Alerts for workload anomaly detection
The workload anomaly alerting mechanism brings an extra layer of detection for IBM Storage Virtualize.
Using advanced compression formulas and entropy analysis, IBM Storage Insights identifies suspicious conditions at both the node and volume level, providing you with early warnings of potential system misbehavior.
You will receive an email notification at the configured email addresses whenever a workload anomaly alert is triggered. This email includes details about the anomalies in your storage environment and provides a link to the corresponding alert in IBM Storage Insights.
Key capabilities of workload anomaly detection alert
- Streamlined alerting for IBM Storage Virtualize systems:
IBM Storage Insights will now trigger either a ransomware threat alert or a workload anomaly alert for IBM Storage Virtualize system based on the following firmware and FCM drive conditions:
Table 1. FCM and firmware version requirements for ransomware and workload anomaly detection alerting support

| Firmware version | Storage system with at least one FCM drive with version 4 or later | Storage system with no FCM drives |
|---|---|---|
| Below 8.6.0.0 | No ransomware threat and workload anomaly detection is supported | No ransomware threat and workload anomaly detection is supported |
| 8.6.0.0 to below 8.6.3.0 | Only workload anomaly detection is supported | Only workload anomaly detection is supported |
| 8.6.3.0 or later | Only ransomware threat detection is supported | Only workload anomaly detection is supported |

Note: Ransomware threat detection for volume groups is supported only for storage systems with firmware version 8.7.2.0 or later that have at least one FCM drive with version 4.2 or later.
- For a storage system with firmware version 8.6.0.0 or later that has at least one FCM drive with a version earlier than 4, only workload anomaly detection is supported.
Why this enhancement: Clear conditions for which type of alert is triggered simplify the alerting process and ensure that alerts match the firmware and hardware configuration of the system, reducing false positives and focusing on actionable events.
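As an added illustration (not IBM's code and not part of this page), the following Python helper encodes Table 1, the bullet after it and the note on volume groups as a single decision function. Firmware and FCM drive versions are parsed into integer tuples so that comparisons are numeric (8.6.10.0 sorts after 8.6.3.0, which a plain string comparison would get wrong). The function and field names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a dotted version string such as '8.6.3.0' or '4.2' into a tuple of ints.

    Numeric tuples compare correctly ('8.6.10.0' > '8.6.3.0'); raw strings do not.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError(f"empty version string: {text!r}")
    return parts


def version_at_least(version: Version, minimum: Version) -> bool:
    """True if version >= minimum, padding the shorter tuple with zeros ('8.6' == '8.6.0.0')."""
    width = max(len(version), len(minimum))
    padded_version = version + (0,) * (width - len(version))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_version >= padded_minimum


@dataclass(frozen=True)
class AlertSupport:
    """Which detection alerts a system can raise (hypothetical structure for this example)."""
    ransomware_threat: bool
    workload_anomaly: bool
    volume_group_ransomware: bool


def alert_support(firmware: str, fcm_drive_versions: Iterable[str]) -> AlertSupport:
    """Apply the Table 1 rules, the 'FCM earlier than 4' bullet and the volume-group note."""
    fw = parse_version(firmware)
    drives = [parse_version(v) for v in fcm_drive_versions]
    has_fcm_4 = any(version_at_least(d, (4,)) for d in drives)
    has_fcm_4_2 = any(version_at_least(d, (4, 2)) for d in drives)

    # Below 8.6.0.0: neither detection is supported, regardless of drives.
    if not version_at_least(fw, (8, 6, 0, 0)):
        return AlertSupport(False, False, False)

    # 8.6.3.0 or later with at least one FCM drive at version 4+: ransomware only.
    if version_at_least(fw, (8, 6, 3, 0)) and has_fcm_4:
        # Volume-group ransomware detection additionally needs 8.7.2.0+ and an FCM 4.2+ drive.
        volume_groups = version_at_least(fw, (8, 7, 2, 0)) and has_fcm_4_2
        return AlertSupport(True, False, volume_groups)

    # 8.6.0.0 to below 8.6.3.0, no FCM drives, or only FCM drives older than 4: workload anomaly only.
    return AlertSupport(False, True, False)


if __name__ == "__main__":
    # Constructed sample inventory, not data from any real system.
    for fw, drives in [("8.5.9.0", ["4.0"]), ("8.6.1.0", ["4.0"]), ("8.6.3.0", []),
                       ("8.6.3.0", ["3.1"]), ("8.6.10.0", ["4.2"]), ("8.7.2.0", ["4.2"])]:
        print(fw, drives, alert_support(fw, drives))
```

The padding in `version_at_least` matters because firmware versions on the page have four components while FCM drive versions have one or two; comparing `(4,)` against `(4, 2)` without padding would still work in Python, but `(8, 6)` against `(8, 6, 0, 0)` would not compare as equal.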
- Accessing workload anomaly threat alerts
- Modern UI: Click the bell icon on the overview page and locate the Workload anomaly detected alert tile.
- Classic UI: You can access workload anomaly alerts through the following locations:
- Alerts tab in the General section of the storage system's details page.
- Volumes tab in the Internal Resources section of the storage system's details page.
- Alert details
- Classic UI: Double-click the alert to view related storage systems, the affected volumes table, performance charts (Read I/O Rate, Write I/O Rate, Total I/O Rate), and recommended mitigation actions.
- Modern UI: On the overview page, click the bell icon and locate the Workload anomaly detected alert tile to view similar alert details.
- Acknowledgment
You can acknowledge or un-acknowledge workload anomaly alerts at the volume level. For more information, see Acknowledging a false positive alert.
- False-positive reporting
A feedback mechanism for false positives is also available for workload anomaly alerts, enhancing alert accuracy. For more information, see Submitting feedback for workload anomaly false positives.
- Confirmation for canceling false positive feedback:
When you are resolving an alert as a false positive by providing the feedback and then attempt to cancel that action, a confirmation prompt will now appear to reconfirm the cancellation request.
This enhancement prevents accidental cancellation of feedback on false positives, ensuring that important data on alert handling is accurately captured.
- Recommended mitigation actions for alerts:
When a ransomware or workload anomaly alert is triggered, you can now see recommended actions to mitigate the issues. Recommendations include checking whether encryption is enabled, migrating data, or contacting the security team.
To access the recommendations from the modern UI, click the bell icon on the overview page and double-click the alert name. The alert details pane opens. Click the Recommendations tab to view the recommended actions.
To access the recommendations from the classic UI, double-click the alert name. The alert details pane opens. You can see the Recommendations section with the suggested actions.
Providing suggested actions directly within the alert details allows you to respond quickly, improving efficiency in addressing potential security risks or performance issues.