Unreducible Capacity Alerting for PowerMax for Possibly Indicating a Ransomware Attack
Thu, 31 Aug 2023 21:00:21 -0000
|Read Time: 0 minutes
Unreducible Capacity Alerting for PowerMax for Possibly Indicating a Ransomware Attack
With the release of PowerMaxOS 6079.175.0042 and Unisphere 10.0.1 (March 2023), you can now get anomaly detection for your PowerMax storage environment. This blog explores the various ways you can set up capacity anomaly detection for your PowerMax storage environments that could possibly indicate a ransomware attack occurring on your PowerMax.
Unisphere 10.0.1 provides a new performance metric called Unreducible Capacity, which reports on the unreducible capacity in the storage array. With data reduction capabilities enabled by default, this metric monitors your unreducible capacity for a system and Storage Group. To chart the unreducible capacity within a PowerMax environment:
- Log in to Unisphere 10.0.1.
- Select the PowerMax for which you would like to chart unreducible capacity (this assumes that the PowerMax is leveraging DRR capabilities).
- On the left-hand side of Unisphere, expand the Performance section and select Charts (example shown here).
- Locate the Time Frame section and select a time frame. Please note, the ‘Unreducible Capacity’ metric is selectable with all ‘Diagnostic’ and ‘Historical’ time frames, however the metric is not selectable with the Realtime time frame.
- Under Category, Unreducible Capacity is eligible for System and Storage Group (which is under the System & Hosts category). There are benefits to charting unreducible capacity for system and Storage Groups. The benefits are:
- For System – Gives customers an idea if a massive ransomware attack is occurring across the whole system.
- For Storage Groups – Gives customers a more surgical approach because Storage Groups are typically created on an application-by-application basis. Therefore, customers can chart the unreducible capacity per Storage Group and give an indication if a ransomware attack may be occurring on the application.
- Change Data Format from the default setting of Avg (for average) to Max.
- If charting the System, check under Instances for the PowerMax array serial number you want to chart.
- Under Metric, select All for all the available metrics.
- In the All Metrics field, enter unreducible and Unreducible Capacity appears. Select Unreducible Capacity, and click Create at the bottom of the screen.
Here is how the screen now appears:
This figure shows how customers can chart the Unreducible Capacity metric in Unisphere. Customers can also set a Performance Threshold and Alert within the Settings section of Unisphere. Doing this enables customers (after monitoring the System and Storage Group for the appropriate thresholds) to set an alert within Unisphere. Unisphere will generate an alert within Unisphere and could email and/or have SNMP send the alert to stakeholders if the thresholds set for Unreducible Capacity are exceeded. To set an alert for Unreducible Capacity:
- Log in to Unisphere.
- Navigate to and select the gear icon in the top right-hand corner of Unisphere. The gear icon is the Settings section for Unisphere for this PowerMax instance.
- On the left-hand side, navigate to the Alerts section and expand it.
- Select the Performance Thresholds and Alerts section. This opens a panel to configure performance thresholds and alerts within Unisphere.
- By default, the category System is selected. To create a threshold for Unreducible Capacity for System:
- Select the Create button.
- On the top right-hand side, select the All setting to view all the Performance Metrics available within Unisphere for the category System.
- The metrics are listed in alphabetical order, so scroll down to the Unreducible Capacity metric and select it.
- Enter a number for First Threshold and a higher number for Second Threshold.
- On the bottom right-hand side, click OK to create a Performance Threshold alert for unreducible capacity being measured against the PowerMax system.
Here is how the information appears with these steps completed:
You can change the Category shown in this screenshot from System to Storage Groups to set a performance threshold alert for an individual storage group. Here is a screenshot of creating a performance threshold and alert for Storage Groups (Note: I selected the radio button Specific to pick specific Storage Groups that I want to monitor and alert on).
If you have SRS enabled on your PowerMax array, you can onboard CloudIQ through Unisphere. CloudIQ is a monitoring and reporting tool for all supported Dell assets that feed data into CloudIQ. With PowerMaxOS 6079.175.0042, you can use CloudIQ for Capacity Anomaly Detection on a PowerMax storage array.
For more information about the technologies mentioned in this blog, see the following resources:
- For Unisphere information, review the Dell Technologies Support page
- PowerMaxOS Release Notes
Authors: Justin Bastin (Senior Principal Engineer) and Richard Pace (Principal Engineering Technologist)