Name:Unsuccessful Netbackup backups id:a34aae96-ccf8-4aaa-952c-3ea21444444f version:3 date:2024-10-17 author:David Dorsey, Splunk status:deprecated type:Hunting Description:This search gives you the hosts where a backup was attempted and then failed. Data_source:
search:`netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE="An error occurred, failed to backup." | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature | `unsuccessful_netbackup_backups_filter`
how_to_implement:To successfully implement this search you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your specific backup solution. known_false_positives:None identified References: drilldown_searches:
: tags: analytic_story: - 'Monitor Backup Solution' asset_type:Endpoint confidence:50 impact:50 message:tbd observable: name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' risk_score:25 security_domain:endpoint
