# Understanding EMS alerts for Autonomous Ransomware Protection You can use NetApp ONTAP's Events Management System (EMS) to monitor events related to ARP including potential attacks. For more information about ARP and how it detects attacks, see [How ARP works](ARP.md#how-ARP-works) and [What ARP looks for](ARP.md#ARP-detects). The following table contains all of the alerts related to ARP. For more information about EMS, see [Monitoring FSx for ONTAP EMS events](ems-events.md). **** | EMS message name | EMS message description | | --- | --- | | `arw.analytics.ext.report` | This message occurs when anti-ransomware analytics generate or update the **suspicious file extensions** report for a volume. | | `arw.analytics.high.entropy` | This message occurs when the number of high entropy data log messages (pertaining to ransomware detection and analysis) cross the predefined threshold for a volume. | | `arw.analytics.probability` | This message occurs when an anti-ransomware attack probability has changed from `low` to `high` on a volume. | | `arw.analytics.report` | This message occurs when an anti-ransomware analytics report is generated or updated for a volume. | | `arw.analytics.suspects` | This message occurs when a list of suspects generated by anti-ransomware analytics grows to a point where further investigation is needed. | | `arw.new.file.extn.seen` | This message occurs when a new file extension is observed in an anti-ransomware enabled volume. Its purpose is to promptly notify the user about the observed extension, which enables timely investigation. | | `arw.snapshot.created` | This message occurs when a new ARP snapshot is created in an anti-ransomware enabled volume. Additionally, it provides information about the reason why the snapshot was created. | | `arw.volume.state` | This message occurs when the anti-ransomware state of a volume is changed. | | `arw.vserver.state` | This message occurs when the anti-ransomware state of an SVM is changed. |