NetApp Ransomware Resilience

Manage user blocking and alerts in NetApp Ransomware Resilience

Contributors netapp-ahibbard

After creating the user directory connector in NetApp Ransomware Resilience, you can block and unblock users when you experience ransomware events and evaluate them. You can also selectively exclude users from ransomware alerts if you are certain their actions aren't attacks.

Tip: You can automate responses to user activity detection events.

Manage blocked users

You can block users when you believe they're responsible for malicious activity.

Block users
  1. In Ransomware Resilience, select Settings.

  2. In the Settings dashboard, locate the User activity monitoring tile then select Manage.

  3. Select the Users tab.

  4. Select Block users.

  5. Select the duration of the block: from one hour up to 24 hours, or permanent.

  6. Select the checkbox next to the names of the users you want to block.

  7. Select Block.

Modify the blocked users list
  1. In Ransomware Resilience, select Settings.

  2. In the Settings dashboard, locate the User activity monitoring tile then select Manage.

  3. Select the Users tab.

  4. Select Edit user blocking.

  5. Choose the modification. To modify the duration of the blocking, select Time period for blocked users then modify the duration. To remove users from the blocked user list, select Unblock users.

  6. Select the checkbox next to the name of the blocked user whose status you want to change.

  7. Select Save.

Manage user alerts

If there are certain trusted users whose behavior might trigger user behavior alerts, you can exclude them from alerts.

Exclude users from alerts
  1. In Ransomware Resilience, select Settings.

  2. In the Settings dashboard, locate the User activity monitoring tile then select Manage.

  3. Select the Excluded from monitoring tab.

  4. To review individual users in the UI, choose Select manually. To upload a list of excluded users, select Upload.

    1. If you selected Select manually, select the checkbox next to the names of the specific users you want to exclude.

    2. If you selected Upload, select Download to download the CSV or JSON file that includes the list of all the users.

      On your local machine, review the file. Remove the names of all users that you want to maintain detection for. When the list includes only the names of users you want to exclude from detection, save it.

      In Ransomware Resilience, select Upload. Locate and upload the file.

  5. Select Add to complete adding the users to the exclusion list.

  6. In the Excluded from monitoring tab, the names of the users removed from user behavior detection alerts now display in the dashboard.
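The Upload path in step 4 relies on pruning the downloaded all-users file by hand. The following added example (not NetApp code) does that pruning from an approved list, so only signed-off accounts lose alert coverage. The `username` column, the sample rows and the function name are assumptions, because this page does not describe the file's schema.

```python
import csv
import io

# Constructed sample of a downloaded all-users file. The column names are
# assumptions; check the header of your own export.
SAMPLE_EXPORT = (
    "username,domain\n"
    "svc-backup,EXAMPLE\n"
    "jdoe,EXAMPLE\n"
    "Svc-Migrate,EXAMPLE\n"
    "asmith,EXAMPLE\n"
)
# Constructed list of accounts signed off for exclusion from alerts.
APPROVED = ["svc-backup", "svc-migrate", "svc-archive"]


def prune_exclusion_csv(exported_csv, approved, user_column="username"):
    """Keep only approved users; return (csv_text, kept, missing)."""
    reader = csv.DictReader(io.StringIO(exported_csv))
    if not reader.fieldnames or user_column not in reader.fieldnames:
        raise ValueError(f"column {user_column!r} not in {reader.fieldnames}")

    wanted = {n.strip().casefold() for n in approved if n.strip()}
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames,
                            lineterminator="\n", extrasaction="ignore")
    writer.writeheader()

    kept, seen = [], set()
    for row in reader:
        name = (row[user_column] or "").strip()
        key = name.casefold()
        # Case-insensitive match; duplicates in the export are written once.
        if key in wanted and key not in seen:
            writer.writerow(row)
            kept.append(name)
            seen.add(key)

    # Approved names absent from the export usually mean a typo or a stale
    # approval; surface them instead of silently uploading a shorter list.
    missing = sorted(wanted - seen)
    return out.getvalue(), kept, missing


if __name__ == "__main__":
    pruned, kept, missing = prune_exclusion_csv(SAMPLE_EXPORT, APPROVED)
    print(pruned, end="")
    print("kept:", kept)
    print("approved but not in export:", missing)
```

Review the `missing` list before uploading, and keep the approved list under change control so every exclusion from monitoring has a recorded owner.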

Tip: You can also exclude a user directly from an alert. For more information, see Respond to ransomware alerts.

Remove users from the excluded user list
  1. In the Settings dashboard, locate the User activity monitoring tile then select Manage.

  2. Select the Excluded from monitoring tab.

  3. Select Add.

  4. To exclude individual users from the UI, choose Select manually.

  5. Locate the name of the user you want to remove from the excluded user list. Select the action menu (…) on the row with the user's name, then select Remove.

  6. In the dialog, select Remove to confirm you want to remove the selected users.