IBM FlashSystem


Volumegroup snapshot Threat Detection Event

  • 1.  Volumegroup snapshot Threat Detection Event

    Posted 27 days ago

    Hi all, 

    With 9.1.0.x, we get additional information about the snapshots within a Volumegroup. We see a column with Threat Detection Event (Yes\No).

     

    How does the FlashSystem know that Threat Detection Event = Yes?

    What is the information flow?

    I assume this is only possible with Cloud services enabled (SI Pro is involved)?

    Thanks,



    ------------------------------
    TMasteen
    ------------------------------


  • 2.  RE: Volumegroup snapshot Threat Detection Event

    Posted 27 days ago
    Hi T,
     
    This feature works as follows:
    Let's say Snapshot 1 was taken at 8 a.m. and Snapshot 2 at 10 a.m.
     
    At 9:50 a.m., an anomaly is detected on the volume where a Real-Time Threat Detection (RTD) copy is taken.
    In this case, the Threat Detection Event column will show "Yes" for Snapshot 2 - because it's the snapshot created after the anomaly was detected.
    Snapshot 1 will automatically be marked as the last known good copy.
     
    Snapshots identified as last known good copies are eligible for a retention-period extension (by 7 days) if you wish to keep them for investigation or recovery purposes.
    And yes, as you already know, Storage Insights Pro is needed for RTD.


    ------------------------------
    Nezih Boyacioglu
    ------------------------------



  • 3.  RE: Volumegroup snapshot Threat Detection Event

    Posted 27 days ago

    Hello Nezih,

    Thanks for your reply.

    I understand the difference between the two snapshots, but how does the FlashSystem "know" that there was an anomaly detected? Are there "events" from SI Pro to the FlashSystem? Or maybe via another way?

    Thanks.



    ------------------------------
    TMasteen
    ------------------------------



  • 4.  RE: Volumegroup snapshot Threat Detection Event

    Posted 27 days ago
    Edited by Nezih Boyacioglu 27 days ago

    I thought SI informs the FlashSystem, and in the events you will see Event ID 090037: "A volume in the volume group received a workload anomaly due to new application configuration (encryption enabled) or a result of a security threat such as ransomware." After this event is logged, the latest copy in our example is marked as "Threat Detection Event = Yes" and the prior copy is marked as the last known good one.



    ------------------------------
    Nezih Boyacioglu
    ------------------------------



  • 5.  RE: Volumegroup snapshot Threat Detection Event

    Posted 27 days ago

    This information flow to the Flashsystem is new to me.

    It should also allow for events related to Workload anomaly and Ransomware detection when no snapshots are being taken and/or volumegroups are present.



    ------------------------------
    TMasteen
    ------------------------------



  • 6.  RE: Volumegroup snapshot Threat Detection Event

    Posted 27 days ago

    If there is no volumegroup, Event ID 090036: "A volume received a workload anomaly due to new application configuration (encryption enabled) or a result of a security threat such as ransomware." is logged in Events.



    ------------------------------
    Nezih Boyacioglu
    ------------------------------



  • 7.  RE: Volumegroup snapshot Threat Detection Event

    Posted 26 days ago

    Nezih,

    You wrote: "I thought SI informs the FlashSystem". Could you please be more precise as to how this is done?

    The documentation says the communication is one way (outbound only), encrypted and compressed from FlashSystem to SI.

    Regards,



    ------------------------------
    Istvan Buda
    ------------------------------



  • 8.  RE: Volumegroup snapshot Threat Detection Event

    Posted 26 days ago

    In my understanding, this feature has two independent components:

    What do you think?



    ------------------------------
    Istvan Buda
    ------------------------------



  • 9.  RE: Volumegroup snapshot Threat Detection Event

    Posted 26 days ago

    I think it's the cloud call home/services route, as that's secured.

    Same method we show the software recommended levels IIRC.

    Double checking and will confirm.



    ------------------------------
    Barry Whyte
    ------------------------------



  • 10.  RE: Volumegroup snapshot Threat Detection Event

    Posted 26 days ago

    Starting from IBM FlashSystem / Spectrum Virtualize 9.1.0.x, the "Threat Detection Event (Yes/No)" column for snapshots within a Volume Group indicates whether the system has detected an anomaly, such as ransomware-like behavior or unusual data patterns, on the associated volume.

    This information is generated by the Real-Time Threat Detection (RTD) engine built into the FlashSystem software, which continuously analyzes I/O entropy and workload deviations using embedded AI inference models.
    When an anomaly is detected, the next snapshot created after that event is marked as "Threat Detection Event = Yes," while the preceding snapshot is preserved as the last known good copy. If that snapshot had an expiration policy, it is automatically extended (typically by 7 days) to allow investigation and recovery.

    The detection and event correlation are performed locally on the storage system, but alert visibility and extended analytics are enhanced when the system is connected to IBM Storage Insights Pro (SI Pro) or an equivalent call-home service. SI Pro receives the telemetry and advisory data, allowing these events to be surfaced in the GUI or APIs for monitoring and reporting.

    In summary:

    • The "Yes" flag appears when RTD detects an anomaly.

    • Detection logic runs locally but is augmented when Storage Insights Pro is enabled.

    • This feature helps quickly identify which snapshot was taken after a potential ransomware or abnormal activity event.




    ------------------------------
    Mustapha Gbogboade
    ------------------------------



  • 11.  RE: Volumegroup snapshot Threat Detection Event

    Posted 26 days ago

    Hello Mustapha,

    Thank you for your detailed answer. I want to double-check something.

    In summary:

    • The "Yes" flag appears when RTD detects an anomaly.

    • Detection logic runs locally but is augmented when Storage Insights Pro is enabled.

    So we will get an event (Yes flag) without having SI Pro (with cloud services) enabled?



    ------------------------------
    TMasteen
    ------------------------------



  • 12.  RE: Volumegroup snapshot Threat Detection Event
    Best Answer

    Posted 26 days ago

    To add to this thread:

    Yes, it requires Cloud Call Home (which the RTD and SI Pro communication needs anyway), but since in this case SI Pro actively needs to instruct the FlashSystem to mark something, you need to have this setting set to yes:
    chsystem -storageinsightscontrolaccess yes

    If you book this TechZone Demo https://techzone.ibm.com/collection/679397f62bcf08ca77ec5e96 you can see it for yourself

    Hint: while the roadbook doesn't mention it, go ahead and create a snapshot, i.e. using:
    addsnapshot -retentiondays 1 -volumegroup <name or id>
    (please not a safeguarded copy) BEFORE you run the simulation, and you will also see that the expiration gets increased, so that the most recent snapshot from before the ransomware event gets its expiration extended. I typically do this CLI part without the customers, and simply show them that we have a snapshot in the UI.

    After the ransomware simulation you can also use the GUI to create another snapshot, which will then show "yes" in the Threat Detection Event column.

    Since it's not easy to create your own demo, go ahead and use the link above; it's very simple, but good that we have it, and it's easy to use.

    I hope this helps,
    Markus



    ------------------------------
    Markus Standau
    Offering Leader for FlashSystems and SVC
    IBM
    Walldorf
    ------------------------------
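The marking rule described in posts 2 and 10 (first snapshot after the anomaly shows "Yes", the latest snapshot from before it becomes the last known good copy and has its expiration extended by 7 days), plus the expiration increase Markus points out in post 12, modelled as an added Python example; this is not FlashSystem code or an IBM API. The Snapshot record, the fixed 7-day constant, and the rule that a snapshot already flagged "Yes" is not a candidate for last known good are assumptions made here for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Extension granted to a last known good copy, as described in the thread (fixed here by assumption).
RETENTION_EXTENSION = timedelta(days=7)


@dataclass
class Snapshot:
    name: str
    created: datetime
    expires: Optional[datetime]           # None models a snapshot with no expiration policy
    threat_detection_event: bool = False  # the "Threat Detection Event (Yes/No)" column
    last_known_good: bool = False


def apply_threat_events(snapshots: List[Snapshot], anomalies: List[datetime]) -> List[Snapshot]:
    """For each anomaly (in time order): the first snapshot created after it is
    flagged Yes; the latest snapshot from before it becomes the last known good
    copy and, if it has an expiration, that expiration is extended by 7 days."""
    ordered = sorted(snapshots, key=lambda s: s.created)
    for anomaly in sorted(anomalies):
        # Assumption: a snapshot already flagged Yes cannot serve as last known good.
        prior = [s for s in ordered if s.created <= anomaly and not s.threat_detection_event]
        if prior and not prior[-1].last_known_good:   # extend only once, even for repeated anomalies
            prior[-1].last_known_good = True
            if prior[-1].expires is not None:
                prior[-1].expires += RETENTION_EXTENSION
        later = [s for s in ordered if s.created > anomaly]
        if later:
            later[0].threat_detection_event = True
    return ordered


def snapshot_table(snapshots: List[Snapshot]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Rows as the GUI would show them: name, Yes/No column, good-copy marker, expiry."""
    return [(s.name, "Yes" if s.threat_detection_event else "No",
             "last known good" if s.last_known_good else "",
             s.expires.isoformat() if s.expires else None) for s in snapshots]


def run_scenario(snapshot_specs, anomaly_times):
    """Build snapshots from (name, created, expires) ISO strings, apply anomalies, return rows."""
    snaps = [Snapshot(n, datetime.fromisoformat(c), datetime.fromisoformat(e) if e else None)
             for n, c, e in snapshot_specs]
    return snapshot_table(apply_threat_events(snaps, [datetime.fromisoformat(a) for a in anomaly_times]))
```

Calling `run_scenario` with the constructed 8 a.m. / 10 a.m. timeline from post 2 and an anomaly at 9:50 a.m. returns snap1 as last known good with its expiry moved out 7 days and snap2 flagged "Yes"; an anomaly with no later snapshot yet protects the prior copy but shows no "Yes" row until the next snapshot is taken, which is why post 12 has you create one after the simulation.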