Overview
The Recovery Intelligence (Cyber Recovery) feature provides an overview of Cyber Resiliency features specifically for OneDrive resources, leveraging insights from the Druva console. Understanding these capabilities is crucial for maintaining a strong security posture and ensuring rapid, secure recovery from cyber threats like ransomware. For more information, see How to use the Cyber Recovery feature.
❗ Important:
To view and access the Cyber Recovery feature, you must have either an Accelerated Ransomware Recovery or a premium license.
To view and access the Cyber Recovery details for the Threat Hunting feature, the Premium license is mandatory.
Access Path
To access this feature for OneDrive resources, navigate to the Cyber Recovery tab using the following procedure:
Log in to the Druva Cloud Platform Console. On the Global Navigation Panel, click Microsoft 365 > OneDrive. On the Users page, select OneDrive as the Data Source.
Click on the required user name to view their details. For Cyber Recovery restore, click Backups tab > Cyber Recovery tab.
❗ Important:
By default, Curated Snapshot is the selected snapshot available for restoring Microsoft 365-OneDrive data if the Ransomware Recovery service is enabled for your organization and administrators have created a Curated Snapshot for Microsoft 365 - OneDrive.
How to use the Cyber Recovery feature
You can do the following using the Cyber Recovery tab:
Cyber Recovery tab dashboard: Get a comprehensive view of your OneDrive snapshots available for restore.
Run Threat Hunt: Manually scan backed-up data for indicators of compromise (IOCs). Once initiated, track progress and results on the Threat Hunting dashboard. At least one snapshot must be indexed to use this option.
You must have the Druva Cloud Admin role to access this feature.
You can auto-quarantine the impacted snapshots from the Cyber Resiliency > Threat Hunting UI. For more information, see Auto-Quarantine Snapshots.
Cyber Restore: Select a snapshot and perform a Cyber Restore. This feature allows for the restoration of OneDrive data with an emphasis on security. It is distinct from standard operational recovery and is typically used when there is a suspicion of compromise.
Download Data Anomalies Log: Download and view the logs for Data Anomalies for each snapshot.
The Download Data Anomalies Log is disabled in the following scenarios:
Alert is older than 30 days
Snapshot is older than 30 days
If the alert is in Ignored state
Filters: Sort and view specific Cyber Recovery details for available snapshots based on the following criteria:
Date Range: Specify the start and end date
Indexed: Snapshot indexing state, which determines Threat Hunt scan eligibility for snapshots
Quarantine state of the snapshot
Snapshots with or without Data Anomalies
Snapshots according to the scan status
Understanding the Cyber Recovery dashboard
The Cyber Recovery dashboard provides a comprehensive view of your configured OneDrive backups that helps you quickly ascertain:
Snapshots: The total number of available snapshots for restore.
Indexed: Threat Hunt scan eligibility for snapshots. Specifies whether a backed-up snapshot meets the requirements to be scanned for threats. Threat Hunt can run only on snapshots that have been indexed, and scan results are displayed only for indexed snapshots.
Size: The size of backed up data for a snapshot.
File Changes: Details of file changes (created, deleted, modified, and encrypted files) within each snapshot, which can be an early indicator of anomalous activity. For more information, see Data Anomalies.
Scan Status: Details of the scan status for each snapshot. The status can be as follows:
Not Scanned: The snapshot was not scanned for malicious data.
No Matches Found: The snapshot does not contain malicious files and is deemed safe for restore. Click to view the details; the count displayed is zero when no matches are found.
Matches Found: The snapshot contains malicious files. Click to view the file match details, download the scan report for further investigation, and take appropriate action. The Scan Status pop-up shows the date and time of the scan, the feature used for the scan (Scan Source), which is Threat Hunt, and the total count of file matches found in the scan job.
Click Download Report to download Threat Hunt File Level and/or Snapshot level details report for offline investigation and auditing purposes.
Understanding Cyber Restore feature
Druva offers a specialized recovery option designed for cyber incident scenarios: Cyber Restore.
This feature allows for the restoration of OneDrive resources with an emphasis on security. It is distinct from standard operational recovery and is typically used when there's a suspicion of compromise.
Use the Cyber Restore feature in the OneDrive restore workflow to recover a specific snapshot, preceded by a Threat scan. You can certify whether the selected snapshot is clean and safe for restore based on the scan results.
Cyber Restore for OneDrive resources:
On the Cyber Recovery tab, select the OneDrive snapshot and click Cyber Restore.
On the Restore Data window, select the snapshot from which you want to restore and proceed with restore. The OneDrive Restore page provides Threat Scan details during the restoration process. These insights assist you in determining if a snapshot is safe and suitable for recovery.
Threat Scan details include the snapshot size, file match details, the scan status of the snapshot, and whether the snapshot is quarantined.
❗ Important:
By default, Curated Snapshot is the selected snapshot available for restoring Microsoft 365-OneDrive data if the Ransomware Recovery service is enabled for your organization and administrators have created a Curated Snapshot for Microsoft 365 - OneDrive.
Trends tab
This section provides vital security insights over the last 30 days for indexed snapshots only:
Snapshots Data Trend (Last 30 days): This graph visualizes the data size of your snapshots over time. It highlights key metrics:
Unscanned Snapshots: Indicates backups that have not yet undergone a security scan.
Action: Ensure regular and comprehensive scanning is configured for all critical backups.
Impacted Snapshots: Represents snapshots where suspicious activity (e.g., malware, ransomware indicators) has been detected. These are critical for immediate investigation.
Snapshots with no file matches: Indicates snapshots that do not have malicious files and can be deemed safe for restore.
Quarantined Snapshots: Shows backups that have been isolated due to detected threats. These are crucial for preventing re-infection during recovery.
Data Anomalies: Alerts to unusual patterns in data behavior (e.g., sudden spikes in encrypted files, mass deletions, or unusual file creation rates). These are often the first signs of a cyberattack.
💡 Tip: Click on the vertical bar to navigate to the OneDrive Restore page.
File Activity and Data Anomaly (Last 30 days): This graph provides a granular view of file activity trends, specifically highlighting:
Number of Files: Tracks the volume of created, deleted, encrypted, and modified files over the last 30 days for indexed snapshots only.
Anomaly Detection: Critical warning icons directly flag periods of detected data anomalies. These spikes or unusual patterns warrant immediate investigation as they can indicate ransomware activity, data exfiltration, or other malicious actions.
Hover over the graph to view details.
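The graphs above flag a Data Anomaly when a snapshot's file-change counts spike relative to the preceding days. The following is an added illustration of that idea, not Druva's own detection logic: it takes constructed per-snapshot counts of created, deleted, modified, and encrypted files (the four categories the dashboard reports), compares each snapshot with the median of the preceding five, and flags any category that jumps more than fivefold above that baseline. The dates, counts, the five-snapshot window, the fivefold factor, and the 50-file minimum are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Tuple

# Added example: a simple spike detector over per-snapshot file-change counts.
# This is an illustration of the "sudden spike" anomaly described in the Trends
# tab, not Druva's algorithm; all thresholds and sample values are assumptions.


@dataclass(frozen=True)
class SnapshotFileChanges:
    snapshot_date: str  # ISO date of the indexed snapshot (constructed value)
    created: int
    deleted: int
    modified: int
    encrypted: int


CATEGORIES = ("created", "deleted", "modified", "encrypted")

# Constructed sample: six ordinary days, then a snapshot that looks like a
# ransomware run (mass encryption plus mass deletion), then a quiet day.
SAMPLE_SNAPSHOTS: List[SnapshotFileChanges] = [
    SnapshotFileChanges("2024-06-01", 120, 15, 300, 0),
    SnapshotFileChanges("2024-06-02", 95, 10, 280, 0),
    SnapshotFileChanges("2024-06-03", 130, 20, 310, 0),
    SnapshotFileChanges("2024-06-04", 110, 12, 295, 0),
    SnapshotFileChanges("2024-06-05", 105, 18, 305, 0),
    SnapshotFileChanges("2024-06-06", 115, 14, 290, 0),
    SnapshotFileChanges("2024-06-07", 20, 900, 40, 2500),
    SnapshotFileChanges("2024-06-08", 5, 3, 10, 0),
]


def detect_anomalies(
    snapshots: List[SnapshotFileChanges],
    window: int = 5,
    factor: float = 5.0,
    min_count: int = 50,
) -> List[Tuple[str, str, int, float]]:
    """Flag (date, category, count, baseline) where a category's count exceeds
    `factor` times the median of the preceding `window` snapshots.

    `min_count` suppresses noise on tiny tenants: a jump from 1 to 6 files is
    not an incident. A baseline of zero (e.g. no encrypted files ever seen) is
    treated as 1 so that the first burst of encrypted files is still flagged.
    The first snapshot has no history and is never flagged.
    """
    flagged: List[Tuple[str, str, int, float]] = []
    for i in range(1, len(snapshots)):
        current = snapshots[i]
        history = snapshots[max(0, i - window):i]
        for category in CATEGORIES:
            count = getattr(current, category)
            baseline = float(median(getattr(s, category) for s in history))
            if count >= min_count and count > factor * max(baseline, 1.0):
                flagged.append((current.snapshot_date, category, count, baseline))
    return flagged


def impacted_dates(flagged: List[Tuple[str, str, int, float]]) -> List[str]:
    """Distinct snapshot dates that carry at least one flagged category, in
    date order: the snapshots an administrator should investigate first."""
    return sorted({date for date, _, _, _ in flagged})


if __name__ == "__main__":
    for date, category, count, baseline in detect_anomalies(SAMPLE_SNAPSHOTS):
        print(f"{date}: {category} files = {count} (baseline {baseline:.0f})")
    print("Snapshots to investigate:", impacted_dates(detect_anomalies(SAMPLE_SNAPSHOTS)))
```

On the sample data only the 2024-06-07 snapshot is flagged, for both the deletion spike and the encrypted-file spike; the quiet day that follows is not, because its counts fall below the minimum even though its baseline now includes the anomalous day. Using a median rather than a mean for the baseline is deliberate: one anomalous snapshot in the window does not inflate the baseline enough to hide a second one.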
Actionable Insights for Security Administrators
Based on the console's insights, security administrators should take the following actions:
Configure and verify Scan Status: Ensure that all critical OneDrive snapshots are being scanned for malware and ransomware. The Not Scanned status (as seen in the Backups tab) indicates a significant security gap. Implement and monitor your scanning policies. For more information, see Threat Hunting.
Investigate impacted and anomalous snapshots: Promptly investigate any impacted snapshots or Data Anomalies flagged in the trends.
Leverage Threat Intelligence: Integrate and utilize Druva's curated Threat Intelligence (IOC Sets) and your custom IOC Sets to enhance detection capabilities during scans.
Utilize Quarantine Bay: Understand and leverage the Quarantine Bay feature to isolate infected snapshots, preventing their accidental restoration and potential re-infection of your environment.
Develop Cyber Recovery Playbooks: Incorporate Druva's Cyber Recovery features (Cyber Restore) into your organization's incident response and disaster recovery playbooks.
Things to consider for Cyber Recovery
Run Threat Hunt: You cannot run two Threat Hunt jobs at the same time on the same resource when both are triggered by the same administrator from the Cyber Recovery tab.