topic Re: Ransomware protection: How do I find out what triggered the alert? in ONTAP Discussions

Ransomware protection: How do I find out what triggered the alert?

Tava — Fri, 17 May 2024 11:45:59 GMT

Hello, we are testing ARW on test volume and get alerts like:

"callhome.arw.activity.seen [ALERT]

Description: This message occurs when ransomware activity is detected. To protect the data, a Snapshot copy has been created, which can be used to restore the original data. If your system is configured to do so, it generates and transmits an AutoSupport (or "call home") message to NetApp technical support and to the configured destinations. Successful delivery of an AutoSupport message significantly improves problem determination and resolution."

Now how do I find out what caused this alert?? I've checked system manager's vol-security page, AIQ and even went to activeiq.netapp.com to check the autosupport it sent as the sections are readable from there. Absolutely no information what caused this ALERT...we have on-prem BlueXp and it doesn't support ARW.

So where can I see what happened and caused snapshot creation and autosupport?

Re: Ransomware protection: How do I find out what triggered the alert?

Sanaman — Mon, 20 May 2024 00:06:29 GMT

You may see similar to above in "Volume -> Security", where you could see the suspected file type.

Re: Ransomware protection: How do I find out what triggered the alert?

Tava — Mon, 20 May 2024 10:15:07 GMT

Yes like I said I've checked that page but it only lists the suspected file types, but does not tell me why the alert was sent.

Re: Ransomware protection: How do I find out what triggered the alert?

ByronE — Tue, 18 Jun 2024 20:55:45 GMT

How to confirm the attack's details detected from ARP

https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/How_to_confirm_the_attack's_details_detected_from_ARP

Security anti-ransomware volume attack generate-report output

https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/Security_anti-ransomware_volume_attack_generate-report_output