Use the evidence locker to view exfiltration event details

When a file in your file inventory is involved in a data exfiltration event, it is stored and encrypted in the Arctic Wolf managed AWS instance using different keys for each tenant, and it is added to the evidence locker. You can view or download the files involved in exfiltration events from the evidence locker.

Evidence file collection must be enabled in the information protection settings. See Configure data collection settings for more information.

  1. In the management console, on the menu bar, click Avert > Evidence Locker.
    The evidence locker displays a list of all the files in your organization that have been involved in a data exfiltration event. The following table explains the information that is in the Evidence Locker list:

    Item

    Description

    Time Added

    This is the time the file was added to the evidence locker.

    File Name

    This is the name of the file involved in an exfiltration event.

    File Size

    This is the size of the file involved in an exfiltration event.

    Associated Events

    These are the exfiltration events that the file is associated with. You can click on the number to see more details.

    Download

    You can click this to download the full file involved in the exfiltration event. Evidence files are downloaded as a compressed .gz file. You will need a utility tool, such as 7zip, to decompress the files and view them.
  2. Click on the number in the associated events column to view the CylanceAVERT events.
  3. To filter the time added, file name, or file size columns, click The Filter column icon in the column heading.