ONTAP 9 Manuals ( CA08871-402 )

Manage Autonomous Ransomware Protection attack detection parameters

Beginning in ONTAP 9.11.1, you can modify the parameters for ransomware detection on a specific Autonomous Ransomware Protection-enabled volume and report a known surge as normal file activity. Adjusting detection parameters helps improve the accuracy of reporting based on your specific volume workload.

How attack detection works

When Autonomous Ransomware Protection (ARP) is in learning mode, it develops baseline values for volume behaviors. These are entropy, file extensions, and, beginning in ONTAP 9.11.1, IOPS. These baselines are used to evaluate ransomware threats. For more information about these criteria, see What ARP detects.

In ONTAP 9.10.1, ARP issues a warning if it detects both of the following conditions:

  • more than 20 files with file extensions not previously observed in the volume

  • high entropy data

Beginning in ONTAP 9.11.1, ARP issues a threat warning if only one condition is met. For example, if more than 20 files with file extensions that have not previously been observed in the volume are observed within a 24 hour period, ARP will categorize this as a threat regardless of observed entropy. (The 24 hour and 20 file values are defaults, which can be modified.)

Beginning in ONTAP 9.14.1, you can configure alerts when ARP observes a new file extension and when ARP creates a Snapshot. For more information, see Configure ARP alerts

Certain volumes and workloads require different detection parameters. For example, your ARP-enabled volume may host numerous types of file extensions, in which case you may want to modify the threshold count for never-before-seen file extensions to a number greater than the default of 20 or disable warnings based on never-before-seen file extensions. Beginning with ONTAP 9.11.1, you can modify the attack detection parameters so they better fit your specific workloads.

Modify attack detection parameters

Depending on the expected behaviors of your ARP-enabled volume, you may want to modify the attack detection parameters.

Steps
  1. View the existing attack detection parameters:

    security anti-ransomware volume attack-detection-parameters show -vserver svm_name -volume volume_name

    security anti-ransomware volume attack-detection-parameters show -vserver vs1 -volume vol1
                                                 Vserver Name : vs1
                                                  Volume Name : vol1
                Is Detection Based on High Entropy Data Rate? : true
      Is Detection Based on Never Seen before File Extension? : true
                      Is Detection Based on File Create Rate? : true
                      Is Detection Based on File Rename Rate? : true
                      Is Detection Based on File Delete Rate? : true
               Is Detection Relaxing Popular File Extensions? : true
                    High Entropy Data Surge Notify Percentage : 100
                     File Create Rate Surge Notify Percentage : 100
                     File Rename Rate Surge Notify Percentage : 100
                     File Delete Rate Surge Notify Percentage : 100
     Never Seen before File Extensions Count Notify Threshold : 20
           Never Seen before File Extensions Duration in Hour : 24
  2. All of the fields shown are modifiable with boolean or integer values. To modify a field, use the security anti-ransomware volume attack-detection-parameters modify command.

    For a full list of parameters, see ONTAP command reference.

Report known surges

ARP continues to modify baseline values for detection parameters even in active mode. If you know of surges in your volume activity—​either one-time surges or a surge that is characteristic of a new normal—​you should report it as safe. Manually reporting these surges as safe helps to improve the accuracy of ARP’s threat assessments.

Report a one-time surges
  1. If a one-time surge is occurring under known circumstances and you want ARP to report a similar surge in future circumstances, clear the surge from the workload behavior:

    security anti-ransomware volume workload-behavior clear-surge -vserver svm_name -volume volume_name

Modify baseline surge
  1. If a reported surge should be considered normal application behavior, report the surge as such to modify the baseline surge value.

    security anti-ransomware volume workload-behavior update-baseline-from-surge -vserver svm_name -volume volume_name

Configure ARP alerts

Beginning in ONTAP 9.14.1, ARP allows you to specify alerts for two ARP events:

  • Observation of new file extension on a volume

  • Creation of an ARP Snapshot

Alerts for these two events can be set on individual volumes or for the entire SVM. If you enable alerts for the SVM, the alert settings are inherited only by volumes created after you enable alert. By default, alerts are not enabled on any volume.

Event alerts can be controlled with multi-admin verification. For more information, see Multi-admin verification with volumes protected with ARP.

ONTAP System Manager
Set alerts for a volume
  1. Navigate to Volumes. Select the individual volume for which you want to modify settings.

  2. Select the Security tab then Event Security Settings.

  3. To receive alerts for New file extension detected and Ransomware snapshot created, select the dropdown menu under the Severity heading. Modify the setting from Don’t generate event to Notice.

  4. Select Save.

Set alerts for an SVM
  1. Navigate to Storage VM then select the SVM for which you want to enable settings.

  2. Under the Security heading, locate the Anti-ransomware card. Select three dots then Edit Ransomware Event Severity.

  3. To receive alerts for New file extension detected and Ransomware snapshot created, select the dropdown menu under the Severity heading. Modify the setting from Don’t generate event to Notice.

  4. Select Save.

CLI
Set alerts for a volume
  • To set alerts for a new file-extension:

    security anti-ransomware volume event-log modify -vserver svm_name -is-enabled-on-new-file-extension-seen true

  • To set alerts for the creation of an ARP Snapshot:

    security anti-ransomware volume event-log modify -vserver svm_name -is-enabled-on-snapshot-copy-creation true

  • Confirm your settings with the anti-ransomware volume event-log show command.

Set alerts for an SVM
  • To set alerts for a new file-extension:

    security anti-ransomware vserver event-log modify -vserver svm_name -is-enabled-on-new-file-extension-seen true

  • To set alerts for the creation of an ARP Snapshot:

    security anti-ransomware vserver event-log modify -vserver svm_name -is-enabled-on-snapshot-copy-creation true

  • Confirm your settings with the security anti-ransomware vserver event-log show command.

Top of Page