Skip to main content
BlueXP ransomware protection

Configure BlueXP ransomware protection settings

Contributors amgrissino

You can configure a backup destination, enable threat detection, or configure connection to Data Infrastructure Insights Workload security by accessing the Settings option. Enabling threat detection automatically sends data to your security and event management system (SIEM) for threat analysis.

From the Settings page, you can do the following:

  • Configure the connection to Data Infrastructure Insights Workload security to see suspected user information in ransomware alerts.

  • Add a backup destination.

  • Connect your security and event management system (SIEM) for threat analysis and detection.

Access the Settings page directly

You can easily access the Settings page from the Actions option near the top menu.

  1. From the BlueXP ransomware protection menu, select the vertical Vertical Actions…​ option at the top right.

  2. From the drop-down menu, select Settings.

Connect to Data Infrastructure Insights Workload security to see suspected anomalous user behavior

Before you can view details of suspected anomalous user behavior in BlueXP ransomware protection, you need to configure the connection to the Data Infrastructure Insights Workload security system.

Obtain an API access token from the Data Infrastructure Insights Workload security system

Obtain an API access token from the Data Infrastructure Insights Workload security system.

  1. Log in to the Data Infrastructure Insights Workload security system.

  2. From the left navigation, select Admin > API Access.

    API Access page in Data Infrastructure Insights Workload security

  3. Either create an API access token or use an existing one.

  4. Copy the API access token.

Connect to Data Infrastructure Insights Workload security

  1. From the BlueXP ransomware protection Settings menu, select Workload security connection.

  2. Select Connect.

  3. Enter the URL for the Data Infrastructure Workload security UI.

  4. Enter the API access token that provides access to Workload security.

  5. Select Connect.

Add a backup destination

BlueXP ransomware protection can identify workloads that do not have any backups yet and also workloads that do not have any backup destinations assigned yet.

To protect those workloads, you should add a backup destination. You can choose one of the following backup destinations:

  • NetApp StorageGRID

  • Amazon Web Services (AWS)

  • Google Cloud Platform

  • Microsoft Azure

You can add a backup destination based on a recommended action from the Dashboard or from accessing the Settings option on the menu.

The Dashboard provides many recommendations. One recommendation might be to configure a backup destination.

Steps
  1. From the BlueXP left navigation, select Protection > Ransomware protection.

  2. Review the Dashboard's Recommended actions pane.

    Dashboard page

  3. From the Dashboard, select Review and fix for the recommendation of "Prepare <backup provider> as a backup destination."

  4. Continue with instructions depending on the backup provider.

Add StorageGRID as a backup destination

To set up NetApp StorageGRID as a backup destination, enter the following information.

Steps
  1. In the Settings > Backup destinations page, select Add.

  2. Enter a name for the backup destination.

    Backup destinations page

  3. Select StorageGRID.

  4. Select the Down arrow next to each setting and enter or select values:

    • Provider settings:

      • Create a new bucket or bring your own bucket that will store the backups.

      • StorageGRID gateway node fully qualified domain name, port, StorageGRID access key and secret key credentials.

    • Networking: Choose the IPspace.

      • The IPspace is the cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access.

  5. Select Add.

Result

The new backup destination is added to the list of backup destinations.

Backup destinations page the Settings option

Add Amazon Web Services as a backup destination

To set up AWS as a backup destination, enter the following information.

For details about managing your AWS storage in BlueXP, refer to Manage your Amazon S3 buckets.

Steps
  1. In the Settings > Backup destinations page, select Add.

  2. Enter a name for the backup destination.

    Backup destinations page

  3. Select Amazon Web Services.

  4. Select the Down arrow next to each setting and enter or select values:

    • Provider settings:

    • Encryption: If you are creating a new S3 bucket, enter encryption key information given to you from the provider. If you chose an existing bucket, encryption information is already available.

      Data in the bucket is encrypted with AWS-managed keys by default. You can continue to use AWS-managed keys, or you can manage the encryption of your data using your own keys.

    • Networking: Choose the IPspace and whether you'll be using a Private Endpoint.

      • The IPspace is the cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access.

      • Optionally, choose whether you'll use an AWS private endpoint (PrivateLink) that you previously configured.

        If you want to use AWS PrivateLink, refer to AWS PrivateLink for Amazon S3.

    • Backup lock: Choose whether you want the service to protect backups from being modified or deleted. This option uses the NetApp DataLock technology. Each backup will be locked during the retention period, or for a minimum of 30 days, plus a buffer period of up to 14 days.

