NetApp Knowledge Base

Why does AIQUM trigger multiple mail alerts for Ransomware Activity Detected event with NEW and OBSOLETE status at the same time for the same volumes?

Applies to

  • Active IQ Unified Manager (AIQUM) 9.x
  • All platforms
  • Ransomware Activity Detected events

Answer

  • This is by design for Ransomware Activity Detected events.
  • Ransomware Activity Detected events are special events in AIQUM: they are not native AIQUM events but are generated from the ONTAP EMS event callhome.arw.activity.seen.
  • Native AIQUM events behave differently: while an event is already in NEW status, AIQUM does not trigger the same event again, even if the condition recurs, until the previous alert has been obsoleted or marked as resolved.
  • This avoids spamming the alert recipients' mailboxes with the same events.
  • For subscribed EMS events (automatic or manual), the behavior differs from native AIQUM events: AIQUM triggers an event every time the corresponding EMS event is triggered in ONTAP.
  • How long an event is retained before it becomes OBSOLETE differs between automatic and manual subscriptions:
  • For automatically subscribed EMS events, AIQUM keeps the event until an EMS event arrives stating that the earlier condition has been reversed.
  • For manually subscribed EMS events, AIQUM marks them obsolete after a certain time, irrespective of the condition's status.
  • Ransomware Activity Detected, however, is a special scenario. It is EMS-based, so whenever callhome.arw.activity.seen is triggered an event is generated, but it is neither automatically nor manually subscribed and has no counter event stating that the activity is over. AIQUM therefore treats it specially: when a new occurrence arrives, it automatically obsoletes the previous event and keeps only the latest occurrence.
  • Customers with alerts configured for this event receive two mails right after one another: the first stating NEW (the latest occurrence of the callhome.arw.activity.seen event) and the second stating OBSOLETE (the earlier occurrence being obsoleted automatically because of the new event). This can be confusing, as it looks like AIQUM is falsely reporting Ransomware Activity Detected as OBSOLETE while the events page still shows it as NEW.
  • The screenshots below illustrate the behavior:
  1. First event occurred on Nov 12, 17:46 and stayed NEW until Nov 13, 10:23, when the next event triggered:
     [Screenshot: First_event_Nov12.jpg]
  2. Second event occurred on Nov 13, 10:23 and stayed NEW until Nov 13, 15:14, when the next event triggered:
     [Screenshot: Second_event_Nov13_Morning.jpg]
  3. Third event occurred on Nov 13, 15:14 and stayed NEW until Nov 14, 07:57, when the latest event triggered:
     [Screenshot: Third_event_Nov13_Afternoon.jpg]
  4. Latest event occurred on Nov 14, 07:57 and stays NEW until the next occurrence of the event:
     [Screenshot: Last_event_Nov14.jpg]
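The following is an added example, not NetApp code or part of this article, showing how an alert-handling script could suppress the OBSOLETE mail that AIQUM sends purely because a newer Ransomware Activity Detected occurrence replaced the previous one, so responders only act on the NEW mails. The alert records, volume name, the "Volume Space Full" event and the 5-minute pairing window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ARW_EVENT = "Ransomware Activity Detected"  # AIQUM event fed by callhome.arw.activity.seen

@dataclass(frozen=True)
class Alert:
    ts: datetime      # when the alert mail was sent
    volume: str       # volume named in the alert
    event: str        # AIQUM event name
    status: str       # "NEW" or "OBSOLETE"

def collapse_arw_alerts(alerts, window=timedelta(minutes=5)):
    """Drop OBSOLETE mails that are only the rollover artefact.

    AIQUM obsoletes the previous Ransomware Activity Detected event as soon as
    a new occurrence arrives for the same volume, so an OBSOLETE mail within
    `window` of a NEW mail for that volume does not mean the activity stopped.
    Every NEW mail and every other event passes through unchanged.
    """
    ordered = sorted(alerts, key=lambda a: a.ts)  # stable: NEW stays before OBSOLETE
    new_times = {}
    for a in ordered:
        if a.event == ARW_EVENT and a.status == "NEW":
            new_times.setdefault(a.volume, []).append(a.ts)
    kept = []
    for a in ordered:
        if a.event == ARW_EVENT and a.status == "OBSOLETE" and any(
            abs(a.ts - t) <= window for t in new_times.get(a.volume, [])
        ):
            continue  # rollover artefact, not an all-clear for the volume
        kept.append(a)
    return kept

def _t(s):  # constructed timestamps; the year is arbitrary
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed alert mails following the timeline in this article: every new
# occurrence produces a NEW mail and an OBSOLETE mail for the previous one.
SAMPLE = [
    Alert(_t("2023-11-12 17:46"), "vol_finance", ARW_EVENT, "NEW"),
    Alert(_t("2023-11-13 10:23"), "vol_finance", ARW_EVENT, "NEW"),
    Alert(_t("2023-11-13 10:23"), "vol_finance", ARW_EVENT, "OBSOLETE"),
    Alert(_t("2023-11-13 15:14"), "vol_finance", ARW_EVENT, "NEW"),
    Alert(_t("2023-11-13 15:14"), "vol_finance", ARW_EVENT, "OBSOLETE"),
    Alert(_t("2023-11-14 07:57"), "vol_finance", ARW_EVENT, "NEW"),
    Alert(_t("2023-11-14 07:57"), "vol_finance", ARW_EVENT, "OBSOLETE"),
    # a constructed native AIQUM event resolving normally; it must survive
    Alert(_t("2023-11-14 09:00"), "vol_finance", "Volume Space Full", "OBSOLETE"),
]
```

Running `collapse_arw_alerts(SAMPLE)` keeps the four NEW occurrences and the unrelated OBSOLETE event, and drops the three paired OBSOLETE mails.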

Additional Information

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.