Leveling Up: Pure1 and Veeam Anomaly Detection

Last year, Everpure and Veeam joined forces to deliver cyber resilience as a service, setting a new standard for unified backup, recovery, and security. Today, Veeam is pleased to build on that foundation with the Pure1 Veeam Anomaly Awareness Workflow, bringing deeper integration and anomaly detection to our shared customers.

This integration became generally available (GA) on March 6, 2026. With this new security integration from Pure and Veeam, cyber-resilience administrators gain greater visibility and control across their data protection environment, helping them perform quick, reliable, clean recoveries.

For efficiency, we’ve formatted this blog post as a series of questions and answers, so you can read it start to finish or skim to the topics you care about most.

What is Pure1?

Pure1 is Everpure’s cloud-based management and analytics platform that provides monitoring, predictive analytics, and anomaly detection for Everpure arrays, enabling proactive management and optimization of storage environments. It leverages AI to deliver insights, recommendations, and support for storage infrastructure health and performance.

What are storage anomalies?

Everpure considers FlashArray storage anomalies to be any significant deviation from expected behavior or performance metrics. Pure1’s anomaly detection includes:

  • Drops in data reduction ratios (DRR)
  • Unexpected increases in latency (read or write)
  • Deviations in other key system and user behavior metrics

Pure1 identifies these anomalies using AI-powered analytics that compare current metrics to historical baselines, helping quickly detect potential performance or operational issues within the storage environment.

Why does a cyber-resilience administrator care about storage anomalies?

Understanding storage anomalies is crucial for both storage and cyber-resilience administrators for the following reasons:

  • Early detection of issues: Storage anomalies are often an indicator of underlying issues such as compromised systems, misconfigurations, or performance bottlenecks. This early warning allows storage and cyber-resilience administrators to address problems before they impact critical applications and users.
  • Cybersecurity and resilience: Storage anomalies may be an early sign of cyberattacks (e.g., ransomware, unauthorized access). Pure1’s anomaly detection can alert both storage and cyber-resilience administrators to this suspicious activity, enabling a fast response to protect data security and maintain business continuity.
  • Preventing data loss: Unexpected changes in FlashArray’s performance and capacity might indicate ransomware activity, or other threats to data security. Detecting these anomalies quickly helps prevent or mitigate data loss.
  • Compliance and reporting: Most organizations must demonstrate proactive monitoring and incident response for regulatory compliance. Anomaly detection provides documentation of active oversight and risk mitigation.

FlashArray storage anomaly detection enables administrators to protect against threats, ensure compliance, and reduce operational risk. This makes it an important tool for both storage management and cyber-resilience administrators.

What types of storage anomalies does Pure1 detect?

Pure1 detects storage anomalies such as:

  • Drops in data reduction ratios (DRR)
  • Unexpected increases in latency (read/write)
  • Changes in other key system and user behavior metrics compared to established baselines

These anomalies help identify potential risks or configuration changes within Everpure FlashArrays.

How are the Pure1 storage anomalies different from Veeam ONE anomalies?

Pure1 and Veeam ONE both offer anomaly detection, but their scope and focus are different, reflecting their roles in storage and data security/protection environments.

Pure1 detected storage anomalies:

Scope: Focuses on activity and behavior of Everpure FlashArray and related storage systems.

Examples of Pure1 detected anomalies:

  • Drops in data reduction ratios (DRR)
  • Unexpected increases in latency
  • Changes in read and write bandwidth
  • Deviations in storage usage and performance metrics

Purpose: Primarily targets storage health, performance, and operational issues. Anomaly detection helps admins identify hardware faults, misconfigurations, or potential threats affecting the storage array.

Cybersecurity: Detects indirect signs of cyber issues (e.g., sudden data changes) but is not specifically tailored for malware or backup integrity.

AI/Analytics: Uses AI to baseline “normal” storage behavior and highlight deviations.

Veeam ONE detected anomalies:

Scope: Focuses on Veeam Backup & Replication environments (including VMs, backups, and repositories).

Types of anomalies:

  • Malware detected in backup data (e.g., Veeam Threat Hunter or YARA rules)
  • Suspicious changes in backup size (e.g., sudden spike or drop)
  • Unusual backup job durations
  • Unexpected restore point deletions
  • Suspicious restore activity

Purpose: Targets backup health, data protection, and cyber resilience. Anomalies often indicate ransomware, malware, or backup tampering.

Cybersecurity: Directly detects and alerts on potential malware, ransomware, or malicious activity in backup data.

AI/Analytics: Combines pattern matching (YARA), AI, and historical baselines to flag suspicious backup and restore activities.

In summary, Pure1 anomalies are about storage system health and performance, while Veeam ONE anomalies are primarily about backup data integrity and detecting cyber threats within backup environments. Both are important and serve complementary purposes in cyber-resilience and data security.

What have Everpure and Veeam done with the Pure1 Veeam Anomaly Awareness Workflow?

Everpure created the Pure1 Veeam Anomaly Awareness Workflow to identify all VMware virtual machines (VMs) whose datastores are hosted on FlashArray volumes (LUNs) that are impacted by a Pure1-detected storage anomaly. After Pure1 collects each VM’s unique identifiers, such as UUID, fully qualified domain name (FQDN), or IP address, the workflow sends an API call for each affected VM to the Veeam Incident API to notify Veeam Backup & Replication of the anomaly details. Veeam Backup & Replication then tags any backups created after the anomaly as suspicious.

What is the Veeam Incident API?

The Veeam Incident API is a RESTful interface that enables integration with security and monitoring tools by allowing external systems to report security incidents and anomalies directly to Veeam Backup & Replication, triggering automated response actions like restore point tagging or immediate backups to preserve forensic states.
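The fan-out described in the two answers above (anomalous volumes to affected VMs to one incident per VM, then tagging of restore points created after the anomaly), sketched in Python as an added example that is not Everpure or Veeam code. The inventory, anomaly, restore points, record shape and status labels are all constructed for illustration and are not the Veeam Incident API schema.

```python
from datetime import datetime, timezone
UTC = timezone.utc
# Constructed inventory: FlashArray volume -> VMs whose datastore sits on it.
VOLUME_VMS = {
    "vol-prod-01": [
        {"uuid": "vm-uuid-0001", "fqdn": "app01.example.test", "ip": "192.0.2.10"},
        {"uuid": "vm-uuid-0002", "fqdn": None, "ip": "192.0.2.11"},
    ],
    "vol-prod-02": [
        {"uuid": "vm-uuid-0001", "fqdn": "app01.example.test", "ip": "192.0.2.10"},
    ],
    "vol-scratch": [],  # no VM datastore on this volume
}
# Constructed anomaly and restore points.
ANOMALY = {"kind": "DRR drop", "volumes": ["vol-prod-01", "vol-prod-02", "vol-scratch"],
           "detected_at": datetime(2026, 3, 10, 2, 15, tzinfo=UTC)}
RESTORE_POINTS = [
    {"vm_uuid": "vm-uuid-0001", "created": datetime(2026, 3, 9, 22, 0, tzinfo=UTC)},
    {"vm_uuid": "vm-uuid-0001", "created": datetime(2026, 3, 10, 22, 0, tzinfo=UTC)},
    {"vm_uuid": "vm-uuid-0099", "created": datetime(2026, 3, 10, 22, 0, tzinfo=UTC)},
]

def build_incidents(anomaly, volume_vms):
    """One incident record per distinct VM on the anomalous volumes."""
    incidents, seen = [], set()
    for volume in anomaly["volumes"]:
        for vm in volume_vms.get(volume, []):
            if vm["uuid"] in seen:  # VM already reported via another volume
                continue
            seen.add(vm["uuid"])
            incidents.append({  # hypothetical record shape, not Veeam's schema
                "detected_at": anomaly["detected_at"],
                "machine": {k: v for k, v in vm.items() if v},  # known IDs only
                "details": f"{anomaly['kind']} on {volume}",
            })
    return incidents

def tag_restore_points(restore_points, incidents):
    """Tag restore points created after the anomaly for each reported VM."""
    detected = {i["machine"]["uuid"]: i["detected_at"] for i in incidents}
    return [{**rp, "status": "suspicious"
             if rp["vm_uuid"] in detected and rp["created"] > detected[rp["vm_uuid"]]
             else "untagged"} for rp in restore_points]

if __name__ == "__main__":
    for rp in tag_restore_points(RESTORE_POINTS, build_incidents(ANOMALY, VOLUME_VMS)):
        print(rp["vm_uuid"], rp["created"].isoformat(), rp["status"])
```

Restore points taken before the anomaly, and those of VMs that were never reported, stay untagged; only the post-anomaly restore point of a reported VM is marked suspicious.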

What can a Veeam cyber-resilience administrator do with these Pure1 incidents?

A Veeam cyber-resilience administrator can leverage Pure1’s storage anomaly incidents to:

  • Investigate potential threats to quickly identify and analyze how anomalous storage activity could indicate ransomware, insider threats, or system misconfigurations.
  • Correlate with other security events to cross-reference Pure1 anomaly alerts with logs and alerts from Veeam ONE, SIEM, or EDR tools to detect sophisticated attacks.
  • Trigger automated response actions like running a Veeam quick backup to preserve forensic state or initiating predefined incident response workflows to contain threats and protect and preserve critical data.
  • Document incidents by using anomaly records for compliance reporting, post-incident forensics, and to demonstrate proactive monitoring for regulatory requirements.
  • Strengthen policies by analyzing trends in anomaly alerts to improve security controls and data security strategies for greater cyber resilience.

How can I ensure clean recovery with Veeam’s Secure Restore?

If a backup restore point in Veeam Backup & Replication is tagged as infected or suspicious, then Secure Restore can prevent reinfection by scanning backups for malware before recovery, ensuring only clean data is restored. This supports safe, compliant recovery operations.

Veeam recommends that, in addition to using the Pure1 Veeam Anomaly Awareness Workflow, you follow these best practices:

  1. Enable malware scanning: Configure Secure Restore to automatically scan backup files for malware using Veeam Threat Hunter and YARA rules before restoring data.
  2. Review scan results before restore: Veeam Secure Restore will alert you to any detected malware. You can choose to abort, proceed with caution, or restore only clean files based on scan results.
  3. Automate secure restore in workflows: Integrate Secure Restore into your recovery workflows so every restoration operation includes a malware scan to minimize human error and oversight.
  4. Leverage role-based access controls: Restrict who can perform restores and access scan results to ensure only authorized personnel handle potentially infected data.
  5. Monitor and audit recovery activities: Use Veeam ONE to track Secure Restore events and generate compliance reports.

What does it look like?

Check out this demonstration video to see the architecture and the Pure1 and Veeam user interfaces.

Conclusion

Pure1’s advanced storage anomaly detection and workflow automation deliver deep visibility and control across data center infrastructure, empowering cyber-resilience administrators to proactively safeguard critical data assets.

By continuously monitoring for deviations in storage performance and behavior, Pure1 enables rapid identification and response to potential threats or system issues before they escalate into major incidents. Integrated workflows streamline incident handling, facilitate cross-platform coordination, and support compliance efforts, ensuring that administrators can maintain robust cyber resilience and data security in an increasingly complex IT environment. With Pure1, organizations gain the actionable insights and operational agility needed to protect their data and sustain business continuity against evolving cyber risks.

In this context, the combination of Everpure and Veeam provides enhanced value to customers by unifying Everpure’s anomaly detection and resilient storage infrastructure with Veeam’s comprehensive backup, recovery, and security capabilities. This synergy allows organizations to quickly identify and address storage anomalies, ensure backup integrity and data security, and automate coordinated response actions across both platforms. The result is deeper visibility, faster threat mitigation, seamless data protection, and improved cyber resilience throughout data center environments.

The post Leveling Up: Pure1 and Veeam Anomaly Detection appeared first on Veeam Software Official Blog.

from Veeam Software Official Blog https://ift.tt/7UYyKwi
