Can the important-events filter be used to send notifications for ransomware attack events?
Applies to
Answer
Additional information
- If 20 or more files with this unknown file extension are found, it is treated as an attack. At the same time, the attack probability is changed from low to moderate, and callhome.arw.activity.seen generates an EMS/ASUP alert notification.
cluster2::> event log show -message-name *arw*
Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
12/20/2022 11:27:55 cluster2-01      ALERT         callhome.arw.activity.seen: Call-home message for Vol1 (UUID: c437827d-8062-11ed-9f93-005056a0d3a0) svm1 (UUID: 4574c5fe-8916-11ec-b931-005056a0d3a0)
Note: In the example above, the event identifies both the SVM and the volume, so the anti-ransomware state of that specific volume can be checked directly.
::> security anti-ransomware volume show -vserver svm1 -volume Vol1
         Vserver Name: svm1
          Volume Name: Vol1
                State: enabled
   Dry Run Start Time: -
   Attack Probability: moderate
      Attack Timeline: 12/21/2022 09:34:45
    Number of Attacks: 1
The callhome.arw.activity.seen event has severity ALERT, and the important-events filter includes all events of severity ALERT (rule 1 below), so the event is delivered by that filter.
ontap913::> event catalog show -message-name callhome.arw.activity.seen
Message Name: callhome.arw.activity.seen
Severity: ALERT
Description: This message occurs when ransomware activity is detected. To protect the data, a Snapshot copy has been created, which can be used to restore the original data. If your system is configured to do so, it generates and transmits an AutoSupport (or "call home") message to NetApp technical support and to the configured destinations. Successful delivery of an AutoSupport message significantly improves problem determination and resolution.
Corrective Action: Refer to the anti-ransomware documentation to take remedial measures for ransomare activity. If you need assistance, contact NetApp technical support.
SNMP Trap Type: Severity-based
Is Deprecated: false
ontap913::> event filter show
Filter      Rule Rule     Message Name     Severity                        SNMP Trap           Parameters
Name        Posn Type                                                      Type
----------- ---- -------- ---------------- ------------------------------- ------------------- -----------
default-trap-events
            1    include  *                EMERGENCY, ALERT                *                   *=*
            2    include  callhome.*       ERROR                           *                   *=*
            3    include  *                *                               Standard, Built-in  *=*
            4    exclude  *                *                               *                   *=*
important-events
            1    include  *                EMERGENCY, ALERT                *                   *=*
            2    include  callhome.*       ERROR                           *                   *=*
            3    exclude  *                *                               *                   *=*
no-info-debug-events
            1    include  *                EMERGENCY, ALERT, ERROR, NOTICE *                   *=*
            2    exclude  *                *                               *                   *=*
9 entries were displayed.
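As an added example (my own code, not NetApp's and not part of this article), the following Python evaluates the three filters listed above against the callhome.arw.activity.seen event, and extracts the volume and SVM names and UUIDs from the event log line so that the follow-up security anti-ransomware volume show check can be targeted at the right object. The evaluation model it uses (rules checked in position order, the first rule whose message name, severity and SNMP trap type all match decides include or exclude, "*" matches anything and a comma-separated list matches any listed value) is my reading of the table above, not a statement from this page. It goes a little beyond the article by also checking an ERROR callhome event and a NOTICE event; the message name example.notice.event and the callhome.example name are constructed for contrast and are not real EMS events.

```python
"""Evaluate ONTAP EMS event filters against events and pull the SVM/volume out of a
callhome.arw.activity.seen log line.

Added example; not NetApp code. Assumptions (mine, not stated on the page): a filter's
rules are checked in position order, the first rule whose message name (glob), severity
and SNMP trap type all match decides include/exclude, and a '*' in a column matches
anything while a comma-separated list matches any listed value.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    position: int
    rule_type: str      # "include" or "exclude"
    message_name: str   # glob pattern, e.g. "callhome.*"
    severity: str       # "*" or comma-separated list, e.g. "EMERGENCY, ALERT"
    trap_type: str      # "*" or comma-separated list, e.g. "Standard, Built-in"


@dataclass(frozen=True)
class Event:
    message_name: str
    severity: str
    trap_type: str      # as shown by 'event catalog show', e.g. "Severity-based"


# Transcribed from the 'event filter show' output on this page.
FILTERS = {
    "default-trap-events": [
        Rule(1, "include", "*", "EMERGENCY, ALERT", "*"),
        Rule(2, "include", "callhome.*", "ERROR", "*"),
        Rule(3, "include", "*", "*", "Standard, Built-in"),
        Rule(4, "exclude", "*", "*", "*"),
    ],
    "important-events": [
        Rule(1, "include", "*", "EMERGENCY, ALERT", "*"),
        Rule(2, "include", "callhome.*", "ERROR", "*"),
        Rule(3, "exclude", "*", "*", "*"),
    ],
    "no-info-debug-events": [
        Rule(1, "include", "*", "EMERGENCY, ALERT, ERROR, NOTICE", "*"),
        Rule(2, "exclude", "*", "*", "*"),
    ],
}


def _list_matches(pattern: str, value: str) -> bool:
    """'*' matches anything; otherwise the value must appear in the comma-separated list."""
    if pattern.strip() == "*":
        return True
    return value in {item.strip() for item in pattern.split(",")}


def rule_matches(rule: Rule, event: Event) -> bool:
    return (fnmatch.fnmatchcase(event.message_name, rule.message_name)
            and _list_matches(rule.severity, event.severity)
            and _list_matches(rule.trap_type, event.trap_type))


def filter_decision(filter_name: str, event: Event) -> tuple[bool, Optional[int]]:
    """Return (included, position of the deciding rule). No matching rule -> not included."""
    for rule in sorted(FILTERS[filter_name], key=lambda r: r.position):
        if rule_matches(rule, event):
            return rule.rule_type == "include", rule.position
    return False, None


# Pattern for the ARW call-home line as printed by 'event log show' above.
ARW_LINE = re.compile(
    r"callhome\.arw\.activity\.seen: Call-home message for "
    r"(?P<volume>\S+) \(UUID: (?P<volume_uuid>[0-9a-f-]{36})\) "
    r"(?P<svm>\S+) \(UUID: (?P<svm_uuid>[0-9a-f-]{36})\)"
)


def parse_arw_event(line: str) -> Optional[dict]:
    """Extract volume/SVM names and UUIDs from an ARW call-home event line;
    return None for any other event line."""
    match = ARW_LINE.search(line)
    return match.groupdict() if match else None


# The event log line from the page, plus a constructed NOTICE event for contrast.
SAMPLE_LINE = (
    "12/20/2022 11:27:55 cluster2-01 ALERT callhome.arw.activity.seen: Call-home message "
    "for Vol1 (UUID: c437827d-8062-11ed-9f93-005056a0d3a0) "
    "svm1 (UUID: 4574c5fe-8916-11ec-b931-005056a0d3a0)"
)
ARW_EVENT = Event("callhome.arw.activity.seen", "ALERT", "Severity-based")
NOTICE_EVENT = Event("example.notice.event", "NOTICE", "Severity-based")  # constructed name

if __name__ == "__main__":
    for name in FILTERS:
        print(name, filter_decision(name, ARW_EVENT))   # important-events -> (True, 1)
    print(parse_arw_event(SAMPLE_LINE))
```

The ARW event is delivered by all three filters because every one of them starts with an include rule for ALERT; the NOTICE event shows where they differ, since only no-info-debug-events keeps it. Default-trap-events rule 3 is modelled with its SNMP trap type, so a Severity-based event does not fall through to it.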