Manage Autonomous Ransomware Protection attack detection parameters
Beginning in ONTAP 9.11.1, you can modify the parameters for ransomware detection on a specific volume with Autonomous Ransomware Protection enabled and report a known surge as normal file activity. Adjusting detection parameters helps improve the accuracy of reporting based on your specific volume workload.
How attack detection works
When Autonomous Ransomware Protection (ARP) is in learning mode, it develops baseline values for volume behaviors. These are entropy, file extensions, and, beginning in ONTAP 9.11.1, IOPS. These baselines are used to evaluate ransomware threats. For more information about these criteria, see what ARP detects.
In ONTAP 9.10.1, ARP issues a warning if it detects both of the following conditions:
-
More than 20 files with file extensions not previously observed in the volume
-
High entropy data
Beginning in ONTAP 9.11.1, ARP issues a threat warning if only one condition is met. For example, if more than 20 files with file extensions that have not previously been observed in the volume are observed within a 24-hour period, ARP will categorize this as a threat regardless of observed entropy. The 24-hour and 20-file values are defaults, which can be modified.
To reduce high numbers of false positive alerts, go to Storage > Volumes > Security > Configure workload characteristics and disable Monitor new file types. This setting is disabled by default in ONTAP 9.14.1 P7, 9.15.1 P1, and 9.16.1 RC and later. |
Beginning in ONTAP 9.14.1, you can configure alerts when ARP observes a new file extension and when ARP creates a snapshot. For more information, see Configure ARP alerts.
Certain volumes and workloads require different detection parameters. For example, your ARP-enabled volume may host numerous types of file extensions, in which case you may want to modify the threshold count for never-before-seen file extensions to a number greater than the default of 20 or disable warnings based on never-before-seen file extensions. Beginning with ONTAP 9.11.1, you can modify the attack detection parameters so they better fit your specific workloads.
Modify attack detection parameters
Depending on the expected behaviors of your ARP-enabled volume, you may want to modify the attack detection parameters.
-
View the existing attack detection parameters:
security anti-ransomware volume attack-detection-parameters show -vserver <svm_name> -volume <volume_name>
security anti-ransomware volume attack-detection-parameters show -vserver vs1 -volume vol1 Vserver Name : vs1 Volume Name : vol1 Is Detection Based on High Entropy Data Rate? : true Is Detection Based on Never Seen before File Extension? : true Is Detection Based on File Create Rate? : true Is Detection Based on File Rename Rate? : true Is Detection Based on File Delete Rate? : true Is Detection Relaxing Popular File Extensions? : true High Entropy Data Surge Notify Percentage : 100 File Create Rate Surge Notify Percentage : 100 File Rename Rate Surge Notify Percentage : 100 File Delete Rate Surge Notify Percentage : 100 Never Seen before File Extensions Count Notify Threshold : 20 Never Seen before File Extensions Duration in Hour : 24
-
All of the fields shown are modifiable with boolean or integer values. To modify a field, use the
security anti-ransomware volume attack-detection-parameters modify
command.Learn more about the commands described in this procedure in the ONTAP command reference.
Report known surges
ARP continues to modify baseline values for detection parameters even in active mode. If you know of surges in your volume activity, either one-time surges or a surge that is characteristic of a new normal, you should report them as safe. Manually reporting these surges as safe helps to improve the accuracy of ARP's threat assessments.
-
If a one-time surge is occurring under known circumstances and you want ARP to report a similar surge in future circumstances, clear the surge from the workload behavior:
security anti-ransomware volume workload-behavior clear-surge -vserver <svm_name> -volume <volume_name>
-
If a reported surge should be considered normal application behavior, report the surge as such to modify the baseline surge value.
security anti-ransomware volume workload-behavior update-baseline-from-surge -vserver <svm_name> -volume <volume_name>
Configure ARP alerts
Beginning in ONTAP 9.14.1, ARP allows you to specify alerts for two ARP events:
-
Observation of new file extension on a volume
-
Creation of an ARP snapshot
Alerts for these two events can be set on individual volumes or for the entire SVM. If you enable alerts for the SVM, the alert settings are inherited only by volumes created after you enable alert. By default, alerts are not enabled on any volume.
Event alerts can be controlled with multi-admin verification. For more information, see Multi-admin verification with volumes protected with ARP.
-
Navigate to Volumes. Select the individual volume for which you want to modify settings.
-
Select the Security tab then Event Security Settings.
-
To receive alerts for New file extension detected and Ransomware snapshot created, select the dropdown menu under the Severity heading. Modify the setting from Don't generate event to Notice.
-
Select Save.
-
Navigate to Storage VM then select the SVM for which you want to enable settings.
-
Under the Security heading, locate the Anti-ransomware card. Select then Edit Ransomware Event Severity.
-
To receive alerts for New file extension detected and Ransomware snapshot created, select the dropdown menu under the Severity heading. Modify the setting from Don't generate event to Notice.
-
Select Save.
-
To set alerts for a new file-extension:
security anti-ransomware volume event-log modify -vserver <svm_name> -is-enabled-on-new-file-extension-seen true
-
To set alerts for the creation of an ARP snapshot:
security anti-ransomware volume event-log modify -vserver <svm_name> -is-enabled-on-snapshot-copy-creation true
-
Confirm your settings with the
anti-ransomware volume event-log show
command.
-
To set alerts for a new file-extension:
security anti-ransomware vserver event-log modify -vserver <svm_name> -is-enabled-on-new-file-extension-seen true
-
To set alerts for the creation of an ARP snapshot:
security anti-ransomware vserver event-log modify -vserver <svm_name> -is-enabled-on-snapshot-copy-creation true
-
Confirm your settings with the
security anti-ransomware vserver event-log show
command.