Manage Autonomous Ransomware Protection attack detection parameters
Beginning in ONTAP 9.11.1, you can modify the parameters for ransomware detection on a specific volume with Autonomous Ransomware Protection enabled and report a known surge as normal file activity. Adjusting detection parameters helps improve the accuracy of reporting based on your specific volume workload.
How attack detection works
When Autonomous Ransomware Protection (ARP) is in learning mode, it develops baseline values for volume behaviors. These are entropy, file extensions, and, beginning in ONTAP 9.11.1, IOPS. These baselines are used to evaluate ransomware threats. For more information about these criteria, see what ARP detects.
In ONTAP 9.10.1, ARP issues a warning if it detects both of the following conditions:
- More than 20 files with file extensions not previously observed in the volume
- High entropy data
Beginning in ONTAP 9.11.1, ARP issues a threat warning if only one condition is met. For example, if more than 20 files with file extensions that have not previously been observed in the volume are observed within a 24-hour period, ARP will categorize this as a threat regardless of observed entropy. The 24-hour and 20-file values are defaults, which can be modified.
To reduce high numbers of false positive alerts, go to Storage > Volumes > Security > Configure workload characteristics and disable Monitor new file types. This setting is disabled by default in ONTAP 9.14.1 P7, 9.15.1 P1, and 9.16.1 RC and later.
Beginning in ONTAP 9.14.1, you can configure alerts when ARP observes a new file extension and when ARP creates a snapshot. For more information, see Configure ARP alerts.
Certain volumes and workloads require different detection parameters. For example, your ARP-enabled volume may host numerous types of file extensions, in which case you may want to modify the threshold count for never-before-seen file extensions to a number greater than the default of 20 or disable warnings based on never-before-seen file extensions. Beginning with ONTAP 9.11.1, you can modify the attack detection parameters so they better fit your specific workloads.
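The never-seen-before file extension rule described above, modeled as an added example (not ONTAP code): a sliding window of the configured duration, a count threshold, and the Monitor new file types toggle. The baseline extension set, the sample file paths and the assumption that a file counts whenever its extension is absent from the learned baseline are constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Defaults stated on the page: more than 20 never-seen extensions in 24 hours.
DEFAULT_THRESHOLD = 20
DEFAULT_WINDOW_HOURS = 24
# Constructed baseline: extensions ARP would have learned for this volume.
BASELINE = {".docx", ".xlsx", ".pdf"}

class NewExtensionDetector:
    """Model of the never-seen-before file extension rule. Assumption: a file
    counts if its extension is not in the learned baseline, and the baseline is
    not extended while counting; real ARP internals may differ."""

    def __init__(self, baseline, threshold=DEFAULT_THRESHOLD,
                 window_hours=DEFAULT_WINDOW_HOURS, monitor_new_types=True):
        self.known = {e.lower() for e in baseline}
        self.threshold = threshold
        self.window = timedelta(hours=window_hours)
        self.monitor_new_types = monitor_new_types  # "Monitor new file types"
        self.hits = deque()  # timestamps of files with never-seen extensions

    def observe(self, ts, path):
        """Record one file create; return True when the rule fires."""
        if not self.monitor_new_types:
            return False
        ext = PurePosixPath(path).suffix.lower()
        if not ext or ext in self.known:
            return False
        self.hits.append(ts)
        cutoff = ts - self.window
        while self.hits and self.hits[0] < cutoff:  # drop hits outside window
            self.hits.popleft()
        return len(self.hits) > self.threshold

def first_alert_index(detector, events):
    """Index of the first (timestamp, path) event that trips the rule, or None."""
    for i, (ts, path) in enumerate(events):
        if detector.observe(ts, path):
            return i
    return None

def make_events(n=25, minutes_apart=2):
    """Constructed file creates with a new extension, evenly spaced in time."""
    start = datetime(2024, 1, 1, 8, 0)
    return [(start + timedelta(minutes=minutes_apart * i),
             f"/vol1/share/doc{i}.docx.locked") for i in range(n)]
```

With the defaults, 25 new-extension files two minutes apart trip the rule on the 21st file, while the same 25 files spread two hours apart never exceed 20 within any 24-hour window; raising the threshold or disabling the monitor suppresses the alert.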
Modify attack detection parameters
Depending on the expected behaviors of your ARP-enabled volume, you may want to modify the attack detection parameters.
- View the existing attack detection parameters:
  security anti-ransomware volume attack-detection-parameters show -vserver <svm_name> -volume <volume_name>

  Example:
  security anti-ransomware volume attack-detection-parameters show -vserver vs1 -volume vol1
  Vserver Name : vs1
  Volume Name : vol1
  Is Detection Based on High Entropy Data Rate? : true
  Is Detection Based on Never Seen before File Extension? : true
  Is Detection Based on File Create Rate? : true
  Is Detection Based on File Rename Rate? : true
  Is Detection Based on File Delete Rate? : true
  Is Detection Relaxing Popular File Extensions? : true
  High Entropy Data Surge Notify Percentage : 100
  File Create Rate Surge Notify Percentage : 100
  File Rename Rate Surge Notify Percentage : 100
  File Delete Rate Surge Notify Percentage : 100
  Never Seen before File Extensions Count Notify Threshold : 20
  Never Seen before File Extensions Duration in Hour : 24
- All of the fields shown are modifiable with boolean or integer values. To modify a field, use the
  security anti-ransomware volume attack-detection-parameters modify
  command. For a full list of parameters, see the ONTAP command reference.
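Because every field in the show output can be loosened, it is worth auditing the parameters against a known-good policy. The following added example (not ONTAP code) parses the field : value output shown above and reports deviations; the policy limits and the multi-line copy of the sample output are constructed for the example.

```python
# Multi-line copy of the example output on the page (constructed sample input).
SAMPLE_SHOW_OUTPUT = """\
Vserver Name : vs1
Volume Name : vol1
Is Detection Based on High Entropy Data Rate? : true
Is Detection Based on Never Seen before File Extension? : true
Is Detection Based on File Create Rate? : true
Is Detection Based on File Rename Rate? : true
Is Detection Based on File Delete Rate? : true
Is Detection Relaxing Popular File Extensions? : true
High Entropy Data Surge Notify Percentage : 100
File Create Rate Surge Notify Percentage : 100
File Rename Rate Surge Notify Percentage : 100
File Delete Rate Surge Notify Percentage : 100
Never Seen before File Extensions Count Notify Threshold : 20
Never Seen before File Extensions Duration in Hour : 24
"""
# Constructed audit policy (not an ONTAP setting): these criteria must stay
# enabled, and these numeric parameters must not be loosened past the limit.
REQUIRED_TRUE = ["Is Detection Based on High Entropy Data Rate?",
                 "Is Detection Based on File Create Rate?",
                 "Is Detection Based on File Delete Rate?"]
MAX_VALUES = {"High Entropy Data Surge Notify Percentage": 100,
              "Never Seen before File Extensions Count Notify Threshold": 50}

def parse_show_output(text):
    """Turn 'Field : value' lines into a dict with bool/int/str values."""
    params = {}
    for line in text.splitlines():
        key, sep, raw = line.rpartition(" : ")
        if not sep:
            continue  # not a field line
        raw = raw.strip()
        if raw in ("true", "false"):
            params[key.strip()] = raw == "true"
        else:
            params[key.strip()] = int(raw) if raw.isdigit() else raw
    return params

def audit(params):
    """Return findings describing deviations from the policy (empty = compliant)."""
    findings = []
    for field in REQUIRED_TRUE:
        if params.get(field) is not True:
            findings.append(f"{field} is {params.get(field)!r}, expected true")
    for field, limit in MAX_VALUES.items():
        value = params.get(field)
        if not isinstance(value, int) or value > limit:
            findings.append(f"{field} is {value!r}, limit {limit}")
    return findings
```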
Report known surges
ARP continues to modify baseline values for detection parameters even in active mode. If you know of surges in your volume activity, either one-time surges or a surge that is characteristic of a new normal, you should report them as safe. Manually reporting these surges as safe helps to improve the accuracy of ARP's threat assessments.
- If a one-time surge is occurring under known circumstances and you want ARP to report a similar surge in future circumstances, clear the surge from the workload behavior:
  security anti-ransomware volume workload-behavior clear-surge -vserver <svm_name> -volume <volume_name>
- If a reported surge should be considered normal application behavior, report the surge as such to modify the baseline surge value:
  security anti-ransomware volume workload-behavior update-baseline-from-surge -vserver <svm_name> -volume <volume_name>
Configure ARP alerts
Beginning in ONTAP 9.14.1, ARP allows you to specify alerts for two ARP events:
- Observation of a new file extension on a volume
- Creation of an ARP snapshot
Alerts for these two events can be set on individual volumes or for the entire SVM. If you enable alerts for the SVM, the alert settings are inherited only by volumes created after you enable alerts. By default, alerts are not enabled on any volume.
Event alerts can be controlled with multi-admin verification. For more information, see Multi-admin verification with volumes protected with ARP.
System Manager: individual volume
- Navigate to Volumes. Select the individual volume for which you want to modify settings.
- Select the Security tab, then Event Security Settings.
- To receive alerts for New file extension detected and Ransomware snapshot created, select the dropdown menu under the Severity heading. Modify the setting from Don't generate event to Notice.
- Select Save.
System Manager: SVM
- Navigate to Storage VM, then select the SVM for which you want to enable settings.
- Under the Security heading, locate the Anti-ransomware card. Select the menu, then Edit Ransomware Event Severity.
- To receive alerts for New file extension detected and Ransomware snapshot created, select the dropdown menu under the Severity heading. Modify the setting from Don't generate event to Notice.
- Select Save.
CLI: individual volume
- To set alerts for a new file extension:
  security anti-ransomware volume event-log modify -vserver <svm_name> -is-enabled-on-new-file-extension-seen true
- To set alerts for the creation of an ARP snapshot:
  security anti-ransomware volume event-log modify -vserver <svm_name> -is-enabled-on-snapshot-copy-creation true
- Confirm your settings with the
  security anti-ransomware volume event-log show
  command.
CLI: SVM
- To set alerts for a new file extension:
  security anti-ransomware vserver event-log modify -vserver <svm_name> -is-enabled-on-new-file-extension-seen true
- To set alerts for the creation of an ARP snapshot:
  security anti-ransomware vserver event-log modify -vserver <svm_name> -is-enabled-on-snapshot-copy-creation true
- Confirm your settings with the
  security anti-ransomware vserver event-log show
  command.