NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

ONTAP Discussions

Ransomware protection: How do I find out what triggered the alert?

Tava
4,825 Views

Hello, we are testing ARW on test volume and get alerts like:

"callhome.arw.activity.seen [ALERT]

Description: This message occurs when ransomware activity is detected. To protect the data, a Snapshot copy has been created, which can be used to restore the original data. If your system is configured to do so, it generates and transmits an AutoSupport (or "call home") message to NetApp technical support and to the configured destinations. Successful delivery of an AutoSupport message significantly improves problem determination and resolution."

 

Now how do I find out what caused this alert?? I've checked system manager's vol-security page, AIQ and even went to activeiq.netapp.com to check the autosupport it sent as the sections are readable from there. Absolutely no information what caused this ALERT...we have on-prem BlueXp and it doesn't support ARW.

 

So where can I see what happened and caused snapshot creation and autosupport?

1 ACCEPTED SOLUTION
3 REPLIES 3

Sanaman
4,643 Views

Sanaman_0-1716163356788.png

You may see similar to above in "Volume -> Security", where you could see the suspected file type.

Tava
4,603 Views

Yes like I said I've checked that page but it only lists the suspected file types, but does not tell me why the alert was sent.

ByronE
4,261 Views
Public