Real-time User Activity Alerts and Incident Response
Ekran System® provides an actionable alert system to enable quick incident response.
Besides easy-to-use tools to build your custom alerting rules, Ekran System deployment includes a library of alert patterns prepared by our experts according to the best security practices.
You can import this default library and select alerts that meet your security strategy.
You can also use the built-in alert export/import features to reuse your custom alerts across multiple Ekran System Server deployments.
User action alerts are fully customizable. You can configure any number of rules to trigger real-time notifications and automatic responses using parameters such as:
- User names
- Application names
- Window titles (including folder or file names)
- Visited URLs
- Types and groups of connected USB devices (for all Windows clients)
- Typed keywords
- Entered commands and/or parameters (for Linux clients)
You can assign a risk level to each alert; the risk level is used in reports and to highlight alerted events in the monitoring data.
User and entity behavior analytics (UEBA)
Ekran’s alert system includes an artificial intelligence module that establishes a baseline of user behavior to detect abnormal user activity and possible account compromise.
With the UEBA module, you can get real-time notifications via email, view sessions with behavior anomalies, and quickly respond to suspicious user activity.
For instance, this AI-powered module can establish a user’s typical work hours and notify you in case of user activity outside of normal hours.
When an Alert Is Triggered
You can configure the response to a triggered alert using a combination of the following:
User activity monitoring notifications allow your incident response team to quickly detect and analyze an issue in order to respond promptly.
Your security specialists can be notified about potentially critical events right when an alert is triggered. Notifications are delivered via email and/or system tray message and contain a direct link to the session that triggered the alert. After clicking this link, the specialist is redirected to the Ekran player, where they can replay the episode in question to analyze the context and respond.
If the user warning message option is set up, a user who triggers an alert will see a customizable warning message. The message can be closed only after a configurable delay, to make sure the user has acknowledged the actions they performed.
Automated incident responses
In addition to notifying security staff, Ekran System allows you to set up automated incident response actions for each alert.
Ekran System can automatically respond to critical incidents by:
- Blocking the user who triggered the alert (forcing them to log out from all sessions and restricting further logins)
- Blocking a connected USB device of a restricted type
- Killing the related application (process)
Besides real-time user activity monitoring notifications, Ekran System provides a dedicated suspicious user activity alert report containing details of all alerts triggered during a specified period. This report lets you analyze, audit, and cross-check incident response actions.
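The following is an added illustration, not Ekran System code, of how the alert model described above fits together: rules match on the listed activity parameters (user, application, window title, URL, USB device type, keywords, command), each rule carries a risk level and a set of response actions, and a per-user work-hours baseline flags activity outside normal hours as the UEBA section describes. Rule patterns, risk labels, response names, the baseline and the sample events are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
import re

@dataclass
class Event:
    """One monitored user action; fields mirror the alert parameters above."""
    ts: datetime
    user: str
    app: str = ""
    title: str = ""
    url: str = ""
    usb_type: str = ""
    keywords: str = ""
    command: str = ""

@dataclass
class Rule:
    name: str
    risk: str            # hypothetical labels: "Critical", "High", "Normal"
    conditions: dict     # event field -> regex; every condition must match
    responses: tuple     # hypothetical actions: notify, warn_user, block_usb, ...

# Constructed rules (not the vendor's default alert library).
RULES = [
    Rule("mass-storage USB", "High", {"usb_type": r"(?i)mass storage"}, ("notify", "block_usb")),
    Rule("privileged shell command", "Critical", {"command": r"^(sudo|su)\b"}, ("notify", "warn_user")),
    Rule("sensitive file opened", "Normal", {"app": r"(?i)excel", "title": r"(?i)salar(y|ies)"}, ("notify",)),
]

# Constructed per-user baseline of typical work hours (start, end), standing in
# for what a learned UEBA baseline would provide.
WORK_HOURS = {"alice": (8, 18), "bob": (9, 17)}

def matches(rule, event):
    return all(re.search(pat, getattr(event, f)) for f, pat in rule.conditions.items())

def evaluate(event, rules=RULES, baseline=WORK_HOURS):
    """Return (rule name, risk, responses) for each triggered rule, plus an
    off-hours anomaly when the event time is outside the user's baseline."""
    hits = [(r.name, r.risk, r.responses) for r in rules if matches(r, event)]
    start, end = baseline.get(event.user, (0, 24))
    if not start <= event.ts.hour < end:
        hits.append(("outside work hours", "High", ("notify",)))
    return hits

# Constructed sample events: a late-night privileged command, a normal-hours
# spreadsheet access, and a mass-storage device connection.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 4, 22, 15), "alice", command="sudo rm -rf /tmp/x"),
    Event(datetime(2024, 3, 4, 10, 0), "bob", app="Microsoft Excel", title="Salaries 2024.xlsx"),
    Event(datetime(2024, 3, 4, 10, 0), "bob", usb_type="USB Mass Storage"),
]
```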