NetApp Knowledge Base

Can important-events filter be used for event notification of ransomware attacks?

Category:
ontap-9
Specialty:
CORE
Applies to

ONTAP 9.10.1 or later

Answer

Yes, it can.

Additional Information

  • When 20 or more files with an unknown (previously unseen) file extension are found, the activity is assumed to be an attack. At that point the attack probability changes from low to moderate and the callhome.arw.activity.seen EMS/ASUP alert notification is generated.

cluster2::> event log show -message-name *arw*
Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
12/20/2022 11:27:55 cluster2-01      ALERT         callhome.arw.activity.seen: Call-home message for Vol1 (UUID: c437827d-8062-11ed-9f93-005056a0d3a0) svm1 (UUID: 4574c5fe-8916-11ec-b931-005056a0d3a0)

Note: In the above example, the affected SVM and volume are called out in the event message, and the volume's anti-ransomware status reflects the change:

::> security anti-ransomware volume show -vserver svm1 -volume Vol1

      Vserver Name: svm1
       Volume Name: Vol1
             State: enabled
Dry Run Start Time: -
Attack Probability: moderate
   Attack Timeline: 12/21/2022 09:34:45
Number of Attacks: 1

  • The callhome.arw.activity.seen event has Severity ALERT, and the important-events filter includes all ALERT-severity events (rule 1 in the filter output below), so the event passes that filter.

ontap913::> event catalog show -message-name callhome.arw.activity.seen

     Message Name: callhome.arw.activity.seen
         Severity: ALERT
      Description: This message occurs when ransomware activity is detected. To protect the data, a Snapshot copy has been created, which can be used to restore the original data. If your system is configured to do so, it generates and transmits an AutoSupport (or "call home") message to NetApp technical support and to the configured destinations. Successful delivery of an AutoSupport message significantly improves problem determination and resolution.
Corrective Action: Refer to the anti-ransomware documentation to take remedial measures for ransomare activity. If you need assistance, contact NetApp technical support.
   SNMP Trap Type: Severity-based
    Is Deprecated: false

ontap913::> event filter show
Filter      Rule Rule                                    SNMP Trap
Name        Posn Type     Message Name     Severity      Type      Parameters
----------- ---- -------- ---------------- ------------- --------- -----------
default-trap-events
            1    include  *                EMERGENCY, ALERT
                                                         *         *=*
            2    include  callhome.*       ERROR         *         *=*
            3    include  *                *             Standard, Built-in
                                                                   *=*
            4    exclude  *                *             *         *=*
important-events
            1    include  *                EMERGENCY, ALERT
                                                         *         *=*
            2    include  callhome.*       ERROR         *         *=*
            3    exclude  *                *             *         *=*
no-info-debug-events
            1    include  *                EMERGENCY, ALERT, ERROR, NOTICE
                                                         *         *=*
            2    exclude  *                *             *         *=*
9 entries were displayed.
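The rule matching shown in the `event filter show` output, modelled in Python as an added example (not NetApp's code): it transcribes the three filters above and returns the first rule that matches an event. That rules are evaluated in ascending position order with the first match deciding, and that an event matching no rule is excluded, are assumptions of this model.

```python
from fnmatch import fnmatchcase

# Filter rules transcribed from the `event filter show` output above.
# Each rule: (position, include|exclude, message-name glob, severities, SNMP trap types)
# "*" means any. The Parameters column ("*=*") matches every event and is omitted.
FILTERS = {
    "default-trap-events": [
        (1, "include", "*", {"EMERGENCY", "ALERT"}, "*"),
        (2, "include", "callhome.*", {"ERROR"}, "*"),
        (3, "include", "*", "*", {"Standard", "Built-in"}),
        (4, "exclude", "*", "*", "*"),
    ],
    "important-events": [
        (1, "include", "*", {"EMERGENCY", "ALERT"}, "*"),
        (2, "include", "callhome.*", {"ERROR"}, "*"),
        (3, "exclude", "*", "*", "*"),
    ],
    "no-info-debug-events": [
        (1, "include", "*", {"EMERGENCY", "ALERT", "ERROR", "NOTICE"}, "*"),
        (2, "exclude", "*", "*", "*"),
    ],
}


def _matches(allowed, value):
    # "*" matches anything; otherwise the value must be one of the listed entries.
    return allowed == "*" or value in allowed


def matching_rule(filter_name, message_name, severity, snmp_trap_type):
    """Return (position, rule type) of the first rule matching the event.
    Assumption (not stated on the page): rules are evaluated in position
    order, the first match decides, and no match means the event is excluded."""
    for posn, rule_type, name_glob, severities, trap_types in FILTERS[filter_name]:
        if (fnmatchcase(message_name, name_glob)
                and _matches(severities, severity)
                and _matches(trap_types, snmp_trap_type)):
            return posn, rule_type
    return None, "exclude"


def is_notified(filter_name, message_name, severity, snmp_trap_type="Severity-based"):
    """True if a destination subscribed to this filter would receive the event."""
    return matching_rule(filter_name, message_name, severity, snmp_trap_type)[1] == "include"


if __name__ == "__main__":
    # The event from the catalog entry above: ALERT severity, Severity-based SNMP trap type.
    event = ("callhome.arw.activity.seen", "ALERT", "Severity-based")
    for name in FILTERS:
        print(name, matching_rule(name, *event))
```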
