. These anomalous file behaviors are typical of a Ransomware attack, but are not detected by traditional artifact-based or signature-based solutions since they are new and unidentified.
If we detect a certain number of high entropy files, a detection occurs and a Probable Ransomware issue is created.
Customers can control the detection threshold for behavior-based (zero-day) Probable Ransomware detections, and thereby the detection sensitivity. The detection threshold defines the percentage of suspicious files required to create a detection. For example, Secure & Govern analyzes a folder which contains 10 files. If the detection threshold is set to 50 percent, a Probable Ransomware detection would only occur if 5 or more files were found to be suspicious.
The behavior-based detection threshold is set to 50 percent by default, but Admins can adjust it within the range of 10 to 100 percent. Lowering the detection threshold, from 50 to 30 percent, will increase detection sensitivity and increase the number of behavior-based Probable Ransomware detections. Raising the detection threshold, from 50 to 80 percent, will decrease detection sensitivity and decrease the number of behavior-based Probable Ransomware detections.
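Both detection methods described above, written out as an added example of the decision logic (not Egnyte's implementation): the artifact rule fires on 3 or more files with a known ransomware extension or a single ransom note, and the behavioral rule fires when the share of high-entropy files in a folder reaches the configurable 10 to 100 percent threshold (default 50). The extension and note names are constructed placeholders, and the 7.0 bits/byte entropy cut-off is an assumption.

```python
import math
from collections import Counter

# Constructed placeholders, not Egnyte's real signature lists or thresholds.
KNOWN_RANSOM_EXTENSIONS = {".locked-example", ".enc-example"}
KNOWN_RANSOM_NOTES = {"HOW_TO_RECOVER_FILES.txt"}
HIGH_ENTROPY_BITS = 7.0   # assumed bits/byte above which a file is "high entropy"

def shannon_entropy(data):
    """Bits per byte of the content; encrypted data sits near the 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def artifact_detection(names):
    """3 or more files with a known ransomware extension, or one ransom note."""
    ext_hits = sum(1 for n in names
                   if any(n.lower().endswith(e) for e in KNOWN_RANSOM_EXTENSIONS))
    note_hits = sum(1 for n in names if n in KNOWN_RANSOM_NOTES)
    return ext_hits >= 3 or note_hits >= 1

def behavioral_detection(files, threshold_pct=50):
    """files maps name -> bytes. Fires when the share of high-entropy files in
    the folder reaches threshold_pct (default 50; Admins may set 10..100)."""
    if not 10 <= threshold_pct <= 100:
        raise ValueError("detection threshold must be between 10 and 100 percent")
    if not files:
        return False
    suspicious = sum(1 for c in files.values()
                     if shannon_entropy(c) >= HIGH_ENTROPY_BITS)
    return suspicious * 100 >= threshold_pct * len(files)

def probable_ransomware(files, threshold_pct=50):
    """A Probable Ransomware issue is raised if either method detects."""
    return artifact_detection(files) or behavioral_detection(files, threshold_pct)
```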
When I delete a user, from Egnyte Collaborate, will all open Public Link issues be auto-remediated?
No, when a user is deleted from Egnyte Collaborate, all Public Links for this user are preserved to prevent a potential disruption to the business. However, a "link deletion" email is sent to all Egnyte Collaborate Admins for awareness, and to allow an Admin to delete the links for this user. If the Admin deletes any or all of the user's existing Public Links, the corresponding Public Link issues will be auto-remediated.
Example Email: