Veritas Data Insight User's Guide
About Data Insight custom reports
Sometimes the existing report types might not be adequate for creating reports according to your needs. For example, you might want to create a report having the name, size, active data size, openness, and number of active users for each share. In such situations, Data Insight enables you to create customized reports to suit your requirements. You can use the proprietary Data Insight Query Language (DQL) to generate such custom reports.
For more information about creating DQL queries, see the Veritas Data Insight SDK Programmer's Guide.
Data is constantly vulnerable to unknown threats from malware variants, such as ransomware, that continue to evolve. Protecting your data against these variants requires you to promptly detect the malicious attack and take an effective course of remediation.
Veritas Data Insight periodically collects audits of the read, write, and rename activities performed on the files in the monitored storage environment. With the ransomware reports, you can capture the count of write and rename activities performed on the files by each user. If the count is higher than the specified threshold value, then the files on which the activities occurred could be exploited. The threshold value is the count of write and rename activities that you permit per user on files present in a data source. For example, when ransomware infects a file, it encrypts and renames the file to include a unique extension. When the Write Rename sensor query is executed on a data source, it fetches the count of write and rename activities performed by users on files within 24 hours. If it detects any user who performed more than 100 write and rename activities, the files on which the activities happened are termed as potentially exploited, and the users who are configured on the page are alerted.
By default, the threshold value is set to 100. This means that whenever any user performs 100 rename or write activities within 24 hours, the files accessed by that user could be infected.
The threshold value can be set by running the following command on the Management Server.
configdb -O -J ransomware.path.count -j <value>
For example,
configdb -O -J ransomware.path.count -j 72
Note that if the threshold value is low, then the reports might capture the authentic write and rename activities that happen as part of the routine tasks. Thus, it is recommended to consider these tasks when configuring the threshold value.
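The per-user thresholding described above, as an added example (not Data Insight code and not DQL): it counts write and rename events per user over the last 24 hours in a constructed audit trail and lists the files touched by users above the threshold. The event tuple layout, the function names, and the user names are assumptions made for the example; the comparison follows the "more than" wording.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)          # look-back period named in the guide
COUNTED_OPS = {"write", "rename"}     # reads are audited but not counted


def flag_users(events, now, threshold=100):
    """Return {user: sorted paths} for users whose write+rename count in the
    last 24 hours exceeds `threshold`.

    `events` is an iterable of (timestamp, user, operation, path) tuples;
    this layout is an assumption for the example, not Data Insight's schema.
    """
    counts = defaultdict(int)
    paths = defaultdict(set)
    for ts, user, op, path in events:
        if op not in COUNTED_OPS or not (now - WINDOW < ts <= now):
            continue
        counts[user] += 1
        paths[user].add(path)
    return {u: sorted(paths[u]) for u, n in counts.items() if n > threshold}


def sample_events(now):
    """Constructed audit trail: one write/rename burst, one routine user."""
    events = []
    # 'bulk_user' writes and renames 60 files within a minute (120 events).
    for i in range(60):
        ts = now - timedelta(minutes=10) + timedelta(seconds=i)
        events.append((ts, "bulk_user", "write", f"/share/docs/f{i}.docx"))
        events.append((ts, "bulk_user", "rename", f"/share/docs/f{i}.docx.locked"))
    # 'routine_user' saves one file 80 times during the day, with reads.
    for i in range(80):
        ts = now - timedelta(hours=8) + timedelta(minutes=i)
        events.append((ts, "routine_user", "write", "/share/finance/budget.xlsx"))
        events.append((ts, "routine_user", "read", "/share/finance/budget.xlsx"))
    # Activity older than 24 hours must not count.
    events.append((now - timedelta(hours=30), "routine_user", "rename", "/share/old.txt"))
    return events


if __name__ == "__main__":
    now = datetime(2024, 1, 2, 12, 0, 0)
    events = sample_events(now)
    print(sorted(flag_users(events, now)))                # default threshold
    print(sorted(flag_users(events, now, threshold=72)))  # lower threshold
```

With the default of 100 only the burst account is flagged; at 72 the routine account is flagged as well, which is the effect of a low threshold that the note above describes.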
You must configure the ransomware report schedule to run once every 4 hours so that it runs along with the indexer schedule. This ensures that the ransomware query gets sufficient event logs for processing.
See About DQL query templates for more information about different types of ransomware reports.