Veeam App for Microsoft Sentinel

Solution: Veeam


Attribute Value
Publisher Veeam Software
Support Tier Partner
Support Link https://helpcenter.veeam.com/docs/security_plugins_microsoft_sentinel/guide/
Categories domains
Version 3.0.1
Author Veeam Software - microsoftappsupport@veeam.com
First Published 2025-08-26
Solution Folder Veeam
Marketplace Azure Marketplace · Popularity: ⚪ Very Low (0%)

Veeam App for Microsoft Sentinel allows Veeam Data Platform Advanced and Premium customers to combine the powerful cyberthreat detection and response features of Microsoft Sentinel with a simple and powerful data platform that goes beyond backup, providing organizations with reliable data protection, seamless recovery, and vital security insights.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

a. Azure Monitor Ingestion API

b. Azure Functions

c. Azure Key Vault

d. Azure Storage Account

e. Azure Relays

f. Azure Logic Apps

g. Azure Log Analytics

Contents

Data Connectors

This solution provides 1 data connector(s):

Tables Used

This solution uses 8 table(s):

Table Used By Connectors Used By Content
Event - Workbooks
Syslog - Analytics, Workbooks
VeeamAuthorizationEvents_CL Veeam Data Connector (using Azure Functions) Workbooks
VeeamCovewareFindings_CL Veeam Data Connector (using Azure Functions) -
VeeamMalwareEvents_CL Veeam Data Connector (using Azure Functions) Analytics, Workbooks
VeeamOneTriggeredAlarms_CL Veeam Data Connector (using Azure Functions) Analytics, Workbooks
VeeamSecurityComplianceAnalyzer_CL Veeam Data Connector (using Azure Functions) Analytics, Workbooks
VeeamSessions_CL Veeam Data Connector (using Azure Functions) Analytics

Content Items

This solution includes 164 content item(s):

Content Type Count
Analytic Rules 132
Playbooks 15
Watchlists 11
Parsers 4
Workbooks 2

