Submitting feedback for ransomware false positives

About this task

When you encounter a ransomware alert in IBM Storage Insights, you can now indicate whether it is a false positive. If so, you can provide more details about the potential cause, such as compression activities or other system events. IBM Storage Insights captures and analyzes this feedback to improve its potential ransomware threat detection capabilities.

Procedure

In modern UI

  1. Click Alerts in the top menu bar, and then click Potential Ransomware Detected in the Alert name column. The alert details panel opens. Click Incorrect detection in the alert details panel.
    You can submit feedback on false ransomware threat detection alerts only through the modern UI in the free version of IBM Storage Insights because the classic UI does not support ransomware threat detection. In the Pro version, ransomware threat detection is supported in both the classic and modern UI.
  2. Select the reasons why this alert is incorrect and, optionally, type other relevant information. Click Submit.

In classic UI

  1. Go to the alerts overview page by navigating to Dashboards > Alerts, the Alerts tab on the storage systems overview page, or Alerts on the storage system details page. Double-click the alert to open the alert details page, and then click Incorrect detection. To provide feedback for multiple ransomware alerts, select the alerts, right-click the selection, and then click Incorrect detection.
  2. Select the reasons why this alert is incorrect and, optionally, type other relevant information. Click Submit.

Results

  1. The ransomware alert is acknowledged, if it was not acknowledged already. The severity of the alert is marked as Critical - Acknowledged.
  2. For volumes affected by the ransomware alert, the status changes from Online (Threat Detected) to Online (Threat Detected, Acknowledged). After the next full probe, the status becomes Online.
Important:
  • If multiple ransomware alerts have been triggered for a single volume, you must provide feedback for the appropriate alert. This is crucial because providing feedback on a false positive alert will reset the volume’s status to normal, potentially masking the presence of a real ransomware threat. For example, if three ransomware alerts are generated for the same volume at different times, and if the most recent alert is a genuine ransomware threat while the earlier two were false positives, submitting feedback on the false positive alerts will cause the volume to appear normal, despite the genuine threat identified by the latest alert.
  • You can submit false positive feedback more than once for a single ransomware alert.
  • All actions related to marking alerts as false positives are logged for auditing and compliance purposes. For more information, see Audit logs.