Hi Admins, hope everyone's well.
Student coming from the security side, currently working on a project with Veritas NetBackup. I'm designing some indicators to alert on malicious behavior in the context of the software (using Endpoint Detection and Response). I wanted to share with you some ideas that I have thought about implementing, and I would really appreciate it if you could challenge them or give feedback on them. Your knowledge of what constitutes normal behavior and what doesn't is crucial for me. So here are the ideas (if you have any of your own, please share):
#1 - Deletion of images from the image catalog
#2 - Deletion of media entries from the EMM Database
#3 - Deletion/Tampering with NBDB configuration files
#4 - Deletion of SRTs from the Boot Servers (BMR) (maybe boot images also?)
#5 - Modification of Retention Levels
#6 - Setting expiration dates of backup images to expire immediately or near future
#7 - Mass freeze media
#8 - Stoppage of Critical Services/Daemons
For example, #1: images in the catalog are usually cleaned up automatically by a service and rarely deleted by an admin. Since the majority of it is done automatically, normal behavior would be easy to exclude. An attacker deleting in bulk would be alerted on and stopped. Another example, #5: I don't know how often admins change their Retention Levels, but changing them in a way that backups would expire immediately would be very suspicious, right? This is the kind of reasoning I'm approaching the problem with.
I tried designing these taking into account whether it's something an NBU admin does regularly, and also trying to distinguish whether it's automatic or manual work. But ultimately I would love your input.
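To make the reasoning in the post concrete (automated cleanup excluded, manual bulk deletion alerted on, expirations set to the immediate future flagged), here is an added example that is not part of the original post and not Veritas code. The log format, the actor name `nbpem` standing for the automated cleanup account, and the thresholds are all constructed assumptions for the example; real NetBackup audit records (e.g. from `nbauditreport`) would need their own parser.

```python
"""Threshold-based detection over constructed NetBackup-style audit events.

Added example, not code from the forum post or from Veritas. The record
format is invented for illustration (timestamp | actor | operation | k=v ...);
it is NOT the real nbauditreport output. The detection reasoning is the point:
exclude the automated cleanup actor, alert on manual bulk image deletion or
media freezes within a short window, and flag expirations set to land
within a day of the change itself.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, assumed for this example).
SAMPLE_LOG = """\
2024-03-01T02:00:01 nbpem IMAGE_DELETE backupid=srv01_1706745600
2024-03-01T02:00:02 nbpem IMAGE_DELETE backupid=srv02_1706745600
2024-03-01T02:00:03 nbpem IMAGE_DELETE backupid=srv03_1706745600
2024-03-01T02:00:04 nbpem IMAGE_DELETE backupid=srv04_1706745600
2024-03-01T02:00:05 nbpem IMAGE_DELETE backupid=srv05_1706745600
2024-03-01T09:15:00 alice SET_EXPIRATION backupid=srv01_1709251200 expires=2025-03-01T00:00:00
2024-03-01T14:03:10 mallory IMAGE_DELETE backupid=srv10_1709251200
2024-03-01T14:03:11 mallory IMAGE_DELETE backupid=srv11_1709251200
2024-03-01T14:03:12 mallory IMAGE_DELETE backupid=srv12_1709251200
2024-03-01T14:03:13 mallory IMAGE_DELETE backupid=srv13_1709251200
2024-03-01T14:03:14 mallory IMAGE_DELETE backupid=srv14_1709251200
2024-03-01T14:04:00 mallory SET_EXPIRATION backupid=srv15_1709251200 expires=2024-03-01T14:10:00
2024-03-01T14:05:00 mallory MEDIA_FREEZE mediaid=A00001
2024-03-01T14:05:01 mallory MEDIA_FREEZE mediaid=A00002
2024-03-01T14:05:02 mallory MEDIA_FREEZE mediaid=A00003
"""

# Accounts whose bulk deletions are expected (automated catalog cleanup).
# Assumed name for the example; tune to the actors seen in your own logs.
AUTOMATED_ACTORS = {"nbpem"}

# Bulk rules: operation -> (events per actor that trip the alert, within window)
BULK_RULES = {
    "IMAGE_DELETE": (5, timedelta(minutes=10)),
    "MEDIA_FREEZE": (3, timedelta(minutes=10)),
}

# An expiration set to land within this horizon of the change is suspicious.
NEAR_FUTURE = timedelta(days=1)


def parse(log_text):
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, actor, op, *rest = line.split()
        details = dict(kv.split("=", 1) for kv in rest)
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "op": op, **details})
    return events


def detect(events):
    """Return (rule, subject, actor, timestamp) tuples for suspicious activity."""
    alerts = []
    windows = defaultdict(deque)  # (actor, op) -> timestamps inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        rule = BULK_RULES.get(ev["op"])
        if rule and ev["actor"] not in AUTOMATED_ACTORS:
            threshold, window = rule
            q = windows[(ev["actor"], ev["op"])]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) == threshold:  # fire once, when the threshold is crossed
                alerts.append(("bulk", ev["op"], ev["actor"], ev["ts"]))
        if ev["op"] == "SET_EXPIRATION":
            expires = datetime.fromisoformat(ev["expires"])
            if expires - ev["ts"] <= NEAR_FUTURE:
                alerts.append(("near_future_expiration", ev["backupid"],
                               ev["actor"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample above, the five automated deletions are ignored, while the same number of deletions by `mallory`, the six-minute expiration and the three freezes each produce one alert. The per-actor allow-list is deliberately explicit: an attacker running under the automated account would slip past it, so in practice the exclusion should be tied to the process or schedule that does the cleanup rather than to an account name alone.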
There have been times when I get requests to extend the expiration of images, and when those extensions end, I recalculate the images, which expires them. You might want to add an ability to detect the recalculation option, since, for example, if I have images that normally expire in a month and I manually set them to expire in a year, a few months later a recalculation would set the expiration in the past, and they would be cleaned up during the next normal cleanup.
Having said that, I know I do make changes to SLP config files every day.
Also, with a disk storage unit, there are times when space becomes an issue, and it is not abnormal to change retention and expire data there to save space.
This does seem like a beneficial thing to provide; I'm surprised Veritas does not already have something.