Analytic Rules

Name Severity Tactics Tables Used
Adding User or Group Failed Low - Syslog
Application Group Deleted Informational - Syslog
Application Group Settings Updated Informational - Syslog
Archive Repository Deleted High - Syslog
Archive Repository Settings Updated Low - Syslog
Attempt to Delete Backup Failed High - Syslog
Attempt to Update Security Object Failed High - Syslog
Backup Proxy Deleted Informational - Syslog
Backup Repository Deleted High - Syslog
Backup Repository Settings Updated Low - Syslog
Best Practice Compliance Check Not Passed Medium - VeeamSecurityComplianceAnalyzer_CL
Cloud Gateway Deleted Informational - Syslog
Cloud Gateway Pool Deleted Informational - Syslog
Cloud Gateway Pool Settings Updated Informational - Syslog
Cloud Gateway Settings Updated Informational - Syslog
Cloud Replica Permanent Failover Performed by Tenant High - Syslog
Configuration Backup Failed High - VeeamSessions_CL
Configuration Backup Job Failed Medium - Syslog
Configuration Backup Job Settings Updated Informational - Syslog
Connection to Backup Repository Lost High - Syslog
Credential Record Deleted High - Syslog
Credential Record Updated High - Syslog
Detaching Backups Started Informational - Syslog
Encryption Password Added Informational - Syslog
Encryption Password Changed High - Syslog
Encryption Password Deleted High - Syslog
External Repository Deleted High - Syslog
External Repository Settings Updated Informational - Syslog
Failover Plan Deleted Low - Syslog
Failover Plan Failed Low - Syslog
Failover Plan Settings Updated Informational - Syslog
Failover Plan Started High - Syslog
Failover Plan Stopped Medium - Syslog
File Server Deleted High - Syslog
File Server Settings Updated Informational - Syslog
File Share Deleted High - Syslog
Four-Eyes Authorization Disabled High - Syslog
Four-Eyes Authorization Request Created High - Syslog
Four-Eyes Authorization Request Expired Medium - Syslog
Four-Eyes Authorization Request Rejected Informational - Syslog
General Settings Updated Informational - Syslog
Global Network Traffic Rules Deleted Low - Syslog
Global VM Exclusions Added High - Syslog
Global VM Exclusions Changed High - Syslog
Global VM Exclusions Deleted Low - Syslog
Host Deleted Low - Syslog
Host Settings Updated Informational - Syslog
Hypervisor Host Deleted Informational - Syslog
Hypervisor Host Settings Updated Informational - Syslog
Invalid Code for Multi-Factor Authentication Entered High - Syslog
Job Deleted High - Syslog
Job No Longer Used as Second Destination High - Syslog
KMS Key Rotation Job Finished Informational - Syslog
KMS Server Deleted High - Syslog
KMS Server Settings Updated High - Syslog
License Expired High - Syslog
License Expiring Informational - Syslog
License Grace Period Started High - Syslog
License Limit Exceeded Medium - Syslog
License Removed High - Syslog
License Support Expired High - Syslog
License Support Expiring Low - Syslog
Malware Activity Detected High - Syslog
Malware Detection Exclusions List Updated Medium - Syslog
Malware Detection Session Finished Informational - Syslog
Malware Detection Settings Updated High - Syslog
Malware Event Detected Medium - VeeamMalwareEvents_CL
Multi-Factor Authentication Disabled High - Syslog
Multi-Factor Authentication Token Revoked Medium - Syslog
Multi-Factor Authentication User Locked High - Syslog
Multi-Factor Authentication for User Disabled High - Syslog
NDMP Server Deleted Informational - Syslog
Object Marked as Clean Informational - Syslog
Object Storage Deleted High - Syslog
Object Storage Settings Updated Low - Syslog
Objects Added to Malware Detection Exclusions High - Syslog
Objects Deleted from Malware Detection Exclusions Informational - Syslog
Objects for Job Deleted High - Syslog
Objects for Protection Group Changed Informational - Syslog
Objects for Protection Group Deleted High - Syslog
Preferred Networks Deleted Informational - Syslog
Protection Group Deleted High - Syslog
Protection Group Settings Updated Informational - Syslog
Recovery Token Deleted Low - Syslog
Restore Point Marked as Clean Informational - Syslog
Restore Point Marked as Infected High - Syslog
SSH Credentials Changed High - Syslog
Scale-Out Backup Repository Deleted High - Syslog
Scale-Out Backup Repository Settings Updated Low - Syslog
Service Provider Deleted Informational - Syslog
Service Provider Updated Informational - Syslog
Storage Deleted High - Syslog
Storage Settings Updated Informational - Syslog
Subtenant Deleted High - Syslog
Subtenant Updated Informational - Syslog
SureBackup Job Failed High - Syslog
Tape Erase Job Started High - Syslog
Tape Library Deleted Informational - Syslog
Tape Media Pool Deleted Informational - Syslog
Tape Media Vault Deleted Informational - Syslog
Tape Medium Deleted High - Syslog
Tape Server Deleted Informational - Syslog
Tenant Password Changed High - Syslog
Tenant Quota Changed Informational - Syslog
Tenant Quota Deleted Informational - Syslog
Tenant Replica Started Informational - Syslog
Tenant Replica Stopped High - Syslog
Tenant State Changed Informational - Syslog
User or Group Added High - Syslog
User or Group Deleted High - Syslog
Veeam ONE Application with No Recent Data Backup Sessions High - VeeamOneTriggeredAlarms_CL
Veeam ONE Backup Copy RPO High - VeeamOneTriggeredAlarms_CL
Veeam ONE Backup Server Security and Compliance State Medium - VeeamOneTriggeredAlarms_CL
Veeam ONE Computer with No Backup High - VeeamOneTriggeredAlarms_CL
Veeam ONE Immutability Change Tracking Medium - VeeamOneTriggeredAlarms_CL
Veeam ONE Immutability State Medium - VeeamOneTriggeredAlarms_CL
Veeam ONE Job Disabled Medium - VeeamOneTriggeredAlarms_CL
Veeam ONE Job Disabled (Veeam Backup for Microsoft 365) Medium - VeeamOneTriggeredAlarms_CL
Veeam ONE Malware Detection Change Tracking High - VeeamOneTriggeredAlarms_CL
Veeam ONE Possible Ransomware Activity (Hyper-V) High - VeeamOneTriggeredAlarms_CL
Veeam ONE Possible Ransomware Activity (vSphere) High - VeeamOneTriggeredAlarms_CL
Veeam ONE Suspicious Incremental Backup Size High - VeeamOneTriggeredAlarms_CL
Veeam ONE Unusual Job Duration Medium - VeeamOneTriggeredAlarms_CL
Veeam ONE Unusual Job Duration (Veeam Backup for Microsoft 365) Medium - VeeamOneTriggeredAlarms_CL
Veeam ONE VM with No Backup High - VeeamOneTriggeredAlarms_CL
Veeam ONE VM with No Backup (Hyper-V) High - VeeamOneTriggeredAlarms_CL
Veeam ONE VM with No Replica High - VeeamOneTriggeredAlarms_CL
Veeam ONE VM with No Replica (Hyper-V) High - VeeamOneTriggeredAlarms_CL
Virtual Lab Deleted Low - Syslog
Virtual Lab Settings Updated Low - Syslog
WAN Accelerator Deleted Informational - Syslog
WAN Accelerator Settings Updated Informational - Syslog

