Primary Storage

  • 1.  FS5300 Ransomware alerting.

    Posted Tue December 03, 2024 08:27 AM

    Hello All,

    With IBM FS5300 (8.7.0.x) equipped with FCM4 together with Storage Insights Pro we now have Ransomware Detection where we can receive alerts from Storage Insights.
    If there is an alert, can we also see this in the FS5300 logging itself (syslog, events, etc)?


    I see that as of 8.7.2.x there is a new error code: 4300 Workload anomaly detected. Does this have something to do with the Ransomware detection from the FCM4 or is this related to Inline Data Corruption Detection?

    Thanks



    ------------------------------
    TMasteen
    ------------------------------


  • 2.  RE: FS5300 Ransomware alerting.
    Best Answer

    Posted Wed December 04, 2024 09:23 AM

    Hiya - 

    The 5300 will not be logging these events itself; they are only in SI Pro (we do some filtering/post-processing and validation based on our data lake, which is part of why SI Pro is required for this solution).

    I hope this helps.



    ------------------------------
    Evelyn Perez
    IBM Senior Technical Staff Member
    IBM Storage Virtualize Software Architect for SVC and FlashSystem
    ------------------------------



  • 3.  RE: FS5300 Ransomware alerting.

    Posted Thu December 05, 2024 06:17 AM

    We are giving you options …

    …to be more specific, these are the 3 options:

    1) eMail: you can set up email addresses to receive such alerts

    Use the context menu to set up RTD for a FlashSystem in SI Pro

    Here you can overwrite eMail addresses


    2) Webhooks: a way where an application like ServiceNow offers a URL that Storage Insights Pro can call when it receives an RTD event. Read more here: https://www.ibm.com/docs/en/storage-insights?topic=resources-creating-webhook-in-storage-insights

    Or look straight here in this menu: Configuration ➞ Integrations


    3) REST API: You can use the REST API and query the Alert Log. This way you might be able to very tightly integrate this into your SIEM/SOAR system if that provides its own API; for example, many applications are offering Python packages, and querying the SI REST API in Python is also easy. You can read more on the REST API here, including a Python example: https://www.ibm.com/docs/en/storage-insights?topic=configuring-rest-api

    I hope this helps

    Markus



    ------------------------------
    Markus Standau
    Offering Leader for FlashSystems and SVC
    IBM
    Walldorf
    ------------------------------
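
For option 3 and the original question about seeing alerts in syslog, here is one way to forward polled alerts to a syslog collector. This is an added example, not code from the thread or from IBM. The alert field names, the `si-bridge` hostname and the sample records are assumptions; fetching the Alert Log is left to the REST client described in the IBM documentation linked above.

```python
import socket
from datetime import datetime, timezone

# Assumed alert fields (id, severity, resource, condition, occurred): map them
# to whatever your Alert Log query returns. 32473 is the RFC 5612 example PEN.
SYSLOG_SEVERITY = {"critical": 2, "warning": 4, "info": 6}
FACILITY = 13  # "log audit" in RFC 5424

def clean(value):
    """Drop control characters so a field cannot start a forged log line."""
    return "".join(c for c in str(value) if c.isprintable())

def sd_escape(value):
    """Escape backslash, quote and ']' as RFC 5424 requires in SD-PARAM values."""
    text = clean(value)
    for ch in ("\\", '"', "]"):
        text = text.replace(ch, "\\" + ch)
    return text

def to_rfc5424(alert, hostname="si-bridge"):
    """Render one alert dict as an RFC 5424 line (unknown severity -> notice)."""
    pri = FACILITY * 8 + SYSLOG_SEVERITY.get(alert.get("severity"), 5)
    ts = datetime.fromtimestamp(alert["occurred"], tz=timezone.utc)
    params = " ".join(f'{k}="{sd_escape(alert.get(k, ""))}"'
                      for k in ("id", "resource", "condition"))
    return (f"<{pri}>1 {ts:%Y-%m-%dT%H:%M:%SZ} {hostname} storage-insights - RTD "
            f"[alert@32473 {params}] {clean(alert.get('condition', ''))}")

def forward_new(alerts, seen_ids, send):
    """Send alerts not seen in earlier polls, oldest first; return lines sent."""
    sent = []
    for alert in sorted(alerts, key=lambda a: a["occurred"]):
        if alert["id"] not in seen_ids:
            line = to_rfc5424(alert)
            send(line)
            seen_ids.add(alert["id"])
            sent.append(line)
    return sent

def udp_sender(host, port=514):  # send() callable for a UDP syslog collector
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda line: sock.sendto(line.encode("utf-8"), (host, port))

# Constructed sample data, not real Storage Insights output.
SAMPLE_ALERTS = [
    {"id": "a-1", "severity": "critical", "resource": "FS5300-01",
     "condition": "Ransomware threat detected", "occurred": 1733300000},
    {"id": "a-2", "severity": "warning", "resource": 'vol"x]\n<0>fake',
     "condition": "test", "occurred": 1733300060},
]
```

Persist `seen_ids` between polls (a file or small database) so that a restart of the bridge does not replay old alerts into the SIEM.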