Version: 1.2.0

Threat Review

Data Security Essentials monitors your file systems and alerts you if it detects suspicious access behavior. Check the sections below to investigate threats, restore user access, or close alerts.

info

When Data Security Essentials detects suspicious behavior, it takes two key actions:

  • It blocks the offending user based on the response settings in the policy triggers.
  • It alerts the storage team if you configure notification settings for these policy triggers.

Access The Main UI To See Alerts

  1. Open Data Security Essentials
    Start the application to access its main interface.

  2. Select Threat Detections
    Choose Threat Detections from the left navigation menu. You see active and closed alerts, plus forensic data detailing who accessed which files, when, and what actions occurred.

Threat Detections UI

Review Ongoing Threats

  1. Go To The Active Tab
    Click the Active tab to see a list of current threats.

  2. Check Key Columns
    Look at the Target, User, Trigger, and Detected At columns to find the alert you want to investigate.

Active Tab - Threat List

Investigate An Alert

Gather details about a specific alert.

  1. Click The Alert
    Select the alert you want to investigate.

  2. Review Alert Fields
    Check the User, Response, Trigger, and Trigger Description. For example, the user might be lab.local\david, the response might be None, and the trigger could be Large File Audit.

  3. Check Detected At Timestamp
    Note when the alert occurred.

  4. Locate Suspicious Files
    In the table, examine the Device, Share, Path, and File Name columns.

Alert Details

Take An Action

Respond to the alert.

  1. Open Actions Menu
    Click Take An Action (or the ellipsis ... on the Threat Detections list).

    Actions Menu

  2. Choose An Option

    • Restore Access to User Account or Restore User Access to Shares if the user is locked out.
    • Close Threat if the threat is resolved.
    • Download JSON for offline analysis.

    Action Options

Restore User Access

Reinstate a user's access if they were locked out, disabled, or logged off by the trigger actions.

  1. Identify The User State
    Check the Response field in the alert details. For ransomware threats, you might see Disabled Account or Logged Out.

  2. Open Actions Menu
    Click Take An Action. The actions menu appears on the right.

  3. Confirm Restoration

    • Restore Access To User Account: Appears when a user’s AD account is disabled. Click it to re-enable the account.
    • Restore User Access To Shares: Appears when the user is locked out of shared resources. Click it to restore share access.
    • Log Off Workstation: If a user is logged off, no restore option appears. The user must log in again.

    When you select Restore Access To User Account, a confirmation dialog appears. Click Confirm to complete the action.