Active Defense

Active Defense is a BrickStor SP feature that detects ransomware attacks, malware activity, and other types of unusual activity on filesystems in real time. Suspicious activity is flagged in the form of an incident. An incident can generate an alert, block the user or IP address of the endpoint responsible for the attack, and provide a recovery point taken prior to the incident.

Users & hosts

Users & hosts are the authenticated persons and computers on the network. Administrators can view a collection of all users/hosts associated with active incidents, filter this collection via a search bar, configure which information columns are displayed for each user/host, and group the users by columns of interest.

Default filters provided with Hub are With Incidents and Blocked.

  • With Incidents - Display all Users & Hosts with an active incident.

  • Blocked - Display Users & Hosts that are actively being blocked.

Administrators can view filtered users/hosts with the information columns of their choice.

Custom - Display various fields of information in the form of columns for all users/hosts.

  • View - Display the option to view that user’s associated incident(s).

  • Name - Display the Name or Host connected to the incident.

  • Blocking Incident - Display the incidents associated with the user that have active blocks.

  • Non-Blocking - Display the number of incidents associated with the user that don’t have active blocks.

  • Open Incidents - Display all active incidents, blocking or not, associated with the user.

  • Recently Closed - Display the number of recently closed incidents associated with the user.

Assessors

Assessors are pre-defined definitions of malicious behavior patterns that BrickStor SP uses to analyze user behavior and detect potential malicious intent.

Administrator access

Administrator Access assessors detect when any administrator, domain administrator, enterprise administrator, or account operator initiates an operation against a file. The Admin Access incident rules are default rules; the only action applied when this incident is triggered is Hold Snapshots.

Once an Admin Access incident is triggered, the user account name and the IP address of the user's device are displayed at the top of the screen, together with the affected dataset(s) and the number of affected files.

Excessive file access

The excessive file access assessors detect file operations whose volume over a set time span stands out against typical access patterns. The operations covered by these assessments are file read, write, and delete. These assessors are configurable on a per-dataset basis.

Active Defense MUST be enabled prior to enabling Excessive File Access.

In the Active Protection section of the Active Defense tab, enable the Excessive File Access assessors for a dataset by clicking the cog wheel in the Action column for that dataset, selecting Edit Security, then toggling the Enabled slider at the far right of the Excessive File Access panel.

Enabling Excessive File Access opens a dialog box in which the user configures how many file read, write, and delete operations to track per minute, as well as how many Access Denied attempts to track per hour. Each of the four access trackers has Notify After and Block After options.

Once the Notify After threshold for a given file operation has been reached, an incident is created, which can be viewed on the Security Incidents screen.

When the Block After threshold has been reached, the User Block and Hold Snapshots actions are applied to that incident.
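To make the two-threshold behavior concrete, the following is an added example (not BrickStor SP code) that models the four access trackers as sliding-window counters per user and operation, opening an incident at Notify After and attaching User Block and Hold Snapshots at Block After. The threshold values, window sizes, user names, IP addresses and dataset names are constructed for the demonstration.

```python
from collections import defaultdict, deque

# Constructed thresholds: op -> (window_seconds, notify_after, block_after).
# Read/write/delete are tracked per minute and access-denied per hour, as in
# the Excessive File Access dialog; the numbers are example values only.
THRESHOLDS = {
    "read":   (60, 500, 1000),
    "write":  (60, 200, 400),
    "delete": (60, 50, 100),
    "denied": (3600, 20, 50),
}

class ExcessiveFileAccessAssessor:
    """Sliding-window rate tracker per (user, operation) with two thresholds."""

    def __init__(self, thresholds=THRESHOLDS):
        self.thresholds = thresholds
        self.window = defaultdict(deque)   # (user, op) -> timestamps inside the window
        self.incidents = {}                # (user, op) -> open incident record

    def observe(self, ts, user, ip, dataset, op):
        """Record one file operation at time ts (seconds); return the incident, if any."""
        window_s, notify_after, block_after = self.thresholds[op]
        q = self.window[(user, op)]
        q.append(ts)
        while ts - q[0] >= window_s:       # expire events older than the window
            q.popleft()
        count = len(q)
        inc = self.incidents.get((user, op))
        if inc is None and count >= notify_after:
            # Notify After reached: open an incident (shown on Security Incidents)
            inc = {"user": user, "ip": ip, "dataset": dataset, "op": op,
                   "actions": set(), "peak": count}
            self.incidents[(user, op)] = inc
        if inc is not None:
            inc["peak"] = max(inc["peak"], count)
            if count >= block_after:
                # Block After reached: apply User Block and Hold Snapshots
                inc["actions"].update({"User Block", "Hold Snapshots"})
        return inc

def run_sample():
    """Replay a constructed event stream and return the incidents it raises."""
    a = ExcessiveFileAccessAssessor()
    # bob: 60 deletes spread over 10 minutes (6/min) never reach 50 in one minute
    for i in range(60):
        a.observe(i * 10, "bob", "10.0.0.5", "pool/home", "delete")
    # mallory: 120 deletes in 30 seconds -> incident at 50, block at 100
    for i in range(120):
        a.observe(1000 + i * 0.25, "mallory", "10.0.0.9", "pool/finance", "delete")
    return a.incidents
```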