If you specify the -fields <fieldname>, …​ parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.

If you specify the -instance parameter, the command displays detailed information about all fields.

This parameter specifies the Vserver of the anti-ransomware enabled volume.

This parameter specifies the anti-ransomware enabled volume for which the attack detection parameters need to be displayed.

This parameter displays whether ransomware detection is based on a high entropy data rate at the volume level. Ransomware detection is also done based on high entropy data rate at the file level and this method of detection is always enabled and has no dependency on this parameter.

This parameter indicates whether ransomware detection is based on new file types not seen before at the volume level. This detection method is based only on the file extension not on file entropy. Some variants of ransomware modify the data such that the file entropy remains unchanged. This method helps in detecting those ransomwares but there is a possibility of false positives. Note that ransomware detection is also done based on combined file extension and file entropy and this method of detection is always enabled and has no dependency on this parameter.

This parameter displays whether ransomware detection is based on the file create rate at the volume level. If this is true and the number of files created per timeslot surges by -file-create-rate-surge-notify-percentage percentage compared to the historically observed value, then it is considered an attack.

This parameter displays whether ransomware detection is based on the file rename rate at the volume level. If this is true and the number of files renamed per timeslot surges by -file-rename-rate-surge-notifiy-percentage percentage compared to the historically observed value, then it is considered an attack.

This parameter displays whether ransomware detection is based on the file delete rate at the volume level. If this is true and the number of files deleted per timeslot surges by -file-delete-rate-surge-notify-percentage percentage compared to the historically observed value, then it is considered an attack.

This parameter displays whether ransomware detection is based on commonly used extensions. If true, then a predetermined commonly used extension, such as .mp3, is considered safe. If false, only those file extensions observed during the dry run state are considered safe; any extension not observed during the dry-run state but observed later is suspected as a ransomware attack, even if it is a commonly used extension.

This parameter displays the surge value that is considered safe in the overall incoming data at the volume level.

This parameter displays the surge rate that is considered safe for file create operations at the volume level.

This parameter displays the surge rate that is considered safe for file delete operations at the volume level.

This parameter displays the surge rate that is considered safe for file rename operations at the volume level.

This parameter displays the threshold value of new file extensions not seen before for create/rename operations.

This parameter displays the duration for new file extensions not seen before, in hours. If a new file extension is observed and -never-seen-before-file-extn-count-notify-threshold number of files are created/renamed with this new file extension for this duration, then it is reported as an attack.