Workbooks

Name Tables Used
VeeamDataPlatformMonitoring Syslog
VeeamSecurityActivities Event, Syslog, VeeamAuthorizationEvents_CL, VeeamMalwareEvents_CL, VeeamOneTriggeredAlarms_CL, VeeamSecurityComplianceAnalyzer_CL

Playbooks

Name Description Tables Used
Veeam-ChangeCollectionTime This Microsoft Sentinel playbook adjusts the recurrence intervals for Veeam collection playbooks bas... -
Veeam-CollectConfigurationBackups A Microsoft Sentinel playbook that automatically runs configuration backup sessions on Veeam Backup ... -
Veeam-CollectCovewareFindings This Microsoft Sentinel playbook automatically collects Coveware findings on a schedule. Retrieves C... -
Veeam-CollectMalwareEvents A Microsoft Sentinel playbook that automatically collects malware events from Veeam Backup & Replica... -
Veeam-CollectSecurityComplianceAnalyzerResult A Microsoft Sentinel playbook that automatically collects Veeam Security Compliance Analyzer results... -
Veeam-CollectVeeamAuthorizationEvents This Microsoft Sentinel playbook automatically collects Veeam authorization events Veeam Backup & Re... -
Veeam-CollectVeeamONEAlarms This Microsoft Sentinel playbook automatically collects Veeam ONE alarms on a schedule. Retrieves Ve... -
Veeam-FindCleanRestorePoints A Microsoft Sentinel playbook with the incident trigger, that finds the last clean restore point for... -
Veeam-PerformConfigurationBackupOnIncident A Microsoft Sentinel playbook that automatically runs configuration backup session when triggered by... -
Veeam-PerformInstantVMRecovery This Microsoft Sentinel playbook performs instant VM recovery on the vm specified by MachineDisplayN... -
Veeam-PerformScanBackup This Microsoft Sentinel playbook with an incident trigger performs antivirus scan on Veeam backup us... -
Veeam-ResolveTriggeredAlarm A Microsoft Sentinel playbook with an incident trigger that resolves Veeam ONE alarms (identified by... -
Veeam-SetupConnections A Microsoft Sentinel playbook that configures Key Vault secrets and hybrid connections for Veeam ser... -
Veeam-StartQuickBackup A Microsoft Sentinel playbook with an incident trigger, that performs quick backup support for affec... -
Veeam-StartSecurityComplianceAnalyzer This Microsoft Sentinel playbook initiates and monitors Veeam Security and Compliance Analyzer sessi... -

Parsers

Name Description Tables Used
Veeam_GetFinishedConfigurationBackupSessions - Syslog (read)
Veeam_GetJobFinished - Syslog (read)
Veeam_GetSecurityEvents - Syslog (read)
Veeam_GetVeeamONEAlarms - Syslog (read)

Watchlists

Name Description Tables Used
action_results_lookup - -
collection_schedule_settings - -
coveware_settings - -
job_types_lookup - -
license_editions_lookup - -
license_types_lookup - -
operation_names_lookup - -
session_states_lookup - -
vbr_events_lookup - -
vbr_settings - -
vone_settings - -

Release Notes

Version Date Modified (DD-MM-YYYY) Change History
3.0.2 15-10-2025 Updated author to Veeam Software
3.0.1 03-10-2025 Updated Coveware security findings integration; Removed irrelevant mappings from all analytic rules; Updated Workbooks' drilldown capabilities
3.0.0 26-08-2025 Initial Solution Release
