Configure BlueXP ransomware protection settings
You can configure a backup destination, enable threat detection, or configure connection to Data Infrastructure Insights Workload security by accessing the Settings option. Enabling threat detection automatically sends data to your security and event management system (SIEM) for threat analysis.
From the Settings page, you can do the following:
-
Configure the connection to Data Infrastructure Insights Workload security to see suspected user information in ransomware alerts.
-
Add a backup destination.
-
Connect your security and event management system (SIEM) for threat analysis and detection.
Access the Settings page directly
You can easily access the Settings page from the Actions option near the top menu.
-
From the BlueXP ransomware protection menu, select the vertical … option at the top right.
-
From the drop-down menu, select Settings.
Connect to Data Infrastructure Insights Workload security to see suspected anomalous user behavior
Before you can view details of suspected anomalous user behavior in BlueXP ransomware protection, you need to configure the connection to the Data Infrastructure Insights Workload security system.
Obtain an API access token from the Data Infrastructure Insights Workload security system
Obtain an API access token from the Data Infrastructure Insights Workload security system.
-
Log in to the Data Infrastructure Insights Workload security system.
-
From the left navigation, select Admin > API Access.
-
Either create an API access token or use an existing one.
-
Copy the API access token.
Connect to Data Infrastructure Insights Workload security
-
From the BlueXP ransomware protection Settings menu, select Workload security connection.
-
Select Connect.
-
Enter the URL for the Data Infrastructure Workload security UI.
-
Enter the API access token that provides access to Workload security.
-
Select Connect.
Add a backup destination
BlueXP ransomware protection can identify workloads that do not have any backups yet and also workloads that do not have any backup destinations assigned yet.
To protect those workloads, you should add a backup destination. You can choose one of the following backup destinations:
-
NetApp StorageGRID
-
Amazon Web Services (AWS)
-
Google Cloud Platform
-
Microsoft Azure
You can add a backup destination based on a recommended action from the Dashboard or from accessing the Settings option on the menu.
Access Backup Destination options from the Dashboard's recommended actions
The Dashboard provides many recommendations. One recommendation might be to configure a backup destination.
-
From the BlueXP left navigation, select Protection > Ransomware protection.
-
Review the Dashboard's Recommended actions pane.
-
From the Dashboard, select Review and fix for the recommendation of "Prepare <backup provider> as a backup destination."
-
Continue with instructions depending on the backup provider.
Add StorageGRID as a backup destination
To set up NetApp StorageGRID as a backup destination, enter the following information.
-
In the Settings > Backup destinations page, select Add.
-
Enter a name for the backup destination.
-
Select StorageGRID.
-
Select the Down arrow next to each setting and enter or select values:
-
Provider settings:
-
Create a new bucket or bring your own bucket that will store the backups.
-
StorageGRID gateway node fully qualified domain name, port, StorageGRID access key and secret key credentials.
-
-
Networking: Choose the IPspace.
-
The IPspace is the cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access.
-
-
-
Select Add.
The new backup destination is added to the list of backup destinations.
Add Amazon Web Services as a backup destination
To set up AWS as a backup destination, enter the following information.
For details about managing your AWS storage in BlueXP, refer to Manage your Amazon S3 buckets.
-
In the Settings > Backup destinations page, select Add.
-
Enter a name for the backup destination.
-
Select Amazon Web Services.
-
Select the Down arrow next to each setting and enter or select values:
-
Provider settings:
-
Create a new bucket, select an existing bucket if one already exists in BlueXP, or bring your own bucket that will store the backups.
-
AWS account, region, access key and secret key for AWS credentials
-
-
Encryption: If you are creating a new S3 bucket, enter encryption key information given to you from the provider. If you chose an existing bucket, encryption information is already available.
Data in the bucket is encrypted with AWS-managed keys by default. You can continue to use AWS-managed keys, or you can manage the encryption of your data using your own keys.
-
Networking: Choose the IPspace and whether you'll be using a Private Endpoint.
-
The IPspace is the cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access.
-
Optionally, choose whether you'll use an AWS private endpoint (PrivateLink) that you previously configured.
If you want to use AWS PrivateLink, refer to AWS PrivateLink for Amazon S3.
