If you still have questions about the Secure and Govern Analysis Rules, check out the frequently asked questions below. 

Skip Ahead to...

What content sources are supported by Analysis Rules?

What Egnyte clients are supported by Analysis Rules?

What Analysis Rules are enabled during Installation of Secure & Govern?

What Analysis Rules can be enabled/disabled?

What actions will create a Suspicious Login Anomaly?

How can I prevent Suspicious Login Anomalies for VPN Users?

Can I stop generating External Sharing violations for approved folders?

Do you have recommendations for addressing Analysis Rules violations?

Why don’t Suspicious Login & Unusual Access issues appear under Ignored Issues?

How does changing threshold impact Unusual Access detections?

What does "files accessed" mean for Unusual Access detections?

What does the date under "UPDATED" mean for Unusual Access detections?

Can I choose to only view Analysis Rule anomalies with sensitive content?

Can I choose to only view Analysis Rule anomalies without sensitive content?

What is the expected behavior of the sensitive content eye icon for Public Link anomalies?

If I modify folder scanning to exclude folders for active Analysis Rules, what happens to the existing open issues?

How frequently does Secure & Govern scan content sources for new Analysis Rule Issues?

 

What content sources are supported by Analysis Rules?

Secure & Govern supports ALL Analysis Rules for the following content sources:

  • Egnyte Collaborate
  • OneDrive
  • SharePoint Online
  • G-Drive

Secure & Govern supports the following Analysis Rules for SharePoint (on-prem):

  • Individual Permission
  • Empty Group
  • Unused Group
  • Public Link
  • Open Access

Secure & Govern supports the following Analysis Rules for Windows File Server (WFS) & Common Internet File System (CIFS):

  • Individual Permission
  • Empty Group
  • Unused Group
  • Open Access
  • Probable Ransomware
  • Malformed Permissions
  • Unusual Access (WFS Only)

 

What Egnyte clients are supported by Analysis Rules?

Secure & Govern Analysis Rules currently support the following Egnyte clients:

  • Web UI
  • Desktop App
  • Mobile
  • All Storage Sync Clients
  • Smart Cache (FKA Turbo)
  • WebEdit
  • Cloud Migration Manager
  • Egnyte Migration Toolkit
  • All WebDAV Clients
  • Outlook
  • Salesforce
  • SFTP
  • FTP

 

What Analysis Rules are enabled during Installation of Secure & Govern?

The following Secure & Govern Analysis Rules are enabled during initial installation/setup. For more information regarding Analysis Rules supported by content source, please see Analysis Rules by Content Source.

  • Unused Group
  • Empty Group
  • Public Link
  • External Sharing
  • Probable Ransomware
  • Open Access
  • Unusual Access
  • Suspicious Login
  • Malformed Permissions (WFS & CIFS only)

All Analysis Rules, except Individual Permission, are enabled by default.

 

What Analysis Rules can be enabled/disabled?

All Secure & Govern Analysis Rules can be enabled and disabled.

The following can be enabled under “Content Source”:

  • External Sharing
  • Individual Permission
  • Open Access
  • Probable Ransomware
  • Public Link

The following can be enabled under “User Directory”:

  • Empty Group
  • Suspicious Login
  • Unused Group
  • Unusual Access

 

What actions will create a Suspicious Login Anomaly?

The Suspicious Login rule detects anomalous user login activity that may indicate a compromised account.

There are 2 sub-types of Suspicious Logins:

  • Impossible Travel – Identifies unusual and impossible user login activity between two locations

Note: Impossible user login activity means logins that occur from distant locations within a time window in which it would be impossible for an individual to travel between the two points

  • Restricted Country – Identifies an attempted login from a restricted country

Impossible Travel uses only successful login attempts to determine when a Suspicious Login Anomaly is created.

Restricted Country uses successful and failed login attempts to determine when a Suspicious Login Anomaly is created.
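
The two sub-types can be sketched as detection logic over login events. This is an added example, not Egnyte's implementation: the `Login` record, the function names, the 900 km/h speed ceiling and the placeholder country code `XX` are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumed ceiling (about airliner speed), not a product setting
RESTRICTED = {"XX"}    # assumed placeholder country code

@dataclass
class Login:
    user: str
    time: datetime
    lat: float
    lon: float
    country: str
    success: bool

def km_between(a, b):
    """Great-circle (haversine) distance in km between two login locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect(logins):
    """Return (sub_type, user, time) tuples for a list of Login events."""
    issues, last_ok = [], {}
    for ev in sorted(logins, key=lambda e: e.time):
        # Restricted Country: successful and failed attempts both count.
        if ev.country in RESTRICTED:
            issues.append(("restricted_country", ev.user, ev.time))
        # Impossible Travel: only successful logins are compared.
        if not ev.success:
            continue
        prev = last_ok.get(ev.user)
        if prev is not None:
            hours = (ev.time - prev.time).total_seconds() / 3600
            dist = km_between(prev, ev)
            if dist > 0 and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                issues.append(("impossible_travel", ev.user, ev.time))
        last_ok[ev.user] = ev
    return issues

SAMPLE = [  # constructed events, not real log data
    Login("alice", datetime(2024, 1, 5, 9, 0), 40.71, -74.01, "US", True),   # New York
    Login("alice", datetime(2024, 1, 5, 10, 0), 51.51, -0.13, "GB", True),   # London, 1 h later
    Login("bob", datetime(2024, 1, 5, 9, 0), 48.86, 2.35, "FR", True),       # Paris
    Login("bob", datetime(2024, 1, 5, 9, 30), 35.68, 139.69, "JP", False),   # failed: no travel check
    Login("bob", datetime(2024, 1, 5, 9, 45), 0.0, 0.0, "XX", False),        # failed, restricted
    Login("bob", datetime(2024, 1, 5, 12, 0), 50.85, 4.35, "BE", True),      # Brussels, 3 h after Paris
]
```

Calling `detect(SAMPLE)` flags bob's failed attempt from the restricted country and alice's New York to London pair; bob's failed Tokyo attempt is skipped for the travel comparison because it did not succeed.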

 

How can I prevent Suspicious Login Anomalies for VPN Users?

Suspicious Login anomalies can be prevented for VPN users by adding the user(s) to the IP address whitelist found under the Suspicious Login configuration settings.

 

Can I stop generating External Sharing violations for approved folders?

Yes. External Sharing anomalies can be prevented by adding the email domain to the External Sharing Allowed List.

The External Sharing Allowed List can be found under “User Directory”, for a content source, in “Settings”.

Select “Configure”.

Existing External Sharing issues will be auto-remediated, for any group or domain added to the External Sharing Allowed List, after the next User Directory scan. User Directory scans occur nightly.

 

Do you have recommendations for addressing Analysis Rules violations?

Yes. For more information, check out the Issue Types & Remediation article to learn how to prevent Analysis Rules violations.

 

Why don’t Suspicious Login & Unusual Access issues appear under Ignored Issues?

Unusual Access and Suspicious Login are considered event-based issues. When an event-based issue is ignored, Secure & Govern dismisses only that instance of the issue. A new Unusual Access or Suspicious Login issue could be generated for the same user in the future. If a new issue is created for the same user, the history from the previous issue(s), including whether or not the previous issue was ignored, can be seen in the detail section of the new issue.

 

How does changing threshold impact Unusual Access detections?

The threshold controls how far a user needs to deviate from their normal usage pattern before an anomaly is detected. There are 3 threshold settings for Unusual Access: Low, Medium and High.

Setting the threshold to Low will generate the most Unusual Access anomalies, while setting the threshold to High will generate the fewest.

Example: If the normal usage pattern, for a user, is 100 files deleted daily, the following will occur based on the threshold setting:

  • Threshold = Low - Unusual Access anomaly is created when a user deletes over 100 files
  • Threshold = Medium - Unusual Access anomaly is created when a user deletes over 300 files
  • Threshold = High - Unusual Access anomaly is created when a user deletes over 1000 files

We suggest setting the Unusual Access rule threshold to "Medium". You can change the threshold setting by going to Settings, selecting Analysis Rules and selecting Unusual Access.

 

What does "files accessed" mean for Unusual Access detections?

Secure and Govern changed the language from "files downloaded" to "files accessed" when we started incorporating file open events from Storage Sync and the Desktop App. Opening a file on a Storage Sync share or from the Desktop App isn't technically a download, so we needed a term that is more inclusive. For Unusual Access detections, "files accessed" is used to capture a file read, a file download or a file copy.

 

What does the date under "UPDATED" mean for Unusual Access detections?

Unusual Access detections are event-based by user. The "UPDATED" column date for Unusual Access could mean any of the following:

  1. Original Detection Date - The date the original anomaly detection occurred
  2. Content Reclassification Date - The sensitive content in the original detection was reclassified, which could mean there's an increase in the number of sensitive files or an increase in sensitivity of the files originally detected
  3. New Detection Date - A new anomaly was detected for the same user on a later date

 

Can I choose to only view Analysis Rule anomalies with sensitive content?

Yes, Analysis Rule anomalies can be filtered to only show anomalies containing sensitive content. However, the default view will show all anomalies regardless of content type.

Sensitive content can be filtered by “Any sensitive content” or by “specific policy types”. 

When in the Issues view, use the filter scroll bar on the left to scroll to the bottom of the filter window, where these filter selections can be configured.

 

Can I choose to only view Analysis Rule anomalies without sensitive content?

No, Analysis Rule anomalies can’t be filtered to only show anomalies without sensitive content. For information regarding how to filter Analysis Rule anomalies containing sensitive content, check out Filtering by Sensitive Content.

 

What is the expected behavior of the sensitive content eye icon for Public Link anomalies?

When reviewing sensitive content Public Link anomalies in Secure and Govern, you will notice an eye icon.

There are two different levels of Public Links: file level and folder level. The eye icon behavior for each is explained below:

  • File level – the eye icon will open the file in a separate window within the Issue Review tab, displaying the sensitive content found in the file
  • Folder level – the eye icon will open the folder in the Sensitive Content tab so ALL files in the folder can be reviewed and remediated

 

If I modify folder scanning to exclude folders for active Analysis Rules, what happens to the existing open issues?

When modifying folder scanning, the Analysis Rule types listed below are moved to “Resolved” status during the next content source scan.

  • Public Link
  • Individual Permission
  • External Sharing
  • Open Access
  • Probable Ransomware

The following Analysis Rules are “User Directory” managed rules and are not subject to folder scanning:

  • Unusual Access
  • Suspicious Login
  • Empty Group
  • Unused Group
  • Malformed Permissions (WFS & CIFS only)

 

How frequently does Secure & Govern scan content sources for new Analysis Rule Issues?

Content sources or user directories are scanned every hour for the following Secure & Govern Analysis Rules:

  • Public Link
  • Individual Permission
  • External Sharing
  • Open Access
  • Probable Ransomware
  • Unusual Access
  • Suspicious Login
  • Malformed Permissions (WFS & CIFS only)

User directories are scanned nightly for the following Secure & Govern Analysis Rules:

  • Unused Group
  • Empty Group

Unused Group and Empty Group Analysis Rules are scanned nightly to ensure an Admin has sufficient time to assign groups to content or add users to groups.

 
