We are giving you options …
…to be more specific, these are the 3 options:
1) eMail: you can set up email addresses to receive such alerts
2) Webhooks: a way where an application like ServiceNow offers a URL that Storage Insights Pro can call when it receives an RTD event. Read more here: https://www.ibm.com/docs/en/storage-insights?topic=resources-creating-webhook-in-storage-insights
Or look straight here in this menu: Configuration ➞ Integrations
3) REST API: You can use the REST API and query the Alert Log. This way you might be able to very tightly integrate this into your SIEM/SOAR system if that provides its own API, for example many applications are offering Python packages, and querying the SI REST API in Python is also easy. You can read more on the REST API here including a Python example: https://www.ibm.com/docs/en/storage-insights?topic=configuring-rest-api
I hope this helps
Markus
------------------------------
Markus Standau
Offering Leader for FlashSystems and SVC
IBM
Walldorf
------------------------------
Original Message:
Sent: Wed December 04, 2024 09:23 AM
From: Evelyn Perez
Subject: FS5300 Ransomware alerting.
Hiya -
The 5300 will not be logging these events itself, they are only in SI Pro (we do some filtering/post processing and validation based on our data lake which is part of why SI Pro is required for this solution).
I hope this helps.
------------------------------
Evelyn Perez
IBM Senior Technical Staff Member
IBM Storage Virtualize Software Architect for SVC and FlashSystem
Original Message:
Sent: Tue December 03, 2024 08:27 AM
From: T Masteen
Subject: FS5300 Ransomware alerting.
Hello All,
With IBM FS5300 (8.7.0.x) equipped with FCM4 together with Storage Insights Pro we now have Ransomware Detection where we can receive alerts from Storage Insights.
If there is an alert, can we also see this in the FS5300 logging itself (syslog, events, etc)?
I see that as of 8.7.2.x there is a new error code: 4300 Workload anomaly detected. Does this have something to do with the Ransomware detection from the FCM4 or is this relating to Inline Data Corruption Detection?
Thanks
------------------------------
TMasteen
------------------------------