Why does WS block a user for activities on devices excluded from the WS attack policy?
- Views:
- 120
- Visibility:
- Public
- Votes:
- 0
- Category:
- data-infrastructure-insights
- Specialty:
- bluexp_insights
- Last Updated:
Applies to
- Workload Security (WS)
- Cloud Insight Services (CI)
- Automated response attack policies for Anti Ransomware
Answer
- The device list in an automated response attack policy applies only to the snapshot action: snapshots of the impacted volumes are taken on a vserver (SVM) device only if that device is included in the list. User blocking is performed regardless of whether the source device is included in or excluded from the device list, to prevent the attack from continuing.
- For example:
- Say there are 3 SVM data collectors (xxx, yyy, zzz) monitored using WS
- An automated response ransomware attack policy is in place where the device drop-down includes only xxx, and both Take Snapshot and Block User File Access are selected as actions. Here, if WS finds any attack originating from xxx, it will take snapshots of the impacted volumes of the attack (impacted volumes can be seen on the alert page)
- If an attack originates from yyy or zzz, no snapshot will be taken on any volume
- However, user blocking is done on all 3 devices as long as they are on the WS data collectors list, so the attack cannot proceed on new devices/volumes
Additional Information
If blocking a user is not desirable on particular vserver devices, those devices need to be removed from the data collectors list in WS.
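The following Python is an added illustration of the decision rule described in the answer and in the note above, written for this page; it is not NetApp or Workload Security code and does not reflect any real WS API. It encodes two rules from the article: the snapshot action honours the policy's device list, while user blocking applies to every device on the data collectors list. The `Alert` fields, the `monitored_devices` argument, and the assumption that a device not on the data collectors list receives no automated response at all are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackPolicy:
    """Automated response attack policy as described on this page (constructed model)."""
    devices: frozenset          # SVM data collectors selected in the policy device drop-down
    take_snapshot: bool         # "Take Snapshot" action selected
    block_user: bool            # "Block User File Access" action selected


@dataclass(frozen=True)
class Alert:
    """Minimal ransomware alert (constructed; field names are assumptions)."""
    user: str
    source_device: str          # SVM data collector the attack originated from
    impacted_volumes: tuple     # volumes shown on the alert page


def evaluate_response(policy: AttackPolicy, alert: Alert, monitored_devices: set) -> dict:
    """Return the automated actions WS would take for an alert, per the article's rules.

    - Snapshots: only when the source device is included in the policy's device list.
    - Block user: on every device in the WS data collectors list, regardless of that list.
    """
    actions = {"snapshots": [], "block_user_on": []}

    # Assumption: a device that is not a WS data collector is not monitored,
    # so no alert is raised and no automated response is possible.
    if alert.source_device not in monitored_devices:
        return actions

    if policy.take_snapshot and alert.source_device in policy.devices:
        actions["snapshots"] = list(alert.impacted_volumes)

    if policy.block_user:
        # Blocking is not filtered by the policy device list (the point of the article).
        actions["block_user_on"] = sorted(monitored_devices)

    return actions


# The article's example: three collectors, policy device list contains only xxx.
MONITORED_DEVICES = {"xxx", "yyy", "zzz"}
EXAMPLE_POLICY = AttackPolicy(devices=frozenset({"xxx"}), take_snapshot=True, block_user=True)


def run_example() -> dict:
    """Evaluate an attack from each collector, plus the 'Additional Information' case."""
    results = {}
    for device in sorted(MONITORED_DEVICES):
        alert = Alert(user="user1", source_device=device, impacted_volumes=("vol_a", "vol_b"))
        results[device] = evaluate_response(EXAMPLE_POLICY, alert, MONITORED_DEVICES)

    # Removing zzz from the data collectors list is the only way to stop blocking on zzz.
    reduced = MONITORED_DEVICES - {"zzz"}
    alert = Alert(user="user1", source_device="yyy", impacted_volumes=("vol_c",))
    results["yyy_after_removing_zzz"] = evaluate_response(EXAMPLE_POLICY, alert, reduced)
    return results


if __name__ == "__main__":
    for case, outcome in run_example().items():
        print(case, outcome)
```

Running the example shows that only the attack from xxx produces snapshots, that every case blocks the user on all three collectors, and that blocking stops reaching zzz only once zzz is removed from the data collectors list, which matches the note above.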