Monitoring and reporting for Veeam Data Platform
koravit
Lurker
Posts: 1
Liked: never
Joined: Dec 12, 2024 4:43 am
Full Name: Koravit Moonmuang

SIEM Alert: Risk Detected about Activity User Creation and Deletion on Veeam ONE Server

Post by koravit »

Our SIEM system (Splunk) has detected a risk event on the Veeam ONE Server, involving the creation and subsequent deletion of a user account: Veeam_6043-4343A67F (create & delete in 1 min). This action was performed by the user xxxx (a service account). However, no one within our team is aware of this activity, and we could not locate any corresponding event logs on the OS (Windows Server 2019) or within Veeam ONE.

Could you please help us understand the following:

1. Is it possible that Veeam ONE itself creates and deletes such user accounts as part of its internal processes?
2. If so, what scenarios or mechanisms within Veeam ONE could result in this type of event?

We need to explain this situation to our Security team to ensure that this activity is not a result of unauthorized access or malicious actions. Any insights you can provide would be greatly appreciated.

Thank you for your assistance.
Case #07537821
RomanK
Veeam Software
Posts: 802
Liked: 210 times
Joined: Nov 01, 2016 11:26 am

Re: SIEM Alert: Risk Detected about Activity User Creation and Deletion on Veeam ONE Server

Post by RomanK »

Hello Koravit,

Yes, this is a known behavior. You can find more information in this KB: https://www.veeam.com/kb4042

Thanks
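
Added example, not written by either poster and not Veeam's code: a triage check for the alert discussed in this thread. It pairs Windows Security events 4720 (account created) and 4726 (account deleted) and marks a short-lived account as expected only when the name shape, the host and the acting account all match. The record layout, the name pattern generalised from the one account quoted above, and the host and service-account names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Name shape of the single account quoted in the thread (Veeam_6043-4343A67F).
# Generalising it to a pattern is an assumption of this example.
VEEAM_TEMP_NAME = re.compile(r"^Veeam_[0-9A-F]{4}-[0-9A-F]{8}$")
CREATED, DELETED = 4720, 4726  # Windows Security event IDs: account created / deleted

def triage_short_lived_accounts(events, expected_actor, expected_host,
                                max_lifetime=timedelta(minutes=1)):
    """Pair create/delete events per (host, account); classify short-lived accounts."""
    created, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"].lower(), ev["target"].lower())
        if ev["event_id"] == CREATED:
            created[key] = ev
        elif ev["event_id"] == DELETED and key in created:
            start = created.pop(key)
            lifetime = ev["time"] - start["time"]
            if lifetime > max_lifetime:
                continue
            # A matching name alone proves nothing: anyone can choose that name.
            # Require the expected host and the expected actor on both events too.
            expected = (VEEAM_TEMP_NAME.match(start["target"]) is not None
                        and start["host"].lower() == expected_host.lower()
                        and {start["actor"].lower(), ev["actor"].lower()}
                        == {expected_actor.lower()})
            findings.append({"account": start["target"], "host": start["host"],
                             "lifetime_s": int(lifetime.total_seconds()),
                             "verdict": "expected" if expected else "investigate"})
    return findings

def _ev(ts, event_id, host, actor, target):
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "host": host, "actor": actor, "target": target}

# Constructed sample records (not real logs); host and actor names are placeholders.
SAMPLE = [
    _ev("2024-12-12T04:00:05", 4720, "VEEAMONE01", "svc_veeamone", "Veeam_6043-4343A67F"),
    _ev("2024-12-12T04:00:41", 4726, "VEEAMONE01", "svc_veeamone", "Veeam_6043-4343A67F"),
    _ev("2024-12-12T05:10:00", 4720, "VEEAMONE01", "jdoe", "Veeam_0000-AAAAAAAA"),
    _ev("2024-12-12T05:10:30", 4726, "VEEAMONE01", "jdoe", "Veeam_0000-AAAAAAAA"),
    _ev("2024-12-12T06:00:00", 4720, "FILESRV02", "svc_veeamone", "tmpadmin"),
    _ev("2024-12-12T06:00:20", 4726, "FILESRV02", "svc_veeamone", "tmpadmin"),
]

if __name__ == "__main__":
    for finding in triage_short_lived_accounts(SAMPLE, "svc_veeamone", "VEEAMONE01"):
        print(finding)
```

Only the first constructed pair comes back as `expected`; the look-alike name created by a different user and the short-lived account on another host both stay in the `investigate` queue.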