Description

This search gives you the hosts where a backup was attempted and then failed.

  • Type: Hunting
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2017-09-12
  • Author: David Dorsey, Splunk
  • ID: a34aae96-ccf8-4aaa-952c-3ea21444444f

Annotations

ATT&CK
Kill Chain Phase
  • Exploitation
NIST
  • PR.IP
CIS20
  • CIS 10
CVE
`netbackup` 
| stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE 
| search MESSAGE="An error occurred, failed to backup." 
| `security_content_ctime(latestTime)` 
| rename COMPUTERNAME as dest, MESSAGE as signature 
| table latestTime, dest, signature 
| `unsuccessful_netbackup_backups_filter`

Macros

The SPL above uses the following macros:

  • netbackup
  • security_content_ctime
  • unsuccessful_netbackup_backups_filter

Note that unsuccessful_netbackup_backups_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required field

  • _time

How To Implement

To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your specific backup solution.
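To see what the search computes, and to adapt the logic to a backup product other than NetBackup, the following Python re-implementation of the SPL pipeline runs over a handful of constructed log lines. This is an added example, not code from Splunk Security Content: the key=value event format, the field names, the `keep` predicate standing in for the unsuccessful_netbackup_backups_filter macro, and the timestamp rendering used for security_content_ctime are all assumptions made here.

```python
"""Python re-implementation of the 'Unsuccessful Netbackup backups' SPL logic.

Added example for testing the detection logic offline; not part of the Splunk
search itself.  Each SPL command is mirrored by one function below.
"""
import re
from datetime import datetime, timezone

# The MESSAGE value the SPL filters on after the stats step.
FAILURE_MESSAGE = "An error occurred, failed to backup."

# Constructed sample events (assumed key=value layout); not real NetBackup output.
SAMPLE_EVENTS = [
    '2017-09-11T22:00:00Z COMPUTERNAME="fileserver01" MESSAGE="Backup completed successfully."',
    '2017-09-12T01:15:00Z COMPUTERNAME="dbserver02" MESSAGE="An error occurred, failed to backup."',
    '2017-09-12T03:30:00Z COMPUTERNAME="dbserver02" MESSAGE="An error occurred, failed to backup."',
    '2017-09-12T02:00:00Z COMPUTERNAME="workstation07" MESSAGE="An error occurred, failed to backup."',
    '2017-09-12T04:00:00Z COMPUTERNAME="fileserver01" MESSAGE="Backup completed successfully."',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+COMPUTERNAME="(?P<host>[^"]*)"\s+MESSAGE="(?P<msg>[^"]*)"$'
)


def parse_event(line):
    """Return (epoch_seconds, COMPUTERNAME, MESSAGE), or None for a non-matching line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m.group("host"), m.group("msg")


def latest_by_host_and_message(lines):
    """Equivalent of `stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE`."""
    latest = {}
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # unparseable lines contribute no fields, as in Splunk
        t, host, msg = parsed
        key = (host, msg)
        if key not in latest or t > latest[key]:
            latest[key] = t
    return latest


def ctime(epoch):
    """Stand-in for security_content_ctime: render epoch seconds as a UTC timestamp string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def unsuccessful_backups(lines, keep=lambda row: True):
    """Run the whole pipeline: stats -> search MESSAGE=... -> ctime -> rename -> table -> filter.

    `keep` is a hypothetical predicate playing the role of the empty
    unsuccessful_netbackup_backups_filter macro: rows it rejects are dropped.
    """
    rows = []
    for (host, msg), t in latest_by_host_and_message(lines).items():
        # SPL's `search MESSAGE="..."` matches field values case-insensitively.
        if msg.lower() != FAILURE_MESSAGE.lower():
            continue
        # rename COMPUTERNAME as dest, MESSAGE as signature; table latestTime, dest, signature
        rows.append({"latestTime": ctime(t), "dest": host, "signature": msg})
    rows.sort(key=lambda r: r["dest"])
    return [r for r in rows if keep(r)]


if __name__ == "__main__":
    for row in unsuccessful_backups(SAMPLE_EVENTS):
        print(row["latestTime"], row["dest"], row["signature"])
```

Because the stats step groups by both host and message, a host whose most recent event is a success still appears if it has any failure event in the search window; the result reports the latest time of the failure message per host, not whether the last backup overall succeeded. The `keep` predicate shows where a site-specific exclusion (the filter macro) would go without touching the core logic.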

Known False Positives

None identified

Associated Analytic story

RBA

  Risk Score | Impact | Confidence | Message
  -----------|--------|------------|--------
  25.0       | 50     | 50         | tbd

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1