跳转到主内容

是否可以使用重要事件筛选器发出勒索软件攻击事件通知?

Views:
Visibility:
Public
Votes:
0
Category:
ontap-9
Specialty:
core
Last Updated:

适用场景

ONTAP 9.10.1或更高版本

问题解答

是的、可以。

追加信息

  • 如果发现具有此未知文件扩展名的20个或更多文件、则会将其视为攻击。与此同时、攻击概率将从更 low 改为 moderate 、并 callhome.arw.activity.seen 将生成EMS/ASUP警报通知。

cluster2::> event log show -message-name *arw*
Time         Node        Severity    Event
------------------- ---------------- ------------- ---------------------------
12/20/2022 11:27:55 cluster2-01    ALERT      callhome.arw.activity.seen: Call-home message for Vol1 (UUID: c437827d-8062-11ed-9f93-005056a0d3a0) svm1 (UUID: 4574c5fe-8916-11ec-b931-005056a0d3a0)

注意: 在上述示例中、系统会标注SVM和卷。

::> security anti-ransomware volume show -vserver svm1 -volume Vol1

    Vserver Name: svm1
    Volume Name: Vol1
       State: enabled
Dry Run Start Time: -
Attack Probability: moderate
  Attack Timeline: 12/21/2022 09:34:45
Number of Attacks: 1

  • callhome.arw.activity.seen 事件 严重性为警报、 important-events 筛选器包括所有警报类型的事件。

ontap913::> event catalog show -message-name callhome.arw.activity.seen

   Message Name: callhome.arw.activity.seen
     Severity: ALERT
    Description: This message occurs when ransomware activity is detected. To protect the data, a Snapshot copy has been created, which can be used to restore the original data. If your system is configured to do so, it generates and transmits an AutoSupport (or "call home") message to NetApp technical support and to the configured destinations. Successful delivery of an AutoSupport message significantly improves problem determination and resolution.
Corrective Action: Refer to the anti-ransomware documentation to take remedial measures for ransomare activity. If you need assistance, contact NetApp technical support.
  SNMP Trap Type: Severity-based
   Is Deprecated: false

ontap913::> event filter show
Filter    Rule Rule                   SNMP Trap
Name     Posn Type    Message Name    Severity    Type    Parameters
----------- ---- -------- ---------------- ------------- --------- -----------
default-trap-events
       1   include  *         EMERGENCY, ALERT
                             *      *=*
       2   include  callhome.*     ERROR      *      *=*
       3   include  *         *        Standard, Built-in
                                  *=*
       4   exclude  *         *        *      *=*
important-events
      1   include  *         EMERGENCY, ALERT
                             *      *=*
       2   include  callhome.*     ERROR      *      *=*
       3   exclude  *         *        *      *=*
no-info-debug-events
       1   include  *         EMERGENCY, ALERT, ERROR, NOTICE
                             *      *=*
       2   exclude  *         *        *      *=*
9 entries were displayed.

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.