Our SIEM system (Splunk) has detected a risk event on the Veeam ONE Server, involving the creation and subsequent deletion of a user account: Veeam_6043-4343A67F. This action was performed by the user xxxx (a service account). However, no one within our team is aware of this activity, and we could not locate any corresponding event logs on the OS (Windows Server 2019) or within Veeam ONE.Could you please help us understand the following:Is it possible that Veeam ONE itself creates and deletes such user accounts as part of its internal processes? If so, what scenarios or mechanisms within Veeam ONE could result in this type of event?We need to explain this situation to our Security team to ensure that this activity is not a result of unauthorized access or malicious actions. Any insights you can provide would be greatly appreciated.Thank you for your assistance.

SIEM Alert: User Creation and Deletion Detected on Veeam ONE Server

Our SIEM system (Splunk) has detected a risk event on the Veeam ONE Server, involving the creation and subsequent deletion of a user account: Veeam_6043-4343A67F. This action was performed by the user xxxx (a service account). However, no one within our team is aware of this activity, and we could not locate any corresponding event logs on the OS (Windows Server 2019) or within Veeam ONE.

Could you please help us understand the following:

Is it possible that Veeam ONE itself creates and deletes such user accounts as part of its internal processes?
If so, what scenarios or mechanisms within Veeam ONE could result in this type of event?

We need to explain this situation to our Security team to ensure that this activity is not a result of unauthorized access or malicious actions. Any insights you can provide would be greatly appreciated.

Thank you for your assistance.

Page 1 / 1

Hi @koravit -

Welcome to the Community. Honestly, your best bet to get your questions answered is to get ahold of Veeam Support and/or Product Managers in the Forums (tho they generally request a case#). Not sure if anyone here in the Community can answer your queries.

Best.

I would think these are tasks that VONE is running like connecting to VBR servers or log analysis, but as Shane mentioned to get a proper answer you will need to check with Support and PMs on the Forums here - https://forums.veeam.com

Let us know what you find out.

Hi @koravit -

Welcome to the Community. Honestly, your best bet to get your questions answered is to get ahold of Veeam Support and/or Product Managers in the Forums (tho they generally request a case#). Not sure if anyone here in the Community can answer your queries.

Best.

I really appreciate your suggestion!

I would think these are tasks that VONE is running like connecting to VBR servers or log analysis, but as Shane mentioned to get a proper answer you will need to check with Support and PMs on the Forums here - https://forums.veeam.com

Let us know what you find out.

I appreciate your suggestion—let’s explore it further.

Keep us updated on what you find out.

Comment

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded