Skip to main content
NetApp Ransomware Resilience

Connect NetApp Ransomware Resilience to a SIEM for threat analysis and detection

Contributors netapp-ahibbard
PDFs

A security information and event management (SIEM) system centralizes log and event data to provide insights into security events and compliance. NetApp Ransomware Resilience supports automatically sending data to your SIEM for streamlined threat analysis and detection.

Ransomware Resilience supports the following SIEM systems:

  • AWS Security Hub

  • Google SecOps

  • Microsoft Sentinel

  • Splunk Cloud

  • Splunk Enterprise

Tip Ransomware Resilience also provides security orchestration, automation, and response (SOAR) playbooks.

Event data sent to a SIEM

Ransomware Resilience can send the following event data to your SIEM system:

  • context:

    • os: This is a constant with the value of ONTAP.

    • os_version: The version of ONTAP running on the system.

    • connector_id: The ID of the Console agent managing the system.

    • cluster_id: The cluster ID reported by ONTAP for the system.

    • svm_name: The name of the SVM where the alert was found.

    • volume_name: The name of the volume on which the alert is found.

    • volume_id: The ID of the volume reported by ONTAP for the system.

  • incident:

    • incident_id: The incident ID generated by Ransomware Resilience for the volume under attack in Ransomware Resilience.

    • alert_id: The ID generated by Ransomware Resilience for the workload.

    • severity: The severity of the alert levels: "CRITICAL", "HIGH", "MEDIUM", "LOW".

    • description: Details about the alert that was detected, for example, "A Potential ransomware attack detected on workload arp_learning_mode_test_2630"

    • title: The display name of the detected alert.

    • criticality: An assessment of the criticality of the volume in your environment: "CRITICAL", "IMPORTANT", "STANDARD".

    • incident_status: The active status of the incident, which can be: "NEW", "RESOLVED", "DISMISSED", "AUTO_RESOLVED".

    • first_detected: The timestamp indicating when the incident was first detected by Ransomware Resilience.

    • is_readiness_drill: A boolean value indicating whether the alert is a drill or an actual incident.

    • protocol: The protocol used by the volume. Possible values are "iSCSI", "NFS", and "SMB".

    • alert_type: The type of threat detected. Possible values are "Encryption", "Data destruction", "Data breach", and "Suspicious user behavior".

    • user_name: The username of the suspicious user associated with the alert.

    • user_id: The user ID of the suspicious user associated with the alert.

    • client_ips: A list of client IP addresses associated with the suspicious activity, applicable only for NFS alerts.

Note The user_name and user_id fields are only pertinent if you've configured user behavior detection.

Configure AWS Security Hub for threat detection

Before you enable AWS Security Hub in Ransomware Resilience, you need to do the following high-level steps in AWS Security Hub:

  • Set up permissions in AWS Security Hub.

  • Set up the authentication access key and secret key in AWS Security Hub. (These steps are not provided here.)

Steps to set up permissions in AWS Security Hub

  1. Go to AWS IAM console.

  2. Select Policies.

  3. Create a policy using the following code in JSON format:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NetAppSecurityHubFindings",
      "Effect": "Allow",
      "Action": [
        "securityhub:BatchImportFindings",
        "securityhub:BatchUpdateFindings"
      ],
      "Resource": [
        "arn:aws:securityhub:*:*:product/*/default",
        "arn:aws:securityhub:*:*:hub/default"
      ]
    }
  ]
}
Authenticate AWS Security Hub in Ransomware Resilience

  1. In Ransomware Resilience, select Settings in the sidebar.

    Settings page

  2. In the Settings page, select Connect in the SIEM connection tile.

    Enable threat detection details page

  3. Choose AWS Security Hub as the SIEM provider.

  4. Review the Permissions sections.

  5. Expand the Authentication section.

    1. Enter the AWS Account then select the account's AWS Region.

    2. Enter the Access key and Secret key from AWS Security Hub.

  6. Select Connect to begin sending SIEM data.

Configure Google SecOps for threat detection

Before you enable Google SecOps in Ransomware Resilience, you need to register the log type and webhook in Google SecOps to enable connection between services.

