Ransomware protection: How do I find out what triggered the alert?

Tava · ‎2024-05-17

Hello, we are testing ARW on test volume and get alerts like:

"callhome.arw.activity.seen [ALERT]

Description: This message occurs when ransomware activity is detected. To protect the data, a Snapshot copy has been created, which can be used to restore the original data. If your system is configured to do so, it generates and transmits an AutoSupport (or "call home") message to NetApp technical support and to the configured destinations. Successful delivery of an AutoSupport message significantly improves problem determination and resolution."

Now how do I find out what caused this alert?? I've checked system manager's vol-security page, AIQ and even went to activeiq.netapp.com to check the autosupport it sent as the sections are readable from there. Absolutely no information what caused this ALERT...we have on-prem BlueXp and it doesn't support ARW.

So where can I see what happened and caused snapshot creation and autosupport?

Sanaman

You may see similar to above in "Volume -> Security", where you could see the suspected file type.

Tava

Yes like I said I've checked that page but it only lists the suspected file types, but does not tell me why the alert was sent.

Ransomware protection: How do I find out what triggered the alert?

NetApp Wins Gold in Globee® Awards

Join us on Discord