Version: 4.0.0

How to Configure Monitor Mode and Ignore Lists

Introduction

Monitor Mode and the Ignored Lists only work correctly when they are configured as described here. This guide walks through each step of the setup.

Ignored Lists and Monitor Mode Lists

info

Ransomware Defender lets the administrator specify paths, users, and client or server IP addresses that are excluded from ransomware processing. Once an audit event matches an ignore entry it is dropped, so no detection is generated for it.

How to Add Path, User, or Source IP Address to Monitor Mode List or Ignored List

  1. Open the Ransomware Defender module by clicking on its icon on the Eyeglass Web UI Desktop.
  2. Click on Settings to expand its menu options, and click on Ignored List or Monitor Only Settings.
  3. Click on the + button next to Paths, Users, or Sources as applicable.
  4. Enter a path, an AD user, or IP address and save.
info
  1. New Paths: the full path is required (example: /ifs/data/xxx).
  2. Active Directory Users: domain\userid or user@domainname
  3. ECS Users should be entered by name. Example: object_user or urn:ecs:iam::ns1:user/test.
  4. Client IP: the IP address of a client or server.
warning

The ignore columns are OR'd together: if any listed value (path, user, or source IP) matches an audit message, that message is dropped before processing. The first ignore entry that matches drops the audit event; no further entries are evaluated for it.

How to Convert Ignore Lists to Monitor Mode Lists

info

Ignore Lists drop matching events entirely, so reserve them for less critical data, or data that can be easily recreated.

  1. Open the Ransomware Defender module by clicking on its icon on the Eyeglass Web UI Desktop.
  2. Click on Settings to expand its menu options, and click on Ignored List.
  3. Click the "Convert Entries to Monitor Mode" button.
  4. A dialog asks you to confirm the conversion. Confirming removes all Ignored List entries and moves them to the Monitor Mode list.

Partial Path Matching

HOW PATH AND FILE MATCHING WORKS WITH IGNORE LISTS

  1. A single asterisk stands in for one directory name in a path. Example: /ifs/data/home/*/ matches each user folder under /ifs/data/home.
  2. An asterisk at the end of a path becomes a file name wildcard. Example: /ifs/data/home/userx/* is any file in the userx folder.
  3. /ifs/path/* Matches any object on the given path.
  4. /ifs/path/*.java Matches any object name ending in .java on the given path.
  5. /ifs/**.java Matches any object name ending in .java on any path.
  6. /ifs/path/*.* Matches any object name with any extension on the given path.
  7. /ifs/path/*.{java,class} Matches object names ending with .java or .class
  8. /ifs/path/foo.? Matches object names starting with foo. and a single character extension.
info

Any other glob rule of this kind may be used here as well.

ECS OBJECT PATTERN MATCHING FOR BUCKET AND PATH

  1. Match the whole ECS cluster using the pattern: **
  2. Match a specific path in any bucket using the pattern: */path/to/object
  3. Match all direct children of a path using the pattern: <bucket>/path/*
  4. Match all descendants of a path using the pattern: <bucket>/path/**
  5. Match an exact object: <bucket>/path/to/object
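The following Python script is an added example, not Eyeglass code and not taken from the Superna documentation. It implements the path matching rules above for both the PowerScale globs and the ECS bucket patterns, and applies the OR'd, first-match-drops rule from the warning earlier on this page to constructed audit events. It assumes Java-style glob semantics (`*` stays within one path segment, `**` crosses segments, `?` is one character, `{a,b}` is an alternative), that columns are checked in the order Paths, Users, Sources, that user names compare case-insensitively, that source IPs compare exactly, and that an ignore match takes precedence over a monitor match. The `AuditEvent` and `MatchList` names and every list entry are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one ignore/monitor glob into an anchored regex.

    Assumed semantics, taken from the examples on this page (Java-style globs):
      **     any run of characters, including '/'
      *      any run of characters except '/'  (one path segment / object name)
      ?      exactly one character except '/'
      {a,b}  either alternative
    Anything else is literal, and the whole path must match (no prefix matching).
    """
    out, i, n, in_group = [], 0, len(pattern), False
    while i < n:
        c = pattern[i]
        if c == "*" and pattern[i + 1 : i + 2] == "*":
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{" and not in_group:
            in_group = True
            out.append("(?:")
        elif c == "}" and in_group:
            in_group = False
            out.append(")")
        elif c == "," and in_group:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if in_group:
        raise ValueError(f"unterminated '{{' in pattern {pattern!r}")
    return re.compile("^" + "".join(out) + "$")


@dataclass
class AuditEvent:
    path: str                    # "/ifs/..." for PowerScale, "bucket/key" for ECS
    user: str                    # DOMAIN\user, user@domain, or an ECS object user
    client_ip: str
    ne_type: str = "PowerScale"  # or "ECS"


@dataclass
class MatchList:
    """One Ignored List or Monitor Only list. The three columns are OR'd:
    the first entry in any column that matches the audit event wins."""
    paths: List[str] = field(default_factory=list)
    users: List[str] = field(default_factory=list)
    sources: List[str] = field(default_factory=list)
    ne_type: Optional[str] = None  # None = applies to every network element type

    def first_match(self, ev: AuditEvent) -> Optional[Tuple[str, str]]:
        if self.ne_type and self.ne_type != ev.ne_type:
            return None
        for entry in self.paths:                   # column order is an assumption
            if glob_to_regex(entry).match(ev.path):
                return ("path", entry)
        for entry in self.users:
            if entry.lower() == ev.user.lower():   # case-insensitive: assumption
                return ("user", entry)
        for entry in self.sources:
            if entry == ev.client_ip:              # exact IP match only
                return ("source", entry)
        return None


def classify(ev: AuditEvent, ignored: Sequence[MatchList],
             monitor: Sequence[MatchList]) -> str:
    """'ignored': dropped before detection; 'monitor': on the Monitor Only list;
    'protect': normal processing. Ignore-before-monitor precedence is assumed."""
    if any(lst.first_match(ev) for lst in ignored):
        return "ignored"
    if any(lst.first_match(ev) for lst in monitor):
        return "monitor"
    return "protect"


# Constructed sample configuration, not from any real deployment.
IGNORED = [MatchList(
    paths=["/ifs/data/scratch/**", "/ifs/path/*.{java,class}", "/ifs/path/foo.?"],
    users=["CORP\\build-svc"],
    sources=["10.10.5.20"],
)]
MONITOR = [
    MatchList(paths=["/ifs/data/home/*/*"]),  # files directly inside each home dir
    MatchList(paths=["**"], ne_type="ECS"),   # whole ECS cluster, as on this page
]


def demo() -> List[Tuple[str, str]]:
    """Run constructed audit events through the lists; returns (path, decision)."""
    events = [
        AuditEvent("/ifs/data/scratch/run1/out.bin", "CORP\\alice", "10.10.7.3"),
        AuditEvent("/ifs/path/Main.java", "CORP\\alice", "10.10.7.3"),
        AuditEvent("/ifs/path/sub/Main.java", "CORP\\alice", "10.10.7.3"),  # * stops at /
        AuditEvent("/ifs/data/finance/q3.xlsx", "corp\\BUILD-SVC", "10.10.7.3"),
        AuditEvent("/ifs/data/finance/q3.xlsx", "CORP\\alice", "10.10.5.20"),
        AuditEvent("/ifs/data/home/bob/notes.txt", "CORP\\bob", "10.10.7.9"),
        AuditEvent("/ifs/data/home/bob/docs/notes.txt", "CORP\\bob", "10.10.7.9"),
        AuditEvent("media/images/2024/cat.jpg", "object_user", "10.10.9.1", "ECS"),
    ]
    return [(ev.path, classify(ev, IGNORED, MONITOR)) for ev in events]


if __name__ == "__main__":
    for path, decision in demo():
        print(f"{decision:8s} {path}")
```

The third and seventh events are the ones worth checking before putting a pattern into production: a single `*` does not cross a directory boundary, so `/ifs/path/*.{java,class}` and `/ifs/data/home/*/*` leave files in subfolders unmatched, while `**` would cover them.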

How to Enable Monitor Mode for an ECS Cluster

Monitor Mode for an ECS cluster is enabled with a single entry whose path wildcard matches every bucket and every object.

  1. Open the Monitor Only Settings tab.
  2. Click to add an entry and configure as follows:
  • Target NE Type: ECS
  • New path: **
  • Select NE: Checked
  • Network Element: the ECS cluster to monitor.

See Also

You can now test adding entries to the Monitor Mode List and the Ignored List in the Eyeglass Web UI.