IBM FlashSystem

  • 1.  Volumegroup snapshot Threat Detection Event

    Posted 10 hours ago

    Hi all, 

    With 9.1.0.x, we get additional information about the snapshots within a Volumegroup. We see a column with Threat Detection Event (Yes/No).

    How does the FlashSystem know that Threat Detection Event = Yes?

    What is the information flow?

    I assume this is only possible with Cloud services enabled (SI Pro is involved)?

    Thanks,



    ------------------------------
    TMasteen
    ------------------------------


  • 2.  RE: Volumegroup snapshot Threat Detection Event

    Posted 4 hours ago
    Hi T,

    This feature works as follows:
    Let's say Snapshot 1 was taken at 8 a.m. and Snapshot 2 at 10 a.m.

    At 9:50 a.m., an anomaly is detected on the volume where a Real-Time Threat Detection (RTD) copy is taken.
    In this case, the Threat Detection Event column will show "Yes" for Snapshot 2 - because it's the snapshot created after the anomaly was detected.
    Snapshot 1 will automatically be marked as the last known good copy.

    Snapshots identified as last known good copies are eligible for a retention-period extension (by 7 days) if you wish to keep them for investigation or recovery purposes.
    And yes, as you already know, Storage Insights Pro is needed for RTD.


    ------------------------------
    Nezih Boyacioglu
    ------------------------------



  • 3.  RE: Volumegroup snapshot Threat Detection Event

    Posted 3 hours ago

    Hello Nezih,

    Thanks for your reply.

    I understand the difference between the two snapshots, but how does the FlashSystem "know" that there was an anomaly detected? Are there "events" from SI Pro to the FlashSystem? Or maybe via another way?

    Thanks.



    ------------------------------
    TMasteen
    ------------------------------



  • 4.  RE: Volumegroup snapshot Threat Detection Event

    Posted 2 hours ago
    Edited by Nezih Boyacioglu 2 hours ago

    I thought SI informs the FlashSystem, and in the events you will see Event ID 090037: "A volume in the volume group received a workload anomaly due to new application configuration (encryption enabled) or a result of a security threat such as ransomware." After this event is logged, the latest copy in our example is marked as "Threat Detection Event = Yes" and the prior copy is marked as the last known good one.



    ------------------------------
    Nezih Boyacioglu
    ------------------------------



  • 5.  RE: Volumegroup snapshot Threat Detection Event

    Posted an hour ago

    This information flow to the FlashSystem is new to me.

    It should also allow for events related to Workload anomaly and Ransomware detection when no snapshots are being taken and/or volumegroups are present.



    ------------------------------
    TMasteen
    ------------------------------



  • 6.  RE: Volumegroup snapshot Threat Detection Event

    Posted an hour ago

    If there is no volumegroup, Event ID 090036 ("A volume received a workload anomaly due to new application configuration (encryption enabled) or a result of a security threat such as ransomware.") is logged in Events.



    ------------------------------
    Nezih Boyacioglu
    ------------------------------
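The marking logic Nezih describes in post 2 (first snapshot after the anomaly gets Threat Detection Event = Yes, the one before it becomes the last known good copy, eligible for a 7-day retention extension) combined with the event IDs from posts 4 and 6, as an added Python example that is not IBM's code and not from this thread. The event log line layout, the volume group name and all timestamps are constructed for illustration; the real FlashSystem event format is not shown on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import re
# Event IDs quoted in the thread: 090036 = volume outside a volume group, 090037 = inside one.
ANOMALY_EVENT_SCOPE = {"090036": "volume", "090037": "volume_group"}
# Constructed log-line layout (assumption, not the real format): "<ISO ts> <event id> <object> <text>"
_LOG_RE = re.compile(r"^(\S+)\s+(\d{6})\s+(\S+)\s+(.*)$")

@dataclass
class Snapshot:
    name: str
    created: datetime
    expires: datetime
    threat_detection_event: bool = False  # the Yes/No column from the thread
    last_known_good: bool = False

def parse_anomaly_events(lines):
    """Return (timestamp, scope, object) for each workload-anomaly event line."""
    hits = (_LOG_RE.match(line) for line in lines)
    return [(datetime.fromisoformat(m.group(1)), ANOMALY_EVENT_SCOPE[m.group(2)], m.group(3))
            for m in hits if m and m.group(2) in ANOMALY_EVENT_SCOPE]

def mark_snapshots(snapshots, anomaly_time):
    """Flag the first snapshot after the anomaly; the last one before it becomes last known good."""
    ordered = sorted(snapshots, key=lambda s: s.created)
    before = [s for s in ordered if s.created < anomaly_time]
    after = [s for s in ordered if s.created >= anomaly_time]
    if after:
        after[0].threat_detection_event = True
    if before:
        before[-1].last_known_good = True
    return ordered

def extend_retention(snapshot, days=7):
    """Opt-in retention extension for a last known good copy (7 days, per post 2)."""
    if not snapshot.last_known_good:
        raise ValueError(f"{snapshot.name} is not a last known good copy")
    snapshot.expires += timedelta(days=days)
    return snapshot.expires

# Constructed sample data mirroring the thread's 8 a.m. / 9:50 a.m. / 10 a.m. example.
SAMPLE_LOG = [
    "2024-05-01T09:50:00 090037 vg_prod A volume in the volume group received a workload anomaly",
    "2024-05-01T09:51:00 099999 vg_prod Unrelated informational event",
]
SAMPLE_SNAPSHOTS = [
    Snapshot("snap1", datetime(2024, 5, 1, 8), datetime(2024, 5, 8, 8)),
    Snapshot("snap2", datetime(2024, 5, 1, 10), datetime(2024, 5, 8, 10)),
]
```

Feeding the anomaly timestamp from `parse_anomaly_events(SAMPLE_LOG)` into `mark_snapshots(SAMPLE_SNAPSHOTS, ...)` reproduces the thread's outcome: snap2 is flagged, snap1 becomes the last known good copy.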