Connect NetApp Ransomware Resilience to security and event management system (SIEM) for threat analysis and detection

Contributors netapp-ahibbard

A security and event management system (SIEM) centralizes log and event data to provide insights into security events and compliance. NetApp Ransomware Resilience supports automatically sending data to your SIEM for streamlined threat analysis and detection.

Ransomware Resilience supports the following SIEMs:

  • AWS Security Hub

  • Microsoft Sentinel

  • Splunk Cloud

Before you enable SIEM in Ransomware Resilience, you need to configure your SIEM system.

Event data sent to a SIEM

Ransomware Resilience can send the following event data to your SIEM system:

  • context:

    • os: This is a constant with the value of ONTAP.

    • os_version: The version of ONTAP running on the system.

    • connector_id: The ID of the Console agent managing the system.

    • cluster_id: The cluster ID reported by ONTAP for the system.

    • svm_name: The name of the SVM where the alert was found.

    • volume_name: The name of the volume on which the alert is found.

    • volume_id: The ID of the volume reported by ONTAP for the system.

  • incident:

    • incident_id: The incident ID generated by Ransomware Resilience for the volume under attack.

    • alert_id: The ID generated by Ransomware Resilience for the workload.

    • severity: One of the following alert levels: "CRITICAL", "HIGH", "MEDIUM", "LOW".

    • description: Details about the alert that was detected, for example, "A Potential ransomware attack detected on workload arp_learning_mode_test_2630"
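As an added example (not NetApp code), the following checks incoming events against the context/incident shape documented above and pulls out the ones at or above a chosen severity, grouped by cluster, SVM and volume, so a SIEM-side triage rule has a concrete reference. All identifiers are constructed placeholders.

```python
# Added example (not NetApp code): validate SIEM events in the documented
# context/incident shape and select the ones that need an immediate response.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")        # ordered, most severe first
CONTEXT_FIELDS = ("os", "os_version", "connector_id", "cluster_id",
                  "svm_name", "volume_name", "volume_id")
INCIDENT_FIELDS = ("incident_id", "alert_id", "severity", "description")


def validate_event(event):
    """Return a list of problems; an empty list means the event matches the schema."""
    problems = []
    ctx = event.get("context", {})
    inc = event.get("incident", {})
    problems += [f"context.{f} missing" for f in CONTEXT_FIELDS if f not in ctx]
    problems += [f"incident.{f} missing" for f in INCIDENT_FIELDS if f not in inc]
    if ctx.get("os") != "ONTAP":                           # documented constant
        problems.append("context.os must be the constant ONTAP")
    if inc.get("severity") not in SEVERITIES:
        problems.append(f"incident.severity {inc.get('severity')!r} is not a known level")
    return problems


def triage(events, min_severity="HIGH"):
    """Map (cluster_id, svm_name, volume_name) -> incident IDs for valid events at or above min_severity."""
    threshold = SEVERITIES.index(min_severity)
    hits = {}
    for e in events:
        if validate_event(e):                              # malformed events are skipped, not guessed at
            continue
        if SEVERITIES.index(e["incident"]["severity"]) <= threshold:
            c = e["context"]
            key = (c["cluster_id"], c["svm_name"], c["volume_name"])
            hits.setdefault(key, []).append(e["incident"]["incident_id"])
    return hits


def make_event(volume, severity, incident_id):
    """Build a constructed sample event in the documented shape (placeholder values)."""
    return {
        "context": {"os": "ONTAP", "os_version": "ontap-version-placeholder",
                    "connector_id": "connector-placeholder", "cluster_id": "cluster-placeholder",
                    "svm_name": "svm1", "volume_name": volume, "volume_id": f"vol-{volume}"},
        "incident": {"incident_id": incident_id, "alert_id": f"alert-{incident_id}",
                     "severity": severity,
                     "description": f"A Potential ransomware attack detected on workload {volume}"},
    }


# Constructed sample feed: two alerts on one volume, one low-severity alert, one malformed event.
SAMPLE_EVENTS = [make_event("finance", "CRITICAL", "inc-1"),
                 make_event("finance", "HIGH", "inc-2"),
                 make_event("scratch", "LOW", "inc-3"),
                 make_event("backup", "SEVERE", "inc-4")]   # unknown severity: rejected
```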

Configure AWS Security Hub for threat detection

Before you enable AWS Security Hub in Ransomware Resilience, you need to do the following high-level steps in AWS Security Hub:

  • Set up permissions in AWS Security Hub.

  • Set up the authentication access key and secret key in AWS Security Hub. (These steps are not provided here.)

Steps to set up permissions in AWS Security Hub
  1. Go to AWS IAM console.

  2. Select Policies.

  3. Create a policy using the following code in JSON format:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "NetAppSecurityHubFindings",
          "Effect": "Allow",
          "Action": [
            "securityhub:BatchImportFindings",
            "securityhub:BatchUpdateFindings"
          ],
          "Resource": [
            "arn:aws:securityhub:*:*:product/*/default",
            "arn:aws:securityhub:*:*:hub/default"
          ]
        }
      ]
    }

Configure Microsoft Sentinel for threat detection

Before you enable Microsoft Sentinel in Ransomware Resilience, you need to do the following high-level steps in Microsoft Sentinel:

  • Prerequisites

    • Enable Microsoft Sentinel.

    • Create a custom role in Microsoft Sentinel.

  • Registration

    • Register Ransomware Resilience to receive events from Microsoft Sentinel.

    • Create a secret for the registration.

  • Permissions: Assign permissions to the application.

  • Authentication: Enter authentication credentials for the application.

Steps to enable Microsoft Sentinel
  1. Go to Microsoft Sentinel.

  2. Create a Log Analytics workspace.

  3. Enable Microsoft Sentinel to use the Log Analytics workspace you just created.

Steps to create a custom role in Microsoft Sentinel
  1. Go to Microsoft Sentinel.

  2. Select Subscription > Access control (IAM).

  3. Enter a Custom role name. Use the name Ransomware Resilience Sentinel Configurator.

  4. Copy the following JSON and paste it into the JSON tab.

    {
      "roleName": "Ransomware Resilience Sentinel Configurator",
      "description": "",
      "assignableScopes":["/subscriptions/{subscription_id}"],
      "permissions": [
    
      ]
    }
  5. Review and save your settings.

Steps to register Ransomware Resilience to receive events from Microsoft Sentinel
  1. Go to Microsoft Sentinel.

  2. Select Entra ID > Applications > App registrations.

  3. For the Display name for the application, enter "Ransomware Resilience".

  4. In the Supported account type field, select Accounts in this organizational directory only.

  5. Select a Default Index where events will be pushed.

  6. Select Review.

  7. Select Register to save your settings.

    After registration, the Microsoft Entra admin center displays the application Overview pane.

Steps to create a secret for the registration
  1. Go to Microsoft Sentinel.

  2. Select Certificates & secrets > Client secrets > New client secret.

  3. Add a description for your application secret.

  4. Select an Expiration for the secret or specify a custom lifetime.

    Tip A client secret lifetime is limited to two years (24 months) or less. Microsoft recommends that you set an expiration value of less than 12 months.
  5. Select Add to create your secret.

  6. Record the secret to use in the Authentication step. The secret is never displayed again after you leave this page.

Steps to assign permissions to the application
  1. Go to Microsoft Sentinel.

  2. Select Subscription > Access control (IAM).

  3. Select Add > Add role assignment.

  4. For the Privileged administrator roles field, select Ransomware Resilience Sentinel Configurator.

    Tip This is the custom role that you created earlier.
  5. Select Next.

  6. In the Assign access to field, select User, group, or service principal.

  7. Select Select Members. Then, select Ransomware Resilience Sentinel Configurator.

  8. Select Next.

  9. In the What user can do field, select Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended).

  10. Select Next.

  11. Select Review and assign to assign the permissions.

Steps to enter authentication credentials for the application
  1. Go to Microsoft Sentinel.

  2. Enter the credentials:

    1. Enter the tenant ID, the client application ID, and the client application secret.

    2. Select Authenticate.

      Note After the authentication is successful, an "Authenticated" message appears.
  3. Enter the Log Analytics workspace details for the application.

    1. Select the subscription ID, the resource group, and the Log Analytics workspace.

Configure Splunk Cloud for threat detection

Before you enable Splunk Cloud in Ransomware Resilience, you'll need to do the following high-level steps in Splunk Cloud:

  • Enable an HTTP Event Collector in Splunk Cloud to receive event data via HTTP or HTTPS from the Console.

  • Create an Event Collector token in Splunk Cloud.

Steps to enable an HTTP Event Collector in Splunk
  1. Go to Splunk Cloud.

  2. Select Settings > Data Inputs.

  3. Select HTTP Event Collector > Global Settings.

  4. On the All Tokens toggle, select Enabled.

  5. To have the Event Collector listen and communicate over HTTPS rather than HTTP, select Enable SSL.

  6. Enter a port in HTTP Port Number for the HTTP Event Collector.

Steps to create an Event Collector token in Splunk
  1. Go to Splunk Cloud.

  2. Select Settings > Add Data.

  3. Select Monitor > HTTP Event Collector.

  4. Enter a Name for the token and select Next.

  5. Select a Default Index where events will be pushed, then select Review.

  6. Confirm that all settings for the endpoint are correct, then select Submit.

  7. Copy the token and paste it in another document to have it ready for the Authentication step.
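Before entering the token in Ransomware Resilience, it helps to confirm the collector settings above (SSL enabled, port set, token valid) with a hand-built request. The following is an added example, not NetApp's or Splunk's code; the collector URL, port and token are constructed placeholders, and the request follows the standard HEC contract (POST to the collector endpoint with an "Authorization: Splunk <token>" header and a JSON envelope carrying the event).

```python
# Added example (not NetApp or Splunk code): build and sanity-check the HTTPS
# request the Splunk HTTP Event Collector expects, then optionally send it.
import json
import urllib.request
from urllib.parse import urlparse


def check_hec_url(url):
    """Return problems with the collector URL; an empty list means it matches the setup steps."""
    parts = urlparse(url)
    problems = []
    if parts.scheme != "https":                       # "Enable SSL" step: HEC should not be plain HTTP
        problems.append("collector URL is not https; enable SSL on the HTTP Event Collector")
    if parts.port is None:                            # "HTTP Port Number" step
        problems.append("no port in the URL; use the HTTP Port Number set in Global Settings")
    return problems


def build_hec_request(url, token, event):
    """Wrap one event in the HEC JSON envelope; the token travels in the Authorization header."""
    body = json.dumps({"event": event}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    return req


def send(req, timeout=10):
    """Deliver the request and return the collector's JSON reply (code 0 means the event was accepted)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed placeholders: replace with your collector host, port and the token copied in step 7.
HEC_URL = "https://hec.example.invalid:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"
SAMPLE_EVENT = {"context": {"os": "ONTAP", "volume_name": "finance"},
                "incident": {"severity": "HIGH", "description": "constructed test event"}}

if __name__ == "__main__":
    for problem in check_hec_url(HEC_URL):
        print("warning:", problem)
    request = build_hec_request(HEC_URL, HEC_TOKEN, SAMPLE_EVENT)
    print(request.get_method(), request.full_url, request.get_header("Authorization"))
    # print(send(request))   # uncomment once HEC_URL points at a reachable collector
```

A reply of {"text": "Success", "code": 0} from send() confirms the token and the index it was created with are usable; an HTTP 403 usually means the token is wrong or not enabled.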

Connect SIEM in Ransomware Resilience

Enabling SIEM sends data from Ransomware Resilience to your SIEM server for threat analysis and reporting.

Steps
  1. From the Console menu, select Protection > Ransomware Resilience.

  2. From the Ransomware Resilience menu, select the vertical Actions… option at the top right.

  3. Select Settings.

    The Settings page appears.

    [Screenshot: Settings page]

  4. In the Settings page, select Connect in the SIEM connection tile.

    [Screenshot: Enable threat detection details page]

  5. Choose one of the SIEM systems.

  6. Enter the token and authentication details you configured in your SIEM (AWS Security Hub, Microsoft Sentinel, or Splunk Cloud).

    Note The information that you enter depends on the SIEM you selected.
  7. Select Enable.

    The Settings page shows "Connected."