Create a log type

  1. Go to Google SecOps.

  2. Navigate to Settings > SIEM Settings > Available Log Types.

    It's recommended that you use the NETAPP_RANSOMWARE_RESILIENCE log type. If you don't want to use this, create a custom log type.

  3. If you use the NETAPP_RANSOMWARE_RESILIENCE log type, it includes a prebuilt parser, and no further action is necessary.

    If you use a custom log type, you must create a parser. Go to SIEM Settings > Parsers > Create Parser to create the parser.

Register the webhook

  1. Navigate to Google SecOps.

  2. Navigate to Settings > SIEM settings > Feeds.

  3. Select Add new feed.

  4. Select the log type you used in the Create a log type workflow.

  5. Set the Source type to Webhook then save the feed.

  6. Open the Details tab. Copy the Webhook endpoint URL to use when you authenticate in Ransomware Resilience.

  7. Open the Secret key tab. Generate the secret key or copy it if you've already created one. Save the key to use when you authenticate in Ransomware Resilience.

  8. Create an API key using your organization's Google API key process.

Authenticate Google SecOps in Ransomware Resilience

  1. In Ransomware Resilience, select Settings in the sidebar.

    Settings page

  2. In the Settings page, select Connect in the SIEM connection tile.

    Enable threat detection details page

  3. Choose Google SecOps as the SIEM provider.

  4. Review the Prerequisites and Webhook feed sections.

  5. Expand the Authentication section.

    1. Enter the Webhook URL you copied from Google SecOps' webhook endpoint URL.

    2. Enter the Secret key and API key from Google SecOps.

  6. Select Connect to begin sending SIEM data.

Configure Microsoft Sentinel for threat detection

Before you enable Microsoft Sentinel in Ransomware Resilience, you need to do the following high-level steps in Microsoft Sentinel:

  • Prerequisites

    • Enable Microsoft Sentinel.

    • Create a custom role in Microsoft Sentinel.

  • Registration

    • Register Ransomware Resilience to receive events from Microsoft Sentinel.

    • Create a secret for the registration.

  • Permissions: Assign permissions to the application.

  • Authentication: Enter authentication credentials for the application.

Enable Microsoft Sentinel

  1. Go to Microsoft Sentinel.

  2. Create a Log Analytics workspace.

  3. Enable Microsoft Sentinel to use the Log Analytics workspace you just created.

Create a custom role in Microsoft Sentinel

  1. Go to Microsoft Sentinel.

  2. Select Subscription > Access control (IAM).

  3. Enter a Custom role name. Use the name Ransomware Resilience Sentinel Configurator.

  4. Copy the following JSON and paste it into the JSON tab.

    {
  "roleName": "Ransomware Resilience Sentinel Configurator",
  "description": "",
  "assignableScopes":["/subscriptions/{subscription_id}"],
  "permissions": [

  ]
}

  5. Review and save your settings.

Authenticate Ransomware Resilience to receive events from Microsoft Sentinel

  1. Go to Microsoft Sentinel.

  2. Select Entra ID > Applications > App registrations.

  3. For the Display name for the application, enter "Ransomware Resilience".

  4. In the Supported account type field, select Accounts in this organizational directory only.

  5. Select a Default Index where events will be pushed.

  6. Select Review.

  7. Select Register to save your settings.

    After registration, the Microsoft Entra admin center displays the application Overview pane.

Create a secret for the registration

  1. Go to Microsoft Sentinel.

  2. Select Certificates & secrets > Client secrets > New client secret.

  3. Add a description for your application secret.

  4. Select an Expiration for the secret or specify a custom lifetime.

    Tip A client secret lifetime is limited to two years (24 months) or less. Microsoft recommends that you set an expiration value of less than 12 months.

