Veeam integration case studies
The case
The Sophos MDR team received a cluster of security alerts from the Veeam source system. The alert type with the highest alert score was GlobalMfaDisabled, which maps to the MITRE ATT&CK tactic Defense Evasion. Because the impacted device is managed by MDR, we reviewed the cluster using XDR telemetry, pivoting on the parsed alert information (entities and attributes). We observed that the activity was unactioned by the alerting security control: the control raised the alert but took no automatic action against the change. Our review found that the alert was raised because multi-factor authentication was disabled by VEEAM-user. The MDR team reviewed login events on the host VEEAM-host and observed several successful logins for user
. Please review our recommendations below.
Recommendations
- Confirm whether the user
user
disabling MFA is expected.
- If unexpected, disable the user
user
and report back to MDR so we may continue our investigation.
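The triage described in the case above (pick the highest-scoring alert in the cluster, identify the account that disabled MFA, and correlate it with subsequent successful logins on the affected host) and the recommendation that follows can be expressed as a small correlation script. The block below is an added example, not Sophos MDR or Veeam code; the record fields, timestamps, IP addresses and the placeholder alert name "OtherAlert" are constructed assumptions, not the schema of Veeam alerts, Sophos XDR telemetry or Windows Security events. It goes one step beyond the case text by also flagging source IPs that had never authenticated as that account on that host before the MFA change, which is the first thing an analyst would want when deciding whether the logins are expected.

```python
# Added example (not Sophos MDR or Veeam code): triage logic for a
# GlobalMfaDisabled alert cluster. It picks the highest-scoring alert, finds
# the account that disabled MFA, and correlates it with later successful
# logins on the same host, flagging source IPs not seen before the change.
# All record fields and sample data below are constructed assumptions, not
# the schema of Veeam, Sophos XDR or Windows Security events.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    alert_type: str
    score: int          # assumed alert score; higher means more severe
    host: str
    actor: str          # account that performed the action
    actioned: bool      # True if the security control blocked or reverted it


@dataclass(frozen=True)
class Logon:
    ts: datetime
    host: str
    user: str
    source_ip: str
    success: bool


T0 = datetime(2024, 1, 15, 9, 0)  # constructed timestamp of the MFA change
MIN = timedelta(minutes=1)

# Constructed alert cluster: one GlobalMfaDisabled plus a lower-scored
# placeholder alert ("OtherAlert" is not a real Veeam alert name).
ALERTS = [
    Alert(T0, "GlobalMfaDisabled", 90, "VEEAM-host", "VEEAM-user", False),
    Alert(T0 + 2 * MIN, "OtherAlert", 30, "VEEAM-host", "VEEAM-user", False),
]

# Constructed logon telemetry: baseline logins before T0, then activity after.
LOGONS = [
    Logon(T0 - timedelta(days=3), "VEEAM-host", "VEEAM-user", "10.0.0.5", True),
    Logon(T0 - timedelta(days=1), "VEEAM-host", "VEEAM-user", "10.0.0.5", True),
    Logon(T0 + 10 * MIN, "VEEAM-host", "VEEAM-user", "10.0.0.5", True),
    Logon(T0 + 30 * MIN, "VEEAM-host", "VEEAM-user", "203.0.113.7", True),
    Logon(T0 + 45 * MIN, "VEEAM-host", "VEEAM-user", "203.0.113.7", False),
    Logon(T0 + 60 * MIN, "VEEAM-host", "other-admin", "10.0.0.9", True),
    Logon(T0 + timedelta(hours=2), "other-host", "VEEAM-user", "10.0.0.5", True),
]


def top_alert(alerts):
    """Alert with the highest score in the cluster (ties go to the earliest)."""
    return max(alerts, key=lambda a: (a.score, -a.ts.timestamp()))


def triage(alerts, logons, window=timedelta(hours=24)):
    """Correlate each GlobalMfaDisabled alert with later logins by its actor.

    One finding per MFA-disable alert: successful logins by the same account
    on the same host within `window` after the change, plus the source IPs
    among them that were never seen for that account on that host before.
    """
    findings = []
    for a in alerts:
        if a.alert_type != "GlobalMfaDisabled":
            continue
        same = [lg for lg in logons
                if lg.host == a.host and lg.user == a.actor and lg.success]
        baseline_ips = {lg.source_ip for lg in same if lg.ts < a.ts}
        later = [lg for lg in same if a.ts <= lg.ts <= a.ts + window]
        new_ips = sorted({lg.source_ip for lg in later} - baseline_ips)
        findings.append({
            "actor": a.actor,
            "host": a.host,
            "disabled_at": a.ts,
            "unactioned": not a.actioned,   # control raised it but did nothing
            "later_logins": len(later),
            "new_source_ips": new_ips,
            # Mirrors the recommendations above: confirm, else disable and report.
            "recommendation": (
                f"Confirm whether {a.actor} disabling MFA was expected; if not, "
                f"disable {a.actor} and report back to MDR."
            ),
        })
    return findings


if __name__ == "__main__":
    print("top alert:", top_alert(ALERTS).alert_type)
    for finding in triage(ALERTS, LOGONS):
        print(finding)
```

On the constructed data the script reports two successful post-change logins by VEEAM-user on VEEAM-host, one of them from 203.0.113.7, an address with no prior history for that account on that host; the failed login, the other administrator's login and the login on a different host are all excluded. The `unactioned` flag is what turns this from an informational alert into a case that needs a human decision, because nothing has reverted the MFA change.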
Please inform MDR of your actions and findings after reviewing our recommendations. Don't hesitate to contact us with any further questions or concerns.