Monitor Successful Backups

Description

With good backups, a ransomware attack goes from unrecoverable losses to a manageable nuisance. This use case shows how you can track successful backups.


Use Case

Security Monitoring, Compliance

Category

Operations, GDPR

Alert Volume

Very High

SPL Difficulty

Basic

Journey

Stage 1

Data Sources

Backup

How to Implement

Because there are so many different strategies for backups and data resiliency, this search is provided as an example. To implement it, you need to obtain data from the backup logs on your endpoints, or from a central server responsible for performing the backups. In this case, we used NetBackup as an example. Feel free to modify this search according to your backup solution and strategy.

Known False Positives

None at the moment

How To Respond

This search will let you know when one of your systems has been backed up. It will help you understand your environment and how often systems are backed up. You can use this knowledge in your risk assessment for your environment.

Help

Monitor Successful Backups Help

With sufficient backups that are maintained outside the local network, ransomware goes from unrecoverable losses to a manageable nuisance that consumes time. Organizations must track their backup posture as a part of their overall corporate data availability and resiliency plan. This means knowing that routine backups are taking place and notifying the appropriate personnel when they are not. This use case helps Splunk users manage and verify that data resiliency processes are being conducted, specifically looking for indications of successful backups.

SPL for Monitor Successful Backups

Demo Data

First we load our basic demo data.
Next we filter for the specific message that NetBackup sends for successful backups
Bucket (aliased to bin) allows us to group events based on _time, effectively flattening the actual _time value to the day.
Finally we can look at the hosts that are successfully backed up over time, thanks to stats.

Live Data

First we load our NetBackup data and filter for the specific message that NetBackup sends for successful backups.
Bucket (aliased to bin) allows us to group events based on _time, effectively flattening the actual _time value to the day.
Finally we can look at the hosts that are successfully backed up over time, thanks to stats.
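The three steps above (the same ones listed under Demo Data), as an added example written in Python rather than SPL and not taken from the original page: it filters a few constructed log lines for the success message, flattens the timestamp to the day, counts per host, and also reports which expected hosts have no successful backup on a given day, which is the notification the Help section calls for. The line format, the status code and the success message text are assumptions for illustration, not NetBackup's documented output.

```python
import re
from collections import Counter

# Constructed sample lines loosely modelled on NetBackup job messages; the
# field layout, status code and success text are assumptions, not the product's real format.
SAMPLE_LOGS = """\
2024-03-01T01:05:12 host=db01 job=1201 status=0 msg="the requested operation was successfully completed"
2024-03-01T01:07:44 host=web01 job=1202 status=0 msg="the requested operation was successfully completed"
2024-03-01T01:09:03 host=web02 job=1203 status=96 msg="unable to allocate new media for backup"
2024-03-02T01:05:30 host=db01 job=1210 status=0 msg="the requested operation was successfully completed"
2024-03-02T01:06:10 host=db01 job=1211 status=0 msg="the requested operation was successfully completed"
2024-03-02T01:08:51 host=web02 job=1212 status=0 msg="the requested operation was successfully completed"
a malformed line that the parser should skip rather than crash on
"""

LINE_RE = re.compile(r'^(\S+) host=(\S+) job=\d+ status=(\d+) msg="([^"]*)"$')
SUCCESS_MSG = "the requested operation was successfully completed"  # assumed success text


def successful_backups_by_day(log_text):
    """Steps 1-3 of the search: keep only the success message, flatten the
    timestamp to the day (what bin/bucket does to _time), count per (day, host)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable event: ignore it, as a search would
        ts, host, status, msg = m.groups()
        if status != "0" or msg != SUCCESS_MSG:
            continue  # the filter step: only successful backups survive
        day = ts[:10]  # "YYYY-MM-DD": the day-level bucket
        counts[(day, host)] += 1
    return dict(counts)


def hosts_missing_backup(log_text, expected_hosts, day):
    """The follow-up the Help text asks for: which expected hosts have no
    successful backup on the given day (candidates for a notification)."""
    backed_up = {h for (d, h) in successful_backups_by_day(log_text) if d == day}
    return sorted(set(expected_hosts) - backed_up)


if __name__ == "__main__":
    for (day, host), n in sorted(successful_backups_by_day(SAMPLE_LOGS).items()):
        print(day, host, n)
    print("no success on 2024-03-01:",
          hosts_missing_backup(SAMPLE_LOGS, ["db01", "web01", "web02"], "2024-03-01"))
```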