Getting started with NetApp Autonomous Ransomware Protection (ARP)

Before you begin

ARP has been available since ONTAP 9.10.1 and is aimed at detecting ransomware attacks on file (NAS) workloads.
When it detects a suspected attack, ARP automatically creates a snapshot of the affected volume and can forward the event via BlueXP or syslog to an external SIEM.
Keep in mind that ARP is only one layer of your ransomware strategy.
Smart snapshot policies, tamper-proof (locked) snapshots, SnapMirror/SnapVault copies, multi-admin verification and role-based access control should be part of that strategy as well.

ARP uses three signals to detect ransomware attacks: the entropy of incoming data, new or unusual file extensions, and surges in file IOPS.

Before you begin, make sure your ONTAP system is on a current patch level; several ARP bugs have been fixed in recent releases. Enabling ARP requires an ONTAP system with a valid ONTAP One license.

About this article

This article gives a brief overview of how to enable ARP on NetApp volumes.
The second part covers forwarding ARP events to a syslog destination.

Enabling ARP

ARP can be enabled from the GUI (System Manager) or from the CLI.
Before ARP can be enabled, you must first start learning mode.
Learning mode should run for at least 30 days so that ARP can build a baseline of normal activity on the volume.


To start learning mode, you can use the following CLI command:
security anti-ransomware volume dry-run -volume your_vol01 -vserver svm1
or the equivalent task in the System Manager GUI.

After the learning period (30 days) you can enable ARP.
During the learning phase ARP uses machine learning to build a picture of how the file system is typically accessed.
What ARP learns about the access behaviour is stored as a workload profile, which can be inspected for troubleshooting.
ONTAP 9.16.1 changes the way ARP is enabled: learning mode is deprecated, you simply enable ARP and it works with a pre-trained model.
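Scripting the rollout. The following is an added example, not code from this article or from NetApp: it applies the two-step sequence above (dry-run first, enable once the 30-day learning period is over) to every volume of an SVM through the ONTAP REST API, so it goes beyond the single volume shown here. The REST paths, the anti_ransomware.state values and the dry_run_start_time field are my reading of the ONTAP REST documentation and are marked as assumptions in the code; cluster, user, SVM and the sample volume records are placeholders/constructed.

```python
"""Roll ARP out across the NAS volumes of an SVM through the ONTAP REST API.

Added example for this article, not code from NetApp or the original post.
Assumptions (verify against the REST docs of your ONTAP release):
  * GET  /api/storage/volumes?svm.name=<svm>&fields=name,uuid,svm.name,anti_ransomware
    returns anti_ransomware.state and anti_ransomware.dry_run_start_time per volume.
  * PATCH /api/storage/volumes/<uuid> with {"anti_ransomware": {"state": ...}}
    accepts the states "dry_run" and "enabled".
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

LEARNING_DAYS = 30   # minimum learning period the article recommends


def plan_transition(volume: Dict, now: datetime) -> Optional[str]:
    """Decide the next anti_ransomware.state for one volume record, or None to leave it alone.

    disabled -> dry_run (start learning); dry_run -> enabled once LEARNING_DAYS have passed;
    everything else (enabled, paused, disable_in_progress, ...) is left for a human to review.
    """
    arw = volume.get("anti_ransomware") or {}
    state = arw.get("state", "disabled")
    if state == "disabled":
        return "dry_run"
    if state == "dry_run":
        started = arw.get("dry_run_start_time")   # assumed REST field name
        if not started:
            return None
        start = datetime.fromisoformat(started.replace("Z", "+00:00"))
        if now - start >= timedelta(days=LEARNING_DAYS):
            return "enabled"
    return None


def ontap_request(host: str, user: str, password: str, method: str, path: str,
                  body: Optional[Dict] = None, cafile: Optional[str] = None) -> Dict:
    """Minimal authenticated call to the ONTAP REST API (basic auth over verified TLS).
    Hand the cluster CA certificate in `cafile` instead of disabling certificate checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{host}/api{path}", data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def rollout(host: str, user: str, password: str, svm: str, apply: bool = False,
            cafile: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Plan (and with apply=True perform) the ARP state changes for all volumes of `svm`.
    Returns (volume, current_state, requested_state) so a dry run can be reviewed first."""
    query = "svm.name=" + urllib.parse.quote(svm) + "&fields=name,uuid,svm.name,anti_ransomware"
    res = ontap_request(host, user, password, "GET", "/storage/volumes?" + query, cafile=cafile)
    now = datetime.now(timezone.utc)
    changes = []
    for vol in res.get("records", []):
        target = plan_transition(vol, now)
        if target is None:
            continue
        current = (vol.get("anti_ransomware") or {}).get("state", "disabled")
        changes.append((vol["name"], current, target))
        if apply:
            ontap_request(host, user, password, "PATCH", f"/storage/volumes/{vol['uuid']}",
                          {"anti_ransomware": {"state": target}}, cafile=cafile)
    return changes


# Constructed volume records in the shape of GET /api/storage/volumes (no cluster needed).
DEMO_NOW = datetime(2024, 10, 20, tzinfo=timezone.utc)
DEMO_VOLUMES = [
    {"name": "vol_new", "uuid": "00000000-0000-0000-0000-000000000001",
     "anti_ransomware": {"state": "disabled"}},
    {"name": "vol_learning", "uuid": "00000000-0000-0000-0000-000000000002",
     "anti_ransomware": {"state": "dry_run", "dry_run_start_time": "2024-10-01T00:00:00Z"}},
    {"name": "vol_learned", "uuid": "00000000-0000-0000-0000-000000000003",
     "anti_ransomware": {"state": "dry_run", "dry_run_start_time": "2024-09-16T20:30:04+02:00"}},
    {"name": "vol_active", "uuid": "00000000-0000-0000-0000-000000000004",
     "anti_ransomware": {"state": "enabled"}},
    {"name": "vol_paused", "uuid": "00000000-0000-0000-0000-000000000005",
     "anti_ransomware": {"state": "paused"}},
]


def demo_plan() -> List[Tuple[str, Optional[str]]]:
    """Apply the policy to the constructed records: (volume name, requested state or None)."""
    return [(v["name"], plan_transition(v, DEMO_NOW)) for v in DEMO_VOLUMES]


if __name__ == "__main__":
    for name, target in demo_plan():
        print(f"{name}: {target or 'no change'}")
    # Against a real cluster: rollout("cluster.example.com", "admin", "…", "svm1", apply=False)
```

plan_transition is a pure function, so the policy can be tested without a cluster; run rollout() with apply=False first and review the returned tuples. A volume in a paused state is deliberately left alone: pausing ARP is exactly what an intruder with admin rights would do before encrypting data, so it deserves a look rather than an automatic resume.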

Forwarding ARP events

The first step is to create an event notification destination for the syslog server (replace fqdn with the server's FQDN or IP address; the destination name is reused in the following steps):
event notification destination create -name your_siem -syslog fqdn
Syslog forwarding is plain, unencrypted UDP unless you pick an encrypted TCP transport with the -syslog-transport option where your ONTAP release offers it, so keep the path between the cluster and the SIEM on a trusted management network.

Next, create an event filter and add the ARP rules to it. A newly created filter ends with an implicit exclude-all rule, so only the messages you include here are forwarded.

event filter create -filter-name arp
event filter rule add -filter-name arp -type include -message-name callhome.arw.activity.seen -severity *
event filter rule add -filter-name arp -type include -message-name arw.volume.state -severity *
event filter rule add -filter-name arp -type include -message-name arw.vserver.state -severity *
event filter rule add -filter-name arp -type include -message-name arw.analytics.* -severity *

The last step is to attach the event filter to the notification destination:

yourcluster::> event notification create -filter-name arp -destinations your_siem

yourcluster::> event notification show -filter-name *arp*
ID   Filter Name                     Destinations
---- ------------------------------  -----------------
4    arp                             your_siem

yourcluster::>

To check that the configuration works end to end, generate a test event. event generate is an advanced-privilege command, hence the ::*> prompt in the output below; the five values fill the five placeholders (state, volume, volume UUID, Vserver, Vserver UUID) of the message:

event generate -message-name arw.volume.state -node node01 -values Test,Test,Test,Test,Test
Then verify that the filter forwarded the event to the destination:
yourcluster::*> event notification history show -destination your_siem
Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
11/27/2023 17:25:09 node01
                                     NOTICE        arw.volume.state: Anti-ransomware state was changed to "Test" on volume "Test" (UUID: "Test") in Vserver "Test" (UUID: "Test").
11/27/2023 17:20:15 node01
                                     NOTICE        arw.volume.state: Anti-ransomware state was changed to "Test" on volume "Test" (UUID: "Test") in Vserver "Test" (UUID: "Test").
11/27/2023 17:13:23 node01
                                     NOTICE        arw.volume.state: Anti-ransomware state was changed to "Test" on volume "Test" (UUID: "Test") in Vserver "Test" (UUID: "Test").
11/27/2023 17:04:24 node01
                                     NOTICE        arw.volume.state: Anti-ransomware state was changed to "Test" on volume "Test" (UUID: "Test") in Vserver "Test" (UUID: "Test").
4 entries were displayed.

yourcluster::*>
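On the SIEM side the forwarded events still have to be turned into something an analyst acts on. The following is an added example, not code from this article or from NetApp: a small Python triage that parses the four message classes from the filter above out of syslog lines and assigns each a priority. The arw.volume.state wording is taken from the event history output above; the syslog envelope format, the other message texts and all UUIDs are constructed for the sample and marked as such in the code, so adjust the ENVELOPE pattern to what your collector actually receives.

```python
"""Triage ARP events that ONTAP EMS forwards to syslog.

Added example for this article, not code from NetApp or the original post.
The arw.volume.state wording is copied from the article's event history output;
the syslog envelope, the remaining message texts and all UUIDs below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed envelope: "<pri>Mon DD HH:MM:SS [node:message-name:severity]: text".
ENVELOPE = re.compile(
    r"\[(?P<node>[^:\]]+):(?P<name>[^:\]]+):(?P<severity>[^\]]+)\]:\s*(?P<text>.*)$")
# Fallback when the collector has stripped the envelope: "<message-name>: <text>".
BARE = re.compile(r"(?P<name>(?:callhome\.)?arw\.[\w.]+):\s*(?P<text>.*)$")
# Body of arw.volume.state as shown in the event history above.
VOLUME_STATE = re.compile(
    r'state was changed to "(?P<state>[^"]+)" on volume "(?P<volume>[^"]+)" '
    r'\(UUID: "(?P<vol_uuid>[^"]+)"\) in Vserver "(?P<svm>[^"]+)"')

# ARP states in which the volume is no longer actively protected.
WEAKENED = {"disabled", "paused", "dry-run-paused", "enable-paused", "disable-in-progress"}


def parse_event(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the ARP event carried by one syslog line, or None if it is not an ARP event."""
    m = ENVELOPE.search(line)
    if m:
        ev = {"node": m["node"].strip(), "name": m["name"].strip(),
              "severity": m["severity"].strip().upper(), "text": m["text"]}
    else:
        m = BARE.search(line)
        if not m:
            return None
        ev = {"node": None, "name": m["name"], "severity": None, "text": m["text"]}
    if not ev["name"].startswith(("arw.", "callhome.arw.")):
        return None            # something else slipped past the filter
    if ev["name"] == "arw.volume.state":
        body = VOLUME_STATE.search(ev["text"])
        if body:
            ev.update(body.groupdict())
    return ev


def triage(ev: Dict[str, Optional[str]]) -> str:
    """Map an ARP event to a priority for the SIEM."""
    name = ev["name"]
    if name == "callhome.arw.activity.seen":
        # ARP has seen suspected ransomware activity and taken a snapshot: page the on-call.
        return "critical"
    if name == "arw.volume.state":
        # Protection switched off or paused is what an intruder with admin rights does first.
        return "high" if (ev.get("state") or "").lower() in WEAKENED else "info"
    return "info"              # arw.vserver.state, arw.analytics.*


def triage_lines(lines: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """(priority, message name, volume) for every ARP event in `lines`; other lines are dropped."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            out.append((triage(ev), ev["name"], ev.get("volume")))
    return out


# Constructed sample input; the first line is the test event generated in the article.
SAMPLE_LINES = [
    '<134>Nov 27 17:25:09 [node01:arw.volume.state:notice]: Anti-ransomware state was changed to "Test" on volume "Test" (UUID: "Test") in Vserver "Test" (UUID: "Test").',
    '<134>Nov 28 09:02:11 [node01:arw.volume.state:notice]: Anti-ransomware state was changed to "enabled" on volume "your_vol01" (UUID: "00000000-0000-0000-0000-000000000001") in Vserver "svm1" (UUID: "00000000-0000-0000-0000-000000000002").',
    '<134>Nov 28 09:40:53 [node01:arw.volume.state:notice]: Anti-ransomware state was changed to "disabled" on volume "your_vol01" (UUID: "00000000-0000-0000-0000-000000000001") in Vserver "svm1" (UUID: "00000000-0000-0000-0000-000000000002").',
    '<129>Nov 28 10:15:00 [node01:callhome.arw.activity.seen:alert]: Suspected ransomware activity on volume "your_vol01" (constructed text).',
    'arw.vserver.state: Anti-ransomware state changed on Vserver "svm1" (constructed text, envelope stripped).',
    '<134>Nov 28 10:15:01 [node01:example.unrelated.event:notice]: not an ARP event.',
]

if __name__ == "__main__":
    for row in triage_lines(SAMPLE_LINES):
        print(row)
```

The "Test" event from the article parses and lands as "info", which is the expected result of the end-to-end check; a real transition to "disabled" or "paused" is raised to "high" so that somebody compares it against the change records (and multi-admin verification, if configured), and callhome.arw.activity.seen is the one that should page the on-call.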
Feel free to try out the NetApp lab "Protection and Recovery From Ransomware v4.2".
Cheers ✌,
Eric