      Caution If you configure the backup lock setting now, you cannot change the setting later after the backup destination is configured.
      • Governance mode: Specific users (with s3:BypassGovernanceRetention permission) can overwrite or delete protected files during the retention period.

      • Compliance mode: Users cannot overwrite or delete protected backup files during the retention period.

  5. Select Add.

Result

The new backup destination is added to the list of backup destinations.

Backup destinations page the Settings option

Add Google Cloud Platform as a backup destination

To set up Google Cloud Platform (GCP) as a backup destination, enter the following information.

For details about managing your GCP storage in BlueXP, refer to Connector installation options in Google Cloud.

Steps
  1. In the Settings > Backup destinations page, select Add.

  2. Enter a name for the backup destination.

    Backup destinations page

  3. Select Google Cloud Platform.

  4. Select the Down arrow next to each setting and enter or select values:

    • Provider settings:

      • Create a new bucket. Enter the access key and secret key.

      • Enter or select your Google Cloud Platform project and region.

    • Encryption: If you are creating a new bucket, enter encryption key information given to you from the provider. If you chose an existing bucket, encryption information is already available.

      Data in the bucket is encrypted with Google-managed keys by default. You can continue to use Google-managed keys.

    • Networking: Choose the IPspace and whether you'll be using a Private Endpoint.

      • The IPspace is the cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access.

      • Optionally, choose whether you'll use an GCP private endpoint (PrivateLink) that you previously configured.

  5. Select Add.

Result

The new backup destination is added to the list of backup destinations.

Add Microsoft Azure as a backup destination

To set up Azure as a backup destination, enter the following information.

For details about managing your Azure credentials and marketplace subscriptions in BlueXP, refer to Manage your Azure credentials and marketplace subscriptions.

Steps
  1. In the Settings > Backup destinations page, select Add.

  2. Enter a name for the backup destination.

    Backup destinations page

  3. Select Azure.

  4. Select the Down arrow next to each setting and enter or select values:

    • Provider settings:

    • Encryption: If you are creating a new storage account, enter encryption key information given to you from the provider. If you chose an existing account, encryption information is already available.

      Data in the account is encrypted with Microsoft-managed keys by default. You can continue to use Microsoft-managed keys, or you can manage the encryption of your data using your own keys.

    • Networking: Choose the IPspace and whether you'll be using a Private Endpoint.

      • The IPspace is the cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access.

      • Optionally, choose whether you'll use an Azure private endpoint that you previously configured.

        If you want to use Azure PrivateLink, refer to Azure PrivateLink.

  5. Select Add.

Result

The new backup destination is added to the list of backup destinations.

Backup destinations page the Settings option

Enable threat detection

You can automatically send data to your security and event management system (SIEM) for threat analysis and detection. You can select the AWS Security Hub, Microsoft Sentinel, or Splunk Cloud as your SIEM.

Before you enable SIEM in BlueXP ransomware protection, you need to configure your SIEM system.

Configure AWS Security Hub for threat detection

Before you enable AWS Security Hub in BlueXP ransomware protection, you'll need to do the following high level steps in AWS Security Hub:

  • Set up permissions in AWS Security Hub.

  • Set up the authentication access key and secret key in AWS Security Hub. (These steps are not provided here.)

Steps to set up permissions in AWS Security Hub
  1. Go to AWS IAM console.

  2. Select Policies.

  3. Create a policy using the following code in JSON format:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "NetAppSecurityHubFindings",
          "Effect": "Allow",
          "Action": [
            "securityhub:BatchImportFindings",
            "securityhub:BatchUpdateFindings"
          ],
          "Resource": [
            "arn:aws:securityhub:*:*:product/*/default",
            "arn:aws:securityhub:*:*:hub/default"
          ]
        }
      ]
    }

Configure Microsoft Sentinel for threat detection

Before you enable Microsoft Sentinel in BlueXP ransomware protection, you'll need to do the following high level steps in Microsoft Sentinel:

  • Prerequisites

    • Enable Microsoft Sentinel.

    • Create a custom role in Microsoft Sentinel.

  • Registration

    • Register BlueXP ransomware protection to receive events from Microsoft Sentinel.

    • Create a secret for the registration.

  • Permissions: Assign permissions to the application.

  • Authentication: Enter authentication credentials for the application.

Steps to enable Microsoft Sentinel
  1. Go to Microsoft Sentinel.

  2. Create a Log Analytics workspace.

  3. Enable Microsoft Sentinel to use the Log Analytics workspace you just created.

Steps to create a custom role in Microsoft Sentinel
  1. Go to Microsoft Sentinel.

