Question

SIEM Alert: User Creation and Deletion Detected on Veeam ONE Server


  • Not a newbie anymore
  • 1 comment

Our SIEM system (Splunk) has detected a risk event on the Veeam ONE Server, involving the creation and subsequent deletion of a user account: Veeam_6043-4343A67F. This action was performed by the user xxxx (a service account). However, no one within our team is aware of this activity, and we could not locate any corresponding event logs on the OS (Windows Server 2019) or within Veeam ONE.

Could you please help us understand the following:

  1. Is it possible that Veeam ONE itself creates and deletes such user accounts as part of its internal processes?
  2. If so, what scenarios or mechanisms within Veeam ONE could result in this type of event?

We need to explain this situation to our Security team to ensure that this activity is not a result of unauthorized access or malicious actions. Any insights you can provide would be greatly appreciated.

Thank you for your assistance.

4 comments

coolsport00
  • Veeam Legend
  • 4113 comments
  • December 11, 2024

Hi @koravit -

Welcome to the Community. Honestly, your best bet to get your questions answered is to get ahold of Veeam Support and/or Product Managers in the Forums (tho they generally request a case#). Not sure if anyone here in the Community can answer your queries.

Best.


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8408 comments
  • December 11, 2024

I would think these are tasks that VONE is running like connecting to VBR servers or log analysis, but as Shane mentioned to get a proper answer you will need to check with Support and PMs on the Forums here - https://forums.veeam.com

Let us know what you find out.

 
 
 

  • Author
  • Not a newbie anymore
  • 1 comment
  • December 12, 2024

  

coolsport00 wrote:

Hi @koravit -

Welcome to the Community. Honestly, your best bet to get your questions answered is to get ahold of Veeam Support and/or Product Managers in the Forums (tho they generally request a case#). Not sure if anyone here in the Community can answer your queries.

Best.

I really appreciate your suggestion!

 

Chris.Childerhose wrote:

I would think these are tasks that VONE is running like connecting to VBR servers or log analysis, but as Shane mentioned to get a proper answer you will need to check with Support and PMs on the Forums here - https://forums.veeam.com

Let us know what you find out.

I appreciate your suggestion—let’s explore it further.


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8408 comments
  • December 12, 2024

Keep us updated on what you find out.