-
-
Backup lock: Choose whether you want the service to protect backups from being modified or deleted. This option uses the NetApp DataLock technology. Each backup will be locked during the retention period, or for a minimum of 30 days, plus a buffer period of up to 14 days.
If you configure the backup lock setting now, you cannot change the setting later after the backup destination is configured. -
Governance mode: Specific users (with s3:BypassGovernanceRetention permission) can overwrite or delete protected files during the retention period.
-
Compliance mode: Users cannot overwrite or delete protected backup files during the retention period.
-
-
-
Select Add.
The new backup destination is added to the list of backup destinations.
Add Google Cloud Platform as a backup destination
To set up Google Cloud Platform (GCP) as a backup destination, enter the following information.
For details about managing your GCP storage in BlueXP, refer to Connector installation options in Google Cloud.
-
In the Settings > Backup destinations page, select Add.
-
Enter a name for the backup destination.
-
Select Google Cloud Platform.
-
Select the Down arrow next to each setting and enter or select values:
-
Provider settings:
-
Create a new bucket. Enter the access key and secret key.
-
Enter or select your Google Cloud Platform project and region.
-
-
Encryption: If you are creating a new bucket, enter encryption key information given to you from the provider. If you chose an existing bucket, encryption information is already available.
Data in the bucket is encrypted with Google-managed keys by default. You can continue to use Google-managed keys.
-
Networking: Choose the IPspace and whether you'll be using a Private Endpoint.
-
The IPspace is the cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access.
-
Optionally, choose whether you'll use an GCP private endpoint (PrivateLink) that you previously configured.
-
-
-
Select Add.
The new backup destination is added to the list of backup destinations.
Add Microsoft Azure as a backup destination
To set up Azure as a backup destination, enter the following information.
For details about managing your Azure credentials and marketplace subscriptions in BlueXP, refer to Manage your Azure credentials and marketplace subscriptions.
-
In the Settings > Backup destinations page, select Add.
-
Enter a name for the backup destination.
-
Select Azure.
-
Select the Down arrow next to each setting and enter or select values:
-
Provider settings:
-
Create a new storage account, select an existing one if one already exists in BlueXP, or bring your own storage account that will store the backups.
-
Azure subscription, region, and resource group for Azure credentials
-
-
Encryption: If you are creating a new storage account, enter encryption key information given to you from the provider. If you chose an existing account, encryption information is already available.
Data in the account is encrypted with Microsoft-managed keys by default. You can continue to use Microsoft-managed keys, or you can manage the encryption of your data using your own keys.
-
Networking: Choose the IPspace and whether you'll be using a Private Endpoint.
-
The IPspace is the cluster where the volumes you want to back up reside. The intercluster LIFs for this IPspace must have outbound internet access.
-
Optionally, choose whether you'll use an Azure private endpoint that you previously configured.
If you want to use Azure PrivateLink, refer to Azure PrivateLink.
-
-
-
Select Add.
The new backup destination is added to the list of backup destinations.
Enable threat detection
You can automatically send data to your security and event management system (SIEM) for threat analysis and detection. You can select the AWS Security Hub, Microsoft Sentinel, or Splunk Cloud as your SIEM.
Before you enable SIEM in BlueXP ransomware protection, you need to configure your SIEM system.
Configure AWS Security Hub for threat detection
Before you enable AWS Security Hub in BlueXP ransomware protection, you'll need to do the following high level steps in AWS Security Hub:
-
Set up permissions in AWS Security Hub.
-
Set up the authentication access key and secret key in AWS Security Hub. (These steps are not provided here.)
-
Go to AWS IAM console.
-
Select Policies.
-
Create a policy using the following code in JSON format:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "NetAppSecurityHubFindings", "Effect": "Allow", "Action": [ "securityhub:BatchImportFindings", "securityhub:BatchUpdateFindings" ], "Resource": [ "arn:aws:securityhub:*:*:product/*/default", "arn:aws:securityhub:*:*:hub/default" ] } ] }
Configure Microsoft Sentinel for threat detection
Before you enable Microsoft Sentinel in BlueXP ransomware protection, you'll need to do the following high level steps in Microsoft Sentinel:
-
Prerequisites
-
Enable Microsoft Sentinel.
-
Create a custom role in Microsoft Sentinel.
