Can the important-events filter be used for event notifications about ransomware attacks?
Environment
Answer
Additional information
- If 20 or more files with this unknown file extension are found, it is treated as an attack. The attack probability then changes from low to moderate, and a callhome.arw.activity.seen EMS / ASUP alert notification is generated.
cluster2::> event log show -message-name *arw*
Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
12/20/2022 11:27:55 cluster2-01      ALERT         callhome.arw.activity.seen: Call-home message for Vol1 (UUID: c437827d-8062-11ed-9f93-005056a0d3a0) svm1 (UUID: 4574c5fe-8916-11ec-b931-005056a0d3a0)
Note: In the example above, the SVM and the volume are called out.
::> security anti-ransomware volume show -vserver svm1 -volume Vol1
Vserver Name: svm1
Volume Name: Vol1
State: enabled
Dry Run Start Time: -
Attack Probability: moderate
Attack Timeline: 12/21/2022 09:34:45
Number of Attacks: 1
The severity of the callhome.arw.activity.seen event is ALERT, and the important-events filter includes all events of the ALERT type.
ontap913::> event catalog show -message-name callhome.arw.activity.seen
Message Name: callhome.arw.activity.seen
Severity: ALERT
Description: This message occurs when ransomware activity is detected. To protect the data, a Snapshot copy has been created, which can be used to restore the original data. If your system is configured to do so, it generates and transmits an AutoSupport (or "call home") message to NetApp technical support and to the configured destinations. Successful delivery of an AutoSupport message significantly improves problem determination and resolution.
Corrective Action: Refer to the anti-ransomware documentation to take remedial measures for ransomare activity. If you need assistance, contact NetApp technical support.
SNMP Trap Type: Severity-based
Is Deprecated: false
ontap913::> event filter show
Filter      Rule Rule                                      SNMP Trap
Name        Posn Type     Message Name     Severity      Type      Parameters
----------- ---- -------- ---------------- ------------- --------- -----------
default-trap-events
            1    include  *                EMERGENCY,    *         *=*
                                           ALERT
            2    include  callhome.*       ERROR         *         *=*
            3    include  *                *             Standard, *=*
                                                         Built-in
            4    exclude  *                *             *         *=*
important-events
            1    include  *                EMERGENCY,    *         *=*
                                           ALERT
            2    include  callhome.*       ERROR         *         *=*
            3    exclude  *                *             *         *=*
no-info-debug-events
            1    include  *                EMERGENCY,    *         *=*
                                           ALERT, ERROR,
                                           NOTICE
            2    exclude  *                *             *         *=*
9 entries were displayed.
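As an added illustration (not code from the NetApp article), the following Python model applies the important-events and no-info-debug-events rules from the `event filter show` output above to the callhome.arw.activity.seen event, whose severity comes from the `event catalog show` output. It assumes ONTAP evaluates filter rules in position order and that the first matching rule decides.

```python
# Added example: a small model of ONTAP EMS event-filter evaluation.
# Assumption: rules are checked in rule-position order; the first rule whose
# message-name pattern and severity list match decides include/exclude.
from fnmatch import fnmatchcase

# Rules transcribed from the `event filter show` output in the article:
# (position, rule type, message-name pattern, severities or "*" for any)
IMPORTANT_EVENTS = [
    (1, "include", "*",          {"EMERGENCY", "ALERT"}),
    (2, "include", "callhome.*", {"ERROR"}),
    (3, "exclude", "*",          "*"),
]

NO_INFO_DEBUG_EVENTS = [
    (1, "include", "*", {"EMERGENCY", "ALERT", "ERROR", "NOTICE"}),
    (2, "exclude", "*", "*"),
]


def rule_matches(rule, message_name, severity):
    """True if the event's name matches the rule's glob and its severity is listed."""
    _, _, pattern, severities = rule
    if not fnmatchcase(message_name, pattern):
        return False
    return severities == "*" or severity in severities


def filter_passes(rules, message_name, severity):
    """Return (forwarded, rule_position) for the first rule that matches the event."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if rule_matches(rule, message_name, severity):
            return rule[1] == "include", rule[0]
    return False, None  # no rule matched: assume nothing is forwarded


# The anti-ransomware event from the article and its severity from `event catalog show`
ARW_EVENT = ("callhome.arw.activity.seen", "ALERT")

if __name__ == "__main__":
    forwarded, pos = filter_passes(IMPORTANT_EVENTS, *ARW_EVENT)
    print(f"important-events forwards {ARW_EVENT[0]}: {forwarded} (matched rule {pos})")
```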