Can the important-events filter be used for event notification of ransomware attacks?
Applies to
Answer
Additional Information
- When 20 or more files are found with this unknown file extension, it is assumed to be an attack. Along with this, the attack probability changes from low to moderate, and a callhome.arw.activity.seen EMS/ASUP alert notification is generated.
cluster2::> event log show -message-name *arw*
Time Node Severity Event
------------------- ---------------- ------------- ---------------------------
12/20/2022 11:27:55 cluster2-01 ALERT callhome.arw.activity.seen: Call-home message for Vol1 (UUID: c437827d-8062-11ed-9f93-005056a0d3a0) svm1 (UUID: 4574c5fe-8916-11ec-b931-005056a0d3a0)
Note: In the above example, the SVM and volumes are called out.
::> security anti-ransomware volume show -vserver svm1 -volume Vol1
Vserver Name: svm1
Volume Name: Vol1
State: enabled
Dry Run Start Time: -
Attack Probability: moderate
Attack Timeline: 12/21/2022 09:34:45
Number of Attacks: 1
The callhome.arw.activity.seen event's severity is ALERT, and the important-events filter includes all ALERT-type events.
ontap913::> event catalog show -message-name callhome.arw.activity.seen
Message Name: callhome.arw.activity.seen
Severity: ALERT
Description: This message occurs when ransomware activity is detected. To protect the data, a Snapshot copy has been created, which can be used to restore the original data. If your system is configured to do so, it generates and transmits an AutoSupport (or "call home") message to NetApp technical support and to the configured destinations. Successful delivery of an AutoSupport message significantly improves problem determination and resolution.
Corrective Action: Refer to the anti-ransomware documentation to take remedial measures for ransomare activity. If you need assistance, contact NetApp technical support.
SNMP Trap Type: Severity-based
Is Deprecated: false
ontap913::> event filter show
                    Rule  Rule                                                 SNMP Trap
Filter Name         Posn  Type     Message Name      Severity                  Type                Parameters
------------------- ----  -------- ----------------  ------------------------- ------------------- -----------
default-trap-events
                    1     include  *                 EMERGENCY, ALERT          *                   *=*
                    2     include  callhome.*        ERROR                     *                   *=*
                    3     include  *                 *                         Standard, Built-in  *=*
                    4     exclude  *                 *                         *                   *=*
important-events
                    1     include  *                 EMERGENCY, ALERT          *                   *=*
                    2     include  callhome.*        ERROR                     *                   *=*
                    3     exclude  *                 *                         *                   *=*
no-info-debug-events
                    1     include  *                 EMERGENCY, ALERT, ERROR, NOTICE
                                                                               *                   *=*
                    2     exclude  *                 *                         *                   *=*
9 entries were displayed.
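To make the filter evaluation concrete, the following added example (not NetApp code, and not part of the original article) transcribes the three filters from the event filter show output above and walks a few events through them. It assumes ONTAP's rules are evaluated in ascending position order with the first matching rule deciding include/exclude, and that an event matching no rule is not included; the event names other than callhome.arw.activity.seen are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Filter definitions transcribed from the "event filter show" output above.
# Each rule is (position, rule type, message-name pattern, severities, SNMP trap types);
# "*" in the severity or trap-type slot matches anything.
FILTERS = {
    "default-trap-events": [
        (1, "include", "*", {"EMERGENCY", "ALERT"}, "*"),
        (2, "include", "callhome.*", {"ERROR"}, "*"),
        (3, "include", "*", "*", {"Standard", "Built-in"}),
        (4, "exclude", "*", "*", "*"),
    ],
    "important-events": [
        (1, "include", "*", {"EMERGENCY", "ALERT"}, "*"),
        (2, "include", "callhome.*", {"ERROR"}, "*"),
        (3, "exclude", "*", "*", "*"),
    ],
    "no-info-debug-events": [
        (1, "include", "*", {"EMERGENCY", "ALERT", "ERROR", "NOTICE"}, "*"),
        (2, "exclude", "*", "*", "*"),
    ],
}


def _rule_matches(rule, name, severity, trap_type):
    """True when the event's name, severity and SNMP trap type all satisfy the rule."""
    _, _, pattern, severities, trap_types = rule
    return (fnmatchcase(name, pattern)
            and (severities == "*" or severity in severities)
            and (trap_types == "*" or trap_type in trap_types))


def evaluate(filter_name, name, severity, trap_type="Severity-based"):
    """Return (included, matching_rule_position) for one event against a filter.

    Assumption: rules are tried in ascending position order and the first match
    decides. An event that no rule matches is treated as not included (also an
    assumption; every filter above ends with an explicit exclude-all rule anyway).
    """
    for rule in sorted(FILTERS[filter_name], key=lambda r: r[0]):
        if _rule_matches(rule, name, severity, trap_type):
            return rule[1] == "include", rule[0]
    return False, None


def notifying_filters(name, severity, trap_type="Severity-based"):
    """Names of the filters that would include (and therefore notify on) this event."""
    return [f for f in FILTERS if evaluate(f, name, severity, trap_type)[0]]


# Constructed sample events: the ARW event from the catalog entry above plus
# placeholder events at lower severities (their names are made up).
SAMPLE_EVENTS = [
    ("callhome.arw.activity.seen", "ALERT", "Severity-based"),
    ("callhome.example.error", "ERROR", "Severity-based"),
    ("example.notice.event", "NOTICE", "Severity-based"),
    ("example.debug.event", "DEBUG", "Severity-based"),
]

if __name__ == "__main__":
    for name, severity, trap in SAMPLE_EVENTS:
        print(f"{name} ({severity}): {notifying_filters(name, severity, trap)}")
```

Running it shows that callhome.arw.activity.seen is picked up by rule 1 of important-events (the EMERGENCY/ALERT include), while the NOTICE and DEBUG placeholders fall through to that filter's exclude-all rule; the same logic explains why the broader no-info-debug-events filter still notifies on NOTICE events.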