To detect security incidents efficiently, 8MAN monitors user-initiated file server events. If an unusually large number of such events occurs within a short period of time, 8MAN proactively notifies the responsible persons.
8MAN indicates the following possible security incidents:
•Data theft: a user account reads an unusually large number of files in a short period of time ("file read")
•Sabotage: a user account deletes a very large number of files in a short period of time ("file delete")
•Ransomware attack: a user account produces a combination of file creations and file deletions in a short period of time ("file create" & "file delete")
You can configure the following events as alert triggers:
•Permission (ACL) changed
Define thresholds by the number of events and the time interval in which they must occur. Service accounts, administrator accounts and special directories can be excluded from alerting via a blacklist, so that legitimate bulk activity (backups, migrations, build output) does not raise alerts.
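The threshold logic described above (per-account event counts inside a sliding time window, with a blacklist for accounts and directories), as an added example in Python. This is not 8MAN code: the rule names, thresholds, window lengths, account names, paths and the sample events are all constructed for illustration. The rules cover the three incident categories listed above plus an immediate alert on the "Permission (ACL) changed" trigger.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical threshold rules modelled on the categories above.
# name -> (window in seconds, {event type: minimum count within the window}).
# A rule fires when every event type it lists reaches its count inside the window.
RULES = {
    "data theft": (60, {"file read": 50}),
    "sabotage": (60, {"file delete": 20}),
    "ransomware": (60, {"file create": 10, "file delete": 10}),
    "permission change": (1, {"acl changed": 1}),
}

# Blacklist (constructed names): accounts and directory prefixes that never raise alerts.
EXCLUDED_ACCOUNTS = {"CORP\\svc-backup", "CORP\\Administrator"}
EXCLUDED_DIRS = ("\\\\fs01\\scratch\\",)


def detect(events, rules=RULES, excluded_accounts=EXCLUDED_ACCOUNTS,
           excluded_dirs=EXCLUDED_DIRS):
    """Replay events in time order; return (rule, account, timestamp) the first
    time an account satisfies a rule. An event is (iso_timestamp, account, type, path)."""
    max_window = timedelta(seconds=max(w for w, _ in rules.values()))
    history = defaultdict(deque)   # (account, type) -> timestamps kept for max_window
    fired = set()                  # (rule, account) pairs already alerted
    alerts = []
    for ts_str, account, kind, path in sorted(events, key=lambda e: datetime.fromisoformat(e[0])):
        if account in excluded_accounts or path.startswith(excluded_dirs):
            continue               # blacklist: service accounts, admins, special directories
        ts = datetime.fromisoformat(ts_str)
        seen = history[(account, kind)]
        seen.append(ts)
        while seen[0] < ts - max_window:
            seen.popleft()         # slide the window, drop what no rule can still use
        for name, (window, needed) in rules.items():
            if kind not in needed or (name, account) in fired:
                continue
            cutoff = ts - timedelta(seconds=window)
            counts = {k: sum(1 for t in history.get((account, k), ()) if t >= cutoff)
                      for k in needed}
            if all(counts[k] >= n for k, n in needed.items()):
                fired.add((name, account))
                alerts.append((name, account, ts_str))
    return alerts


def make_events():
    """Constructed sample events, not 8MAN log output."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    ev = []
    # Normal work: 30 reads spread over 10 minutes stays below the threshold.
    for i in range(30):
        ev.append(((base + timedelta(seconds=20 * i)).isoformat(), "CORP\\jdoe",
                   "file read", f"\\\\fs01\\finance\\q1\\report{i}.xlsx"))
    # Suspected data theft: 60 reads within 30 seconds.
    for i in range(60):
        ev.append(((base + timedelta(seconds=i / 2)).isoformat(), "CORP\\mmiller",
                   "file read", f"\\\\fs01\\hr\\payroll\\{i}.pdf"))
    # ACL change on a sensitive folder: alerted on the first occurrence.
    ev.append(((base + timedelta(minutes=2)).isoformat(), "CORP\\jdoe",
               "acl changed", "\\\\fs01\\hr\\"))
    # Ransomware pattern: a new file is written and the original deleted, 15 times.
    for i in range(15):
        t = (base + timedelta(minutes=5, seconds=i)).isoformat()
        ev.append((t, "CORP\\ksmith", "file create", f"\\\\fs01\\projects\\doc{i}.docx.locked"))
        ev.append((t, "CORP\\ksmith", "file delete", f"\\\\fs01\\projects\\doc{i}.docx"))
    # Sabotage: 25 deletes within 13 seconds, no creates.
    for i in range(25):
        ev.append(((base + timedelta(minutes=8, seconds=i / 2)).isoformat(), "CORP\\rlee",
                   "file delete", f"\\\\fs01\\projects\\archive\\{i}.zip"))
    # Backup service account reading 200 files: excluded via the account blacklist.
    for i in range(200):
        ev.append(((base + timedelta(seconds=i / 10)).isoformat(), "CORP\\svc-backup",
                   "file read", f"\\\\fs01\\finance\\{i}.dat"))
    # Burst of reads in the scratch directory: excluded via the directory blacklist.
    for i in range(60):
        ev.append(((base + timedelta(seconds=i / 2)).isoformat(), "CORP\\builder",
                   "file read", f"\\\\fs01\\scratch\\obj{i}.o"))
    return ev


if __name__ == "__main__":
    for rule, account, when in detect(make_events()):
        print(f"{when}  ALERT {rule}: {account}")
```

Each (rule, account) pair alerts once, at the event that crosses the threshold; the ransomware rule only fires when both the create and the delete counts are reached, so a pure deletion burst is classified as sabotage rather than ransomware, and the blacklisted backup account and scratch directory produce no alerts despite their far higher event rates.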
If a file server or Active Directory alert is triggered, 8MAN can execute a script. This is relevant, for example, in the following scenario:
A user account is added to a monitored administrator group. An alert is triggered immediately, and the linked script removes the account from the group again. Any addition to the administrator group is thus reverted automatically. Note that the removal happens only after the alert has fired, so the account is a member for a short time, and that legitimate changes to the group must be coordinated with this automation, otherwise they are reverted as well.
In version 9, you prioritize alerts according to the Windows Event Log categories. In addition, alert emails are sent categorized accordingly.
Enable alerts for file server directories
Activate alerts for suspected cases of data theft (file server)
Enable alerts for data erasure (file server)
Enable alerts for suspected ransomware attacks (file server)
Run a script after an alert