Active Auditor
Introduction
Active Auditor provides real-time auditing capabilities that let administrators define and respond to specific file activity behaviors across the cluster. Using prebuilt and custom triggers, you can monitor actions such as mass deletions, file accesses, and user activity patterns.
This guide covers the following features:
- Mass Delete — Detect unusually high rates of file deletions.
- Custom Real-time Audit Policy — Define complex rules using AND/OR logic.
- Data Loss Prevention — Monitor users copying files from secured shares or paths.
Mass Delete
The Mass Delete trigger is a prebuilt policy that detects unusually high rates of file deletions in a specified directory. Use it to identify risky behaviors such as accidental or intentional mass deletions that could lead to data loss or operational issues.
Configure a Mass Delete Response
- Select the Easy Auditor icon to open the interface.
- Select the Active Auditor tab from the navigation menu.
- Under Audit Triggers, locate the Mass Delete row and select Configure in the rightmost column. The Mass Delete Configuration window opens.
- Select New Trigger Response. The Add New Mass Delete Response dialog opens.
- Fill in the following fields:
  - Path — Use the Cluster Directory Selector to choose the directory to monitor.
  - Files — Enter the number of files that must be deleted to trigger the response.
    Best Practice: Start at 1000 and adjust higher if too many notifications are sent.
  - Interval — Define the time window for tracking events:
    - Value — Enter a number (for example, 1).
    - Unit — Choose a time unit (for example, Minute(s)).
- Select Save to apply the settings, or Cancel to discard changes.
- After saving, the new response appears under the Threat Responses section, where you can:
  - Review the settings for each response (path, limit, and time interval).
  - Remove a response by selecting Delete in the Actions column.
  - Add more responses by selecting New Trigger Response.
- Select Close to exit the configuration window.
Custom Real-time Audit Policy
The Custom Real-time Audit Policy feature enables you to define specific conditions using rule-based logic with AND/OR groupings. Use it to detect abnormal or unauthorized behaviors with precision.
Create or Edit a Custom Real-time Audit Policy
- Select the Easy Auditor icon to open the interface.
- Select the Active Auditor tab from the navigation menu.
- Under Audit Triggers, locate the Custom Real-time Audit Policy row and select Configure in the rightmost column.
- In the configuration window, fill in the following fields:
  - Name — Enter a descriptive name for the policy (for example, High File Access Alert).
  - Enabled — Select the checkbox to activate the policy.
- Select View/Edit Audit Criteria to open the rule builder and define conditions using AND/OR logic to match specific audit events.
  Available criteria include:
  - Directory — Monitor a specific folder path.
  - Full Path — Track activity for a specific file.
  - File Name or Extension — Focus on specific file types or names.
  - Event Type — Choose actions such as File Delete, Read, or Write.
  - User — Monitor actions by a specific user. Enter the username in DOMAIN\user format.
  - Cluster Name — Filter by originating cluster.
  - Source IP — Limit activity by IP address. Use CIDR notation. Any range except /32 is valid.
  Logic options:
  - Add Rule — Add a new condition.
  - Add Group — Nest multiple rules under AND/OR logic.
  - Delete — Remove individual rules or groups.
- After defining your rules, select Save to return to the configuration screen.
- Configure the following monitoring parameters:
  - Interval — Define the time window for tracking events:
    - Value — Enter a number (for example, 1).
    - Unit — Choose a time unit (for example, Minute(s)).
  - Threshold — Enter the number of matching events that must occur within the interval to trigger the policy (for example, 100).
- Select Save to apply the configuration, or Cancel to discard changes.
- After saving, the new policy response appears under the Threat Responses section, where you can:
  - View the policy name, interval, threshold, and enabled status.
  - Select Edit to update the response configuration.
  - Select Delete to remove the response.
  - Add more custom audit responses by selecting New Trigger Response.
- Select Close to exit the configuration window.
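The rule-builder semantics above (AND/OR groups over the listed criteria, then a threshold of matching events within an interval), as an added Python example that is not part of this page or of Active Auditor's own code; the AuditEvent shape, the rule field names and the sample events are constructed assumptions. The same first_trigger function also expresses the prebuilt Mass Delete trigger: a Directory rule AND a File Delete event-type rule, with Files as the threshold.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

@dataclass
class AuditEvent:  # constructed event shape, not Active Auditor's own schema
    path: str
    event_type: str  # "File Delete", "Read" or "Write"
    user: str        # DOMAIN\user
    source_ip: str
    when: datetime

@dataclass
class Rule:  # one criterion row; field is directory, full_path, extension, event_type, user or source_ip
    field: str
    value: str  # for source_ip a CIDR range (the page: any range except /32 is valid)
    def matches(self, ev):
        v = self.value
        if self.field == "source_ip":
            return ip_address(ev.source_ip) in ip_network(v, strict=False)
        return {"directory": ev.path.startswith(v.rstrip("/") + "/"),
                "full_path": ev.path == v,
                "extension": ev.path.lower().endswith("." + v.lower().lstrip(".")),
                "event_type": ev.event_type == v,
                "user": ev.user.lower() == v.lower()}[self.field]

@dataclass
class Group:  # "Add Group": nests rules or groups under AND / OR logic
    op: str
    members: list
    def matches(self, ev):
        hits = [m.matches(ev) for m in self.members]
        return all(hits) if self.op == "AND" else any(hits)

def first_trigger(criteria, events, threshold, interval):
    """Return when `threshold` matching events first fall inside one sliding `interval`, else None."""
    window = deque()
    for t in sorted(e.when for e in events if criteria.matches(e)):
        window.append(t)
        while t - window[0] > interval:
            window.popleft()
        if len(window) >= threshold:
            return t
    return None
# Constructed sample "High File Access Alert": finance dir AND office subnet AND (Read OR Delete), 3 in 1 min
T0, INTERVAL = datetime(2024, 1, 1, 9, 0), timedelta(minutes=1)
POLICY = Group("AND", [Rule("directory", "/ifs/data/finance"), Rule("source_ip", "10.0.0.0/24"),
                       Group("OR", [Rule("event_type", "Read"), Rule("event_type", "File Delete")])])
EVENTS = [AuditEvent("/ifs/data/finance/q1.xlsx", "Read", r"CORP\alice", "10.0.0.5", T0 + timedelta(seconds=s))
          for s in (0, 20, 40, 200)] + [AuditEvent("/ifs/data/hr/x.doc", "Read", r"CORP\alice", "10.0.0.5", T0)]
```

With the sample data, three finance reads fall inside one minute, so the policy fires on the third read; raising the threshold to 4 leaves it silent because the fourth read is outside the window.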
Data Loss Prevention
Data Loss Prevention (DLP) monitors users who copy files from any secured share or path. It provides real-time monitoring of secured data against bulk copy operations that are unauthorized or that indicate a potential data loss scenario.
The feature monitors the capacity of the file system path using an auto-applied accounting quota. You set the percentage of data any single user can read from the path before the audit trigger fires.
DLP provides the following capabilities:
- Monitors secure data access by users
- Alerts administrators of access events with date, time, and IP address
- Protects against bulk copying of secure data
- Provides visibility into user data access
- Secures sensitive data from insider threats
The selected path must have a corresponding smart quota created on PowerScale.
To ensure this trigger works correctly, PowerScale must audit close_file_modified and close_file_unmodified events. Run the following command to configure this:
isi audit settings modify --add-audit-success close_file_modified,close_file_unmodified --zone <your-zone>
Configure Data Loss Prevention
- On the main Active Auditor screen, select Configure.
- Select the enable toggle to activate DLP monitoring.
- Select New Response to set per-user response actions when a user crosses the data copy percentage threshold.
- Fill in the following fields:
  - Path — Enter the directory path to monitor.
    Best Practice: Enter a path that matches a share path you are already monitoring.
  - Limit — Use the slider to set the threshold percentage.
    Best Practice: Start at 10% to catch copy actions by users.
  - Within — Define the time window during which copying must cross the threshold:
    - Value — Enter a numeric value (for example, 1).
    - Unit — Choose a time unit (for example, Minute(s)).
    Best Practice: The rate at which copying occurs can affect trigger detection. Set the time period low enough to ensure the threshold is crossed. Adjust the value up or down based on trigger testing results.
- Choose one or both of the following response actions:
  - Email Alert — Sends an alert containing the user, path, and policy criteria that were crossed.
  - User Lockout — Denies SMB access to the user on the first share above the monitored path.
  Best Practice: Enable both Email Alert and User Lockout for DLP events.
- Select Close to save and exit.
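The per-user percentage-of-quota check that DLP applies (Limit percent of the path's quota usage read by one user Within a window), as an added Python example that is not Active Auditor's own code; it assumes each close_file event carries the bytes read for that file, which the page does not document, and the events and quota usage are constructed. The sample also shows the Best Practice caveat above: a slow copy stays under the limit inside a one-minute window but is caught once the window is widened.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def dlp_violations(events, path, quota_used_bytes, limit_pct, within):
    """Return {user: time_fired} for users whose bytes read under `path` inside a sliding
    `within` window reached `limit_pct` percent of the path's current quota usage."""
    prefix = path.rstrip("/") + "/"
    window, total, fired = defaultdict(deque), defaultdict(int), {}
    for user, fpath, nbytes, when in sorted(events, key=lambda e: e[3]):
        if user in fired or not fpath.startswith(prefix):
            continue  # already fired for this user, or the file is outside the monitored path
        w = window[user]
        w.append((when, nbytes))
        total[user] += nbytes
        while when - w[0][0] > within:  # drop reads that have fallen out of the window
            total[user] -= w.popleft()[1]
        if total[user] * 100 >= limit_pct * quota_used_bytes:
            fired[user] = when
    return fired

# Constructed close_file events (user, path, bytes read, close time); the bytes-read field is an
# assumption of this example, not a documented Active Auditor schema.
T0, MB = datetime(2024, 1, 1, 9, 0), 1024 * 1024
QUOTA_USED = 10_000 * MB  # the accounting quota on /ifs/data/secure reports 10,000 MB in use
EVENTS = (
    [(r"CORP\alice", f"/ifs/data/secure/f{i}.bin", 300 * MB, T0 + timedelta(seconds=6 * i)) for i in range(5)]
    + [(r"CORP\bob", f"/ifs/data/secure/g{i}.bin", 300 * MB, T0 + timedelta(minutes=5 * i)) for i in range(5)]
    + [(r"CORP\carol", "/ifs/data/public/h.bin", 5000 * MB, T0)]  # outside the monitored path
)

def demo(within=timedelta(minutes=1)):
    # Limit 10% within 1 minute: alice reaches 1,200 MB on her fourth file (18 s in) and fires;
    # bob copies 300 MB every 5 minutes and never has more than 300 MB inside a 1-minute window.
    return dlp_violations(EVENTS, "/ifs/data/secure", QUOTA_USED, 10, within)
```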
Manage Active Auditor Events
When a Mass Delete or Data Loss Prevention event is detected, the following options are available per incident. Any triggered event for a user is added to that user's existing active event entry. An active event remains active until you acknowledge it or mark it as recovered.
Each active event displays the following information:
- State — The current state of the security event.
- File List — A sample of files that triggered the detector.
- Signal Strength — The active audit detectors triggered for this user ID.
- User ID — The Active Directory username.
- Detection Date and Time — When the event was detected.
- Share Lockout List — The shares locked out if a lockout action was applied.
- Snapshot Names — Snapshots created automatically if the snapshot checkbox is enabled. For custom triggers, snapshots are taken of the shares the user can access, based on AD group membership.
- Expiry Minutes — How long before the detection timer triggers secondary actions.
- Client IP Address — The source IP address of the machine the user was logged into.
The Action menu provides a list of actions for each security event. The Lockout column indicates whether a lockout has been applied to deny the user access to all shares.
When you apply a lockout from the Action menu, the event updates to show the lockout date and time along with the list of locked shares. The status changes to Locked Out. To remove the lockout, select Restore User Access from the Action menu.
Apply Actions to an Active Event
Select the Action button for an active event to access the following options:
- Comment — Add a comment to the event for other administrators to review. The comment is stored with the event when archived.
- Create Snapshot — Creates a snapshot manually. Use this option only if auto-snapshot is disabled.
- Lockout — Applies a deny-read restriction to all shares the user has access to mount.
- Acknowledge — Sets the status to indicate the event has been reviewed. Other administrators can see that the event has been examined.
- Archive as Unsolved — Archives the event without follow-up. Use this option when no issue resulted from the event after review.
- Flag as False Positive — Sets an override for the specific user ID to prevent future detections and applies a custom threshold for that user. If too many false positives occur, consider adjusting the detector settings instead.
Archive an Active Auditor Event
- Review the event and apply any necessary actions. See Apply Actions to an Active Event.
- From the Action menu, select Acknowledge Event. Alternatively, select Archive as Unsolved to archive without investigation.
- From the Action menu, select Mark as Recovered. The event moves from the active list to the historical list.
Display Historical Active Auditor Events
- Select the Active Auditor tab.
- Deselect the Show Active Events checkbox. The view updates to display historical events.
See Also
- Reports and Queries — Learn how to search for audit events and generate reports.
- Bulk Ingest — Configure bulk ingestion of historical audit data.
- Wiretap — Set up Wiretap for advanced audit monitoring.