This playbook creates a NetApp volume snapshot using the updated NetApp Ransomware Resilience take-snapshot API endpoint and optionally polls for completion.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | NetApp Ransomware Resilience |
| Source | View on GitHub |
📄 Source: NetApp-RansomwareResilience_Volume_Snapshot_Playbook/readme.md
This playbook creates point-in-time snapshots of NetApp volumes to protect your data. When responding to a security incident, snapshots provide a clean recovery point and preserve evidence for investigation.
During a ransomware or security incident, taking immediate snapshots of critical volumes ensures you have a clean copy of data before any potential corruption or encryption occurs. These snapshots can be used for recovery or forensic analysis.
This playbook should be deployed FIFTH, after:
1. ✅ Auth Playbook (required)
2. ✅ Async Poll Playbook (required)
3. ✅ Enrich IP Playbook (optional)
4. ✅ Enrich StorageVM Playbook (optional)
Before deploying this playbook:
1. Auth Playbook must be deployed and functioning correctly
2. Async Poll Playbook must be deployed and functioning correctly
3. Valid NetApp API credentials configured
4. Sufficient storage capacity for snapshots
This playbook can be:
- Called manually when you identify a volume that needs protection
- Triggered automatically by Microsoft Sentinel automation rules
- Integrated into multi-step incident response workflows
- Combined with enrichment playbooks to identify which volumes to snapshot
Input Required:
- volume_id: The ID of the volume to snapshot
- agent_id: The NetApp agent identifier
- system_id: The NetApp system identifier
Ransomware Incident Response:
1. Receive alert about suspicious file encryption activity
2. Use Enrich IP or Enrich StorageVM playbooks to identify affected volumes
3. Use this playbook to immediately snapshot clean volumes
4. Use Volume Offline playbook to isolate compromised volumes
5. Restore from snapshots if needed
After deploying this playbook:
1. Test with a non-production volume using valid IDs
2. Verify the snapshot is created successfully
3. Configure automation rules to trigger snapshots during security incidents
4. Document your snapshot retention policies
Combine this playbook with others to create comprehensive incident response:
- Enrich IP → Identify volumes → Take snapshots → Take volumes offline
- Alert triggers → Enrich StorageVM → Take snapshots of all critical volumes
If snapshot creation isn't working, verify:
- The Auth Playbook is returning valid tokens
- The Async Poll Playbook is functioning correctly
- Volume ID, agent ID, and system ID are correct
- You have sufficient storage capacity for snapshots
- Your NetApp system supports snapshot operations