Active Defense

Active Defense is the BrickStor SP feature that detects ransomware attacks, malware activity, and other types of unusual activity on file systems in real time. Suspicious activity is flagged in the form of an Incident, which can generate an alert, block the user or IP address of the endpoint responsible for the attack, and provide a recovery point prior to the incident.

User Behavior

User Behavior is a BrickStor SP feature that monitors user IO (Input/Output) operations and records them for administrative review. This allows Active Defense to analyze the activity and report on it by creating incidents.

Incidents

An incident is an Active Defense record of unusual activity; actions can be taken on it based on the incident rules that are in place. Active Defense incidents are managed in a centralized location and organized into a list, with each incident receiving its own summary. Administrators can modify which information fields are displayed for a more concise or more detailed report. They can also create custom incidents to place users or hosts under a temporary block until the situation can be assessed further.

Incident Rules

Incident rules are defined criteria that determine what actions are taken when an incident is flagged. Active Defense comes with pre-configured rules used for threat detection, and custom rules can be created to meet the needs of the organization.

Users & Hosts

Users & Hosts are the authenticated persons and computers on the network. Administrators can view a collection of all users and hosts associated with active incidents, filter this collection via a search bar, configure which information columns are displayed for each user or group, and group the users based on columns of interest. The default filters provided with Hub are With Incidents and Blocked.

With Incidents - Display all Users & Hosts with an active incident.
Blocked - Display Users & Hosts that have active blocks on their incidents.

Hub also lets administrators view filtered users and hosts with the information columns of their choice:

Custom - Display various fields of information as columns for all Users & Hosts.
View - Display the option to view that user's associated incident(s).
Name - Display the Name or Host connected to the incident.
Blocking Incident - Display the incidents associated with the user that have active blocks.
Non-Blocking - Display the number of incidents associated with the user that do not have active blocks.
Open Incidents - Display all active incidents, blocking or not, associated with the user.
Recently Closed - Display the number of recently closed incidents associated with the user.

Assessors

Assessors are definitions of pre-defined malicious behavior patterns used by BrickStor SP to analyze user behavior and detect potential malicious intent.

Administrator Access

Administrator Access assessors detect when any administrator, domain administrator, enterprise administrator, or account operator initiates an operation against a file. The rules for Admin Access incidents are default rules, and the only action applied when this incident is triggered is Hold Snapshots. Once an Admin Access incident is triggered, the user account name and the IP address of the user's device are displayed at the top of the screen, along with the affected dataset(s) and the number of affected files.

Excessive File Access

The Excessive File Access assessors detect file operations whose volume over a set time span stands out against typical access patterns. The operations covered by these assessors are file read, write, and delete. These assessors are configurable on a per-dataset basis. Active Defense MUST be enabled prior to enabling Excessive File Access.

The assessors are located in the Active Protection section of the Active Defense tab. To enable Excessive File Access for a dataset, click the Cog Wheel in the Action column for that dataset, select Edit Security, then toggle the Enabled slider at the far right of the Excessive File Access panel. Enabling the option opens a dialog box in which the user configures how many file read, write, and delete operations to track per minute, as well as the number of Access Denied attempts per hour. Each of the four access trackers has Notify After and Block After options. Once the Notify After threshold for a file operation has been reached, an incident is created, which can be viewed on the Security Incidents screen. Once the Block After threshold has been reached, the User Block and Hold Snapshots actions are applied to that incident.
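To make the two-threshold behaviour of the four access trackers concrete, here is an added Python model of that logic (not BrickStor SP code, and not how the product implements it): a sliding-window counter per user, IP and operation that opens an incident at Notify After and attaches User Block and Hold Snapshots at Block After. The threshold values, the user names, IP addresses and event stream are all constructed for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Hypothetical thresholds mirroring the Excessive File Access panel: read,
# write and delete are tracked per minute, Access Denied per hour.
TRACKERS = {
    "read":   {"window": 60,   "notify": 5, "block": 8},
    "write":  {"window": 60,   "notify": 5, "block": 8},
    "delete": {"window": 60,   "notify": 3, "block": 5},
    "denied": {"window": 3600, "notify": 4, "block": 6},
}

@dataclass
class Incident:
    user: str
    ip: str
    op: str
    actions: list = field(default_factory=list)

class ExcessiveFileAccess:
    """Sliding-window counter per (user, IP, operation) with two thresholds."""
    def __init__(self, trackers=TRACKERS):
        self.trackers = trackers
        self.events = defaultdict(deque)   # key -> timestamps inside the window
        self.incidents = {}                # key -> open Incident

    def observe(self, ts, user, ip, op):
        """Record one IO event (ts in seconds); return the open incident, if any."""
        cfg = self.trackers[op]
        key = (user, ip, op)
        window = self.events[key]
        window.append(ts)
        while ts - window[0] >= cfg["window"]:   # drop events older than the window
            window.popleft()
        count = len(window)
        inc = self.incidents.get(key)
        if inc is None and count >= cfg["notify"]:     # Notify After: open an incident
            inc = self.incidents[key] = Incident(user, ip, op, ["Notify"])
        if inc and count >= cfg["block"] and "User Block" not in inc.actions:
            inc.actions += ["User Block", "Hold Snapshots"]  # Block After actions
        return inc

# Constructed sample: six deletes within one minute from jdoe, one read from asmith.
SAMPLE = [(i, "jdoe", "10.0.0.7", "delete") for i in range(6)] + \
         [(2, "asmith", "10.0.0.9", "read")]

def run_sample(events=SAMPLE):
    engine = ExcessiveFileAccess()
    for ts, user, ip, op in events:
        engine.observe(ts, user, ip, op)
    return engine.incidents
```

Because the window slides rather than resets on a fixed minute boundary, a burst that straddles a clock minute is still counted as one burst.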