
Configure suspicious user activity detection in NetApp Ransomware Resilience

Contributors: netapp-ahibbard

Ransomware Resilience supports detection of suspicious user behavior in detection policies, enabling you to address ransomware incidents at the user level.

Ransomware Resilience detects suspicious user activity by analyzing user activity events generated by FPolicy in ONTAP. To collect user activity data, you need to deploy one or more user activity agents. The user activity agent is a Linux server or VM with connectivity to devices on your tenant.

User activity agents and collectors

At least one user activity agent must be installed to activate suspicious user activity detection in Ransomware Resilience. When you activate the suspicious user activity feature from the Ransomware Resilience dashboard, you need to provide the user activity agent host information.

A user activity agent can host multiple data collectors. Data collectors send data to a SaaS location for analysis. There are two types of collectors:

  • The data collector collects user activity data from ONTAP.

  • The user directory connector connects to your directory to map user IDs to usernames.

Collectors are configured in the Ransomware Resilience settings.

Required Console role
To activate suspicious user activity detection, you need the Organization admin role. For subsequent configurations for suspicious user activity, you need the Ransomware Resilience user behavior admin role. Learn about Ransomware Resilience roles for NetApp Console.

System requirements

To install a user activity agent, you need a host or VM that meets the following requirements.

Operating system requirements

Operating system | Supported versions
AlmaLinux | 9.4 (64 bit) through 9.5 (64 bit), and 10 (64 bit), including SELinux
CentOS | CentOS Stream 9 (64 bit)
Debian | 11 (64 bit), 12 (64 bit), including SELinux
OpenSUSE Leap | 15.3 (64 bit) through 15.6 (64 bit)
Oracle Linux | 8.10 (64 bit), and 9.1 (64 bit) through 9.6 (64 bit), including SELinux
Red Hat | 8.10 (64 bit), 9.1 (64 bit) through 9.6 (64 bit), and 10 (64 bit), including SELinux
Rocky | Rocky 9.4 (64 bit) through 9.6 (64 bit), including SELinux
SUSE Enterprise Linux | 15 SP4 (64 bit) through 15 SP6 (64 bit), including SELinux
Ubuntu | 20.04 LTS (64 bit), 22.04 LTS (64 bit) and 24.04 LTS (64 bit)

Note The machine you use for the user activity agent should not be running other application-level software. A dedicated server is recommended.

The unzip command is required for installation. The sudo su - command is required for installation, running scripts, and uninstallation.

Server requirements

The server must meet the following minimum requirements:

  • CPU: 4 cores

  • RAM: 16 GB

  • Disk space: 36 GB free disk space

Note Allocate extra disk space to allow for the creation of the filesystem. Ensure that there is at least 35 GB of free space in the filesystem.
If /opt is a mounted folder from a NAS storage, local users must have access to this folder. User activity agent creation can fail if local users don't have the necessary permissions.
Note It's recommended you install the user activity agent on a different system than your Ransomware Resilience environment. If you do install them on the same machine, you should allow for 50 to 55 GB of disk space. For Linux, allocate 25-30 GB of space to /opt/netapp and 25 GB to /var/log/netapp.
Tip It's recommended you synchronize the time on both the ONTAP system and the user activity agent machine using Network Time Protocol (NTP) or Simple Network Time Protocol (SNTP).
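A pre-flight script that checks a candidate host against the requirements above (cores, RAM, free disk for /opt/netapp, unzip, NTP sync, and a NAS-mounted /opt). It is an added example, not NetApp's installer; it assumes a Linux host with GNU coreutils and systemd's timedatectl.

```shell
#!/bin/sh
# Pre-flight check for a candidate user activity agent host. Added example, not
# NetApp's installer. Thresholds are the minimums listed above; /opt/netapp follows
# the install note. Assumes a Linux host with GNU coreutils and systemd's timedatectl.

MIN_CORES=4
MIN_RAM_KB=$((16 * 1024 * 1024))    # 16 GB
MIN_FREE_KB=$((36 * 1024 * 1024))   # 36 GB free on the filesystem used for the install

# meets_min VALUE MIN: succeeds when VALUE >= MIN (integers)
meets_min() { [ "$1" -ge "$2" ]; }

# fs_free_kb PATH: free KB on the filesystem that will hold PATH, walking up to
# the nearest existing parent so a not-yet-created /opt/netapp still works
fs_free_kb() {
  p=$1
  while [ ! -d "$p" ]; do p=$(dirname "$p"); done
  df -Pk "$p" | awk 'NR == 2 { print $4 }'
}

# fs_on_nas PATH: succeeds when PATH sits on an NFS or CIFS mount (see the note on /opt)
fs_on_nas() {
  df -PT "$1" 2>/dev/null | awk 'NR == 2 { print $2 }' | grep -Eq '^(nfs|nfs4|cifs)$'
}

# report LABEL VALUE MIN: print OK or FAIL for one numeric check; returns 0 or 1
report() {
  if meets_min "$2" "$3"; then echo "OK   $1: $2"; return 0; fi
  echo "FAIL $1: $2 (minimum $3)"; return 1
}

run_checks() {
  rc=0
  report "CPU cores" "$(nproc)" "$MIN_CORES" || rc=1
  report "RAM (KB)" "$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)" "$MIN_RAM_KB" || rc=1
  report "free disk for /opt/netapp (KB)" "$(fs_free_kb /opt/netapp)" "$MIN_FREE_KB" || rc=1
  command -v unzip >/dev/null 2>&1 && echo "OK   unzip present" || { echo "FAIL unzip missing"; rc=1; }
  if timedatectl show -p NTPSynchronized --value 2>/dev/null | grep -q '^yes$'; then
    echo "OK   clock is NTP-synchronized"
  else
    echo "WARN clock not reported as synchronized; sync it with the ONTAP system via NTP/SNTP"
  fi
  fs_on_nas /opt && echo "WARN /opt is NAS-mounted: confirm local users can access it"
  return $rc
}

# Run the checks only when invoked as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then run_checks; fi
```

The script exits non-zero when any hard minimum is missed; time-sync and NAS findings are warnings because the page recommends rather than requires them.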

Cloud network access rules

Review the cloud network access rules for your relevant geography (Asia Pacific, Europe, or United States).

APAC-based user-activity agent deployments

Protocol | Port | Source | Destination | Description
TCP | 443 | User activity agent | Ransomware Resilience service | Access to Ransomware Resilience
TCP | 443 | User activity agent | Ransomware Resilience service | Access to authentication services

Europe-based user-activity agent deployments

Protocol | Port | Source | Destination | Description
TCP | 443 | User activity agent | Ransomware Resilience service | Access to Ransomware Resilience
TCP | 443 | User activity agent | Ransomware Resilience service | Access to authentication services

US-based user-activity agent deployments

Protocol | Port | Source | Destination | Description
TCP | 443 | User activity agent | Ransomware Resilience service | Access to Ransomware Resilience
TCP | 443 | User activity agent | Ransomware Resilience service | Access to authentication services

In-network rules

Protocol | Port | Source | Destination | Description
TCP | 389 (LDAP), 636 (LDAPS / StartTLS) | User activity agent | LDAP server URL | Connect to LDAP
TCP | 443 | User activity agent | Cluster or SVM management IP address (depending on SVM collector configuration) | API communication with ONTAP
TCP | 35000-55000 | SVM data LIF IP addresses | User activity agent | Communication from ONTAP to the user activity agent for FPolicy events. These ports must be opened towards the user activity agent so that ONTAP can send events to it, including through any firewall on the user activity agent itself (if present). Note: You don't need to reserve all of these ports, but the ports you reserve for this must be within this range. It's recommended you start by reserving 100 ports and increase if necessary.
TCP | 35000-55000 | Cluster management IP | User activity agent | Communication from the ONTAP cluster management IP to the user activity agent for EMS events. These ports must be opened towards the user activity agent so that ONTAP can send EMS events to it, including through any firewall on the user activity agent itself. Note: You don't need to reserve all of these ports, but the ports you reserve for this must be within this range. It's recommended you start by reserving 100 ports and increase if necessary.
SSH | 22 | User activity agent | Cluster management | Needed for CIFS/SMB user blocking.
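For the two inbound rows above (FPolicy events from the SVM data LIFs, EMS events from the cluster management IP), this added script generates host-firewall rules for the agent that admit only those sources on a 100-port block inside 35000-55000. It is not NetApp's tooling; it assumes firewalld on the agent host, and the addresses and port blocks are constructed values.

```shell
#!/bin/sh
# Host-firewall rules for the two inbound rows of the in-network table: FPolicy events
# from the SVM data LIFs and EMS events from the cluster management IP. Added example,
# not NetApp's tooling. Assumes firewalld (RHEL-family hosts); the addresses and the two
# 100-port blocks are constructed values.

RANGE_MIN=35000
RANGE_MAX=55000

# inbound_range_rules START COUNT SRC...: print one firewall-cmd rich rule per source
# address allowing TCP ports START..START+COUNT-1; fails when the block falls outside
# 35000-55000, which ONTAP would not use.
inbound_range_rules() {
  start=$1; count=$2; shift 2
  end=$((start + count - 1))
  if [ "$start" -lt "$RANGE_MIN" ] || [ "$end" -gt "$RANGE_MAX" ]; then
    echo "error: $start-$end is outside $RANGE_MIN-$RANGE_MAX" >&2
    return 1
  fi
  for src in "$@"; do
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s-%s\" protocol=\"tcp\" accept'\n" \
      "$src" "$start" "$end"
  done
}

# agent_firewall_rules: the full inbound set for one agent, followed by a reload.
# Separate blocks keep the FPolicy and EMS rules independently auditable (a constructed choice).
agent_firewall_rules() {
  # FPolicy: 100 ports from 35000, only from the SVM data LIFs (constructed addresses)
  inbound_range_rules 35000 100 192.0.2.11 192.0.2.12 || return 1
  # EMS: the next 100 ports, only from the cluster management IP (constructed address)
  inbound_range_rules 35100 100 192.0.2.1 || return 1
  echo "firewall-cmd --reload"
}

# Print the commands for review: sh agent-fw.sh --print
if [ "${1:-}" = "--print" ]; then agent_firewall_rules; fi
```

Review the printed commands before running them as root; the reload applies the permanent rules.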

Enable suspicious user activity detection

Ensure you've met the system requirements for the user activity agent. Ensure that your configuration adheres to the supported cloud providers and regions.

Cloud provider support

Suspicious user activity data can be stored in AWS and Azure in the following regions:

Cloud provider | Region
AWS | Asia Pacific (Sydney) (ap-southeast-2), Europe (Frankfurt) (eu-central-1), US East (N. Virginia) (us-east-1)
Azure | East US

Add a user activity agent

User activity agents are executable environments for data collectors; data collectors share user activity events with Ransomware Resilience. You must create at least one user activity agent to enable suspicious user activity detection.

Steps
  1. If this is your first time creating a user activity agent, go to the Dashboard. In the User activity tile, select Activate.

    If you're adding an additional user activity agent, go to Settings, locate the User activity tile, then select Manage. On the User activity screen, select the User activity agents tab then Add.

  2. Select a Cloud provider then a Region. Select Next.

  3. Provide the user activity agent details:

    • User activity agent name

    • Console agent - The Console agent should be in the same network as the user activity agent and have SSH connectivity to the user activity agent's IP address.

    • VM DNS name or IP address

    • VM SSH Key


  4. Select Next.

  5. Review your settings. Select Activate to complete adding the user activity agent.

  6. Confirm the user activity agent was successfully created. In the User activity tile, a successful deployment displays as Running.

Result

After the user activity agent is successfully created, return to the Settings menu then select Manage in the User activity tile. Select the User activity agent tab then select the user activity agent to view details about it, including data collectors and user directory connectors.

Add a data collector

Data collectors are created automatically when you enable a ransomware protection strategy with suspicious user activity detection. For more information, see add a detection policy.

You can view the details of the data collector. From Settings, select Manage in the User activity tile. Select the Data collector tab then select the data collector to view its details or pause it.


Add a user directory connector

To map user IDs to usernames, you must create a user directory connector.

Steps
  1. In Ransomware Resilience, go to Settings.

  2. In the User activity tile, select Manage.

  3. Select the User directory connectors tab then Add.

  4. Configure the connection. Enter the required information for each field.

    Field | Description
    Name | Enter a unique name for the user directory connector
    User directory type | The directory type
    Server IP address or domain name | The IP address or Fully-Qualified Domain Name (FQDN) of the server hosting the connection
    Forest name or search name | You can specify the forest level of the directory structure as the direct domain name (for example unit.company.com) or a set of relative distinguished names (for example: DC=unit,DC=company,DC=com). You can also enter an OU to filter by an organizational unit or a CN to limit to a specific user (for example: CN=user,OU=engineering,DC=unit,DC=company,DC=com).
    BIND DN | The BIND DN is a user account permitted to search the directory, such as user@domain.com. The user requires the Domain Read Only permission.
    BIND password | The password for the user provided in BIND DN
    Protocol | The protocol field is optional. You can use LDAP, LDAPS, or LDAP over StartTLS.
    Port | Enter your chosen port number


    Provide the attribute mapping details:

    • Display name

    • SID (if you're using LDAP)

    • User name

    • Unix ID (if you're using NFS)

    • If you select Include optional attributes, you can also add an email address, telephone number, role, state, country, department, photo, manager DN, or groups.
      Select Advanced to add an optional search query.

  5. Select Add.

  6. Return to the user directory connectors tab to check the status of your user directory connector. If created successfully, the status of the user directory connector displays as Running.
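Before saving the connector, you can test the same server, protocol, port, BIND DN and search base with ldapsearch from the agent host. The script below is an added example, not part of Ransomware Resilience; it assumes OpenLDAP's ldapsearch and an Active Directory target, and the AD attribute names, host, DN, base and password file are assumptions.

```shell
#!/bin/sh
# Probe the directory with the values you are about to enter in the user directory
# connector form. Added example, not part of the product. Assumes OpenLDAP's
# ldapsearch on the agent host and an Active Directory target (attribute names
# displayName, sAMAccountName, objectSid, uidNumber are assumed); host, DN, base and
# password file below are constructed.

# ldap_uri PROTOCOL HOST [PORT]: map the form's protocol to a URI. LDAP and LDAP over
# StartTLS use 389, LDAPS uses 636 (the in-network rule ports) unless PORT is given.
ldap_uri() {
  case "$(echo "$1" | tr '[:lower:]' '[:upper:]')" in
    LDAP|STARTTLS) echo "ldap://$2:${3:-389}" ;;
    LDAPS)         echo "ldaps://$2:${3:-636}" ;;
    *) echo "unknown protocol: $1" >&2; return 1 ;;
  esac
}

# tls_flag PROTOCOL: -ZZ makes ldapsearch abort unless StartTLS succeeds, so a
# downgrade to plaintext is never silently accepted
tls_flag() {
  case "$(echo "$1" | tr '[:lower:]' '[:upper:]')" in
    STARTTLS) echo "-ZZ" ;;
    *)        echo "" ;;
  esac
}

# probe_cmd PROTOCOL HOST PORT BIND_DN BASE PASSFILE: build the ldapsearch command.
# The bind password is read from PASSFILE (-y) so it stays out of the process list;
# -z 5 caps the result at five entries, enough to confirm the mapped attributes.
probe_cmd() {
  uri=$(ldap_uri "$1" "$2" "$3") || return 1
  tls=$(tls_flag "$1")
  printf "ldapsearch -LLL -o ldif-wrap=no -z 5 ${tls:+$tls }-H %s -D '%s' -y '%s' -b '%s' -s sub '(sAMAccountName=*)' displayName sAMAccountName objectSid uidNumber\n" \
    "$uri" "$4" "$6" "$5"
}

# Print the command for review: sh ldap-probe.sh --print
if [ "${1:-}" = "--print" ]; then
  probe_cmd StartTLS dc01.unit.company.com "" 'svc-ldap-ro@unit.company.com' \
    'DC=unit,DC=company,DC=com' /root/.ldap-connector.pass
fi
```

If the printed command returns entries carrying objectSid (and uidNumber for NFS users), the same values will work in the connector form and the attribute mapping has something to map.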

Delete a user directory connector

  1. In Ransomware Resilience, go to Settings.

  2. Locate the User activity tile, select Manage.

  3. Select the User directory connector tab.

  4. Identify the user directory connector you want to delete. In the action menu at the end of the line, select the three dots (...) then Delete.

  5. In the pop-up dialog, select Delete to confirm your actions.

Respond to suspicious user activity alerts

After you configure suspicious user activity detection, you can monitor events in the alerts page. For more information, see Detect malicious activity and anomalous user behavior.