Security incident detection (early access)
This is an early access feature.
It is disabled by default. It can be turned on manually, but there is no guarantee as to its stability or performance.
Security incident detection is a feature that facilitates guided file recovery and allows all alerts generated for a user within a specific time window to be correlated.
When enabled in the configuration, any new alert generated for a user opens a security incident that stays open for a defined period of time. If no new alerts are generated within that window, the incident is automatically closed when the time is up.
Security incidents can be listed through the REST API, and the file system event listing can be filtered by security incident ID. A filtered file system listing shows only the files that were changed during the incident for the given user, and returns only paths to files that are currently encrypted or deleted.
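The incident lifecycle and the filtered file listing described above, modelled in Python as an added example (not GuardMode Agent's own code). It assumes that each new alert for a user keeps the incident open and restarts the inactivity window, and it uses constructed alerts and file states rather than the agent's REST API.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Alert:
    ts: int    # seconds since epoch (constructed sample values below)
    user: str
    path: str

@dataclass
class Incident:
    id: int
    user: str
    opened: int
    last_alert: int
    closed: Optional[int] = None             # None while the incident is still open
    paths: set = field(default_factory=set)  # files touched while the incident was open

def correlate(alerts, window, now):
    """Per-user sliding-window correlation: an alert joins the user's open incident, or opens a new
    one if over `window` s passed since the last alert; incidents idle that long as of `now` close."""
    incidents, open_by_user = [], {}
    for a in sorted(alerts, key=lambda a: a.ts):
        inc = open_by_user.get(a.user)
        if inc is not None and a.ts - inc.last_alert > window:
            inc.closed = inc.last_alert + window   # window expired: auto-close the old incident
            inc = None
        if inc is None:
            inc = Incident(len(incidents) + 1, a.user, a.ts, a.ts)
            incidents.append(inc)
            open_by_user[a.user] = inc
        inc.last_alert = a.ts                      # new alert restarts the inactivity window
        inc.paths.add(a.path)
    for inc in incidents:
        if inc.closed is None and now - inc.last_alert > window:
            inc.closed = inc.last_alert + window
    return incidents

def files_for_incident(inc, current_state):
    """Filtered listing: files changed during the incident that are still encrypted or deleted."""
    return sorted(p for p in inc.paths if current_state.get(p) in ("encrypted", "deleted"))

# Constructed sample data: two users, a 10-minute (600 s) inactivity window, evaluated at t=2000.
ALERTS = [Alert(0, "alice", "/docs/a.txt"), Alert(50, "bob", "/home/bob/x.xlsx"),
          Alert(100, "alice", "/docs/b.txt"), Alert(1000, "alice", "/docs/c.txt")]
CURRENT_STATE = {"/docs/a.txt": "encrypted", "/docs/b.txt": "restored",
                 "/docs/c.txt": "deleted", "/home/bob/x.xlsx": "encrypted"}
if __name__ == "__main__":
    for inc in correlate(ALERTS, 600, now=2000):
        print(inc.id, inc.user, inc.opened, inc.closed, files_for_incident(inc, CURRENT_STATE))
```

Alice's alert at t=1000 arrives more than 600 s after her previous one, so it opens a second incident instead of joining the first; /docs/b.txt was restored after the first incident and therefore drops out of its filtered listing.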
For further information, see the API Swagger documentation on the machine where GuardMode Agent is installed → http://localhost:5000/swagger