  2. Select Subscription > Access control (IAM).

  3. Enter a Custom role name. Use the name BlueXP Ransomware Protection Sentinel Configurator.

  4. Copy the following JSON and paste it into the JSON tab.

    {
      "roleName": "BlueXP Ransomware Protection Sentinel Configurator",
      "description": "",
      "assignableScopes":["/subscriptions/{subscription_id}"],
      "permissions": [
    
      ]
    }
  5. Review and save your settings.

Steps to register BlueXP ransomware protection to receive events from Microsoft Sentinel
  1. Go to Microsoft Sentinel.

  2. Select Entra ID > Applications > App registrations.

  3. For the Display name for the application, enter "BlueXP ransomware protection".

  4. In the Supported account type field, select Accounts in this organizational directory only.

  5. Select a Default Index where events will be pushed.

  6. Select Review.

  7. Select Register to save your settings.

    After registration, the Microsoft Entra admin center displays the application Overview pane.

Steps to create a secret for the registration
  1. Go to Microsoft Sentinel.

  2. Select Certificates & secrets > Client secrets > New client secret.

  3. Add a description for your application secret.

  4. Select an Expiration for the secret or specify a custom lifetime.

    Tip A client secret lifetime is limited to two years (24 months) or less. Microsoft recommends that you set an expiration value of less than 12 months.
  5. Select Add to create your secret.

  6. Record the secret to use in the Authentication step. The secret is never displayed again after you leave this page.

Steps to assign permissions to the application
  1. Go to Microsoft Sentinel.

  2. Select Subscription > Access control (IAM).

  3. Select Add > Add role assignment.

  4. For the Privileged administrator roles field, select BlueXP Ransomware Protection Sentinel Configurator.

    Tip This is the custom role that you created earlier.
  5. Select Next.

  6. In the Assign access to field, select User, group, or service principal.

  7. Select Select Members. Then, select BlueXP Ransomware Protection Sentinel Configurator.

  8. Select Next.

  9. In the What user can do feld, select Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended).

  10. Select Next.

  11. Select Review and assign to assign the permissions.

Steps to enter authentication credentials for the application
  1. Go to Microsoft Sentinel.

  2. Enter the credentials:

    1. Enter the tenant ID, the client application ID, and the client application secret.

    2. Click Authenticate.

      Note After the authentication is successful, an "Authenticated" message appears.
  3. Enter the Log Analytics workspace details for the application.

    1. Select the subscription ID, the resource group, and the Log Analytics workspace.

Configure Splunk Cloud for threat detection

Before you enable Splunk Cloud in BlueXP ransomware protection, you'll need to do the following high level steps in Splunk Cloud:

  • Enable an HTTP Event Collector in Splunk Cloud to receive event data via HTTP or HTTPS from BlueXP.

  • Create an Event Collector token in Splunk Cloud.

Steps to enable an HTTP Event Collector in Splunk
  1. Go to Splunk Cloud.

  2. Select Settings > Data Inputs.

  3. Select HTTP Event Collector > Global Settings.

  4. On the All Tokens toggle, select Enabled.

  5. To have the Event Collector listen and communicate over HTTPS rather than HTTP, select Enable SSL.

  6. Enter a port in HTTP Port Number for the HTTP Event Collector.

Steps to create an Event Collector token in Splunk
  1. Go to Splunk Cloud.

  2. Select Settings > Add Data.

  3. Select Monitor > HTTP Event Collector.

  4. Enter a Name for the token and select Next.

  5. Select a Default Index where events will be pushed, then select Review.

  6. Confirm that all settings for the endpoint are correct, then select Submit.

  7. Copy the token and paste it in another document to have it ready for the Authentication step.

Connect SIEM in BlueXP ransomware protection

Enabling SIEM sends data from BlueXP ransomware protection to your SIEM server for threat analysis and reporting.

Steps
  1. From the BlueXP menu, select Protection > Ransomware protection.

  2. From the BlueXP ransomware protection menu, select the vertical Vertical Actions…​ option at the top right.

  3. Select Settings.

    The Settings page appears.

    Settings page

  4. In the Settings page, select Connect in the SIEM connection tile.

    Enable threat detection details page

  5. Choose one of the SIEM systems.

  6. Enter the token and authentication details you configured in AWS Security Hub or Splunk Cloud.

    Note The information that you enter depends on the SIEM you selected.
  7. Select Enable.

    The Settings page shows "Connected."