ONTAP 9.12.1 commands

  • ONTAP 9.12.1 commands(CA08871-263en.pdf)
  • security anti-ransomware volume attack-detection-parameters modify

    Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

    Description

    The security anti-ransomware volume attack-detection-parameters modify command can be used to modify the attack detection parameters of an anti-ransomware enabled volume.

    Parameters

    -vserver <Vserver Name> - Vserver Name

    This parameter specifies the Vserver of the anti-ransomware enabled volume.

    -volume <volume name> - Volume Name

    This parameter specifies the anti-ransomware enabled volume for which the attack detection parameters need to be modified.

    [-based-on-high-entropy-data-rate {true|false}] - High Entropy Data Rate at Volume Level

    This parameter indicates whether ransomware detection is based on a high entropy data rate at the volume level. Ransomware detection is also performed based on the high entropy data rate at the file level; that method is always enabled and does not depend on this parameter.

    [-based-on-never-seen-before-file-extension {true|false}] - Never Seen before File Extension

    This parameter indicates whether ransomware detection is based on new file types not seen before at the volume level. This detection method is based only on the file extension, not on the file entropy. Some ransomware variants modify data in a way that leaves the file entropy unchanged; this method helps detect those variants, but it can also produce false positives. Note that ransomware detection is also performed based on the combination of file extension and file entropy; that method is always enabled and does not depend on this parameter.

    [-based-on-file-create-rate {true|false}] - Is Based on File Create Operation Rate

    This parameter indicates whether ransomware detection is based on the file create rate at the volume level. If this is true and the number of files created per timeslot surges by -file-create-rate-surge-notify-percentage percent or more compared to the historically observed value, it is considered an attack.

    [-based-on-file-rename-rate {true|false}] - Is Based on File Rename Operation Rate

    This parameter indicates whether ransomware detection is based on the file rename rate at the volume level. If this is true and the number of files renamed per timeslot surges by -file-rename-rate-surge-notify-percentage percent or more compared to the historically observed value, it is considered an attack.

    [-based-on-file-delete-rate {true|false}] - Is Based on File Delete Operation Rate

    This parameter indicates whether ransomware detection is based on the file delete rate at the volume level. If this is true and the number of files deleted per timeslot surges by -file-delete-rate-surge-notify-percentage percent or more compared to the historically observed value, it is considered an attack.

    [-relaxing-popular-file-extensions {true|false}] - Is Relaxing Popular File Extensions

    This parameter indicates whether commonly used file extensions are exempted from never-seen-before file extension detection. If true, a predetermined set of commonly used extensions, such as .mp3, is considered safe even if none of them were observed during the dry-run state. If false, only the file extensions observed during the dry-run state are considered safe; any extension not observed during the dry-run state but observed later is treated as a suspected ransomware attack, even if it is a commonly used extension.

    [-high-entropy-data-surge-notify-percentage <integer>] - High Entropy Data Surge Notify Percentage

    This parameter specifies the percentage surge in high entropy data, relative to the historically observed value, that is still considered safe in the overall incoming data at the volume level. A surge at or above this percentage is reported as an attack when -based-on-high-entropy-data-rate is true.

    [-file-create-rate-surge-notify-percentage <integer>] - File Create Operation Rate Surge Notify Percentage

    This parameter specifies the percentage surge in file create operations per timeslot, relative to the historically observed value, that is still considered safe at the volume level.

    [-file-delete-rate-surge-notify-percentage <integer>] - File Delete Operation Rate Surge Notify Percentage

    This parameter specifies the percentage surge in file delete operations per timeslot, relative to the historically observed value, that is still considered safe at the volume level.

    [-file-rename-rate-surge-notify-percentage <integer>] - File Rename Operation Rate Surge Notify Percentage

    This parameter specifies the percentage surge in file rename operations per timeslot, relative to the historically observed value, that is still considered safe at the volume level.

    [-never-seen-before-file-extn-count-notify-threshold <integer>] - Never Seen before File Extension Count Notify Threshold

    This parameter specifies the number of files that must be observed with a new, never-seen-before file extension in create or rename operations before an attack is reported.

    [-never-seen-before-file-extn-duration-in-hours <integer>] - Never Seen before File Extension Duration in Hours

    This parameter specifies the observation duration, in hours, for new file extensions not seen before. If a new file extension is observed and at least -never-seen-before-file-extn-count-notify-threshold files are created or renamed with that extension within this duration, it is reported as an attack.
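    The following is an added illustrative model, not ONTAP code, of how the parameters above combine: the rate rules compare a timeslot's create/rename/delete/high-entropy counts against a historical baseline and report a surge at or above the notify percentage, and the never-seen-before extension rule counts create/rename operations per new extension inside the duration window and reports the extension once the count reaches the threshold. The timeslot size, the baseline method, the sliding-window reading of the duration, the >= comparison, the popular-extension list and all sample data are assumptions of this model; the field names mirror the CLI parameters and the defaults mirror the show output in the Examples section.

```python
"""Illustrative model of the volume-level detection parameters documented for
security anti-ransomware volume attack-detection-parameters modify.

Added example, not ONTAP code. It applies the documented rules (surge per
timeslot against a historical baseline; count of files with a never-seen-before
extension within a duration in hours) to constructed sample data. Timeslot size,
baseline method, the sliding-window reading of the duration, the >= comparison
and the popular-extension list are assumptions of this model.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DetectionParams:
    """Field names mirror the CLI parameters; defaults mirror the show output."""
    based_on_high_entropy_data_rate: bool = True
    based_on_never_seen_before_file_extension: bool = True
    based_on_file_create_rate: bool = True
    based_on_file_rename_rate: bool = True
    based_on_file_delete_rate: bool = True
    relaxing_popular_file_extensions: bool = True
    high_entropy_data_surge_notify_percentage: int = 100
    file_create_rate_surge_notify_percentage: int = 100
    file_rename_rate_surge_notify_percentage: int = 100
    file_delete_rate_surge_notify_percentage: int = 100
    never_seen_before_file_extn_count_notify_threshold: int = 20
    never_seen_before_file_extn_duration_in_hours: int = 24


# Assumed stand-in for ONTAP's predetermined list of commonly used extensions.
POPULAR_EXTENSIONS = {"mp3", "jpg", "png", "pdf", "docx", "xlsx", "txt"}


def surge_percentage(observed: int, baseline: float) -> float:
    """Percent by which observed exceeds baseline (0 if it did not grow)."""
    if baseline <= 0:
        return float("inf") if observed > 0 else 0.0
    return max(0.0, (observed - baseline) / baseline * 100.0)


def rate_alerts(p: DetectionParams, baseline: dict, current: dict) -> list:
    """Rate rules: baseline/current map high_entropy|create|rename|delete to
    counts per timeslot (historically observed value vs. the slot under test)."""
    rules = {
        "high_entropy": (p.based_on_high_entropy_data_rate, p.high_entropy_data_surge_notify_percentage),
        "create": (p.based_on_file_create_rate, p.file_create_rate_surge_notify_percentage),
        "rename": (p.based_on_file_rename_rate, p.file_rename_rate_surge_notify_percentage),
        "delete": (p.based_on_file_delete_rate, p.file_delete_rate_surge_notify_percentage),
    }
    alerts = []
    for op, (enabled, notify_pct) in rules.items():
        surge = surge_percentage(current.get(op, 0), baseline.get(op, 0))
        if enabled and surge >= notify_pct:
            alerts.append(f"{op}: surge {surge:.0f}% >= {notify_pct}%")
    return alerts


def extension_alerts(p: DetectionParams, dry_run_extensions: set, events: list) -> list:
    """Never-seen-before-extension rule over (hour, op, filename) events.
    An extension is new if absent from the dry-run set and, when relaxing is on,
    from the popular list; it is reported once the number of create/rename
    events with it inside the duration window reaches the threshold."""
    if not p.based_on_never_seen_before_file_extension:
        return []
    known = {e.lower() for e in dry_run_extensions}
    if p.relaxing_popular_file_extensions:
        known |= POPULAR_EXTENSIONS
    window = p.never_seen_before_file_extn_duration_in_hours
    threshold = p.never_seen_before_file_extn_count_notify_threshold
    recent = defaultdict(list)          # ext -> hours of events still inside the window
    alerts, reported = [], set()
    for hour, op, name in sorted(events):
        if op not in ("create", "rename") or "." not in name:
            continue
        ext = name.rsplit(".", 1)[1].lower()
        if not ext or ext in known:
            continue
        hours = recent[ext]
        hours.append(hour)
        while hours and hours[0] <= hour - window:  # expire observations older than the window
            hours.pop(0)
        if len(hours) >= threshold and ext not in reported:
            reported.add(ext)
            alerts.append((ext, hour))
    return alerts


# Constructed sample data, not taken from any real system.
BASELINE = {"high_entropy": 10, "create": 100, "rename": 40, "delete": 50}
CURRENT = {"high_entropy": 12, "create": 150, "rename": 45, "delete": 90}
DRY_RUN_EXTS = {"docx", "xlsx"}
BURST = [(h, "create", f"report{h}.locked") for h in range(22)]   # 22 files within 22 h
TRICKLE = [(2 * h, "rename", f"old{h}.enc") for h in range(20)]  # 20 files spread over 40 h
MEDIA = [(h, "create", f"song{h}.mp3") for h in range(30)]        # popular extension

if __name__ == "__main__":
    print(rate_alerts(DetectionParams(), BASELINE, CURRENT))
    print(rate_alerts(DetectionParams(file_delete_rate_surge_notify_percentage=25), BASELINE, CURRENT))
    print(extension_alerts(DetectionParams(), DRY_RUN_EXTS, BURST + TRICKLE + MEDIA))
```

    With the defaults, an 80% rise in deletes per timeslot stays below the 100% notify percentage and nothing is reported; lowering -file-delete-rate-surge-notify-percentage to 25, as the Examples section does, turns the same data into a delete alert. The .locked burst reaches 20 files inside the 24-hour window and is reported; the .enc trickle never has 20 files inside any 24-hour window, so it is not; .mp3 is exempt only while relaxing is true.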

    Examples

    The following example displays the attack detection parameters of a volume, lowers the file delete rate surge notify percentage from 100 to 25 so that a smaller surge in deletes per timeslot is treated as an attack, and then displays the parameters again to confirm the change.

    cluster1::> security anti-ransomware volume attack-detection-parameters show -vserver vs1 -volume vol1
                                                 Vserver Name : vs1
                                                  Volume Name : vol1
                Is Detection Based on High Entropy Data Rate? : true
      Is Detection Based on Never Seen before File Extension? : true
                      Is Detection Based on File Create Rate? : true
                      Is Detection Based on File Rename Rate? : true
                      Is Detection Based on File Delete Rate? : true
               Is Detection Relaxing Popular File Extensions? : true
                    High Entropy Data Surge Notify Percentage : 100
                     File Create Rate Surge Notify Percentage : 100
                     File Rename Rate Surge Notify Percentage : 100
                     File Delete Rate Surge Notify Percentage : 100
     Never Seen before File Extensions Count Notify Threshold : 20
           Never Seen before File Extensions Duration in Hour : 24
    
    cluster1::> security anti-ransomware volume attack-detection-parameters modify -vserver vs1 -volume vol1 -file-delete-rate-surge-notify-percentage 25
    
    cluster1::> security anti-ransomware volume attack-detection-parameters show -vserver vs1 -volume vol1
                                                 Vserver Name : vs1
                                                  Volume Name : vol1
                Is Detection Based on High Entropy Data Rate? : true
      Is Detection Based on Never Seen before File Extension? : true
                      Is Detection Based on File Create Rate? : true
                      Is Detection Based on File Rename Rate? : true
                      Is Detection Based on File Delete Rate? : true
               Is Detection Relaxing Popular File Extensions? : true
                    High Entropy Data Surge Notify Percentage : 100
                     File Create Rate Surge Notify Percentage : 100
                     File Rename Rate Surge Notify Percentage : 100
                     File Delete Rate Surge Notify Percentage : 25
     Never Seen before File Extensions Count Notify Threshold : 20
           Never Seen before File Extensions Duration in Hour : 24