ONTAP 9.14.1 commands

security anti-ransomware volume attack-detection-parameters show

Show anti-ransomware volume attack detection parameters

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The security anti-ransomware volume attack-detection-parameters show command displays attack detection parameter details of an anti-ransomware enabled volume.

Parameters

{ [-fields <fieldname>,...]

If you specify the -fields <fieldname>,... parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.

| [-instance ] }

If you specify the -instance parameter, the command displays detailed information about all fields.

-vserver <Vserver Name> - Vserver Name

This parameter specifies the Vserver of the anti-ransomware enabled volume.

-volume <volume name> - Volume Name

This parameter specifies the anti-ransomware enabled volume for which the attack detection parameters need to be displayed.

[-based-on-high-entropy-data-rate {true|false}] - High Entropy Data Rate at Volume Level

This parameter displays whether ransomware detection is based on a high entropy data rate at the volume level. Ransomware detection is also performed based on the high entropy data rate at the file level; that method is always enabled and does not depend on this parameter.

[-based-on-never-seen-before-file-extension {true|false}] - Never Seen before File Extension

This parameter indicates whether ransomware detection is based on new file types not seen before at the volume level. This detection method considers only the file extension, not the file entropy. Some ransomware variants modify data in a way that leaves the file entropy unchanged; this method helps detect those variants, but it can produce false positives. Note that ransomware detection is also performed based on the combination of file extension and file entropy; that method is always enabled and does not depend on this parameter.

[-based-on-file-create-rate {true|false}] - Is Based on File Create Operation Rate

This parameter displays whether ransomware detection is based on the file create rate at the volume level. If this is true and the number of files created per timeslot surges by -file-create-rate-surge-notify-percentage percent compared to the historically observed value, the surge is considered an attack.

[-based-on-file-rename-rate {true|false}] - Is Based on File Rename Operation Rate

This parameter displays whether ransomware detection is based on the file rename rate at the volume level. If this is true and the number of files renamed per timeslot surges by -file-rename-rate-surge-notify-percentage percent compared to the historically observed value, the surge is considered an attack.

[-based-on-file-delete-rate {true|false}] - Is Based on File Delete Operation Rate

This parameter displays whether ransomware detection is based on the file delete rate at the volume level. If this is true and the number of files deleted per timeslot surges by -file-delete-rate-surge-notify-percentage percent compared to the historically observed value, the surge is considered an attack.

[-relaxing-popular-file-extensions {true|false}] - Is Relaxing Popular File Extensions

This parameter displays whether ransomware detection relaxes its treatment of commonly used extensions. If true, predetermined commonly used extensions, such as .mp3, are considered safe. If false, only the file extensions observed during the dry-run state are considered safe; any extension not observed during the dry-run state but observed later is suspected as a ransomware attack, even if it is a commonly used extension.

[-high-entropy-data-surge-notify-percentage <integer>] - High Entropy Data Surge Notify Percentage

This parameter displays the surge value that is considered safe in the overall incoming data at the volume level.

[-file-create-rate-surge-notify-percentage <integer>] - File Create Operation Rate Surge Notify Percentage

This parameter displays the surge rate that is considered safe for file create operations at the volume level.

[-file-delete-rate-surge-notify-percentage <integer>] - File Delete Operation Rate Surge Notify Percentage

This parameter displays the surge rate that is considered safe for file delete operations at the volume level.

[-file-rename-rate-surge-notify-percentage <integer>] - File Rename Operation Rate Surge Notify Percentage

This parameter displays the surge rate that is considered safe for file rename operations at the volume level.

[-never-seen-before-file-extn-count-notify-threshold <integer>] - Never Seen before File Extension Count Notify Threshold

This parameter displays the threshold count of files created or renamed with a new file extension that was not seen before.

[-never-seen-before-file-extn-duration-in-hours <integer>] - Never Seen before File Extension Duration in Hours

This parameter displays the duration, in hours, over which files with a new file extension not seen before are counted. If a new file extension is observed and -never-seen-before-file-extn-count-notify-threshold files are created or renamed with that extension within this duration, it is reported as an attack.
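The following is an added illustration, written for this page and not ONTAP's own code, of two of the volume-level rules described above: the file create rate surge check (-based-on-file-create-rate with -file-create-rate-surge-notify-percentage) and the never-seen-before file extension check (-never-seen-before-file-extn-count-notify-threshold within -never-seen-before-file-extn-duration-in-hours, with -relaxing-popular-file-extensions). The parameter defaults follow the example output on this page; the popular-extension list, the dry-run extension set and the file events are constructed assumptions.

```python
"""Added illustration of two volume-level detection rules described above:
the file-create-rate surge check and the never-seen-before file extension
check. This is a simplified model written for this page, not ONTAP's
implementation; parameter defaults follow the example output on the page,
and the extension lists and events below are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class DetectionParameters:
    # Same names as the command's parameters, with the page's example values.
    based_on_file_create_rate: bool = True
    based_on_never_seen_before_file_extension: bool = True
    relaxing_popular_file_extensions: bool = True
    file_create_rate_surge_notify_percentage: int = 100
    never_seen_before_file_extn_count_notify_threshold: int = 20
    never_seen_before_file_extn_duration_in_hours: int = 24


# Assumption: a tiny stand-in for ONTAP's predetermined list of popular extensions.
POPULAR_EXTENSIONS = {"mp3", "jpg", "docx", "pdf", "txt"}

# Assumption: extensions learned during the volume's dry-run state (constructed).
DRY_RUN_EXTENSIONS = {"docx", "xlsx", "jpg"}


def create_rate_surge(historical_per_slot, current_slot, params):
    """True when file creates in the current timeslot exceed the historical
    per-slot average by more than the configured surge percentage."""
    if not params.based_on_file_create_rate or not historical_per_slot:
        return False
    baseline = sum(historical_per_slot) / len(historical_per_slot)
    allowed = baseline * (1 + params.file_create_rate_surge_notify_percentage / 100)
    return current_slot > allowed


def extension_of(name):
    """Lower-cased text after the last dot, or '' when the name has no extension."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def never_seen_extension_attack(dry_run_extensions, events, params):
    """events: iterable of (hour, operation, filename). For each extension not
    learned during dry run (and, when relaxing is on, not popular), count the
    create/rename operations that fall within the configured duration after
    the extension was first seen. Returns {extension: count} for extensions
    that reach the notify threshold."""
    if not params.based_on_never_seen_before_file_extension:
        return {}
    safe = set(dry_run_extensions)
    if params.relaxing_popular_file_extensions:
        safe |= POPULAR_EXTENSIONS
    first_seen = {}
    counts = Counter()
    for hour, operation, name in sorted(events):
        if operation not in ("create", "rename"):
            continue
        ext = extension_of(name)
        if not ext or ext in safe:
            continue
        start = first_seen.setdefault(ext, hour)
        if hour - start < params.never_seen_before_file_extn_duration_in_hours:
            counts[ext] += 1
    return {ext: n for ext, n in counts.items()
            if n >= params.never_seen_before_file_extn_count_notify_threshold}


def sample_events():
    """Constructed activity: 25 '.locked' files within a few hours (attack-like),
    two popular '.mp3' files, five '.bak' renames, and 20 '.enc' files split
    between hour 1 and hour 30 so only half fall inside a 24-hour window."""
    events = [(h % 4, "create", f"finance/report{h}.docx.locked") for h in range(25)]
    events += [(5, "create", f"media/song{i}.mp3") for i in range(2)]
    events += [(6, "rename", f"tmp/old{i}.bak") for i in range(5)]
    events += [(1, "create", f"home/a{i}.enc") for i in range(10)]
    events += [(30, "create", f"home/b{i}.enc") for i in range(10)]
    return events


def run_demo(params=None):
    """Run the never-seen-before check over the constructed events."""
    params = params or DetectionParameters()
    return never_seen_extension_attack(DRY_RUN_EXTENSIONS, sample_events(), params)


if __name__ == "__main__":
    print(create_rate_surge([100, 120, 110, 90], 250, DetectionParameters()))
    print(run_demo())
```

With the page's defaults only the ".locked" burst is reported: the ".enc" files never reach the threshold inside one 24-hour window, ".bak" stays below the count, and ".mp3" is exempt because relaxing is on. Turning relaxing off and lowering the threshold shows how both parameters widen what is reported, at the cost of more false positives.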

Examples

The following example displays attack detection parameter information of a volume.

cluster1::> security anti-ransomware volume attack-detection-parameters show -vserver vs1 -volume vol1
                       Vserver Name : vs1
                        Volume Name : vol1
      Is Detection Based on High Entropy Data Rate? : true
  Is Detection Based on Never Seen before File Extension? : true
          Is Detection Based on File Create Rate? : true
          Is Detection Based on File Rename Rate? : true
          Is Detection Based on File Delete Rate? : true
       Is Detection Relaxing Popular File Extensions? : true
        High Entropy Data Surge Notify Percentage : 100
         File Create Rate Surge Notify Percentage : 100
         File Rename Rate Surge Notify Percentage : 100
         File Delete Rate Surge Notify Percentage : 100
 Never Seen before File Extensions Count Notify Threshold : 20
     Never Seen before File Extensions Duration in Hour : 24
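As an added example (not NetApp code), the following script parses the text output shown above and reports which volume-level detection methods are switched off, a quick configuration check when reviewing many volumes. SAMPLE_OUTPUT copies the page's example; WEAKENED_OUTPUT is a constructed variant with two methods disabled.

```python
"""Added example (not NetApp code): parse the text output of
`security anti-ransomware volume attack-detection-parameters show` and report
detection methods that are switched off. SAMPLE_OUTPUT copies the page's
example; WEAKENED_OUTPUT is a constructed variant with two methods disabled."""

SAMPLE_OUTPUT = """\
cluster1::> security anti-ransomware volume attack-detection-parameters show -vserver vs1 -volume vol1
                       Vserver Name : vs1
                        Volume Name : vol1
      Is Detection Based on High Entropy Data Rate? : true
  Is Detection Based on Never Seen before File Extension? : true
          Is Detection Based on File Create Rate? : true
          Is Detection Based on File Rename Rate? : true
          Is Detection Based on File Delete Rate? : true
       Is Detection Relaxing Popular File Extensions? : true
        High Entropy Data Surge Notify Percentage : 100
         File Create Rate Surge Notify Percentage : 100
         File Rename Rate Surge Notify Percentage : 100
         File Delete Rate Surge Notify Percentage : 100
 Never Seen before File Extensions Count Notify Threshold : 20
     Never Seen before File Extensions Duration in Hour : 24
"""

# Constructed variant: two detection methods turned off.
WEAKENED_OUTPUT = SAMPLE_OUTPUT.replace(
    "File Create Rate? : true", "File Create Rate? : false").replace(
    "High Entropy Data Rate? : true", "High Entropy Data Rate? : false")


def parse_show_output(text):
    """Return {label: value}. 'true'/'false' become bool, digits become int,
    and lines without a ' : ' separator (such as the prompt line) are skipped."""
    params = {}
    for line in text.splitlines():
        label, sep, value = line.partition(" : ")
        if not sep:
            continue
        label, value = label.strip(), value.strip()
        if value in ("true", "false"):
            value = value == "true"
        elif value.isdigit():
            value = int(value)
        params[label] = value
    return params


def disabled_detection_methods(params):
    """Labels of volume-level detection methods whose value is false."""
    return sorted(label for label, value in params.items()
                  if label.startswith("Is Detection Based on") and value is False)


def audit(text):
    """Human-readable findings for one volume's show output."""
    params = parse_show_output(text)
    volume = f"{params.get('Vserver Name')}:{params.get('Volume Name')}"
    findings = [f"{volume}: {label} is disabled"
                for label in disabled_detection_methods(params)]
    if params.get("Is Detection Relaxing Popular File Extensions?") is True:
        findings.append(f"{volume}: commonly used extensions such as .mp3 are "
                        "treated as safe (relaxing enabled)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT) + audit(WEAKENED_OUTPUT):
        print(finding)
```

The parser keys on the ` : ` separator rather than on column positions, so the ragged label alignment in the output does not matter; labels are kept verbatim so the findings can be matched back to the command's own wording.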