Comprehensive data protection for all workloads
Post Reply
Brad Schubring
Novice
Posts: 6
Liked: 1 time
Joined: Oct 27, 2017 4:28 pm
Full Name: Brad Schubring
Contact:

Feature Request- Generate alerts for restore point deletions, especially via Files Tab in B&R console

Post by Brad Schubring » 1 person likes this post

Regarding this thread and case 05942639
veeam-one-f28/vm-restore-point-deletion ... 85567.html

I was asked by my workplace to show if we could alert based on malicious/inappropriate administrator activity in the B&R console, specifically the deletion of restore points. I believe that when done through the means documented in the thread above, a 10050 event is generated, which is the same event ID for automatically removed restore points and makes it challenging to alert on. Further, deletion through the files tab do not generate events at all. This would be the ideal place to act as a malicious actor.

I understand that preventing the deletion or mitigating it via immutability is the solution. However, I would argue that knowing that the restore point was deleted is an important part of recovering. Immutability is not typically as lengthy of a time period as overall retention. This leaves a gap for backups to age out of immutability, but still be in retention if you don't realize that the deletion happened.

I'd like to suggest events centered around manual admin actions in the console could fill this gap. Alternatively, on each job run if there was an alert generated when part of the expected backup chain was missing could also draw attention to the action afterwards and allow quicker response.

I hope my explanation makes sense, please let me know your thoughts!
HannesK
Product Manager
Posts: 14818
Liked: 3074 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Feature Request- Generate alerts for restore point deletions, especially via Files Tab in B&R console

Post by HannesK »

Hello,
we agree with what you say and we have some ideas for improvement.

Question: would it help you, if only "backup administrators" can access the "files" section?

Best regards,
Hannes
Post Reply

Who is online

Users browsing this forum: AdsBot [Google], Bing [Bot], EskBackupGuy23, MILJW002, r0bbienz, Valdereth and 79 guests