Configure suspicious user activity detection in NetApp Ransomware Resilience
Ransomware Resilience supports detection of suspicious user behavior in detection policies, enabling you to address ransomware incidents at the user level.
Ransomware Resilience detects suspicious user activity by analyzing user activity events generated by FPolicy in ONTAP. To collect user activity data, you need to deploy one or more user activity agents. The agent is a Linux server or VM with connectivity to devices on your tenant.
Agents and collectors
At least one user activity agent must be installed to activate suspicious user activity detection in Ransomware Resilience. When you activate the suspicious user activity feature from the Ransomware Resilience dashboard, you need to provide the agent host information to activate the feature.
An agent can host multiple data collectors. Data collectors send data to a SaaS location for analysis. There are two types of collectors:
- The data collector collects user activity data from ONTAP.
- The user directory connector connects to your directory to map user IDs to usernames.
Collectors are configured in the Ransomware Resilience settings.
Enable suspicious user activity detection
Required Console role
To perform this task, you need the Ransomware Resilience user behavior admin role. Learn about Console access roles for all services.
Add a user activity agent
User activity agents are executable environments for data collectors; data collectors share user activity events with Ransomware Resilience. You must create at least one user activity agent to enable suspicious user activity detection.
Requirements
To install a user activity agent, you need a host or VM that meets the following operating system and server requirements.
Operating system requirements
Operating system | Supported versions
AlmaLinux | 9.4 (64 bit) through 9.5 (64 bit), and 10 (64 bit), including SELinux
CentOS | CentOS Stream 9 (64 bit)
Debian | 11 (64 bit) and 12 (64 bit), including SELinux
OpenSUSE Leap | 15.3 (64 bit) through 15.6 (64 bit)
Oracle Linux | 8.10 (64 bit), and 9.1 (64 bit) through 9.6 (64 bit), including SELinux
Red Hat | 8.10 (64 bit), 9.1 (64 bit) through 9.6 (64 bit), and 10 (64 bit), including SELinux
Rocky | 9.4 (64 bit) through 9.6 (64 bit), including SELinux
SUSE Enterprise Linux | 15 SP4 (64 bit) through 15 SP6 (64 bit), including SELinux
Ubuntu | 20.04 LTS (64 bit), 22.04 LTS (64 bit) and 24.04 LTS (64 bit)
Server requirements
The server must meet the following minimum requirements:
- CPU: 4 cores
- RAM: 16 GB
- Disk space: 35 GB free disk space
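A pre-deployment check for a candidate agent host, added here as an example; it is not part of NetApp's tooling. It encodes the operating system table and the minimum server requirements above, and when run directly on a Linux host it reads the live figures from /etc/os-release, /proc/meminfo and the root filesystem and reports whatever falls short. The /etc/os-release ID strings it matches on (rhel, ol, sles and so on) are an assumption about how each distribution identifies itself, the choice of the root filesystem for the disk check is an assumption, and the sample os-release text is constructed.

```python
"""Pre-flight check for a host that will run a user activity agent.

Added example, not NetApp tooling. Thresholds and OS ranges come from the tables above.
"""
import os
import platform
import re
import shutil
from typing import Dict, List, Tuple

MIN_CORES = 4
MIN_RAM_GIB = 16
MIN_FREE_DISK_GIB = 35
DISK_PATH = "/"          # assumption: the agent installs onto the root filesystem
RAM_TOLERANCE = 0.95     # MemTotal excludes kernel-reserved memory, so a 16 GB VM reports a little less

# Supported versions as inclusive (major, minor) ranges, keyed by the ID field of
# /etc/os-release. The ID strings are assumptions about how each distribution
# identifies itself (Red Hat reports "rhel", Oracle Linux "ol", SUSE "sles").
SUPPORTED: Dict[str, List[Tuple[Tuple[int, int], Tuple[int, int]]]] = {
    "almalinux": [((9, 4), (9, 5)), ((10, 0), (10, 99))],
    "centos": [((9, 0), (9, 99))],                      # CentOS Stream 9
    "debian": [((11, 0), (11, 99)), ((12, 0), (12, 99))],
    "opensuse-leap": [((15, 3), (15, 6))],
    "ol": [((8, 10), (8, 10)), ((9, 1), (9, 6))],
    "rhel": [((8, 10), (8, 10)), ((9, 1), (9, 6)), ((10, 0), (10, 99))],
    "rocky": [((9, 4), (9, 6))],
    "sles": [((15, 4), (15, 6))],                       # 15 SP4..SP6 report VERSION_ID 15.4..15.6
    "ubuntu": [((20, 4), (20, 4)), ((22, 4), (22, 4)), ((24, 4), (24, 4))],
}


def parse_os_release(text: str) -> Dict[str, str]:
    """Parse KEY=value lines of /etc/os-release, stripping optional quotes."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key] = value.strip().strip('"').strip("'")
    return fields


def parse_version(version_id: str) -> Tuple[int, int]:
    """'9.4' -> (9, 4); '22.04' -> (22, 4); '12' -> (12, 0)."""
    m = re.match(r"(\d+)(?:\.(\d+))?", version_id)
    if not m:
        raise ValueError("unparseable VERSION_ID: %r" % version_id)
    return int(m.group(1)), int(m.group(2) or 0)


def os_supported(os_id: str, version_id: str) -> bool:
    """True when (ID, VERSION_ID) falls inside one of the supported ranges."""
    ranges = SUPPORTED.get(os_id.lower())
    if not ranges:
        return False
    try:
        ver = parse_version(version_id)
    except ValueError:
        return False
    return any(low <= ver <= high for low, high in ranges)


def preflight(os_release_text: str, cores: int, ram_gib: float, free_disk_gib: float,
              arch_bits: str = "64bit") -> List[str]:
    """Return human-readable shortfalls; an empty list means the host qualifies."""
    problems: List[str] = []
    osr = parse_os_release(os_release_text)
    os_id, version_id = osr.get("ID", ""), osr.get("VERSION_ID", "")
    if not os_supported(os_id, version_id):
        problems.append("OS: %s %s is not in the supported list" % (os_id or "unknown", version_id or "?"))
    if arch_bits != "64bit":
        problems.append("Arch: %s userland, need 64 bit" % arch_bits)
    if cores < MIN_CORES:
        problems.append("CPU: %d cores, need at least %d" % (cores, MIN_CORES))
    if ram_gib < MIN_RAM_GIB * RAM_TOLERANCE:
        problems.append("RAM: %.1f GiB, need at least %d GiB" % (ram_gib, MIN_RAM_GIB))
    if free_disk_gib < MIN_FREE_DISK_GIB:
        problems.append("Disk: %.1f GiB free on %s, need at least %d GiB"
                        % (free_disk_gib, DISK_PATH, MIN_FREE_DISK_GIB))
    return problems


def live_values():
    """Collect the real figures from the host this script runs on (Linux only)."""
    with open("/etc/os-release") as f:
        osr = f.read()
    with open("/proc/meminfo") as f:
        mem_kib = int(next(l for l in f if l.startswith("MemTotal:")).split()[1])
    free_gib = shutil.disk_usage(DISK_PATH).free / 2**30
    return osr, os.cpu_count() or 0, mem_kib / 2**20, free_gib, platform.architecture()[0]


# Constructed /etc/os-release for a host that should pass.
SAMPLE_OS_RELEASE = 'NAME="Red Hat Enterprise Linux"\nID="rhel"\nVERSION_ID="9.4"\n'

if __name__ == "__main__":
    try:
        args = live_values()
    except (OSError, StopIteration):
        args = (SAMPLE_OS_RELEASE, 4, 16.0, 40.0, "64bit")   # non-Linux host: evaluate the sample
    issues = preflight(*args)
    print("OK: host meets the user activity agent requirements" if not issues else "\n".join(issues))
```

Run it on the VM before you hand its address to the Console agent; a non-empty report is cheaper to fix before the deployment attempt than after. The OS check is deliberately strict about minor versions, since the table is.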
- If this is your first time creating a user activity agent, go to the Dashboard. In the User activity tile, select Activate.
  If you're adding an additional user activity agent, go to Settings, locate the User activity tile, then select Manage. On the User activity screen, select the User activity agents tab, then Add.
- Select a Cloud provider, then a Region. Select Next.
- Provide the user activity agent details:
  - User activity agent name
  - Console agent: the Console agent must be in the same network as the user activity agent and have SSH connectivity to the user activity agent IP address.
  - VM DNS name or IP address
  - VM SSH key (the key the Console agent uses to connect to the VM over SSH)
  Select Next.
- Review your settings. Select Activate to complete adding the user activity agent.
- Confirm the user activity agent was successfully created. In the User activity tile, a successful deployment displays as Running.
After the user activity agent is successfully created, return to the Settings menu, then select Manage in the User activity tile. Select the User activity agents tab, then select the user activity agent to view details about it, including its data collectors and user directory connectors.
Add a data collector
Data collectors are created automatically when you enable a ransomware protection strategy with suspicious user activity detection. For more information, see add a detection policy.
You can view the details of the data collector. From Settings, select Manage in the User activity tile. Select the Data collector tab then select the data collector to view its details or pause it.
Add a user directory connector
To map user IDs to user names, you must create a user directory connector.
- In Ransomware Resilience, go to Settings.
- In the User activity tile, select Manage.
- Select the User directory connectors tab, then Add.
- Provide the details of the connection:
  - Name
  - User directory type
  - Server IP address or domain name
  - Forest name or search name
  - BIND domain name (the account used to bind to the directory; use a dedicated, read-only account, since the connector only needs to search)
  - BIND password
  - Protocol (optional). Where the directory supports LDAPS, use it so that the bind credentials and the directory data are not sent in cleartext.
  - Port (typically 389 for LDAP and 636 for LDAPS)
  Provide the attribute mapping details:
  - Display name
  - SID (if you're using LDAP)
  - User name
  - Unix ID (if you're using NFS)
  - Select Include optional attributes to also include email address, telephone number, role, state, country, department, photo, manager DN, or groups.
  Select Advanced to add an optional search query.
- Select Add.
- Return to the User directory connectors tab to check the status of your user directory connector. If created successfully, the status of the user directory connector displays as Running.
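The attribute mapping above tells the connector which directory attribute supplies each field, so that the raw identities in user activity events (a Windows SID from SMB clients, a numeric Unix ID from NFS clients) can be shown as user names. The following is an added illustration of that mapping step, written for this page; it is not the connector's code and does not describe how the product implements it. The attribute names (displayName, objectSid, sAMAccountName, uidNumber), the directory entries and the event records are all constructed for the example; the event field names are an assumption. It also shows the failure mode worth watching for: an identity with no directory entry must stay visible as its raw ID rather than disappear.

```python
"""Illustration of the ID-to-user-name mapping a user directory connector performs.

Added example, not NetApp code. Directory entries and events below are constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Attribute mapping as configured on the connector: which directory attribute supplies
# each field. Common Active Directory / RFC 2307 names, assumed for the example.
ATTRIBUTE_MAPPING = {
    "display_name": "displayName",
    "sid": "objectSid",          # binary SID in Active Directory
    "user_name": "sAMAccountName",
    "unix_id": "uidNumber",      # RFC 2307 UID reported by NFS clients
}


def decode_sid(raw: bytes) -> str:
    """Render a binary Windows SID (as stored in objectSid) as S-R-A-S1-S2-... text."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")              # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)    # 32-bit little-endian each
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def encode_sid(text: str) -> bytes:
    """Inverse of decode_sid; used here only to build realistic sample entries."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


DOMAIN = "S-1-5-21-3623811015-3361044348-30300820"   # constructed domain SID

# Constructed directory entries, keyed by raw attribute name as a search would return them.
DIRECTORY_ENTRIES = [
    {"displayName": "Alice Example", "sAMAccountName": "alice",
     "objectSid": encode_sid(DOMAIN + "-1013"), "uidNumber": "10013"},
    {"displayName": "Bob Example", "sAMAccountName": "bob",
     "objectSid": encode_sid(DOMAIN + "-1027"), "uidNumber": "10027"},
    # A service account with no Unix ID: NFS events can never map to it.
    {"displayName": "Backup Service", "sAMAccountName": "svc-backup",
     "objectSid": encode_sid(DOMAIN + "-1105")},
]


def build_user_map(entries: List[dict], mapping: Dict[str, str]) -> Dict[Tuple[str, str], str]:
    """Index entries by ('sid', 'S-1-5-...') and ('uid', '10013') -> user name."""
    index: Dict[Tuple[str, str], str] = {}
    for entry in entries:
        name = entry.get(mapping["user_name"])
        if not name:
            continue   # nothing meaningful to display for this entry
        sid = entry.get(mapping["sid"])
        if sid:
            index[("sid", decode_sid(sid))] = name
        uid = entry.get(mapping["unix_id"])
        if uid is not None:
            index[("uid", str(uid))] = name
    return index


# Constructed user activity events carrying the SMB (SID) and NFS (UID) identities as
# reported by the client protocol; the field names are an assumption for the example.
EVENTS = [
    {"protocol": "smb", "user_id": DOMAIN + "-1013", "op": "rename", "path": "/vol1/finance/q3.xlsx"},
    {"protocol": "nfs", "user_id": "10027", "op": "write", "path": "/vol1/eng/build.log"},
    {"protocol": "smb", "user_id": DOMAIN + "-1105", "op": "delete", "path": "/vol1/backups/old.bak"},
    {"protocol": "nfs", "user_id": "0", "op": "delete", "path": "/vol1/eng/.git/index"},  # root on a client
]


def resolve_events(events: List[dict], user_map: Dict[Tuple[str, str], str]) -> List[dict]:
    """Attach a user name to each event; keep the raw ID visible when nothing maps."""
    resolved = []
    for ev in events:
        key = ("sid", ev["user_id"]) if ev["protocol"] == "smb" else ("uid", ev["user_id"])
        out = dict(ev)
        name: Optional[str] = user_map.get(key)
        out["user_name"] = name            # None when the directory has no matching entry
        out["mapped"] = name is not None
        resolved.append(out)
    return resolved


if __name__ == "__main__":
    for ev in resolve_events(EVENTS, build_user_map(DIRECTORY_ENTRIES, ATTRIBUTE_MAPPING)):
        who = ev["user_name"] or "UNMAPPED %s" % ev["user_id"]
        print("%-4s %-7s %-12s %s" % (ev["protocol"], ev["op"], who, ev["path"]))
```

Two things to verify against a real connector follow from this: search the directory once with your bind account and confirm that the attributes you mapped are actually populated for ordinary users (an empty uidNumber leaves every NFS event unmapped), and check the alerts page for identities that come through unmapped, since those are exactly the accounts (local users, root on NFS clients, stale SIDs) an attacker is most likely to be using.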
Delete a user directory connector
- In Ransomware Resilience, go to Settings.
- Locate the User activity tile, then select Manage.
- Select the User directory connectors tab.
- Identify the user directory connector you want to delete. In the action menu at the end of the line, select the three dots (…), then Delete.
- In the pop-up dialog, select Delete to confirm.
Respond to suspicious user activity alerts
After you configure suspicious user activity detection, you can monitor events in the alerts page. For more information, see Detect malicious activity and anomalous user behavior.