Manage user blocking and alerts in NetApp Ransomware Resilience
After creating the user directory connector in NetApp Ransomware Resilience, you can block and unblock users when you experience ransomware events and evaluate them. You can also selectively exclude users from ransomware alerts if you are certain their actions aren't attacks.
You must have configured a user activity agent, enabled a policy with user activity detection, and created a user directory connector to block users.
You can automate responses to user activity detection events.
Manage blocked users
You can block users when you believe they're responsible for malicious activity.
- In Ransomware Resilience, select Settings.
- In the Settings dashboard, locate the User activity monitoring tile, then select Manage.
- Select the Users tab.
- Select Block users.
- Select the duration of the block: from one hour up to 24 hours, or permanent.
- Select the checkbox next to the names of the users you want to block.
- Select Block.

- In Ransomware Resilience, select Settings.
- In the Settings dashboard, locate the User activity monitoring tile, then select Manage.
- Select the Users tab.
- Select Edit user blocking.
- Choose the modification. To modify the duration of the blocking, select Time period for blocked users, then modify the duration. To remove users from the blocked user list, select Unblock users.
- Select the checkbox next to the name of the blocked user whose status you want to change.
- Select Save.
Manage user alerts
If there are certain trusted users whose behavior might trigger user behavior alerts, you can exclude them from alerts.
- In Ransomware Resilience, select Settings.
- In the Settings dashboard, locate the User activity monitoring tile, then select Manage.
- Select the Excluded from monitoring tab.
- To review individual users in the UI, choose Select manually. To upload a list of excluded users, select Upload.
- If you selected Select manually, select the checkbox next to the names of the specific users you want to exclude.
- If you selected Upload, download the CSV or JSON file that includes the list of all the users. Select Download to access the list.
  On your local machine, review the file. Remove the names of all users that you want to maintain detection for. When the list includes only the names of users you want to exclude from detection, save it.
  In Ransomware Resilience, select Upload. Locate and upload the file.
- Select Add to complete adding the users to the exclusion list.
- In the Excluded from monitoring tab, the names of the users removed from user behavior detection alerts now display in the dashboard.
You can also exclude a user directly from an alert. For more information, see Respond to ransomware alerts.
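Because the downloaded file lists all users, the edit in the upload step is safer done from an explicit approved list than by deleting rows by hand. The following is an added example, not NetApp code: it handles the CSV case only, and the column name `username`, the case-insensitive matching, and the sample rows are assumptions to adapt to the file you actually download.

```python
import csv
import io

# Assumption: the downloaded CSV has a header row and one column holding the
# user name. "username" is a placeholder; use the header from your own file.
USER_COLUMN = "username"


def build_exclusion_csv(export_text, approved, user_column=USER_COLUMN):
    """Return CSV text holding only the approved users from the export."""
    reader = csv.DictReader(io.StringIO(export_text))
    fields = reader.fieldnames or []
    if user_column not in fields:
        raise ValueError(f"column {user_column!r} not found in {fields}")
    rows = list(reader)

    # Names are compared case-insensitively (an assumption of this example).
    def key(row):
        return (row.get(user_column) or "").strip().lower()

    wanted = {name.strip().lower() for name in approved}
    kept = [row for row in rows if key(row) in wanted]

    # An approved name missing from the export is most likely a typo.
    missing = sorted(wanted - {key(row) for row in kept})
    if missing:
        raise ValueError(f"approved users not present in export: {missing}")
    # Refuse to produce a file that would exclude every user from detection.
    if rows and len(kept) == len(rows):
        raise ValueError("result would exclude every user from detection")

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(kept)
    return out.getvalue()


# Constructed sample export, not real product output.
SAMPLE_EXPORT = (
    "username,domain\n"
    "svc-backup,corp.example\n"
    "alice,corp.example\n"
    "bob,corp.example\n"
)

if __name__ == "__main__":
    print(build_exclusion_csv(SAMPLE_EXPORT, ["svc-backup"]), end="")
```

Keep the approved list under change control so each excluded account has a recorded reason.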
- In the Settings dashboard, locate the User activity monitoring tile, then select Manage.
- Select the Excluded from monitoring tab.
- Select Add.
- To exclude individual users from the UI, choose Select manually.
- Locate the name of the user you want to remove from the excluded user list. Select the action menu (…) on the row with the user's name, then select Remove.
- In the dialog, select Remove to confirm you want to remove the selected users.