Threat Review
Data Security Essentials monitors your file systems and alerts you if it detects suspicious access behavior. Check the sections below to investigate threats, restore user access, or close alerts.
When Data Security Essentials detects suspicious behavior, it takes two key actions:
- It blocks the offending user based on the response settings in the policy triggers.
- It alerts the storage team if you configure notification settings for these policy triggers.
Access the Threat Detections UI to See the Alerts
- Open Data Security Essentials: Start the application to access its main interface.
- Select Threat Detections: Choose Threat Detections from the left navigation menu. You see active and closed alerts, plus forensic data detailing who accessed which files, when, and what actions occurred.
Review Ongoing Threats
- Go to the Active Tab: Click the Active tab to see a list of current threats.
- Check Key Columns: Look at the Target, User, Trigger, Severity, and Detected At columns to find the alert you want to investigate. The Severity column displays the priority level of each alert:
  - Warning: Lower-priority issues
  - Major: Issues needing prompt action
  - Critical: Issues requiring immediate response (all ransomware alerts are Critical)
Investigate an Alert
Gather details about a specific alert.
- Click the Alert: Select the alert you want to investigate.
- Review Alert Fields: Check the User, Response, Trigger, Severity, and Trigger Description fields.
- Check Detected At Timestamp: Note when the alert occurred.
- Locate Suspicious Files: In the table, examine the Device, Share, Path, and File Name columns.
Ransomware alerts are always marked with Critical severity and include specific details about the detected activities.
Take Action
Respond to alerts with appropriate actions.
- Open the Actions Menu: Click the Take Action button or the ellipsis (...) icon in the Threat Detections list.
- Select an Action:
  - Restore Access to User Account: Re-enable an AD account you disabled
  - Restore User Access to Shares: Restore access to shares you blocked
  - Disable Access to User Account: Disable an Active Directory account
  - Deny User Access to Shares: Block access to network shares
  - Log off User Workstation: End the current user session
  - Close Threat: Mark a threat as resolved
  - Download JSON: Export data for your offline analysis
Note: Ransomware policy triggers enable all security action options by default. You can modify these settings as needed.
Restore User Access
Restore access when you need to reinstate permissions that were revoked.
- Check the User State: View the Response field in the alert details. With ransomware threats, you may see Disabled Account or Logged Out.
- Open the Actions Menu: Click Take Action. The actions menu opens on the right.
- Apply the Restoration:
  - Restore Access to User Account: Re-enables an account you disabled
  - Restore User Access to Shares: Restores access to shares you blocked
  - Log Off Workstation: After using this action, users must log in again
When you select Restore Access to User Account, click Confirm in the dialog to complete your action.