Administrators and Super Administrators

Workplace Online > Team > Security

About Security Monitoring

A ransomware attack that encrypts your files and leaves you without access to them can pose an enormous threat to your business. And the sooner a ransomware attack is detected, the more effective damage mitigation will be.

Workplace's Ransomware Detection and Management feature:

  • Uses a series of complex algorithms to detect ransomware attacks
  • Automatically quarantines affected devices
  • Stops the syncing process to protect other devices using Workplace
  • Provides you with a confidence rating for the security incident
  • Allows you to either confirm or dismiss the incident
  • Gives you the tools to revert all affected files to their state before the attack
  • Automatically notifies all team administrators and Super Administrators of security incidents

  • Provides you with a mechanism to ignore an incident report from certain devices, or to place one or more devices on a Security Excluded Devices list to avoid repeated false positive incident reports

You'll use both the Security page, described below, and the Ransomware Incident Detail page to monitor and manage the entire process from initial incident detection through quarantine, file reversion, closure, and removal of the affected device(s) from quarantine.

This feature is designed to contain the ransomware attack and to keep it from spreading via the sync process. If you have a confirmed ransomware incident, we recommend that you revert the affected files, then recycle the device via Workplace.

The Security Page

On the Security page, you'll be able to configure security monitoring, review security incidents and the devices they have affected, and track devices that have been exempted from monitoring.

The Incident Grid

The Incident grid displays all security incidents detected. It features the following columns:

Column | Definition
ID | The system-generated identification code for the specific incident. The first two characters indicate the type of incident. This ID ensures clear communication when discussing incidents.
Type | The classification of the incident. The icon helps identify the type at a glance.
Status | The current state of the alert. Available statuses are:
Started | The time at which Workplace first detected suspicious activity.
Source | The name of the quarantined device.
Resources Affected | The number of devices, files, and projects affected by the incident.

The Security Excluded Devices Grid

The Security Excluded Devices grid displays all devices that have been temporarily or permanently removed from security incident monitoring. It features the following columns:

Column | Definition
Device | The name and operating system of the excluded device.
Owner | The user associated with the excluded device.
Excluded | The time at which the device was excluded from security monitoring.
Excluded By | The user who excluded the device from security monitoring.
