Version: 2.14.0

Events

Overview

The Events section helps you understand how Superna Data Security tracks, analyzes, and responds to security events in your environment. This page defines key concepts used throughout the Ransomware Defender interface and explains how to interpret event data to make informed decisions during security incidents.

Security Event Column Definitions

Understanding the terminology used in Ransomware Defender is essential for effective threat response. The following definitions explain what each column and data point represents in the Active Events and Event History tabs.

  • File Event: A discrete event published by PowerScale's event stream based on a user action, for example opening, closing, writing to, or reading from a file.

  • User: The user account or NFS IP address of the locked-out account.

  • Shares: List of shares that were locked out during the security event for the user listed in the User column. Shares are identified from the AD group membership of the detected user, and the lockout is applied to all of those shares across all clusters managed by Eyeglass.

  • Snapshots: List of snapshots of SMB share paths taken during the lockout. Snapshots are taken on the SMB share paths of all shares on all clusters that were detected as accessible to the user. Snapshots default to an expiry of 48 hours.

  • Threat Detectors: Logic used by Eyeglass Ransomware Defender to determine if a group of File Events is potentially associated with a ransomware attack. There are multiple independent threat detectors used by Eyeglass Ransomware Defender during analysis that are assessed in parallel.

  • Signal: Occurrence of one or more File Events that have been flagged by one or more threat detectors as a potential ransomware event.

  • Signal Strength: For a given Signal, the number of threat detectors that were triggered. A higher Signal Strength has a higher probability of being a ransomware event.

    Threat detection Signal Strength is a measure of the severity of a user's File Event behavior. The higher the count, the higher the severity of the detection.

    The Signal Strength is displayed in the Eyeglass Ransomware Defender window in the Active Events or Event History tab. The numbers represent the peak of Warning, Major, and Critical signal strengths that were recorded in the entire lifetime of the ransomware event. In addition, a list of shares by cluster and access zone is listed that have lockouts applied.

  • Ransomware Event: A collection of signals whose combined Signal Strengths exceeds the user-set threshold in Eyeglass.

  • Files: The list of files associated with the detection for the specified user.

    The files section allows browsing of the files that triggered the detection. A CSV download option provides a historical file list containing all files from all detections for the specific user, giving a history of every file that triggered an event for a user who has had multiple detections. The files roll over: a current file is maintained, and historical files are listed with a date and time stamp.

    Important notes
    • Each row of the CSV is a signal, not a file. The files column cell for each row lists all files related to that signal. If using Excel, double-click the cell to see the list of files for that signal. Remember that a signal is a pattern of user behavior that affects multiple files.
    • The CSV stores the first 1000 files associated with a detection; a detection can involve more files than this, and those additional files are not stored in the CSV. Storing every file could make the CSV very large, so only the first 1000 are kept.
    • In most cases the CSV will store all affected files, but to get a complete list of the files touched by a user it is best to use Easy Auditor to run a user report.
    • Each CSV file from the Ransomware Defender "Active events" and "Event history" tabs can only be downloaded within 28 days (4 weeks) of the file's creation.
  • Lock Out: The date and time of the security event.

  • Client IP: The IP address of the user's PC that is infected.

  • Actions: The history of all steps taken during the detection, listed with time stamps. Every share lockout and snapshot creation is logged, along with any failed API calls to lock out shares or create snapshots. All later actions (restore user, comments, flag as false positive, and so on) stay with the event history. If an event is archived, the history stays with the event in the Event History tab.

Signal Strength Window

When you click the Signal Strength value in Eyeglass, you can see the threat detectors that contributed to the event. Note that this view is not broken down by severity; it shows the total for each Threat Detector type triggered throughout the lifetime of this user security event. These values are for support purposes only.

The sum of these values can exceed the peak signal strengths described above, since the lifetime of the ransomware event can be longer than the interval over which the thresholds are evaluated.
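The following is an added illustration (not Superna's detection logic) of why the per-detector totals in the Signal Strength window can add up to more than the peak Signal Strength. It assumes a simplified model: each signal records which detectors fired, the peak is the number of distinct detectors seen within any one threshold interval, and the window shows lifetime totals per detector type; the detector names, interval length and signals are constructed.

```python
"""Peak Signal Strength vs. lifetime per-detector totals (simplified model).

Added example, not Superna code. Assumptions: detector names, the
10-minute threshold interval and the signal timeline below are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=10)  # assumed threshold evaluation interval

# Constructed signals for one user event: (time, detectors that flagged it)
SIGNALS = [
    ("10:00", {"mass_rename", "entropy"}),
    ("10:03", {"mass_rename", "entropy", "extension_change"}),
    ("10:20", {"entropy"}),
    ("10:25", {"mass_rename", "extension_change"}),
]


def _parse(hhmm):
    return datetime.strptime(hhmm, "%H:%M")


def peak_signal_strength(signals, interval=INTERVAL):
    """Largest number of distinct detectors triggered within any one interval.

    This models the peak value shown in the Active Events / Event History tab.
    """
    peak = 0
    for start, _ in signals:
        window_start = _parse(start)
        detectors_in_window = set()
        for when, detectors in signals:
            if window_start <= _parse(when) < window_start + interval:
                detectors_in_window |= detectors
        peak = max(peak, len(detectors_in_window))
    return peak


def lifetime_detector_totals(signals):
    """Triggers per detector type over the whole event (the Signal Strength window)."""
    totals = Counter()
    for _, detectors in signals:
        totals.update(detectors)
    return dict(totals)


if __name__ == "__main__":
    totals = lifetime_detector_totals(SIGNALS)
    # The event spans two intervals, so lifetime totals (8) exceed the peak (3).
    print("peak:", peak_signal_strength(SIGNALS), "totals:", totals)
```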

How to Respond to Security Events

On detection of a possible ransomware event, the system gives you a relative severity for the detection together with the information needed to make a decision: the files affected, the user associated with the event, and the client IP. Use this information in conjunction with your security incident response process and security tools, such as virus scanning and inspection of the user's computer, to conclude whether or not it is a ransomware event.

Evaluate a detection event using the Signal Strength and Severity columns as additional input to your security response process.

Quick Assessment

Use Severity and Signal Strength values to assess the event:

Severity level is determined by the settings in your environment:

  • Warning - Considered a low probability of infection.
  • Major - An increased probability of infection, or medium-severity user behavior.
  • Critical - Strong ransomware user behavior and an indication of a possible infection. A decision to lock out the user should be made alongside a review of the files affected.

Signal Strength - For any severity level, a higher signal strength count indicates that the user behavior is a continuous pattern. A continuously repeating detection pattern is consistent with ransomware activity and should be used as an input to the response action chosen under your security incident response process.

Security Event Triage Process

When a security event has been detected, follow these steps to collect key information for your security incident response process:

  1. Open Ransomware Defender Active Events tab

    Navigate to the Active Events tab in Ransomware Defender.

  2. Review the files that triggered the detector

    Download the CSV file associated with the event and review these files.

    Each event shows the number of files associated with the active or archived security event.

    Note: The files listed are the files that triggered the detector and were stored with the event. A limit of 100 files is stored in the Eyeglass database that populates the browser tree.

    The CSV download of affected files lists all detections for this user for all time; use the date stamp in the file to determine when each detection occurred. More files may be associated with the event than the CSV shows if the event was active for more than 1 hour. The list of files in the CSV contains only files deemed to have triggered a detector, and NOT files accessed or saved in this period that did NOT trigger a detector.

  3. Review the active event details

    Review the following elements of the active event:

    • Click on the Shares link to review the shares with a lockout applied
    • Click on the Snapshots link to review the snapshots that were applied to shares
    • Click on the Client IPs link to review the source IP of the subnet of the infected computer
    • Click the Actions menu to review the time stamps of each action applied to this event, including share lockout and snapshots

    The Actions menu also lists the actions available for each event severity (Warning, Major, and Critical), which you use to decide on next steps.

  4. Review severity-specific response steps

    Based on the event severity (Warning, Major, or Critical), follow the appropriate response workflow described below.
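As an added example for the CSV notes in the column definitions and for step 2 above (not Superna code): a small parser that turns a signal-per-row export into a per-file list, so you do not need to double-click cells in Excel, records when each file was first seen by date stamp, and flags an export that may have hit the 1000-file cap. The column names, the newline separator inside the files cell, and the sample rows are assumptions; adjust the constants to match a real export.

```python
"""Flatten a Ransomware Defender-style event CSV into one row per file.

Added illustration, not Superna code. Assumed layout: a header row, a
'timestamp' column with the detection date/time, a 'signal_strength'
column, and a 'files' cell holding a newline-separated path list (the
real column names and separator may differ; adjust the constants).
"""
import csv
import io

TIMESTAMP_COL = "timestamp"       # assumed column name
STRENGTH_COL = "signal_strength"  # assumed column name
FILES_COL = "files"               # assumed column name
FILE_SEPARATOR = "\n"             # assumed separator inside the files cell
CSV_FILE_CAP = 1000               # per the page: only the first 1000 files are stored

# Constructed sample export: each row is one signal, not one file.
SAMPLE_CSV = (
    "timestamp,user,signal_strength,files\n"
    '2024-05-01 10:02:11,CORP\\jdoe,2,"/ifs/data/finance/q1.xlsx\n/ifs/data/finance/q2.xlsx"\n'
    '2024-05-01 10:05:40,CORP\\jdoe,3,"/ifs/data/finance/q2.xlsx\n/ifs/data/hr/list.docx\n/ifs/data/hr/notes.txt"\n'
    '2024-04-20 09:00:00,CORP\\jdoe,1,"/ifs/data/old/report.pdf"\n'
)


def flatten_signals(csv_text):
    """Return (signal_count, rows) with one row per (signal, file) pair."""
    signals, rows = 0, []
    for signal in csv.DictReader(io.StringIO(csv_text)):
        signals += 1
        for path in (signal.get(FILES_COL) or "").split(FILE_SEPARATOR):
            if path.strip():
                rows.append({"timestamp": signal[TIMESTAMP_COL],
                             "signal_strength": int(signal[STRENGTH_COL]),
                             "path": path.strip()})
    return signals, rows


def summarize(csv_text):
    """Counts, first-seen time per file, and whether the 1000-file cap was hit."""
    signals, flat = flatten_signals(csv_text)
    first_seen = {}
    for row in sorted(flat, key=lambda r: r["timestamp"]):
        first_seen.setdefault(row["path"], row["timestamp"])
    return {"signals": signals, "file_rows": len(flat),
            "unique_files": len(first_seen), "first_seen": first_seen,
            # at or above the cap, the export may be truncated: use Easy Auditor
            "possibly_truncated": len(flat) >= CSV_FILE_CAP}


def files_for_detection(csv_text, date_prefix):
    """Unique paths whose signal timestamp starts with date_prefix, e.g. '2024-05-01'."""
    _, flat = flatten_signals(csv_text)
    return sorted({r["path"] for r in flat if r["timestamp"].startswith(date_prefix)})
```

Run `summarize(open("export.csv").read())` against a real download; a true `possibly_truncated` is the cue to pull the complete list from an Easy Auditor user report instead.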

If Warning

  1. Review the list of files affected for the user account and IP address by selecting the link in the Files column.

    The file list view shows the files that triggered the security event. The last hour of files accessed by the user is shown and should be reviewed for possible compromise or data recovery.

  2. If the affected files are the result of normal file operations and not a malicious event, the event can be marked as resolved from the Actions menu.

  3. If you need to flag the event as a false positive, see the instructions in the Flag As False Positive section.

  4. The security event is closed and moved to the Event History tab.

If Major

  1. Review the affected files, user name, and IP address to locate the user in AD and in your organization.

  2. Review the time-to-lockout timer in the Active Events tab, which shows the time remaining until the lockout is issued.

  3. If you determine this is a false alarm, by contacting the user and assessing the affected files, use the Action Menu to Stop the Lockout timer and then mark the security event as Resolved.

  4. If you determine it is a malicious security event, you can accelerate the lockout by selecting Lockout Now in the Action menu.

  5. Recovery: Re-image the machine or follow the other recovery procedures that your policies require. Determine which files are to be recovered on PowerScale by selecting the Files option on the security event. From this screen, you can download a CSV file of trigger files AND files from the last 1 hour of activity.

  6. Restore User Access: Take this step only after it has been determined that it is safe to restore access to the user. The Actions menu removes the user account lockout for all cluster shares to which that user had access: select Restore User Access.

  7. The security event is now in the Restored state and can be archived to the Event History tab: using the Actions menu, submit a Mark As Resolved action.

  8. If you need to flag the event as a false positive, see the instructions in the Flag As False Positive section.

If Critical

  1. The security event has a lockout applied immediately, since it is a critical detection.

  2. Recovery: Re-image the machine or follow the other recovery procedures that your policies require. Determine which files are to be recovered on PowerScale by selecting the Files option on the security event. From this screen, you can download a CSV file of trigger files AND files from the last 1 hour of activity.

  3. Restore User Access: Take this step only after it has been determined that it is safe to restore access to the user. The Actions menu removes the user account lockout for all cluster shares to which that user had access: select Restore User Access.

  4. The security event is now in the Restored state and can be archived to the Event History tab: using the Actions menu, submit a Mark As Recovered action.

  5. If you need to flag the event as a false positive, see the instructions in the Flag As False Positive section.

Security Event Action State Descriptions

Once a user security event appears in the Active Events tab, the following operations are possible by clicking the Actions icon. Each state has several possible actions.

Warning State

Possible Actions:

  • Comment - Comment on the event to update the security response or assessment of the event. Can be viewed by other administrators who review the security event history.
  • Archive as Unsolved - Moves the event to the History tab.
  • Lockout - From the Access Restored state it's possible to lock out the user again from the action menu. This applies deny permission to all shares stored within the lockout event.
  • Acknowledged State - An administrator has acknowledged this event but has not marked it as resolved. In this state the user is not locked out and is not in a timed lockout state.
  • Create Snapshot - Manual snapshot created on all share paths in the security event.
  • Delete Snapshot - Manual snapshot deleted on all share paths in the security event.

Locked out User State (Critical Severity Threat Detection)

Possible Actions:

  • Comment - Comment on the event to update the security response or assessment of the event. Can be viewed by other administrators who review the security event history.

  • Restore User Access - This reverses the lockout and grants access to the shares that were locked out. Review the lockout details for a full list of the shares and clusters to which the lockout was applied.

    Once Restore User Access is launched, a restore access job starts (visible in the Running Jobs window) and restores access in real time to the shares that were locked out.

    • Verify that the user has access
    • Verify a cluster share to confirm that the restore access was successful
  • Archive as Unsolved - Leaves the lockout applied and moves the event to the History tab. Not recommended unless the user's access is permanently revoked.

  • Create Snapshot - Manual snapshot created on all share paths in the security event.

  • Delete Snapshot - Manual snapshot deleted on all share paths in the security event.

Access Restored State

Possible Actions:

  • Mark as Recovered - This option allows archiving the security event to the history tab.

  • Lockout - From the Access Restored state it's possible to lock out the user again from the action menu. This applies deny permission to all shares stored within the lockout event.

  • Initiate Self Recovery - This option only functions if the Cluster Storage Monitor add-on is purchased (licensed). It integrates with the Backup Recovery User portal to create secured shares to snapshots and DR data that allow the user to recover data from snapshots. The temporary shares have a 2-day lifetime by default, after which they are deleted. The shares are secured only to the user involved in the lockout. The data recovery request requires approval in the Data Recovery Manager icon.

  • Comment - Comment on the event to update the security response or assessment of the event. Can be viewed by other administrators who review the security event history.

  • Restore User Access - (Allows re-running this job in the event a share update failed.) This reverses the lockout and grants access to the shares that were locked out. Review the lockout details for a full list of the shares and clusters to which the lockout was applied.

    Once Restore User Access is launched, a restore access job starts (visible in the Running Jobs window) and restores access in real time to the shares that were locked out.

    • Verify that the user has access
    • Verify a cluster share to confirm that the restore access was successful
  • Archive as Unsolved - Leaves the lockout applied and moves the event to the History tab. Not recommended unless the user's access is permanently revoked.

  • Create Snapshot - Manual snapshot created on all share paths in the security event.

  • Delete Snapshot - Manual snapshot deleted on all share paths in the security event.

Delayed Lockout State

Possible Actions:

  • Lockout - From the Access Restored state it's possible to lock out the user again from the action menu. This applies deny permission to all shares stored within the lockout event.
  • Stop Lockout Timer - This option stops the timed lockout. Use it when the investigation determines that the user account should not be locked out. The status changes to Acknowledged and the lockout does not proceed.
  • Comment - Comment on the event to update the security response or assessment of the event. Can be viewed by other administrators who review the security event history.
  • Create Snapshot - Manual snapshot created on all share paths in the security event.
  • Delete Snapshot - Manual snapshot deleted on all share paths in the security event.

Acknowledged State

Possible Actions:

  • Comment - Comment on the event to update the security response or assessment of the event. Can be viewed by other administrators who review the security event history.
  • Archive as Unsolved - Leaves the lockout applied and moves the event to the History tab. Not recommended unless the user's access is permanently revoked.
  • Mark as Recovered - This option allows archiving the security event to the history tab.
  • Create Snapshot - Manual snapshot created on all share paths in the security event.
  • Delete Snapshot - Manual snapshot deleted on all share paths in the security event.

Archived Event on Event History

Possible Actions:

  • Comment - Comment on the event to update the security response or assessment of the event. Can be viewed by other administrators who review the security event history.
  • Create Snapshot - Manual snapshot created on all share paths in the security event.
  • Delete Snapshot - Manual snapshot deleted on all share paths in the security event.

Error State

Possible Actions:

  • Open the Actions menu to see the Event Action History. Here you will see which shares had an issue during Lockout or Restore, and the reason.
  • Lockout - If the Lockout error is related to an AEC_CONFLICT, select the Lockout action again to re-attempt the Lockout.
  • Restore - If the Restore error is related to an AEC_CONFLICT, select the Restore action again to re-attempt the Restore.

See Also

To learn how to configure the threat detection settings that generate these events, review the Configuration section.