THIS IS A DEPRECATED DETECTION
This detection has been marked deprecated by the Splunk Threat Research team. This means that it will no longer be maintained or supported.
This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it's a infrastructure monitoring.
- Type: Hunting
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2017-09-12
- Author: David Dorsey, Splunk
- ID: a34aae96-ccf8-4aef-952c-3ea214444440
Kill Chain Phase
- CIS 10
1 2 3 4 5 6 7 8 `netbackup` MESSAGE="Disk/Partition backup completed successfully." | stats latest(_time) as latestTime by COMPUTERNAME | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), "-7d@d"), 1, 0) | search isOutlier=1 | table latestTime, dest | `extended_period_without_successful_netbackup_backups_filter`
The SPL above uses the following Macros:
extended_period_without_successful_netbackup_backups_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
To successfully implement this search you need to first obtain data from your backup solution, either from the backup logs on your hosts, or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your backup solution. Depending on how often you backup your systems, you may want to modify how far in the past to look for a successful backup, other than the default of seven days.
Known False Positives
Associated Analytic Story
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
source | version: 1