Version: 1.3.0

Threat Review

Data Security Essentials monitors your file systems and alerts you if it detects suspicious access behavior. Check the sections below to investigate threats, restore user access, or close alerts.

info

When Data Security Essentials detects suspicious behavior, it takes two key actions:

  • It blocks the offending user based on the response settings in the policy triggers.
  • It alerts the storage team if you configure notification settings for these policy triggers.

Access the Threat Detections UI to See the Alerts

Active Tab - Threat List with Severity Column

  1. Open Data Security Essentials
    Start the application to access its main interface.

  2. Select Threat Detections
    Choose Threat Detections from the left navigation menu. You see active and closed alerts, plus forensic data detailing who accessed which files, when, and what actions occurred.

Review Ongoing Threats

  1. Go to the Active Tab
    Click the Active tab to see a list of current threats.

  2. Check Key Columns
    Look at the Target, User, Trigger, Severity, and Detected At columns to find the alert you want to investigate.

    The Severity column displays the priority level of each alert:

    • Warning: Lower-priority issues
    • Major: Issues needing prompt action
    • Critical: Issues requiring immediate response (all ransomware alerts are Critical)

Investigate an Alert

Gather details about a specific alert.

  1. Click the Alert
    Select the alert you want to investigate.

  2. Review Alert Fields
    Check the User, Response, Trigger, Severity, and Trigger Description fields.

  3. Check Detected At Timestamp
    Note when the alert occurred.

  4. Locate Suspicious Files
    In the table, examine the Device, Share, Path, and File Name columns.

Ransomware Alerts

Ransomware alerts are always marked with Critical severity and include specific details about the detected activities.

Take Action

Respond to alerts with appropriate actions.

  1. Open the Actions Menu
    Click the Take Action button or the ellipsis (...) icon in the Threat Detections list.

    Active Critical Ransomware Alerts

  2. Select an Action

    • Restore Access to User Account: Re-enable an AD account you disabled
    • Restore User Access to Shares: Restore access to shares you blocked
    • Disable Access to User Account: Disable an Active Directory account
    • Deny User Access to Shares: Block access to network shares
    • Log off User Workstation: End the current user session
    • Close Threat: Mark a threat as resolved
    • Download JSON: Export data for your offline analysis

    Action Options

    note

    Ransomware policy triggers enable all security action options by default. You can modify these settings as needed.

Restore User Access

Restore access when you need to reinstate permissions that were revoked.

  1. Check the User State
    View the Response field in the alert details. With ransomware threats, you may see Disabled Account or Logged Out.

  2. Open the Actions Menu
    Click Take Action. The actions menu opens on the right.

  3. Apply the Restoration

    • Restore Access to User Account: Re-enables an account you disabled
    • Restore User Access to Shares: Restores access to shares you blocked
    • Log Off Workstation: After using this action, users must log in again

    When you select Restore Access to User Account, click Confirm in the dialog to complete your action.
    Confirmation Dialog