sidebar | permalink | keywords | summary |
---|---|---|---|
sidebar |
cs_alert_data.html |
alert, attack, ransomware, activity, security, abnormal |
Workload Security creates alerts in the event of abnormal user activity or potential attack. The Alerts page lists these activities for quick and easy investigation. |
The Alert list displays a graph showing the total number of Potential Attacks and/or Warnings that have been raised in the selected time range, followed by a list of the attacks and/or warnings that occurred in that time range. You can change the time range by adjusting the start time and end time sliders in the graph.
The following is displayed for each alert:
Potential Attacks:
-
The Potential Attack type (for example, Ransomware or Sabotage)
-
The date and time the potential attack was Detected
-
The Status of the alert:
-
New: This is the default for new alerts.
-
In Progress: The alert is under investigation by a team member or members.
-
Resolved: The alert has been marked as resolved by a team member.
-
Dismissed: The alert has been dismissed as false positive or expected behavior.
An administrator can change the status of the alert and add a note to assist with investigation.
-
-
The User whose behavior triggered the alert
-
Evidence of the attack (for example, a large number of files was encrypted)
-
The Action Taken (for example, a snapshot was taken)
Warnings:
-
The Abnormal Behavior that triggered the warning
-
The date and time the behavior was Detected
-
The Status of the alert (New, In progress, etc.)
-
The User whose behavior triggered the alert
-
A description of the Change (for example, an abnormal increase in file access)
-
The Action Taken
You can filter Alerts by the following:
-
The Status of the alert
-
Specific text in the Note
-
The type of Attacks/Warnings
-
The User whose actions triggered the alert/warning
You can click an alert link on the Alerts list page to open a detail page for the alert. Alert details may vary according to the type of attack or alert. For example, a Ransomware Attack detail page may show the following information:
-
Attack type (Ransomware, Sabotage) and Alert ID (assigned by Workload Security)
-
Date and Time the attack was detected
-
Action Taken (for example, an automatic snapshot was taken. Time of snapshot is shown immediately below the summary section))
-
Status (New, In Progress, etc.)
-
Counts of Affected Volumes and Files
-
An accompanying summary of the detection
-
A graph showing file activity during the attack
Workload Security protects your data by automatically taking a snapshot when malicious activity is detected, ensuring that your data is safely backed up.
You can define automated response policies that take a snapshot when ransomware attack or other abnormal user activity is detected.
You can also take a snapshot manually from the alert page.
Email notifications of alerts are sent to an alert recipient list for every action on the alert. To configure alert recipients, click on Admin > Notifications and enter an email addresses for each recipient.
Alerts and Warnings are retained for 13 months. Alerts and Warnings older than 13 months will be deleted.
If the Workload Security environment is deleted, all data associated with the environment is also deleted.
Problem: | Try This: |
---|---|
There is a situation where, ONTAP takes hourly snapshots per day. Will Workload Security (WS) snapshots affect it? Will WS snapshot take the hourly snapshot place? Will the default hourly snapshot get stopped? |
Workload Security snapshots will not affect the hourly snapshots. WS snapshots will not take the hourly snapshot space and that should continue as before. The default hourly snapshot will not get stopped. |
What will happen if the maximum snapshot count is reached in ONTAP? |
If the maximum Snapshot count is reached, subsequent Snapshot taking will fail and Workload Security will show an error message noting that Snapshot is full. |
Workload Security is unable to take snapshots at all. |
Make sure that the role being used to create snapshots has link: proper rights assigned. |
Snapshots are failing for older alerts on SVMs which were removed from Workload Security and subsequently added back again. For new alerts which occur after SVM is added again, snapshots are taken. |
This is a rare scenario. In the event you experience this, log in to ONTAP and take the snapshots manually for the older alerts. |
In the Alert Details page, the message “Last attempt failed” error is seen below the Take Snapshot button. |
This can happen when a data collector is added to Workload Security via SVM Management IP, if the LIF of the SVM is in disabled state in ONTAP. |