  5. Select Add to create your secret.

  6. Record the secret to use in the Authentication step. The secret is never displayed again after you leave this page.

Assign permissions

  1. Go to Microsoft Sentinel.

  2. Select Subscription > Access control (IAM).

  3. Select Add > Add role assignment.

  4. For the Privileged administrator roles field, select Ransomware Resilience Sentinel Configurator.

    Tip This is the custom role that you created earlier.

  5. Select Next.

  6. In the Assign access to field, select User, group, or service principal.

  7. Select Select Members. Then, select Ransomware Resilience Sentinel Configurator.

  8. Select Next.

  9. In the What user can do field, select Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended).

  10. Select Next.

  11. Select Review and assign to assign the permissions.

Enter authentication credentials

  1. Go to Microsoft Sentinel.

  2. Enter the credentials:

    1. Enter the tenant ID, the client application ID, and the client application secret.

    2. Select Authenticate.

      Note After the authentication is successful, an "Authenticated" message appears.

  3. Enter the Log Analytics workspace details for the application.

    1. Select the subscription ID, the resource group, and the Log Analytics workspace.

Authenticate Microsoft Sentinel in Ransomware Resilience

  1. In Ransomware Resilience, select Settings in the sidebar.

    Settings page

  2. In the Settings page, select Connect in the SIEM connection tile.

    Enable threat detection details page

  3. Choose Microsoft Sentinel as the SIEM provider.

  4. Review the Prerequisites, Registration, and Permissions sections to ensure you've successfully completed each step.

  5. Expand the Authentication section.

    1. Enter the Directory (tenant) ID, Application (tenant) ID, and Client secret. Select Authenticate then wait until the UI confirms the credentials have been authenticated.

    2. In the dropdown menus, choose the Subscription ID, Resource group, and Log analytics workspace you want to send SIEM data to.

  6. Select Connect to begin sending SIEM data.

Configure Splunk Cloud and Splunk Enterprise for threat detection

Ransomware Resilience supports threat detection with Splunk Cloud and Splunk Enterprise. Before enabling the Splunk connection in Ransomware Resilience, you need to:

  • Enable an HTTP Event Collector in Splunk Cloud or Enterprise to receive event data via HTTP or HTTPS from the Console.

  • Create an Event Collector token in Splunk Cloud or Enterprise.

Note For Splunk Enterprise, you must allow inbound public internet traffic for Ransomware Resilience to be able to push events using the HTTP event collector details supplied to it.
Enable an HTTP Event Collector in Splunk

  1. Go to your chosen Splunk environment: Cloud or Enterprise.

  2. Select Settings > Data Inputs.

  3. Select HTTP Event Collector > Global Settings.

  4. On the All Tokens toggle, select Enabled.

  5. To have the Event Collector listen and communicate over HTTPS rather than HTTP, select Enable SSL.

  6. Enter a port in HTTP Port Number for the HTTP Event Collector. Save the port number for the authentication process.

Create an Event Collector token in Splunk

  1. Go to Splunk Cloud or Enterprise.

  2. Select Settings > Add Data.

  3. Select Monitor > HTTP Event Collector.

  4. Enter a Name for the token and select Next.

  5. Select a Default Index where events will be pushed, then select Review.

  6. Confirm that all settings for the endpoint are correct, then select Submit.

  7. Copy the token and paste it in another document to have it ready for the Authentication step.

Authenticate Splunk with Ransomware Resilience

  1. In Ransomware Resilience, select Settings in the sidebar.

    Settings page

  2. In the Settings page, select Connect in the SIEM connection tile.

    Enable threat detection details page

  3. Choose Splunk as the SIEM provider.

  4. Review the Event collector and Token sections to confirm you have the correct information.

  5. Expand the Authentication section.

    1. Select the Protocol for the HTTP Event Collector. It's recommended that you use HTTPS, but if SSL isn't enabled for the HTTP Event Collector, select HTTP.

    2. Enter the Host and Port for the Splunk Cloud instance that runs the HTTP Event Collector. The port should match what you entered in the HTTP event collector process.

    3. Enter the event collector token you created in Splunk.

  6. Select Connect to begin sending SIEM data.

Next steps