-
-
Registration
-
Register BlueXP ransomware protection to receive events from Microsoft Sentinel.
-
Create a secret for the registration.
-
-
Permissions: Assign permissions to the application.
-
Authentication: Enter authentication credentials for the application.
-
Go to Microsoft Sentinel.
-
Create a Log Analytics workspace.
-
Enable Microsoft Sentinel to use the Log Analytics workspace you just created.
-
Go to Microsoft Sentinel.
-
Select Subscription > Access control (IAM).
-
Enter a Custom role name. Use the name BlueXP Ransomware Protection Sentinel Configurator.
-
Copy the following JSON and paste it into the JSON tab.
{ "roleName": "BlueXP Ransomware Protection Sentinel Configurator", "description": "", "assignableScopes":["/subscriptions/{subscription_id}"], "permissions": [ ] }
-
Review and save your settings.
-
Go to Microsoft Sentinel.
-
Select Entra ID > Applications > App registrations.
-
For the Display name for the application, enter "BlueXP ransomware protection".
-
In the Supported account type field, select Accounts in this organizational directory only.
-
Select a Default Index where events will be pushed.
-
Select Review.
-
Select Register to save your settings.
After registration, the Microsoft Entra admin center displays the application Overview pane.
-
Go to Microsoft Sentinel.
-
Select Certificates & secrets > Client secrets > New client secret.
-
Add a description for your application secret.
-
Select an Expiration for the secret or specify a custom lifetime.
A client secret lifetime is limited to two years (24 months) or less. Microsoft recommends that you set an expiration value of less than 12 months. -
Select Add to create your secret.
-
Record the secret to use in the Authentication step. The secret is never displayed again after you leave this page.
-
Go to Microsoft Sentinel.
-
Select Subscription > Access control (IAM).
-
Select Add > Add role assignment.
-
For the Privileged administrator roles field, select BlueXP Ransomware Protection Sentinel Configurator.
This is the custom role that you created earlier. -
Select Next.
-
In the Assign access to field, select User, group, or service principal.
-
Select Select Members. Then, select BlueXP Ransomware Protection Sentinel Configurator.
-
Select Next.
-
In the What user can do feld, select Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended).
-
Select Next.
-
Select Review and assign to assign the permissions.
-
Go to Microsoft Sentinel.
-
Enter the credentials:
-
Enter the tenant ID, the client application ID, and the client application secret.
-
Click Authenticate.
After the authentication is successful, an "Authenticated" message appears.
-
-
Enter the Log Analytics workspace details for the application.
-
Select the subscription ID, the resource group, and the Log Analytics workspace.
-
Configure Splunk Cloud for threat detection
Before you enable Splunk Cloud in BlueXP ransomware protection, you'll need to do the following high level steps in Splunk Cloud:
-
Enable an HTTP Event Collector in Splunk Cloud to receive event data via HTTP or HTTPS from BlueXP.
-
Create an Event Collector token in Splunk Cloud.
-
Go to Splunk Cloud.
-
Select Settings > Data Inputs.
-
Select HTTP Event Collector > Global Settings.
-
On the All Tokens toggle, select Enabled.
-
To have the Event Collector listen and communicate over HTTPS rather than HTTP, select Enable SSL.
-
Enter a port in HTTP Port Number for the HTTP Event Collector.
-
Go to Splunk Cloud.
-
Select Settings > Add Data.
-
Select Monitor > HTTP Event Collector.
-
Enter a Name for the token and select Next.
-
Select a Default Index where events will be pushed, then select Review.
-
Confirm that all settings for the endpoint are correct, then select Submit.
-
Copy the token and paste it in another document to have it ready for the Authentication step.
Connect SIEM in BlueXP ransomware protection
Enabling SIEM sends data from BlueXP ransomware protection to your SIEM server for threat analysis and reporting.
-
From the BlueXP menu, select Protection > Ransomware protection.
-
From the BlueXP ransomware protection menu, select the vertical … option at the top right.
-
Select Settings.
The Settings page appears.
-
In the Settings page, select Connect in the SIEM connection tile.
-
Choose one of the SIEM systems.
-
Enter the token and authentication details you configured in AWS Security Hub or Splunk Cloud.
The information that you enter depends on the SIEM you selected. -
Select Enable.
The Settings page shows "Connected."