Monitoring & Detection
Proactive backup infrastructure monitoring and detection of ransomware activity.
Anomaly detection
Most ransomware attacks are preceded by specific symptoms. Typically for hours, and sometimes even days, the infrastructure sends signals that, when properly monitored and interpreted, turn into warnings. Veeam ONE monitors the backup and virtualization environment around the clock, catching exactly these signals.
Unusual CPU and disk load
Intensive encryption strains resources. Veeam ONE correlates VM performance data with backup job schedules, and deviations from the norm generate alarms.
Multiple hypervisor login failures
Attempts to guess the vCenter or Hyper-V password are a classic prelude to an attack. An alarm triggered by multiple failed logins — especially outside business hours — allows you to react before the threat actor gains control of the environment.
Attempts to delete or modify backups
The first target of a well-planned attack is the backups — because without them the victim has no way out. Veeam ONE alerts immediately when someone tries to delete backup jobs, repositories, or restore points.
Backup data anomalies
A sudden increase in backup size, an unusual number of changed data blocks, or a drastic drop in the deduplication ratio may indicate mass file encryption in the production environment. This is one of the earliest detectable signals of cryptolocker activity.
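A worked illustration of the backup data anomaly check described above, added here as example code rather than anything from Veeam ONE: it builds a baseline from the previous seven backup sessions of one VM and flags a backup size spike, a changed-block spike, or a collapse of the deduplication ratio. The session records, thresholds, and field names are constructed assumptions.

```python
from statistics import median

# Constructed sample sessions for one VM (not Veeam output):
# (date, backed-up size in GB, changed blocks, deduplication ratio)
SESSIONS = [
    ("2024-05-01", 120.0, 3100, 4.1),
    ("2024-05-02", 122.0, 3300, 4.0),
    ("2024-05-03", 119.0, 2900, 4.2),
    ("2024-05-04", 121.0, 3200, 4.1),
    ("2024-05-05", 123.0, 3400, 3.9),
    ("2024-05-06", 120.0, 3000, 4.0),
    ("2024-05-07", 118.0, 3100, 4.1),
    ("2024-05-08", 310.0, 41000, 1.1),  # mass encryption: large, incompressible, nearly every block changed
]
BASELINE_SESSIONS = 7  # assumed baseline length
Z_LIMIT = 3.5          # assumed robust z-score threshold for upward spikes
DEDUP_DROP = 0.5       # assumed: alert when the ratio falls below half the baseline median

def robust_scale(values):
    """Median absolute deviation; falls back to 1% of the median (min 1.0) when history is flat."""
    m = median(values)
    mad = median(abs(v - m) for v in values)
    return mad if mad > 0 else max(abs(m) * 0.01, 1.0)

def robust_z(value, history):
    """Median/MAD z-score; 0.6745 rescales the MAD to a standard deviation equivalent."""
    return 0.6745 * (value - median(history)) / robust_scale(history)

def check_session(history, session, z_limit=Z_LIMIT, dedup_drop=DEDUP_DROP):
    """Return the anomaly labels for one session judged against its baseline history."""
    _, size, changed, dedup = session
    findings = []
    if robust_z(size, [s[1] for s in history]) > z_limit:
        findings.append("size spike")
    if robust_z(changed, [s[2] for s in history]) > z_limit:
        findings.append("changed-block spike")
    if dedup < dedup_drop * median(s[3] for s in history):
        findings.append("dedup drop")
    return findings

def scan(sessions, window=BASELINE_SESSIONS):
    """Slide the baseline window over the series; map date -> findings for anomalous sessions."""
    alerts = {}
    for i in range(window, len(sessions)):
        findings = check_session(sessions[i - window:i], sessions[i])
        if findings:
            alerts[sessions[i][0]] = findings
    return alerts

ALERTS = scan(SESSIONS)  # -> {'2024-05-08': ['size spike', 'changed-block spike', 'dedup drop']}
```

The median/MAD baseline is used instead of mean/standard deviation so that one earlier large full backup does not widen the baseline enough to hide the next spike.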
Data protection status reporting
Real-time monitoring is one thing. Equally important, if not more so, is documentation of the infrastructure's status, which serves as a key reference during audits and internal security reviews. Note that this documentation may sometimes be the only evidence of due diligence in cyber resilience when dealing with an insurer.
Reports can be generated on a schedule and sent by email to designated recipients, such as the board or the IT manager, without the need to log into the system.
Veeam ONE provides over 150 ready-made reports, including:
- Protection status of virtual machines and physical servers — which are protected, which are not, and why
- History of backup infrastructure configuration changes — who changed what and when
- Immutability report — which workloads are protected by immutable storage
- Data location compliance (important for GDPR and sector-specific regulations)
- Capacity and occupancy trends for backup repositories
Since Veeam Backup & Replication 12.1, the console includes an Analytics tab with Veeam ONE dashboards embedded directly in the backup system interface. The central feature is the Threat Center, a security dashboard that presents the protection status of the entire infrastructure in a single view: active threats, anomalies, security check results, and compliance. The administrator sees alarm signals without needing to open a separate Veeam ONE console.
Recon Scanner detects attacks
Both cyberattacks and malware infections have a quiet phase that precedes the attack itself. For hours or days, the attacker moves through the infrastructure, collects data, disables defenses, and searches for backups. During this time, traditional antivirus and EDR systems often raise no alarm.
How does Recon Scanner work?
Recon Scanner by Coveware is a lightweight agent installed directly on backup infrastructure servers that continuously monitors the system for characteristic activity patterns.
It does not look for viruses by signatures — it looks for behaviors. It analyzes Windows registries, system and Veeam logs, active network connections, file system activity, and other sources, searching for Tactics, Techniques and Procedures (TTPs) known from real-world attacks. Each finding is automatically mapped to the MITRE ATT&CK framework, providing clarity on what happened and at what stage the attack is. The detection database is continuously updated based on Coveware's knowledge from thousands of handled incidents worldwide.
Recon Scanner is included in the Veeam Data Platform Advanced and Premium licenses at no additional cost. Adding Veeam ONE effectively upgrades the Foundation license to Advanced.
SIEM Integration
Backups and backup infrastructure are the target of 90% of attacks, and at the same time serve as the last resort when cybersecurity defenses are breached. That is why it is so important for cybersecurity systems to be integrated with the backup environment monitoring system.
Integrating Veeam ONE with a SIEM allows you to correlate backup infrastructure alerts with signals from other layers of the IT environment: network, endpoints, production servers. A single event in isolation may appear harmless; seen alongside the others, it becomes a signal of an attack.
Veeam supports event forwarding via syslog (Veeam Backup & Replication) and REST API (Veeam ONE), and ready-made integration apps are available for the most popular SIEM/SOAR platforms.
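An added example, not Veeam's own integration code, of the correlation idea above in miniature: each backup deletion alert is rated by how many other sources (hypervisor, endpoint) fired within the same hour and whether it happened outside business hours. Event records, source names, the one-hour window, and the business-hours range are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed events (not real Veeam ONE, vCenter or EDR output):
# (ISO timestamp, source, host, event type)
EVENTS = [
    ("2024-05-08T01:02:00", "vcenter",   "vc01",  "login_failed"),
    ("2024-05-08T01:02:10", "vcenter",   "vc01",  "login_failed"),
    ("2024-05-08T01:02:20", "vcenter",   "vc01",  "login_failed"),
    ("2024-05-08T01:40:00", "veeam_one", "vbr01", "restore_point_deleted"),
    ("2024-05-08T01:41:00", "edr",       "vbr01", "new_service_installed"),
    ("2024-05-08T14:00:00", "veeam_one", "vbr01", "restore_point_deleted"),  # isolated, e.g. planned cleanup
]
WINDOW = timedelta(hours=1)    # assumed correlation window
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 local time

def parse(ts):
    return datetime.fromisoformat(ts)

def context_sources(events, anchor, window=WINDOW):
    """Distinct non-backup sources that logged an event within +/- window of the anchor time."""
    return sorted({src for ts, src, _, _ in events
                   if src != "veeam_one" and abs(parse(ts) - anchor) <= window})

def rate_deletions(events, window=WINDOW):
    """For each backup deletion alert, return (timestamp, severity, corroborating sources)."""
    findings = []
    for ts, src, _, etype in events:
        if src != "veeam_one" or etype != "restore_point_deleted":
            continue
        anchor = parse(ts)
        ctx = context_sources(events, anchor, window)
        score = len(ctx) + (0 if anchor.hour in BUSINESS_HOURS else 1)  # off-hours adds weight
        severity = "high" if score >= 2 else "medium" if score == 1 else "low"
        findings.append((ts, severity, ctx))
    return findings

RATED = rate_deletions(EVENTS)  # -> [('...T01:40:00', 'high', ['edr', 'vcenter']), ('...T14:00:00', 'low', [])]
```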
Microsoft Sentinel
The integration provides real-time visibility, proactive alerts, and automated incident response across Veeam environments. Data flows via Syslog or API, enabling security teams to quickly detect and respond to threats.
Splunk
The Veeam App for Splunk uses the Event Forwarding mechanism to feed dedicated security dashboards, alerts, and reports. It integrates with Splunk user roles and data location management.
Palo Alto Networks XSOAR
Based on data from VBR and Veeam ONE REST API, the app automatically creates incidents related to malware detection and backup infrastructure component status. Incidents can be handled through the built-in Veeam Incident Dashboard or resolved automatically using ready-made playbooks.
Palo Alto Networks XSIAM
For VDP Advanced and Premium users, the app pulls events and alerts from VBR and Veeam ONE via the event forwarding mechanism and presents them on Cortex XSIAM dashboards and reports.
CrowdStrike Falcon LogScale
The integration combines Veeam data management and threat detection with world-class log management capabilities. It uses event data from VBR and Veeam ONE for visualization and threat detection in the backup environment.
ServiceNow
The integration automates tracking and managing backup incidents on a single platform, connecting Veeam monitoring with ITSM processes, compliance, and reporting for organizations requiring full event documentation.
Monitoring is the third ring of cyber resilience
Proactive threat detection is crucial, but cyber resilience is more than a single mechanism. Discover the Viability methodology that combines data visibility analysis, backup and recovery, monitoring, and repository immutability into one cohesive protection system.